 |
Home
| Calendar
| Mail Lists
| List Archives
| Desktop SIG
| Hardware Hacking SIG
Wiki | Flickr | PicasaWeb | Video | Maps & Directions | Installfests | Keysignings Linux Cafe | Meeting Notes | Blog | Linux Links | Bling | About BLU |
|
Home
| Calendar
| Mail Lists
| List Archives
| Desktop SIG
| Hardware Hacking SIG
Wiki | Flickr | PicasaWeb | Video | Maps & Directions | Installfests | Keysignings Linux Cafe | Meeting Notes | Blog | Linux Links | Bling | About BLU |
The root kit behavior sounds a bit like the SucKIT root kit. It directly patches /proc/kcore, so you do not need to have loadable module support enabled for it to be loaded into your kernel. Of course, if it is SucKIT, that explains what was done, not how it was done. The only recent remote exploit I can think of is the rsync vulnerability which could gain root using the kernel brk vulnerability. Otherwise it's either something very new (there goes my week), or something older that wasn't updated properly. Info on the rsync vulnerability: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0962 On Mon, 12 Jan 2004, David Kramer wrote: > > This was from another list I'm on. I know nothing else about it. > > -- > DDDD David Kramer david at thekramers.net http://thekramers.net > DK KD > DKK D "What kind of supreme being would condone such irony?" > DK KD Tremors 3 > DDDD > > ---------- Forwarded message ---------- > Date: Mon, 12 Jan 2004 11:49:53 -0500 (EST) > To: david at thekramers.net > Subject: urgent notice on Linux security > > A heads-up to all the Linux users out there. In the last few days, > at least a half dozen machines run by some very security conscious > friends of mine have all been compromised. What is very unsettling > is that these breakins occurred en masse. My friends suspect that > whatever this vulnerability is it is easily detectable and > exploitable through portscans of netblocks. I am passing on their > recommendation that any Linux users check recent security bulletins > and look both for vulnerabilities and for evidence of breakins on > any networked Linux machines you may be running. > > The crackers binary-patched the kernel of the affected machines as > they were running so as to hide files and processes. Something was > wedged in there that managed to extract passwords from SSH > connections. Needless to say, all of us who have either logged into > or out of accounts on the known affected machines have been advised > to change our passwords at once. > > My friends were originally alerted to the problem when MIT informed > them that one of the affected machines was port-scanning. To quote an > excerpt from a followup technical discussion: > > "Forensics on [the affected machines] revealed files in > /usr/local/games that the KERNEL was hiding from us, trojaned > /bin/netstat, trojaned /sbin/init, file added in /etc/rc.d/rc3.d, > log cleaner in /dev/mig. Also, logins from user "news", who should > never be logging in. The primary giveaway in cases like this is a > gap in the logfiles in /var/log." > > Fwiw, it appears at this point that there was a lot of specific x86 > stuff happening, so PPC linux hosts may not be vunerable to whatever > took these machines out. > > Given the everyday high level of cluefulness and tech paranoia of > these friends of mine, and the affected machines' proximity to the > greater MIT-centric network, I thought that this event would be of > interest to folks recieving this email. > _______________________________________________ > Discuss mailing list > Discuss at blu.org > http://www.blu.org/mailman/listinfo/discuss >
 |
|
| BLU is a member of BostonUserGroups | |
| We also thank MIT for the use of their facilities. | |
