Fwd: [Sheflug] Zero-day rootkit?

Hi all,

Anyone seeing this on any of your softswitches/SBCs/SIP Proxies that are built on Linux kernels?

Thanks.

---------- Forwarded message ----------
From: Chris J <cej at nightwolf.org.uk>
Date: 21 February 2013 19:25
Subject: [Sheflug] Zero-day rootkit?
To: sheflug at sheflug.org.uk

Just a heads-up in case it's not been seen. The last couple of days I've seen blogs and forums light up with news of an active zero-day attack - the actual attack vector is currently not known, which makes this more worrying than most. Some folk are placing the blame on SSH, others on cPanel, but really, no-one currently knows.

Typically it's been Redhat or CentOS machines affected, although I've seen (unconfirmed) anecdotes on forums that Debian has also been affected.

You'll know to be suspicious if you have a file, libkeyutils.so.1.9, on your box, most likely under /lib (but could be elsewhere). The latest "good" version of this file is 1.3...

It's also curious that most of the talk is on forums. I haven't seen anything from the distributions about this.

Relevant links and more info:
http://blog.solidshellsecurity.com/2013/02/18/0day-linuxcentos-sshd-spam-exp...
http://blog.configserver.com/index.php?itemid=716
http://www.webhostingtalk.com/showthread.php?t=1235797

A google for libkeyutils.so.1.9 brings back other various forums, etc...

Don't know if anyone's got more solid information on this?

Cheers,
Chris

--
Chris Johnson :: cej at nightwolf.org.uk :: PGP 0xBC618B81 :: http://cej.nightwolf.org.uk/

_______________________________________________
Sheffield Linux User's Group
http://sheflug.org.uk/mailman/listinfo/sheflug_sheflug.org.uk
FAQ at: http://www.sheflug.org.uk/mailfaq.html
GNU - The Choice of a Complete Generation

--
Kind Regards,
Gavin Henry. Managing Director.
T +44 (0) 1224 279484 M +44 (0) 7930 323266 F +44 (0) 1224 824887 E ghenry at suretec.co.uk
Open Source. Open Solutions(tm).
http://www.suretecsystems.com/
Suretec Systems is a limited company registered in Scotland. Registered number: SC258005. Registered office: 24 Cormack Park, Rothienorman, Inverurie, Aberdeenshire, AB51 8GL.
Subject to disclaimer at http://www.suretecgroup.com/disclaimer.html
Do you know we have our own VoIP provider called SureVoIP? See http://www.surevoip.co.uk
Did you see our API? http://www.surevoip.co.uk/api
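The file check Chris describes in the forwarded message, as an added example that is not part of any message in this thread: a POSIX shell helper that scans the usual library directories for libkeyutils.so.1.* and flags any copy whose version is not the 1.3 he names as known-good, or that the package manager does not claim. The default directory list and the ownership check via rpm -qf / dpkg -S are my assumptions, not something the thread states.

```shell
#!/bin/sh
# Added example (not from the thread): look for the libkeyutils.so.1.9 indicator.
# Assumption: 1.3 is the known-good version, as stated in the forwarded message.
KNOWN_GOOD="1.3"

# list_keyutils DIR... -> prints every libkeyutils.so.1.* directly under the directories
list_keyutils() {
    for d in "$@"; do
        [ -d "$d" ] || continue
        find "$d" -maxdepth 1 -name 'libkeyutils.so.1.*' 2>/dev/null
    done
}

# version_of PATH -> prints the version suffix, e.g. 1.9 for /lib/libkeyutils.so.1.9
version_of() {
    echo "${1##*/libkeyutils.so.}"
}

# owned_by_package PATH -> 0 if rpm or dpkg knows the file, 1 otherwise
# (assumption: a legitimate copy is always installed by the distro package)
owned_by_package() {
    if command -v rpm >/dev/null 2>&1; then
        rpm -qf "$1" >/dev/null 2>&1 && return 0
    fi
    if command -v dpkg >/dev/null 2>&1; then
        dpkg -S "$1" >/dev/null 2>&1 && return 0
    fi
    return 1
}

# check_keyutils [DIR...] -> prints each suspicious file; returns 1 if any, else 0
# Defaults to the common library directories when no DIR is given (assumed list).
check_keyutils() {
    [ "$#" -gt 0 ] || set -- /lib /lib64 /usr/lib /usr/lib64
    found=0
    for f in $(list_keyutils "$@"); do
        v=$(version_of "$f")
        if [ "$v" != "$KNOWN_GOOD" ]; then
            echo "SUSPICIOUS: $f (version $v, expected $KNOWN_GOOD)"
            found=1
        elif ! owned_by_package "$f"; then
            echo "SUSPICIOUS: $f (not owned by any package)"
            found=1
        fi
    done
    return $found
}
```

Run `check_keyutils` with no arguments to scan the default directories; a non-zero exit means at least one file needs a closer look.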

Since it mentions control panels, wouldn't this more than likely be a local root exploit that one can use once you have a sliver of access via the control panel user interface?

I highly doubt the folks who can audit sshd to find a remote root would send spam. By the time spammers get a hold of such an exploit, the guys who release such exploits already made it publicly known. (After they had their fun of rooting openbsd.org or what have you ;-) ).

Not bashing linux here.. but there have to be dozens of people around who make it a hobby to find local root exploits. I imagine one decided to sell the exploit instead of emailing the full disclosure mailing list to get many kudos and "street" cred.

m

On Thu, 21 Feb 2013, Gavin Henry wrote:
Hi all,
Anyone seeing this on any of your softswitches/SBCs/SIP Proxies that are built on Linux kernels?
Thanks.
---------- Forwarded message ----------
From: Chris J <cej at nightwolf.org.uk>
Date: 21 February 2013 19:25
Subject: [Sheflug] Zero-day rootkit?
To: sheflug at sheflug.org.uk
Just a heads-up in case it's not been seen. The last couple of days I've seen blogs and forums light up with news of an active zero-day attack - the actual attack vector is currently not known, which makes this more worrying than most. Some folk are placing the blame on SSH, others on cPanel, but really, no-one currently knows.
Typically it's been Redhat or CentOS machines affected, although I've seen (unconfirmed) anecdotes on forums that Debian has also been affected.
You'll know to be suspicious if you have a file, libkeyutils.so.1.9, on your box, most likely under /lib (but could be elsewhere). The latest "good" version of this file is 1.3...
It's also curious that most of the talk is on forums. I haven't seen anything from the distributions about this.
Relevant links and more info:
http://blog.solidshellsecurity.com/2013/02/18/0day-linuxcentos-sshd-spam-exp...
http://blog.configserver.com/index.php?itemid=716
http://www.webhostingtalk.com/showthread.php?t=1235797
A google for libkeyutils.so.1.9 brings back other various forums, etc...
Don't know if anyone's got more solid information on this?
Cheers,
Chris
--
Chris Johnson :: cej at nightwolf.org.uk :: PGP 0xBC618B81 :: http://cej.nightwolf.org.uk/
--
Kind Regards,
Gavin Henry. Managing Director.
_______________________________________________
VoiceOps mailing list
VoiceOps at voiceops.org
https://puck.nether.net/mailman/listinfo/voiceops

On Thu, Feb 21, 2013 at 09:46:25PM +0000, Gavin Henry wrote:
Anyone seeing this on any of your softswitches/SBCs/SIP Proxies that are built on Linux kernels?
There is a suggestion that it is related to cPanel tech support server being compromised.

http://isc.sans.edu/diary/SSHD+rootkit+in+the+wild/15229
http://www.webhostingtalk.com/showpost.php?p=8569905&postcount=1187
http://forums.cpanel.net/f185/cpanel-security-325062.html

Regards,