On 30.06.2017 00:51, stan wrote:
Wikileaks released a document about an attack against CentOS / Rhel. https://wikileaks.org/vault7/#OutlawCountry Here's the text, there are some docs there also. My first take is that this doesn't represent a very serious threat. Do you disagree?
If we were talking about a rootkit, and I look at the manual https://wikileaks.org/vault7/document/OutlawCountry_v1_0_User_Manual/ (page 4, installation): which user does see these modules on the system? (Is there a user besides root that has more rights?) I did a ls -alR / > /tmp/ls.txt and there I didn't find any nf_table... This is the complete directory /lib/modules/2.6.32-696.3.2.el6.x86_64/kernel/net/ipv4/netfilter:

total 540
drwxr-xr-x. 2 root root 4096 Jun 21 15:47 .
drwxr-xr-x. 3 root root 4096 Jun 21 15:47 ..
-rwxr--r--. 1 root root 7872 Jun 20 03:46 arptable_filter.ko
-rwxr--r--. 1 root root 32288 Jun 20 03:46 arp_tables.ko
-rwxr--r--. 1 root root 5680 Jun 20 03:46 arpt_mangle.ko
-rwxr--r--. 1 root root 20496 Jun 20 03:46 ip_queue.ko
-rwxr--r--. 1 root root 8888 Jun 20 03:46 iptable_filter.ko
-rwxr--r--. 1 root root 8936 Jun 20 03:46 iptable_mangle.ko
-rwxr--r--. 1 root root 16152 Jun 20 03:46 iptable_nat.ko
-rwxr--r--. 1 root root 7176 Jun 20 03:46 iptable_raw.ko
-rwxr--r--. 1 root root 7832 Jun 20 03:46 iptable_security.ko
-rwxr--r--. 1 root root 37232 Jun 20 03:46 ip_tables.ko
-rwxr--r--. 1 root root 6584 Jun 20 03:46 ipt_addrtype.ko
-rwxr--r--. 1 root root 5160 Jun 20 03:46 ipt_ah.ko
-rwxr--r--. 1 root root 20120 Jun 20 03:46 ipt_CLUSTERIP.ko
-rwxr--r--. 1 root root 5720 Jun 20 03:46 ipt_ecn.ko
-rwxr--r--. 1 root root 6752 Jun 20 03:46 ipt_ECN.ko
-rwxr--r--. 1 root root 15872 Jun 20 03:46 ipt_LOG.ko
-rwxr--r--. 1 root root 8984 Jun 20 03:46 ipt_MASQUERADE.ko
-rwxr--r--. 1 root root 6944 Jun 20 03:46 ipt_NETMAP.ko
-rwxr--r--. 1 root root 6960 Jun 20 03:46 ipt_REDIRECT.ko
-rwxr--r--. 1 root root 8560 Jun 20 03:46 ipt_REJECT.ko
-rwxr--r--. 1 root root 21264 Jun 20 03:46 ipt_ULOG.ko
-rwxr--r--. 1 root root 25472 Jun 20 03:46 nf_conntrack_ipv4.ko
-rwxr--r--. 1 root root 6040 Jun 20 03:46 nf_defrag_ipv4.ko
-rwxr--r--. 1 root root 5992 Jun 20 03:46 nf_nat_amanda.ko
-rwxr--r--. 1 root root 10768 Jun 20 03:46 nf_nat_ftp.ko
-rwxr--r--. 1 root root 20624 Jun 20 03:46 nf_nat_h323.ko
-rwxr--r--. 1 root root 7960 Jun 20 03:46 nf_nat_irc.ko
-rwxr--r--. 1 root root 45312 Jun 20 03:46 nf_nat.ko
-rwxr--r--. 1 root root 13472 Jun 20 03:46 nf_nat_pptp.ko
-rwxr--r--. 1 root root 6088 Jun 20 03:46 nf_nat_proto_dccp.ko
-rwxr--r--. 1 root root 9816 Jun 20 03:46 nf_nat_proto_gre.ko
-rwxr--r--. 1 root root 6456 Jun 20 03:46 nf_nat_proto_sctp.ko
-rwxr--r--. 1 root root 6048 Jun 20 03:46 nf_nat_proto_udplite.ko
-rwxr--r--. 1 root root 14848 Jun 20 03:46 nf_nat_sip.ko
-rwxr--r--. 1 root root 18976 Jun 20 03:46 nf_nat_snmp_basic.ko
-rwxr--r--. 1 root root 5208 Jun 20 03:46 nf_nat_tftp.ko

And the next thing: it is talking about IPv4 and NAT; would IPv6 be an option to block them? Just my thoughts, Walter
_______________________________________________ users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx
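Walter's ls -alR looks at the on-disk module tree, which any local user can read (the directory is mode drwxr-xr-x), but loading a module still takes root, and a module loaded from a file outside /lib/modules, or deleted after loading, never shows up in that listing. Nor does a netfilter table that such a module registered. The kernel itself reports both: /proc/modules lists what is loaded, and /proc/net/ip_tables_names lists every registered iptables table, whether or not "iptables -L" would show it. The script below is an added example, not code from the thread or from the WikiLeaks documents, that cross-checks those two kernel views against the stock module tree and the five tables a stock CentOS 6 kernel registers. The module and table name "nf_table" is only the string Walter grepped for and is used here as constructed test data, not as a known indicator.

```shell
#!/bin/sh
# Added example (not from the thread or the Vault7 documents): two checks for
# a netfilter table or kernel module that does not belong to the stock kernel.
# The name "nf_table" below is an ASSUMPTION used only as constructed test data.

KNOWN_TABLES="filter nat mangle raw security"   # tables a stock kernel registers

# Read netfilter table names, one per line (the format of
# /proc/net/ip_tables_names), and print the ones not in KNOWN_TABLES.
unexpected_tables() {
    while IFS= read -r t; do
        [ -z "$t" ] && continue
        case " $KNOWN_TABLES " in
            *" $t "*) ;;                 # stock table, ignore
            *) printf '%s\n' "$t" ;;     # anything else deserves a look
        esac
    done
}

# Read /proc/modules-style lines (module name first) and print every loaded
# module that has no matching .ko file under the directory given as $1.
# A module loaded from a dropped file that was then deleted, or that never
# lived under /lib/modules, shows up here. "_" and "-" are interchangeable in
# module names, so each "_" is matched as a single-character wildcard.
modules_without_file() {
    dir=$1
    while read -r name rest; do
        [ -z "$name" ] && continue
        pat=$(printf '%s' "$name" | tr '_' '?')
        if [ -z "$(find "$dir" -name "${pat}.ko" 2>/dev/null | head -n 1)" ]; then
            printf '%s\n' "$name"
        fi
    done
}

# Run both checks on the running system (as root: ip_tables_names is not
# world-readable), then let rpm verify the kernel package so a tampered .ko
# under /lib/modules is caught as well.
live_check() {
    if [ -r /proc/net/ip_tables_names ]; then
        unexpected_tables < /proc/net/ip_tables_names
    fi
    if [ -r /proc/modules ]; then
        modules_without_file "/lib/modules/$(uname -r)" < /proc/modules
    fi
    command -v rpm >/dev/null 2>&1 && rpm -V "kernel-$(uname -r)"
    return 0
}

# Offline demonstration on constructed data: a fake module tree holding two
# of the .ko files from Walter's listing, plus a loaded module with no file
# behind it and a registered table that is not one of the stock five.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/kernel/net/ipv4/netfilter"
    : > "$tmp/kernel/net/ipv4/netfilter/nf_nat.ko"
    : > "$tmp/kernel/net/ipv4/netfilter/iptable_filter.ko"
    printf 'nf_nat 45312 1 - Live 0x0\niptable_filter 8888 1 - Live 0x0\nnf_table 13000 0 - Live 0x0\n' \
        | modules_without_file "$tmp"
    printf 'filter\nnat\nmangle\nnf_table\n' | unexpected_tables
    rm -rf "$tmp"
}

if [ "${1:-}" = "--live" ]; then
    live_check
else
    demo
fi
```

Run it with no arguments for the offline demonstration (it prints nf_table twice, once from each check) and with --live as root on the box in question. An empty result from the live run only says that nothing is loaded or registered under an unexpected name; it does not prove the absence of a module that hides itself from /proc/modules, which is why the rpm verification of the on-disk files is run as well.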