Re: duqu




On Tue, 06 Dec 2011 15:45:04 -0600
Johnny Hughes <johnny@xxxxxxxxxx> wrote:

> On 12/06/2011 02:36 PM, Les Mikesell wrote:
> > On Tue, Dec 6, 2011 at 2:18 PM, Karanbir Singh
> > <mail-lists@xxxxxxxxx> wrote:
> >> On 12/06/2011 08:09 PM, Les Mikesell wrote:
> >>> Any luck on the specific attack path yet?  The linked article
> >>> suggests CentOS up to 5.5 was vulnerable.
> >>
> >> We don't have access to the actual machines that were broken into
> >> - so pretty much everything is second hand info.
> >>
> >> But based on what we know and what we have been told and what we
> >> have worked out ourselves as well, it's almost certainly
> >> brute-forced ssh passwords.
> > 
> > So, coincidence that they were CentOS, and pre-5.6?  Did they have
> > admins in common?
> > 
> 
> Kaspersky has access to the images ... but they were mostly
> cleaned/erased and only what they can recover from erased ext3 files
> are there to see.
> 
> The attackers used something to 00000 out the files that they wanted
> to wipe directly ... so only things like old logs (that were deleted
> by logrotate and not wiped by the attackers) are on there.
> 
> There is one major possibility for something that could be an entry
> point besides brute force, and that is exim:
> 
> http://rhn.redhat.com/errata/RHSA-2010-0970.html
> 
> However, they do not know yet if exim was in use on those machines.
> 
> Note: CentOS released our update within 24 hours of that update from
> upstream ... but people who have < 5.5 and exim are vulnerable to
> that.
> 
> If I had to guess, I would say that the attackers probably developed
> their code on CentOS, so they were looking for a CentOS machine to
> deploy their code on in the wild.  That would be why I would say
> CentOS was the OS used.

The fact that the first thing they did (immediately, actually) was to
upgrade OpenSSH does suggest that there is a zero-day bug around.

If you capture a machine to be your C&C of a botnet, you certainly
don't want the same bug around so others can take your 0wned machine...

Rui
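The thread's working theory is brute-forced ssh passwords, with only leftover logrotate output surviving on the wiped hosts. As an added example (not from the list posters or the CentOS project), this Python script walks a set of constructed sshd log lines and flags a source address that piles up failed password attempts and then gets an "Accepted password" login, which is the pattern a defender would look for in recovered auth logs; the sample lines, host name and threshold are made up for illustration.

```python
import re
from collections import defaultdict

# Constructed sample sshd log lines (not recovered from the machines in the thread).
SAMPLE_LOG = """\
Dec  6 03:14:01 web1 sshd[2201]: Failed password for root from 203.0.113.7 port 40122 ssh2
Dec  6 03:14:03 web1 sshd[2203]: Failed password for root from 203.0.113.7 port 40124 ssh2
Dec  6 03:14:05 web1 sshd[2205]: Failed password for invalid user admin from 203.0.113.7 port 40126 ssh2
Dec  6 03:14:07 web1 sshd[2207]: Failed password for root from 203.0.113.7 port 40128 ssh2
Dec  6 03:14:09 web1 sshd[2209]: Failed password for root from 203.0.113.7 port 40130 ssh2
Dec  6 03:14:11 web1 sshd[2211]: Accepted password for root from 203.0.113.7 port 40132 ssh2
Dec  6 08:00:00 web1 sshd[2301]: Accepted publickey for deploy from 198.51.100.4 port 51000 ssh2
"""

# "Failed password for root from X" and "Failed password for invalid user admin from X"
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
# Only password logins matter here; key-based "Accepted publickey" lines are ignored.
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted password for (\S+) from (\S+) port")


def analyze(log_text, threshold=5):
    """Return (suspects, compromised).

    suspects:    {source_ip: failed_password_count} for sources at or above threshold
    compromised: {source_ip: user} for sources that got a password login accepted
                 after reaching the threshold of failures
    """
    failures = defaultdict(int)
    first_success = {}  # ip -> (user, failures seen before the accepted login)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m.group(2)] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m and m.group(2) in failures and m.group(2) not in first_success:
            first_success[m.group(2)] = (m.group(1), failures[m.group(2)])
    suspects = {ip: n for ip, n in failures.items() if n >= threshold}
    compromised = {ip: user for ip, (user, n) in first_success.items() if n >= threshold}
    return suspects, compromised


if __name__ == "__main__":
    suspects, compromised = analyze(SAMPLE_LOG)
    print("brute-force sources:", suspects)
    print("password login after brute force:", compromised)
```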


