On Mon, 2008-01-28 at 19:55 -0600, Johnny Hughes wrote:
> Johnny Hughes wrote:
> > Here is the applicable article:
> >
> > http://www.linux.com/feature/125548
> >
> > There are links in the above article that explain tests for the system
> > and what is currently known about the rootkit.
> >
> > Apparently initial access is NOT via any vulnerability but just guessed
> > root passwords.
> >
> > There are currently 2 methods to see if you are infected:
> >
> > 1. In some cases, the root kit causes you to not be able to create
> > directories starting with a number ... so as root do:
> >
> > mkdir 1
> >
> > If it gives you an error similar to this, you are probably infected:
> >
> > mkdir: cannot create directory `1': No such file or directory
> >
> > 2. Run this command for several minutes while you have windows users
> > connecting to your web server:
> >
> > tcpdump -nAs 2048 src port 80 | grep "[a-zA-Z]\{5\}\.js'"
> >
> > If you get output from this script, you may be infected.
> >
> > ========================================================
> > More info:
> >
> > http://blog.cpanel.net/?p=31
> >
> > http://www.cpanel.net/security/notes/random_js_toolkit.html
> >
> > http://www.finjan.com/Pressrelease.aspx?id=1820&PressLan=1819&lan=3
> >
> > http://www.pcworld.com/article/id,141358-c,techindustrytrends/article.html
> >
> > http://www.webhostingtalk.com/showthread.php?t=651748
> >
> > ==========================================================
> >
> > This does not seem to be caused by a specific vulnerability that CentOS
> > or RHEL or cPanel has, but rather it seems to be caused by compromised
> > root passwords.
> >
> > There are several recommendations in the above links to prevent becoming
> > infected as well as what to do if you are infected.
> >
> > While there does not seem to be anything that the CentOS Development
> > Team can "FIX" in relation to this issue ... I thought I would put the
> > information out so that people can test their machines and take action
> > as necessary.
>
> As a secondary note, the CentOS Security Team (and also the upstream
> security team) would like to have access to an infected machine for
> analysis, if anyone is infected and if they can spare the machine for
> several days for us to analyze (you should change your root passwd and
> take apache off line ... meaning you would need to stand up another web
> server to replace this one).
>
> So, if you have a machine for the cause that was infected in the wild
> that you can spare, you can contact the CentOS Security team at:
>
> security_AT_centos.org
>
> We will work also with the Red Hat Security team and see if we can
> isolate any issues that might be FIXABLE.
----
doesn't this almost beg for upstream to make denyhosts a base install
and automatically on, just as sshd is automatically on?
Craig
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
