Re: I may have been rooted - but I may not!? FOLLOW UP




Ralph,

Thanks for the info. I expect this is Asterisk-related.

Nigel 

-----Original Message-----
From: centos-bounces@xxxxxxxxxx [mailto:centos-bounces@xxxxxxxxxx] On Behalf
Of Ralph Angenendt
Sent: Monday, January 26, 2009 11:25 AM
To: centos@xxxxxxxxxx
Subject: Re: I may have been rooted - but I may not!? FOLLOW UP

Nigel Kendrick wrote:
> Just found ZK root kit.
>  
> Any ideas on infection vector?

> This is a Trixbox Server based on Centos, running kernel 2.6.18-53.1.4.el5 SMP

Not really saying anything about the vector, but that kernel has a local
root exploit (google for 'vmsplice'). One of the reasons one should keep
his boxes updated ...

> I have checked the logs and history file and cannot see anything
> The server is behind a hardware firewall and the only ports open are those
> needed for RTP, IAX2 and SIP - there is no other public access and no user
> accounts.

Did you update asterisk as regularly as you updated the rest of the
system?

<http://www.derkeiler.com/Mailing-Lists/Securiteam/2008-03/msg00069.html>

And there is exploit code for this vulnerability. So I get in via this
and get root via vmsplice and then suddenly Bob's your uncle and the box
isn't yours anymore.

SIP and IAX2 exploits are from 2007; there has also been an information
disclosure weakness in IAX2, which was announced some days ago.
But that would "only" lead to knowledge about valid users on the system.

Ralph

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
