That should have been /dev/kmem, not /proc/kcore. More information on
SucKIT is available here: http://www.phrack.org/phrack/58/p58-0x07

On Mon, 12 Jan 2004 gboyce at badbelly.com wrote:

> The root kit behavior sounds a bit like the SucKIT root kit. It directly
> patches /proc/kcore, so you do not need to have loadable module support
> enabled for it to be loaded into your kernel.
>
> Of course, if it is SucKIT, that explains what was done, not how it was
> done.
>
> The only recent remote exploit I can think of is the rsync vulnerability
> which could gain root using the kernel brk vulnerability. Otherwise it's
> either something very new (there goes my week), or something older that
> wasn't updated properly.
>
> Info on the rsync vulnerability:
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0962
>
> On Mon, 12 Jan 2004, David Kramer wrote:
>
> > This was from another list I'm on. I know nothing else about it.
> >
> > --
> > DDDD   David Kramer   david at thekramers.net   http://thekramers.net
> > DK KD
> > DKK D  "What kind of supreme being would condone such irony?"
> > DK KD                                             Tremors 3
> > DDDD
> >
> > ---------- Forwarded message ----------
> > Date: Mon, 12 Jan 2004 11:49:53 -0500 (EST)
> > To: david at thekramers.net
> > Subject: urgent notice on Linux security
> >
> > A heads-up to all the Linux users out there. In the last few days,
> > at least a half dozen machines run by some very security conscious
> > friends of mine have all been compromised. What is very unsettling
> > is that these breakins occurred en masse. My friends suspect that
> > whatever this vulnerability is it is easily detectable and
> > exploitable through portscans of netblocks. I am passing on their
> > recommendation that any Linux users check recent security bulletins
> > and look both for vulnerabilities and for evidence of breakins on
> > any networked Linux machines you may be running.
> >
> > The crackers binary-patched the kernel of the affected machines as
> > they were running so as to hide files and processes. Something was
> > wedged in there that managed to extract passwords from SSH
> > connections. Needless to say, all of us who have either logged into
> > or out of accounts on the known affected machines have been advised
> > to change our passwords at once.
> >
> > My friends were originally alerted to the problem when MIT informed
> > them that one of the affected machines was port-scanning. To quote an
> > excerpt from a followup technical discussion:
> >
> > "Forensics on [the affected machines] revealed files in
> > /usr/local/games that the KERNEL was hiding from us, trojaned
> > /bin/netstat, trojaned /sbin/init, file added in /etc/rc.d/rc3.d,
> > log cleaner in /dev/mig. Also, logins from user "news", who should
> > never be logging in. The primary giveaway in cases like this is a
> > gap in the logfiles in /var/log."
> >
> > Fwiw, it appears at this point that there was a lot of specific x86
> > stuff happening, so PPC linux hosts may not be vulnerable to whatever
> > took these machines out.
> >
> > Given the everyday high level of cluefulness and tech paranoia of
> > these friends of mine, and the affected machines' proximity to the
> > greater MIT-centric network, I thought that this event would be of
> > interest to folks receiving this email.
> >
> > _______________________________________________
> > Discuss mailing list
> > Discuss at blu.org
> > http://www.blu.org/mailman/listinfo/discuss
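Two of the indicators quoted in the forwarded notice, a gap in the /var/log timeline and logins by the "news" account, can be checked mechanically once the logs are in hand. The following is an added example, not code from this thread or from BLU; the syslog lines are constructed, the year prepended to the year-less syslog timestamps and the set of service accounts are assumptions, and the 90-minute gap threshold is chosen to sit above an hourly cron heartbeat.

```python
"""Triage helpers for two indicators the forwarded notice names: a hole in the
syslog timeline (what a log cleaner leaves behind) and logins by a service
account such as "news" that should never log in interactively.

Added example, not code from the BLU thread; the sample log is constructed."""
import re
from datetime import datetime, timedelta

# Classic syslog lines carry no year, so one must be assumed (2004 matches the thread).
LOG_YEAR = 2004
SYSLOG_RE = re.compile(
    r"^(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) ([^:\[]+)(?:\[\d+\])?: (.*)$"
)
SSH_LOGIN_RE = re.compile(r"Accepted \S+ for (\S+) from (\S+)")
SU_RE = re.compile(r"^(\S+) to (\S+) on ")

# Accounts that exist for daemons, not people; an assumption, adjust per host.
SERVICE_ACCOUNTS = {"news", "daemon", "bin", "sys", "lp", "mail", "uucp", "nobody"}

# Constructed sample: hourly cron as a heartbeat, a two-hour hole where the
# 22:00 and 23:00 cron entries should be, then "news" logging in and using su.
SAMPLE_LOG = """\
Jan 11 21:00:01 hostA CRON[1234]: (root) CMD (run-parts /etc/cron.hourly)
Jan 11 21:05:17 hostA sshd[1301]: Accepted password for alice from 18.0.0.5 port 51122 ssh2
Jan 11 21:15:00 hostA syslogd: restart
Jan 11 23:20:44 hostA sshd[1410]: Accepted password for news from 10.9.8.7 port 40021 ssh2
Jan 11 23:21:02 hostA su: news to root on /dev/pts/3
Jan 12 00:00:01 hostA CRON[1500]: (root) CMD (run-parts /etc/cron.hourly)
"""


def parse_syslog(text, year=LOG_YEAR):
    """Return a list of (timestamp, host, process, message), in file order.
    Lines that do not parse are skipped rather than guessed at."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        ts_str, host, proc, msg = m.groups()
        ts = datetime.strptime(f"{year} {ts_str}", "%Y %b %d %H:%M:%S")
        events.append((ts, host, proc.strip(), msg))
    return events


def find_log_gaps(events, max_gap=timedelta(minutes=90)):
    """Flag consecutive events further apart than max_gap. Keep max_gap above
    the host's normal heartbeat (hourly cron here) so quiet periods do not fire."""
    gaps = []
    for prev, cur in zip(events, events[1:]):
        delta = cur[0] - prev[0]
        if delta > max_gap:
            gaps.append((prev[0], cur[0], delta))
    return gaps


def find_service_account_logins(events, accounts=SERVICE_ACCOUNTS):
    """Return (timestamp, user, detail, via) for sshd logins or su invocations
    by accounts that exist for daemons and should never log in."""
    hits = []
    for ts, _host, proc, msg in events:
        if proc == "sshd":
            m = SSH_LOGIN_RE.search(msg)
            if m and m.group(1) in accounts:
                hits.append((ts, m.group(1), m.group(2), "sshd"))
        elif proc == "su":
            m = SU_RE.match(msg)
            if m and m.group(1) in accounts:
                hits.append((ts, m.group(1), m.group(2), "su"))
    return hits


def triage(text):
    """Run both checks over one syslog text and return the findings."""
    events = parse_syslog(text)
    return {
        "gaps": find_log_gaps(events),
        "service_logins": find_service_account_logins(events),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for start, end, delta in report["gaps"]:
        print(f"GAP   {start} -> {end} ({delta})")
    for ts, user, detail, via in report["service_logins"]:
        print(f"LOGIN {ts} {user} via {via} ({detail})")
```

Because the kernel on the affected machines was patched in place, run a check like this against logs captured off-host (a remote syslog collector, or a copy taken after booting from trusted media), not on the suspect box itself, where a hidden log cleaner and trojaned binaries can still shape what you see. The gap check only works if the host has a regular heartbeat entry such as hourly cron; on a host without one, look instead at the syslogd restart marker, which in the sample sits exactly where the hole begins.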