This was from another list I'm on. I know nothing else about it.

-- 
David Kramer
david at thekramers.net
http://thekramers.net
"What kind of supreme being would condone such irony?" -- Tremors 3

---------- Forwarded message ----------
Date: Mon, 12 Jan 2004 11:49:53 -0500 (EST)
To: david at thekramers.net
Subject: urgent notice on Linux security

A heads-up to all the Linux users out there.

In the last few days, at least a half dozen machines run by some very security-conscious friends of mine have all been compromised. What is very unsettling is that these break-ins occurred en masse. My friends suspect that whatever this vulnerability is, it is easily detectable and exploitable through portscans of netblocks. I am passing on their recommendation that any Linux users check recent security bulletins and look both for vulnerabilities and for evidence of break-ins on any networked Linux machines you may be running.

The crackers binary-patched the kernel of the affected machines as they were running so as to hide files and processes. Something was wedged in there that managed to extract passwords from SSH connections. Needless to say, all of us who have either logged into or out of accounts on the known affected machines have been advised to change our passwords at once.

My friends were originally alerted to the problem when MIT informed them that one of the affected machines was port-scanning. To quote an excerpt from a follow-up technical discussion:

"Forensics on [the affected machines] revealed files in /usr/local/games that the KERNEL was hiding from us, trojaned /bin/netstat, trojaned /sbin/init, file added in /etc/rc.d/rc3.d, log cleaner in /dev/mig. Also, logins from user "news", who should never be logging in. The primary giveaway in cases like this is a gap in the logfiles in /var/log."

FWIW, it appears at this point that there was a lot of specific x86 stuff happening, so PPC Linux hosts may not be vulnerable to whatever took these machines out. Given the everyday high level of cluefulness and tech paranoia of these friends of mine, and the affected machines' proximity to the greater MIT-centric network, I thought that this event would be of interest to folks receiving this email.
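As an added, defender-side example (not part of the forwarded note or of any tool it mentions), here is a small Python check for two of the giveaways the forensic excerpt names: a gap in the syslog and interactive logins by the "news" account. The log lines and the list of daemon accounts are constructed assumptions.

```python
"""Hunt for two of the giveaways named in the forwarded note: a gap in syslog
(a log cleaner at work) and logins by system accounts such as "news".
The log lines below are constructed, not taken from the affected machines."""
from datetime import datetime, timedelta

# Constructed syslog excerpt; note the silent stretch between 02:10 and 04:55.
SYSLOG = """\
Jan 12 02:05:11 host sshd[412]: Accepted password for alice from 10.0.0.5 port 40112 ssh2
Jan 12 02:10:02 host cron[501]: (root) CMD (run-parts /etc/cron.hourly)
Jan 12 04:55:40 host sshd[977]: Accepted password for news from 10.0.0.9 port 51022 ssh2
Jan 12 05:00:01 host cron[998]: (root) CMD (run-parts /etc/cron.hourly)
"""

# Accounts that exist for daemons and should never log in interactively
# (assumed list; adjust to the local /etc/passwd).
SYSTEM_ACCOUNTS = {"news", "daemon", "bin", "sys", "lp", "mail", "uucp", "nobody"}

def parse_ts(line, year=2004):
    """Turn the 'Mon DD HH:MM:SS' prefix of a syslog line into a datetime."""
    return datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")

def find_log_gaps(text, max_quiet=timedelta(hours=1)):
    """Return (start, end) pairs where consecutive entries are further apart
    than max_quiet; cron alone should write at least hourly on a normal box."""
    stamps = [parse_ts(l) for l in text.splitlines() if l.strip()]
    return [(a, b) for a, b in zip(stamps, stamps[1:]) if b - a > max_quiet]

def find_system_account_logins(text):
    """Return (timestamp, user, source) for sshd 'Accepted' lines whose user
    is a daemon account; the note singles out logins from 'news'."""
    hits = []
    for line in text.splitlines():
        if "sshd" in line and "Accepted" in line:
            fields = line.split()
            user = fields[fields.index("for") + 1]
            src = fields[fields.index("from") + 1]
            if user in SYSTEM_ACCOUNTS:
                hits.append((parse_ts(line), user, src))
    return hits

if __name__ == "__main__":
    for start, end in find_log_gaps(SYSLOG):
        print(f"log gap: {start} -> {end}")
    for ts, user, src in find_system_account_logins(SYSLOG):
        print(f"system account login: {user} from {src} at {ts}")
```

Run it against a real /var/log/messages or /var/log/secure copied off the box, since a trojaned kernel or log cleaner cannot be trusted to show the files in place.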