urgent notice on Linux security (fwd)
gboyce at badbelly.com
Mon Jan 12 16:18:47 EST 2004
That should have been /dev/kmem, not /proc/kcore.
More information on SucKIT is available here:
http://www.phrack.org/phrack/58/p58-0x07
On Mon, 12 Jan 2004 gboyce at badbelly.com wrote:
> The root kit behavior sounds a bit like the SucKIT root kit. It directly
> patches /proc/kcore, so you do not need to have loadable module support
> enabled for it to be loaded into your kernel.
>
> Of course, if it is SucKIT, that explains what was done, not how it was
> done.
>
> The only recent remote exploit I can think of is the rsync vulnerability
> which could gain root using the kernel brk vulnerability. Otherwise it's
> either something very new (there goes my week), or something older that
> wasn't updated properly.
>
> Info on the rsync vulnerability:
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0962
>
> On Mon, 12 Jan 2004, David Kramer wrote:
>
> >
> > This was from another list I'm on. I know nothing else about it.
> >
> > --
> > DDDD David Kramer david at thekramers.net http://thekramers.net
> > DK KD
> > DKK D "What kind of supreme being would condone such irony?"
> > DK KD Tremors 3
> > DDDD
> >
> > ---------- Forwarded message ----------
> > Date: Mon, 12 Jan 2004 11:49:53 -0500 (EST)
> > To: david at thekramers.net
> > Subject: urgent notice on Linux security
> >
> > A heads-up to all the Linux users out there. In the last few days,
> > at least a half dozen machines run by some very security conscious
> > friends of mine have all been compromised. What is very unsettling
> > is that these break-ins occurred en masse. My friends suspect that
> > whatever this vulnerability is it is easily detectable and
> > exploitable through portscans of netblocks. I am passing on their
> > recommendation that any Linux users check recent security bulletins
> > and look both for vulnerabilities and for evidence of break-ins on
> > any networked Linux machines you may be running.
> >
> > The crackers binary-patched the kernel of the affected machines as
> > they were running so as to hide files and processes. Something was
> > wedged in there that managed to extract passwords from SSH
> > connections. Needless to say, all of us who have either logged into
> > or out of accounts on the known affected machines have been advised
> > to change our passwords at once.
> >
> > My friends were originally alerted to the problem when MIT informed
> > them that one of the affected machines was port-scanning. To quote an
> > excerpt from a followup technical discussion:
> >
> > "Forensics on [the affected machines] revealed files in
> > /usr/local/games that the KERNEL was hiding from us, trojaned
> > /bin/netstat, trojaned /sbin/init, file added in /etc/rc.d/rc3.d,
> > log cleaner in /dev/mig. Also, logins from user "news", who should
> > never be logging in. The primary giveaway in cases like this is a
> > gap in the logfiles in /var/log."
> >
> > Fwiw, it appears at this point that there was a lot of specific x86
> > stuff happening, so PPC linux hosts may not be vulnerable to whatever
> > took these machines out.
> >
> > Given the everyday high level of cluefulness and tech paranoia of
> > these friends of mine, and the affected machines' proximity to the
> > greater MIT-centric network, I thought that this event would be of
> > interest to folks receiving this email.
> > _______________________________________________
> > Discuss mailing list
> > Discuss at blu.org
> > http://www.blu.org/mailman/listinfo/discuss
> >
>
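A defender-side check for two of the indicators named in the forwarded notice (a gap in the /var/log files, and logins by the "news" account), added here as an example and not part of this thread. The syslog lines are constructed samples, and the two-hour silence threshold and the set of never-login service accounts are assumptions to tune per host.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of a 2004-style /var/log/messages (syslog format carries no year).
SAMPLE_LOG = """\
Jan 12 08:00:01 host CROND[1201]: (root) CMD (run-parts /etc/cron.hourly)
Jan 12 08:15:22 host sshd[1310]: Accepted password for alice from 10.0.0.5 port 4211 ssh2
Jan 12 09:00:01 host CROND[1402]: (root) CMD (run-parts /etc/cron.hourly)
Jan 12 13:30:45 host sshd[2001]: Accepted password for news from 192.0.2.44 port 3022 ssh2
Jan 12 14:00:01 host CROND[2100]: (root) CMD (run-parts /etc/cron.hourly)
"""

SYSLOG_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) \S+ (?P<msg>.*)$")
LOGIN_RE = re.compile(r"Accepted \S+ for (?P<user>\S+) from (?P<src>\S+)")
# Assumed list of service accounts that should never log in ("news" in the notice above).
NEVER_LOGIN = {"news", "daemon", "lp", "mail", "nobody"}


def parse_line(line, year=2004):
    """Split a syslog line into (timestamp, message); None for lines that do not parse."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, m.group("msg")


def scan(lines, max_gap=timedelta(hours=2)):
    """Flag silences longer than max_gap (hourly cron should keep the log busy, so a
    multi-hour hole suggests a log cleaner) and successful logins by service accounts."""
    gaps, logins, prev = [], [], None
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, msg = parsed
        if prev is not None and ts - prev > max_gap:
            gaps.append((prev, ts))
        prev = ts
        m = LOGIN_RE.search(msg)
        if m and m.group("user") in NEVER_LOGIN:
            logins.append((ts, m.group("user"), m.group("src")))
    return {"gaps": gaps, "service_logins": logins}


if __name__ == "__main__":
    for key, hits in scan(SAMPLE_LOG.splitlines()).items():
        for hit in hits:
            print(key, *hit)
```

Run it against a copy of /var/log/messages taken from a known-good backup as well as the live file: a trojaned kernel that hides files can also hide the log cleaner's work, so the comparison is the point, not the single scan.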