urgent notice on Linux security (fwd)

gboyce at badbelly.com
Mon Jan 12 16:15:07 EST 2004


The root kit behavior sounds a bit like the SucKIT root kit.  It directly 
patches /proc/kcore, so you do not need to have loadable module support 
enabled for it to be loaded into your kernel.

Of course, if it is SucKIT, that explains what was done, not how it was 
done.  

The only recent remote exploit I can think of is the rsync vulnerability 
which could gain root using the kernel brk vulnerability.  Otherwise it's 
either something very new (there goes my week), or something older that 
wasn't updated properly.

Info on the rsync vulnerability:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0962

On Mon, 12 Jan 2004, David Kramer wrote:

> 
> This was from another list I'm on.  I know nothing else about it.
> 
> --
> DDDD   David Kramer         david at thekramers.net       http://thekramers.net
> DK KD  
> DKK D  "What kind of supreme being would condone such irony?"
> DK KD                                                              Tremors 3
> DDDD   
> 
> ---------- Forwarded message ----------
> Date: Mon, 12 Jan 2004 11:49:53 -0500 (EST)
> To: david at thekramers.net
> Subject: urgent notice on Linux security
> 
> A heads-up to all the Linux users out there. In the last few days,
> at least a half dozen machines run by some very security conscious
> friends of mine have all been compromised. What is very unsettling
> is that these breakins occurred en masse.  My friends suspect that
> whatever this vulnerability is, it is easily detectable and
> exploitable through portscans of netblocks. I am passing on their
> recommendation that any Linux users check recent security bulletins
> and look both for vulnerabilities and for evidence of breakins on
> any networked Linux machines you may be running.
> 
> The crackers binary-patched the kernel of the affected machines as
> they were running so as to hide files and processes. Something was
> wedged in there that managed to extract passwords from SSH
> connections. Needless to say, all of us who have either logged into
> or out of accounts on the known affected machines have been advised
> to change our passwords at once.
> 
> My friends were originally alerted to the problem when MIT informed
> them that one of the affected machines was port-scanning. To quote an
> excerpt from a followup technical discussion:
> 
> "Forensics on [the affected machines] revealed files in
> /usr/local/games that the KERNEL was hiding from us, trojaned
> /bin/netstat, trojaned /sbin/init, file added in /etc/rc.d/rc3.d,
> log cleaner in /dev/mig.  Also, logins from user "news", who should
> never be logging in. The primary giveaway in cases like this is a
> gap in the logfiles in /var/log."
> 
> Fwiw, it appears at this point that there was a lot of specific x86
> stuff happening, so PPC linux hosts may not be vulnerable to whatever
> took these machines out.
> 
> Given the everyday high level of cluefulness and tech paranoia of
> these friends of mine, and the affected machines' proximity to the
> greater MIT-centric network, I thought that this event would be of
> interest to folks receiving this email.
> _______________________________________________
> Discuss mailing list
> Discuss at blu.org
> http://www.blu.org/mailman/listinfo/discuss
> 
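As an added example (not part of this thread or of anyone's post in it), a small Python checker for two of the indicators the quoted forensics excerpt names: a gap in the /var/log timestamps and an interactive login by a system account such as "news". The log lines below are constructed for the example, and the syslog timestamp format, the 2004 year and the list of accounts that should never log in are assumptions.

```python
import re
from datetime import datetime

# Constructed syslog-style lines (assumption: standard "Mon DD HH:MM:SS" stamps, year 2004).
# The hourly cron entries stop after 04:15 and resume at 12:15: that silence is the "gap".
SAMPLE_LOG = """\
Jan 10 02:15:01 host CRON[1201]: (root) CMD (run-parts /etc/cron.hourly)
Jan 10 03:15:01 host CRON[1302]: (root) CMD (run-parts /etc/cron.hourly)
Jan 10 04:15:01 host CRON[1403]: (root) CMD (run-parts /etc/cron.hourly)
Jan 10 11:40:12 host sshd[2210]: Accepted password for news from 10.0.0.7 port 4022 ssh2
Jan 10 12:15:01 host CRON[2300]: (root) CMD (run-parts /etc/cron.hourly)
"""

TS_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) ")
LOGIN_RE = re.compile(r"sshd\[\d+\]: Accepted \w+ for (\S+) from (\S+)")
# Assumed set of accounts that exist for daemons only and should never log in interactively.
SYSTEM_ACCOUNTS = {"news", "lp", "mail", "daemon", "bin", "games", "uucp", "nobody"}

def parse_ts(line, year=2004):
    """Parse the syslog timestamp at the start of a line; syslog omits the year, so it is supplied."""
    m = TS_RE.match(line)
    if not m:
        return None
    return datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")

def find_gaps(log_text, max_gap_hours=2.0, year=2004):
    """Return (start, end, hours) for each pair of consecutive entries further apart than max_gap_hours."""
    stamps = [t for t in (parse_ts(l, year) for l in log_text.splitlines()) if t]
    gaps = []
    for prev, cur in zip(stamps, stamps[1:]):
        hours = (cur - prev).total_seconds() / 3600
        if hours > max_gap_hours:
            gaps.append((prev, cur, hours))
    return gaps

def find_system_account_logins(log_text):
    """Return (user, source) for accepted SSH logins by accounts in SYSTEM_ACCOUNTS."""
    hits = []
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if m and m.group(1) in SYSTEM_ACCOUNTS:
            hits.append((m.group(1), m.group(2)))
    return hits

if __name__ == "__main__":
    for start, end, hours in find_gaps(SAMPLE_LOG):
        print(f"log gap of {hours:.1f}h between {start} and {end}")
    for user, src in find_system_account_logins(SAMPLE_LOG):
        print(f"system account {user!r} logged in from {src}")
```

On a real host the gap threshold should match whatever runs most often on that machine (here the hourly cron job), and the log has to be read from a copy taken off the box, since a log cleaner like the one the excerpt mentions can edit the live files.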