01-26-2009, 10:15 AM
Nigel Kendrick
I may have been rooted - but I may not!? FOLLOW UP

Just found ZK root kit.

Any ideas on infection vector?

Ho hum

From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Nigel Kendrick
Sent: Monday, January 26, 2009 11:01 AM
To: 'CentOS mailing list'
Subject: [CentOS] I may have been rooted - but I may not!?
Morning,

I am going to treat this as a rooted box and reinstall from scratch, but any thoughts appreciated:

This is a Trixbox Server based on Centos, running kernel 2.6.18-53.1.4.el5 SMP

The phone system stopped working but this was traced to a configuration error with a replacement switch (it did not get added to the vlan properly), which meant that Trixbox could not see any DNS servers and this b0rks TB.

Anyway, during debugging I went to reboot the server and got the following:

/dev/kmem missing

IDT table read failed

I have run rkhunter, which turns up nothing
I have forced a filesystem check - all clean
I have checked the logs and history file and cannot see anything
The server is behind a hardware firewall and the only ports open are those needed for RTP, IAX2 and SIP - there is no other public access and no user accounts.
Having fixed the vlan issue, Asterisk is running fine.

I re-created /dev/kmem, but it's missing at subsequent reboots.

I have Googled many references to the IDT table problem being associated with the SuckIT rootkit, but I can find no evidence that it's installed.

OK, bearing in mind that I will go ahead and reinstall the server (no biggie as I have Trixbox config backups and installing TB is not a big task), I just wanted to check whether there were any IDT table issues that may *NOT* be rootkit related and if there are any simple fixes I can try on the box while it's isolated on the bench?

In the other direction, has anyone seen this type of behaviour with any rootkit that is not detected by rkhunter and doesn't leave any obvious footprints? Anything to look for?

Happy Monday!

Thanks

Nigel
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
01-26-2009, 10:25 AM
Ralph Angenendt
I may have been rooted - but I may not!? FOLLOW UP

Nigel Kendrick wrote:
> Just found ZK root kit.
>
> Any ideas on infection vector?

> This is a Trixbox Server based on Centos, running kernel 2.6.18-53.1.4.el5
> SMP

Not really saying anything about the vector, but that kernel has a local
root exploit (google for 'vmsplice'). One of the reasons one should keep
his boxes updated ...

> I have checked the logs and history file and cannot see anything
> The server is behind a hardware firewall and the only ports open are those
> needed for RTP, IAX2 and SIP - there is no other public access and no user
> accounts.

Did you update asterisk as regularly as you updated the rest of the
system?

<http://www.derkeiler.com/Mailing-Lists/Securiteam/2008-03/msg00069.html>

And there is exploit code for this vulnerability. So I get in via this
and get root via vmsplice and then suddenly Bob's your uncle and the box
isn't yours anymore.

SIP and IAX2 exploits are from 2007, there has been an information
disclosure weakness in IAX2 too, which has been announced some days ago.
But that would "only" lead to knowledge about valid users on the system.

Ralph
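A check for the point Ralph makes about the unpatched kernel, as an added example that is not from the thread: it orders RHEL-style kernel version strings the way rpm does, reports whether the running kernel is the newest one installed (a box that was updated but never rebooted still runs the old kernel), and checks that /dev/kmem is the stock character device 1:2 rather than absent, as Nigel saw. The list of installed kernels is constructed; the device check inspects whatever host the script runs on.

```python
import os
import re
import stat
from functools import cmp_to_key

# Running kernel quoted in the thread; the installed list is CONSTRUCTED to stand in
# for `rpm -q kernel` output on a box that was updated but never rebooted.
RUNNING_KERNEL = "2.6.18-53.1.4.el5"
INSTALLED_KERNELS = ["2.6.18-8.el5", "2.6.18-53.1.4.el5", "2.6.18-53.1.13.el5"]

def rpmvercmp(a, b):
    """rpm-style compare: digit runs numerically, letter runs lexically, digits
    outrank letters, longer string wins a tie ('~'/'^' handling omitted)."""
    if a == b:
        return 0
    ta, tb = (re.findall(r"[0-9]+|[A-Za-z]+", s) for s in (a, b))
    for x, y in zip(ta, tb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1   # "53.1" is newer than "53.el5"
        elif x != y:
            return 1 if x > y else -1
    return (len(ta) > len(tb)) - (len(ta) < len(tb))

def compare_kernel(a, b):
    """Order 'version-release' kernel strings: version first, then release."""
    va, _, ra = a.partition("-")
    vb, _, rb = b.partition("-")
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

def newest_installed(kernels):
    return max(kernels, key=cmp_to_key(compare_kernel))

def running_is_newest(running, kernels):
    """False: a newer kernel is installed, but the old (exploitable) one still runs."""
    return compare_kernel(running, newest_installed(kernels)) >= 0

def kmem_status(path="/dev/kmem"):
    """The stock node is a character device, major 1 minor 2; anything else is odd."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return "missing"
    if not stat.S_ISCHR(st.st_mode):
        return "not a character device"
    if (os.major(st.st_rdev), os.minor(st.st_rdev)) != (1, 2):
        return "unexpected major:minor"
    return "present"
```

With the constructed list, `running_is_newest(RUNNING_KERNEL, INSTALLED_KERNELS)` is False: the kernel from the thread is older than the newest installed one.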
 
01-26-2009, 10:31 AM
Nigel Kendrick
I may have been rooted - but I may not!? FOLLOW UP

Ralph,

Thanks for the info. I expect this is Asterisk-related.

Nigel

 
