[VoiceOps] Fwd: [Sheflug] Zero-day rootkit?

Matt Yaklin myaklin at g4.net
Thu Feb 21 18:01:24 EST 2013


Since it mentions control panels, wouldn't this more than likely
be a local root exploit that one can use once you have a sliver
of access via the control panel user interface?

I highly doubt the folks who can audit sshd to find a remote
root would send spam. By the time spammers get a hold of such
an exploit the guys who release such exploits already made
it publicly known. (After they had their fun of rooting
openbsd.org or what have you ;-) ).

Not bashing Linux here, but there have to be dozens of people
around who make it a hobby to find local root exploits. I imagine
one decided to sell the exploit instead of emailing the full-disclosure
mailing list to get many kudos and "street" cred.

m



On Thu, 21 Feb 2013, Gavin Henry wrote:

> Hi all,
>
> Anyone seeing this on any of your softswitches/SBCs/SIP Proxies that
> are built on Linux kernels?
>
> Thanks.
>
>
> ---------- Forwarded message ----------
> From: Chris J <cej at nightwolf.org.uk>
> Date: 21 February 2013 19:25
> Subject: [Sheflug] Zero-day rootkit?
> To: sheflug at sheflug.org.uk
>
>
>
> Just a heads-up in case it's not been seen. The last couple of days I've
> seen blogs and forums light up with news of an active zero-day attack - the
> actual attack vector is currently not known, which makes this more worrying
> than most. Some folk are placing the blame on SSH, others on cPanel, but
> really, no-one currently knows.
>
> Typically it's been Red Hat or CentOS machines affected, although I've seen
> (unconfirmed) anecdotes on forums that Debian has also been affected.
>
> You'll know to be suspicious if you have a file, libkeyutils.so.1.9, on
> your box, most likely under /lib (but could be elsewhere). The latest
> "good" version of this file is 1.3...
>
> It's also curious that most of the talk is on forums. I haven't seen
> anything from the distributions about this.
>
> Relevant links and more info:
> http://blog.solidshellsecurity.com/2013/02/18/0day-linuxcentos-sshd-spam-exploit-libkeyutils-so-1-9/
> http://blog.configserver.com/index.php?itemid=716
> http://www.webhostingtalk.com/showthread.php?t=1235797
>
> A google for libkeyutils.so.1.9 brings back other various forums, etc...
>
> Don't know if anyone's got more solid information on this?
>
> Cheers,
>
> Chris
>
>
> --
> Chris Johnson :: cej at nightwolf.org.uk :: PGP 0xBC618B81
>               :: http://cej.nightwolf.org.uk/
>
>
>
>
> -- 
> Kind Regards,
>
> Gavin Henry.
> Managing Director.
>
>
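The file check Chris describes above (look for libkeyutils.so.1.9 under /lib, and treat any libkeyutils library the package manager does not know about as suspect), written up as an added example that is not part of the original thread. It assumes rpm or dpkg is present for the ownership query; the sample directories and the dummy file it scans are constructed inline.

```shell
#!/bin/sh
# Added example, not code from the original thread. Scans library directories
# for the indicator described in the forwarded mail (a libkeyutils.so.1.9 file)
# and for any libkeyutils.so* file that the package manager does not own; the
# ownership check is the one that still holds once the filename stops being a
# useful tell. Assumes rpm or dpkg is installed; with neither, only the
# filename check runs.

# Pick the package-ownership query available on this host, if any.
if command -v rpm >/dev/null 2>&1; then pkg_query='rpm -qf'
elif command -v dpkg >/dev/null 2>&1; then pkg_query='dpkg -S'
else pkg_query=''
fi

# check_libkeyutils DIR...: prints one line per suspicious file and returns
# 1 when anything suspicious was found, 0 when the directories look clean.
check_libkeyutils() {
    status=0
    for dir in "$@"; do
        for f in "$dir"/libkeyutils.so*; do
            [ -e "$f" ] || continue            # glob matched nothing
            case "$f" in
                */libkeyutils.so.1.9)
                    echo "SUSPECT $f: name matches the reported indicator"
                    status=1 ;;
            esac
            # a library the package manager does not know about is the
            # stronger signal, whatever the file is called
            if [ -n "$pkg_query" ] && ! $pkg_query "$f" >/dev/null 2>&1; then
                echo "SUSPECT $f: not owned by any installed package"
                status=1
            fi
        done
    done
    return $status
}

# Constructed sample input: an empty directory standing in for a clean /lib,
# and one holding a dummy file named libkeyutils.so.1.9 (not a real library).
sample=$(mktemp -d)
mkdir "$sample/clean" "$sample/infected"
: > "$sample/infected/libkeyutils.so.1.9"
check_libkeyutils "$sample/clean" && echo "clean directory: nothing found"
check_libkeyutils "$sample/infected" || echo "infected directory: suspects found"
rm -rf "$sample"
# On a real host: check_libkeyutils /lib /lib64 /usr/lib /usr/lib64
```

A hit on the filename alone warrants confirming ownership with the package manager, since the name is only a point-in-time indicator while an unowned library under /lib is abnormal regardless of version.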

