[VoiceOps] Fwd: [Sheflug] Zero-day rootkit?
myaklin at g4.net
Thu Feb 21 18:01:24 EST 2013
Since it mentions control panels, wouldn't this more than likely
be a local root exploit that one can use once you have a sliver
of access via the control panel user interface?
I highly doubt the folks who can audit sshd to find a remote
root would send spam. By the time spammers get a hold of such
an exploit the guys who release such exploits already made
it publicly known. (After they had their fun of rooting
openbsd.org or what have you ;-) ).
Not bashing Linux here.. but there have to be dozens of people
around who make it a hobby to find local root exploits. I imagine
one decided to sell the exploit instead of emailing the full disclosure
mailing list to get many kudos and "street" cred.
On Thu, 21 Feb 2013, Gavin Henry wrote:
> Hi all,
> Anyone seeing this on any of your softswitches/SBCs/SIP Proxies that
> are built on Linux kernels?
> ---------- Forwarded message ----------
> From: Chris J <cej at nightwolf.org.uk>
> Date: 21 February 2013 19:25
> Subject: [Sheflug] Zero-day rootkit?
> To: sheflug at sheflug.org.uk
> Just a heads-up in case it's not been seen. The last couple of days I've
> seen blogs and forums light up with news of an active zero-day attack - the
> actual attack vector is currently not known, which makes this more worrying
> than most. Some folk are placing the blame on SSH, others on cPanel, but
> really, no-one currently knows.
> Typically it's been Redhat or CentOS machines affected, although I've seen
> (unconfirmed) anecdotes on forums that Debian has also been affected.
> You'll know to be suspicious if you have a file, libkeyutils.so.1.9, on
> your box, most likely under /lib (but could be elsewhere). The latest
> "good" version of this file is 1.3...
> It's also curious that most of the talk is on forums. I haven't seen
> anything from the distributions about this.
> Relevant links and more info:
> A google for libkeyutils.so.1.9 brings back other various forums, etc...
> Don't know if anyone's got more solid information on this?
> Chris Johnson :: cej at nightwolf.org.uk :: PGP 0xBC618B81
> :: http://cej.nightwolf.org.uk/
> Sheffield Linux User's Group
> FAQ at: http://www.sheflug.org.uk/mailfaq.html
> GNU - The Choice of a Complete Generation
> Kind Regards,
> Gavin Henry.
> Managing Director.
> T +44 (0) 1224 279484
> M +44 (0) 7930 323266
> F +44 (0) 1224 824887
> E ghenry at suretec.co.uk
> Open Source. Open Solutions(tm).
> Suretec Systems is a limited company registered in Scotland. Registered
> number: SC258005. Registered office: 24 Cormack Park, Rothienorman, Inverurie,
> Aberdeenshire, AB51 8GL.
> Subject to disclaimer at http://www.suretecgroup.com/disclaimer.html
> Do you know we have our own VoIP provider called SureVoIP? See
> Did you see our API? http://www.surevoip.co.uk/api
> VoiceOps mailing list
> VoiceOps at voiceops.org
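The forwarded message gives one concrete indicator: a file named libkeyutils.so.1.9, most likely under /lib, where 1.3 is the latest known-good version. The script below is an added example, not code from the thread or from any of its participants. It walks the library directories given on the command line, reports every libkeyutils.so.1.* whose version is not 1.3, and asks rpm or dpkg whether the file belongs to an installed package. The directory list in the usage line and the owned/unowned/unknown wording are this example's own assumptions; the file name and the 1.3 figure come from the message.

```shell
#!/bin/sh
# Added example (not from the thread): hunt for the libkeyutils indicator
# described in the forwarded message and check package ownership of each hit.

# Print every libkeyutils.so.1.* under the given directories whose version
# is not 1.3 (the version the thread reports as the latest good one).
# Usage: find_suspect_keyutils DIR...
find_suspect_keyutils() {
    for d in "$@"; do
        [ -d "$d" ] || continue
        find "$d" -xdev -name 'libkeyutils.so.1.*' 2>/dev/null
    done | while IFS= read -r f; do
        case "${f##*/}" in
            libkeyutils.so.1.3) ;;          # expected version, skip
            *) printf '%s\n' "$f" ;;        # anything else is worth a look
        esac
    done
}

# Ask the package manager whether it installed PATH.
# Prints "owned", "unowned" or "unknown" (no rpm/dpkg on this host).
# Assumption: a library the package manager does not know about is the
# most useful single signal a defender can act on here.
check_ownership() {
    f="$1"
    if command -v rpm >/dev/null 2>&1; then
        rpm -qf "$f" >/dev/null 2>&1 && echo owned || echo unowned
    elif command -v dpkg >/dev/null 2>&1; then
        dpkg -S "$f" >/dev/null 2>&1 && echo owned || echo unowned
    else
        echo unknown
    fi
}

# Print one report line per suspect file, with its package status and a
# SHA-256 (when sha256sum exists) so the finding can be shared with others.
scan() {
    find_suspect_keyutils "$@" | while IFS= read -r f; do
        if command -v sha256sum >/dev/null 2>&1; then
            h=$(sha256sum "$f" | cut -d' ' -f1)
        else
            h=-
        fi
        printf 'SUSPECT %s package=%s sha256=%s\n' "$f" "$(check_ownership "$f")" "$h"
    done
}

# Run the scan only when directories are supplied, so sourcing the file
# just defines the functions.
if [ "$#" -gt 0 ]; then
    scan "$@"
else
    echo "usage: $0 /lib /lib64 /usr/lib /usr/lib64" >&2
fi
```

Run it as `sh scan.sh /lib /lib64 /usr/lib /usr/lib64` (as root, so every directory is readable); an empty result means no libkeyutils file other than 1.3 was found in those trees, which is what the message says a clean box should look like. A hit that the package manager does not own deserves a closer look before anything is deleted, since the file is evidence.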