[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: New rootkit targetting Debian squeeze (amd64 only)

On 11/22/12 14:13 , Milan P. Stanic wrote:
> Nothing about infection vector, so it is non-issue, probably. Yes,
> root can be faked to install it from some third party module or even
> DKMS, but root shouldn't do such things without careful checking
> everything about third party modules.

The original post [1] on full-disclosure mentions running a web service and having customers (I assume a company with production servers).  I doubt they're that clueless if they were able to strace it back to the rootkit and find its hidden files.

More likely: a vulnerability in their web service (some form of execution of attacker-provided code), combined with a local privilege elevation exploit (the Linux kernel had quite many such bugs, some are probably yet undiscovered).  I find it interesting that the rootkit was written or customized specifically for squeeze.

I posted the link to allow people worried about being infected to know what files to look for, after booting from clean media.


[1] http://seclists.org/fulldisclosure/2012/Nov/94

Reply to: