Re: New rootkit targeting Debian squeeze (amd64 only)
On 11/22/12 11:33, Laurentiu Pancescu wrote:
> On 11/22/12 14:13, Milan P. Stanic wrote:
>> Nothing about infection vector, so it is a non-issue, probably. Yes,
>> root can be faked to install it from some third party module or even
>> DKMS, but root shouldn't do such things without carefully checking
>> everything about third party modules.
> 
> The original post [1] on full-disclosure mentions running a web service
> and having customers (I assume a company with production servers).  I
> doubt they're that clueless if they were able to strace it back to the
> rootkit and find its hidden files.
> 
> More likely: a vulnerability in their web service (some form of
> execution of attacker-provided code), combined with a local privilege
> elevation exploit (the Linux kernel had quite a few such bugs, some are
> probably yet undiscovered).  I find it interesting that the rootkit was
> written or customized specifically for squeeze.
> 
> I posted the link to allow people worried about being infected to know
> what files to look for, after booting from clean media.
> 
From what I gather on the CrowdStrike site, detection of "just this
module" could be as simple as...
touch /sysctl.conf && ls / | grep 'sysctl\.conf'
> Regards,
> Laurentiu
> 
> 
> [1] http://seclists.org/fulldisclosure/2012/Nov/94
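A slightly more careful form of that canary-file check, written here as an added example (it is not from the post above, nor from CrowdStrike's write-up): it assumes the rootkit filters directory enumeration (what ls sees via readdir/getdents) but does not intercept a path-based stat() on the exact file name, and it takes the directory and file name as parameters so it can be tried in a scratch directory before touching /. The file name sysctl.conf is taken from the one-liner above; the function and variable names are my own.

```shell
#!/bin/sh
# Canary-file check for a directory-listing (readdir) hook.
# Added example, not code from the list post or from CrowdStrike.
# Assumption: the rootkit hides entries whose name matches a pattern
# (e.g. sysctl.conf) from directory enumeration, while stat() on the
# full path still succeeds.

# check_canary DIR NAME
#   Creates DIR/NAME and compares two views of it:
#     - path-based:  [ -e DIR/NAME ]   (stat on the exact path)
#     - enumeration: ls -a DIR          (readdir/getdents)
#   Return codes:
#     0  file exists but is missing from the listing (entry is hidden)
#     1  file exists and is listed (no hiding observed)
#     2  could not create or observe the file at all
#   The canary is removed again before returning.
check_canary() {
    dir=$1
    name=$2
    path="$dir/$name"

    if ! touch "$path" 2>/dev/null; then
        echo "cannot create $path (need write access to $dir)" >&2
        return 2
    fi

    # Path-based access: a readdir hook alone does not affect this.
    if [ ! -e "$path" ]; then
        echo "$path cannot be stat()ed right after creation" >&2
        rm -f "$path"
        return 2
    fi

    # Enumeration: exact, whole-line, fixed-string match on the listing.
    if ls -a "$dir" | grep -qxF -- "$name"; then
        echo "$name is listed in $dir: no hiding observed"
        rm -f "$path"
        return 1
    fi

    echo "$name exists but is NOT listed in $dir: listing is filtered"
    rm -f "$path"
    return 0
}

# Usage: run as root against the real location the rootkit watches, e.g.
#   check_canary / sysctl.conf
# A rc of 0 is the suspicious result; confirm from clean boot media,
# since anything the kernel reports on a compromised host is suspect.
```

Only the directory listing is compared here; an attacker who also hooks stat()/open() on the name would make the file look absent everywhere, which this check reports as rc 2 rather than as hidden, so treat rc 2 on a path you know is writable as worth a look too.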