Re: New rootkit targetting Debian squeeze (amd64 only)
On 11/22/12 11:33, Laurentiu Pancescu wrote:
> On 11/22/12 14:13 , Milan P. Stanic wrote:
>> Nothing about infection vector, so it is non-issue, probably. Yes,
>> root can be faked to install it from some third party module or even
>> DKMS, but root shouldn't do such things without careful checking
>> everything about third party modules.
> The original post  on full-disclosure mentions running a web service
> and having customers (I assume a company with production servers). I
> doubt they're that clueless if they were able to strace it back to the
> rootkit and find its hidden files.
> More likely: a vulnerability in their web service (some form of
> execution of attacker-provided code), combined with a local privilege
> elevation exploit (the Linux kernel had quite many such bugs, some are
> probably yet undiscovered). I find it interesting that the rootkit was
> written or customized specifically for squeeze.
> I posted the link to allow people worried about being infected to know
> what files to look for, after booting from clean media.
>From what I gather on the crowdstrike site detection of "just this
module" could be as simple as...
touch /sysctl.conf && ls | grep sysctl\\.conf
>  http://seclists.org/fulldisclosure/2012/Nov/94