On 11/22/12 14:13 , Milan P. Stanic wrote:
> Nothing about infection vector, so it is non-issue, probably. Yes,
> root can be faked to install it from some third party module or even
> DKMS, but root shouldn't do such things without carefully checking
> everything about third party modules.

The original post [1] on full-disclosure mentions running a web service and having customers (I assume a company with production servers). I doubt they're that clueless if they were able to strace it back to the rootkit and find its hidden files.

More likely: a vulnerability in their web service (some form of execution of attacker-provided code), combined with a local privilege elevation exploit (the Linux kernel had quite many such bugs, some are probably yet undiscovered).

I find it interesting that the rootkit was written or customized specifically for squeeze.

I posted the link to allow people worried about being infected to know what files to look for, after booting from clean media.

Regards,
Laurentiu

[1] http://seclists.org/fulldisclosure/2012/Nov/94