[Unix-l] Redhat box compromised

Dave Calafrancesco dcalaf at vassar.edu
Tue Mar 9 07:15:54 EST 2004


Eric Myers said:
> David,
>
>   Thanks both for the heads-up and for the pointers to the root-kit.
> Do you know what actual vulnerability was used to get into the machine?

Not yet.

>   There was a kernel vulnerability announced just this weekend
> [http://isec.pl/vulnerabilities/isec-0014-mremap-unmap.txt] which
> affects every kernel up to 2.4.24 and 2.6.2, but I believe it requires
> local access to exploit it, so this was likely not the problem.

It's a local root escalation; you have to already have access to be able
to use the mremap to get to root.

>   I'm running 7.2 or 7.3 on several machines in physics, and I've been
> concerned that there won't be further security updates from RH and so
> I've been considering updating either to 9.x or to Fedora Core.

9.x is EOL end of this month IIRC. I'd suggest looking at Debian: start
from the new Sarge installer and you don't have to deal with the
install-the-old-potato-and-upgrade-to-sarge route. I usually have local
Debian ISO files online, but I have them down while migrating them to a
new system and haven't had time to put them back online with everything
else going on around here.

>> We also noticed that 35GB of data files were deleted.
>
> Ouch.  Another good reason to have backups...

Yup... but I have to analyze the backups for evidence that they weren't
tampered with before the rootkit was inserted.

-- 
David Calafrancesco
Vassar College SysAdmin
dcalaf at vassar edu
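One way to do the backup analysis mentioned above, as an added example that is not part of the original thread: compare each backup snapshot against a known-good manifest (from install media, the package database, or a pre-incident backup) by content hash rather than by timestamp, since rootkits commonly reset mtimes on the binaries they replace. The paths, file contents and dates below are constructed sample data, not anything from the compromised box.

```python
import hashlib

# Constructed sample data: a known-good set of files (e.g. from install media or a
# pre-incident backup) and the contents of a later backup snapshot under review.
# Each entry: path -> (file bytes, mtime as an ISO-8601 UTC string).
KNOWN_GOOD = {
    "/bin/ls":      (b"ls-binary-v1", "2003-11-02T10:00:00+00:00"),
    "/bin/ps":      (b"ps-binary-v1", "2003-11-02T10:00:00+00:00"),
    "/bin/netstat": (b"netstat-binary-v1", "2003-11-02T10:00:00+00:00"),
    "/etc/passwd":  (b"root:x:0:0:root:/root:/bin/bash\n", "2004-01-15T09:30:00+00:00"),
}
BACKUP_SNAPSHOT = {
    # identical content and mtime: clean
    "/bin/ls":      (b"ls-binary-v1", "2003-11-02T10:00:00+00:00"),
    # content changed but mtime preserved: a timestamp-only check would miss this
    "/bin/ps":      (b"ps-binary-TROJANED", "2003-11-02T10:00:00+00:00"),
    # /bin/netstat is absent from the backup
    # extra account appended, mtime changed
    "/etc/passwd":  (b"root:x:0:0:root:/root:/bin/bash\nhax:x:0:0::/:/bin/sh\n",
                     "2004-03-06T02:12:00+00:00"),
    # file that does not exist in the known-good set
    "/usr/bin/.sniff": (b"constructed-unknown-file", "2004-03-06T02:12:00+00:00"),
}

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def manifest(tree):
    """Reduce a tree to path -> (sha256, mtime) so comparison is by content hash."""
    return {p: (digest(b), m) for p, (b, m) in tree.items()}

def compare(known_good, snapshot):
    """Return modified files, the subset whose mtime was preserved, missing and added paths."""
    base, snap = manifest(known_good), manifest(snapshot)
    findings = {"modified": [], "mtime_preserved": [], "missing": [], "added": []}
    for path, (h, mtime) in base.items():
        if path not in snap:
            findings["missing"].append(path)
        elif snap[path][0] != h:
            findings["modified"].append(path)
            if snap[path][1] == mtime:          # content differs, timestamp does not
                findings["mtime_preserved"].append(path)
    findings["added"] = sorted(set(snap) - set(base))
    for key in ("modified", "mtime_preserved", "missing"):
        findings[key].sort()
    return findings

def backup_is_trustworthy(known_good, snapshot):
    """True only if the snapshot matches the known-good set exactly."""
    f = compare(known_good, snapshot)
    return not (f["modified"] or f["missing"] or f["added"])
```

A snapshot that fails this check is only trustworthy up to the last snapshot that passes it; the first failing snapshot brackets when the tampering happened.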
