
SECURITY: Rootkit Detected For Major Distros

supermike's picture
Joined: 2006-02-17



* Requires at least local shell access before one can be hacked with the rootkit.
* Operates through an exploit activated by user's crontab that causes a coredump and root connectivity. Not quite clear how that works, but you can see the C source on the link above if you click the Exploit tab.

Fix appears to be:

* Remove 'gcc' if you don't use it.
* Linux kernel versions prior to are vulnerable. Pressure your distro provider for a patch if they don't have one already.
* If someone's running an old version of Linux that may not have been tested, they should probably try the various versions of the exploit code and see if can be achieved on their systems. Lord help the person who still wants to run something like Red Hat 7 or something like that.


This was the exploit that was used to compromise the Debian source code servers in the news the other day. It was done by a malicious cracker who gained Debian developer credentials. However, it affects many popular Linux distros.


Thanks to my Brazilian coworker, I just found out this news.
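The post's three-point fix (drop the compiler, make sure the kernel is patched, and watch user crontabs) can be turned into a quick audit. The script below is an added example, not part of the thread or of any distro tooling: it checks for a C compiler on PATH, compares the running kernel against a minimum version (a placeholder here, since the post leaves the number out), and counts per-user crontab files in the usual spool directories (paths assumed; adjust for your distro).

```shell
#!/bin/sh
# Added example: audit a host against the advice in the thread above.
# FIXED_KERNEL is a PLACEHOLDER; set it to the patched version your distro names.
FIXED_KERNEL="${FIXED_KERNEL:-0.0.0}"

# version_lt A B : exit 0 if dotted version A sorts strictly before B.
# Non-numeric suffixes such as "-rc1-mm1" are ignored by awk's numeric coercion.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            ai = (i <= na) ? x[i] + 0 : 0
            bi = (i <= nb) ? y[i] + 0 : 0
            if (ai < bi) exit 0
            if (ai > bi) exit 1
        }
        exit 1
    }'
}

# compiler_present : exit 0 if a C compiler is reachable on PATH.
compiler_present() {
    for c in gcc cc tcc; do
        command -v "$c" >/dev/null 2>&1 && return 0
    done
    return 1
}

# running_kernel_older_than MIN : exit 0 if `uname -r` is older than MIN.
running_kernel_older_than() {
    version_lt "$(uname -r | sed 's/[^0-9.].*//')" "$1"
}

# user_crontab_count DIR : number of per-user crontab files in DIR (0 if absent).
user_crontab_count() {
    ls -1 "$1" 2>/dev/null | wc -l | tr -d ' '
}

audit() {
    if compiler_present; then
        echo "WARN: a C compiler is installed; remove it if this host does not need one"
    else
        echo "OK: no C compiler found on PATH"
    fi
    if running_kernel_older_than "$FIXED_KERNEL"; then
        echo "WARN: kernel $(uname -r) is older than $FIXED_KERNEL; apply the distro patch"
    else
        echo "OK: kernel $(uname -r) is not older than $FIXED_KERNEL"
    fi
    # Assumed spool locations; Debian-style and Red Hat-style respectively.
    for d in /var/spool/cron/crontabs /var/spool/cron; do
        n=$(user_crontab_count "$d")
        if [ "$n" -gt 0 ]; then
            echo "INFO: $n user crontab(s) in $d; review them for entries you did not create"
        fi
    done
}

if [ "${1:-}" = "--run" ]; then
    audit
fi
```

Run it as `sh audit.sh --run` with `FIXED_KERNEL` set to whatever version your distro's advisory names; the version compare only looks at the numeric dotted prefix, so a `-rc1-mm1` kernel like the one mentioned below is compared on its `2.6.18` part alone.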


dylunio's picture
Joined: 2005-12-20
Hmm, it's good to know about

Hmm, it's good to know about these things...

I'm doing some testing of Andrew Morton's patchset on release candidate kernels at the moment, so I should be fine (linux-2.6.18-rc1-mm1).

Thanks for the heads up supermike.


free-zombie's picture
Joined: 2006-03-08
this is the bug that was

This is the bug that was used to exploit, right?

supermike's picture
Joined: 2006-02-17

