SECURITY: Rootkit Detected For Major Distros
!!!!!!!!!!!!!!! http://www.securityfocus.com/bid/18874/discuss !!!!!!!!!!!!!!!
* Requires at least local shell access before one can be hacked with the rootkit.
* Operates through an exploit activated by user's crontab that causes a coredump and root connectivity. Not quite clear how that works, but you can see the C source on the link above if you click the Exploit tab.
Fix appears to be:
* Remove 'gcc' if you don't use it.
* Linux kernel versions prior to 18.104.22.168 are vulnerable. Pressure your distro provider for a patch if they don't have one already.
* If someone's running an old version of Linux that may not have been tested, they should probably try the various versions of the exploit code and see if can be achieved on their systems. Lord help the person who still wants to run something like Red Hat 7 or something like that.
This was the exploit that was used to compromise the Debian source code servers in the news the other day. It was done by a malicious cracker who gained Debian developer credentials. However, it affects many popular Linux distros.
Thanks to my Brazilian coworker, I just found out this news.