
SECURITY: Rootkit Detected For Major Distros

supermike (joined 2006-02-17):

http://www.securityfocus.com/bid/18874/discuss


* Requires at least local shell access before one can be hacked with the rootkit.
* Operates through an exploit, activated by a user's crontab, that causes a coredump and root connectivity. It's not quite clear how that works, but you can see the C source at the link above if you click the Exploit tab.

Fix appears to be:

* Remove 'gcc' if you don't use it.
* Linux kernel versions prior to 2.6.17.4 are vulnerable. Pressure your distro provider for a patch if they don't have one already.
* If someone's running an old version of Linux that may not have been tested, they should probably try the various versions of the exploit code and see if it can be achieved on their systems. Lord help the person who still wants to run something like Red Hat 7.


This was the exploit that was used to compromise the Debian source code servers in the news the other day. It was done by a malicious cracker who gained Debian developer credentials. However, it affects many popular Linux distros.


Thanks to my Brazilian coworker, I just found out this news.
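The post gives two things an admin can check on a box: whether the running kernel is older than 2.6.17.4, and whether gcc is installed. The script below is an added example, not code from the thread or from the SecurityFocus advisory. It compares a kernel release string against the 2.6.17.4 threshold field by field (so "2.6.18-rc1-mm1" and "2.6.9-34.EL" are handled) and reports whether a compiler is present. The one assumption to keep in mind: a bare version compare cannot see vendor backports, so a "vulnerable" verdict on a distro kernel means "confirm with your vendor's advisory", not proof of exposure.

```shell
#!/bin/sh
# Added example (not from the thread): check a kernel release string against
# the 2.6.17.4 threshold stated in the post, and report whether gcc is present.
# Assumption: only the upstream version number is compared. Distro kernels that
# carry a backported fix under an older version string will still be reported
# as "vulnerable", so treat that result as "verify with your vendor".

FIXED_VERSION="2.6.17.4"

# Print the leading dotted-numeric part of a release string:
#   "2.6.17.3-mm1"    -> "2.6.17.3"
#   "2.6.18-rc1-mm1"  -> "2.6.18"
#   "2.6.9-34.EL"     -> "2.6.9"
numeric_prefix() {
    printf '%s\n' "$1" | sed 's/^\([0-9][0-9.]*\).*/\1/; s/\.$//'
}

# version_lt A B: return 0 (true) if A < B, comparing one numeric field at a
# time; missing trailing fields count as 0, so "2.6.17" < "2.6.17.4".
# POSIX sh has no 'local', so the scratch variables are plain globals.
version_lt() {
    vl_a="$(numeric_prefix "$1")"
    vl_b="$(numeric_prefix "$2")"
    while [ -n "$vl_a" ] || [ -n "$vl_b" ]; do
        vl_ah="${vl_a%%.*}"; vl_bh="${vl_b%%.*}"
        if [ "$vl_a" = "$vl_ah" ]; then vl_a=""; else vl_a="${vl_a#*.}"; fi
        if [ "$vl_b" = "$vl_bh" ]; then vl_b=""; else vl_b="${vl_b#*.}"; fi
        vl_ah="${vl_ah:-0}"; vl_bh="${vl_bh:-0}"
        if [ "$vl_ah" -lt "$vl_bh" ]; then return 0; fi
        if [ "$vl_ah" -gt "$vl_bh" ]; then return 1; fi
    done
    return 1
}

# kernel_vulnerable RELEASE: print "vulnerable" or "patched"; exit status 0
# means the version is below the fixed release.
kernel_vulnerable() {
    if version_lt "$1" "$FIXED_VERSION"; then
        echo "vulnerable"; return 0
    fi
    echo "patched"; return 1
}

# gcc_present: the post's first mitigation is to remove gcc if unused.
gcc_present() {
    command -v gcc >/dev/null 2>&1
}

main() {
    rel="$(uname -r)"
    printf 'kernel %s: %s (threshold %s)\n' "$rel" "$(kernel_vulnerable "$rel")" "$FIXED_VERSION"
    if gcc_present; then
        echo "gcc is installed: remove it if this host does not need a compiler"
    else
        echo "gcc not found"
    fi
}

main
```

Run it as root or as any user; nothing it does needs privileges. The check is deliberately conservative in one direction only: anything below 2.6.17.4 is flagged, and it is up to the admin to confirm against the vendor's changelog whether a backport is already in place.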


dylunio (joined 2005-12-20):

Hmm, it's good to know about these things...

I'm doing some testing of Andrew Morton's patchset on release candidate kernels at the moment, so I should be fine (linux-2.6.18-rc1-mm1).

Thanks for the heads up supermike.

dylunio

free-zombie (joined 2006-03-08):

This is the bug that was used to exploit gluck.debian.org, right?

supermike (joined 2006-02-17):

Yep.
