On 11/22/12 11:33, Laurentiu Pancescu wrote:
> On 11/22/12 14:13 , Milan P. Stanic wrote:
>> Nothing about infection vector, so it is non-issue, probably. Yes,
>> root can be faked to install it from some third party module or even
>> DKMS, but root shouldn't do such things without careful checking
>> everything about third party modules.
>
> The original post [1] on full-disclosure mentions running a web service
> and having customers (I assume a company with production servers). I
> doubt they're that clueless if they were able to strace it back to the
> rootkit and find its hidden files.
>
> More likely: a vulnerability in their web service (some form of
> execution of attacker-provided code), combined with a local privilege
> elevation exploit (the Linux kernel had quite many such bugs, some are
> probably yet undiscovered). I find it interesting that the rootkit was
> written or customized specifically for squeeze.
>
> I posted the link to allow people worried about being infected to know
> what files to look for, after booting from clean media.
>

From what I gather on the crowdstrike site, detection of "just this module" could be as simple as...
    touch /sysctl.conf && ls | grep sysctl\\.conf

> Regards,
> Laurentiu
>
>
> [1] http://seclists.org/fulldisclosure/2012/Nov/94
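The one-liner above only checks whether ls prints the canary. A slightly more useful form of the same test, added here as an example and not part of the mail or of the CrowdStrike write-up, is to contrast two views of the same entry: stat(2) on the full path (which a readdir-hooking module typically leaves alone) against the directory listing (which goes through getdents and is what such modules filter). A file that stat sees but the listing omits is the classic symptom. The script assumes only that the module hides entries by name, as the "sysctl.conf" command implies; the canary names are parameters, not indicators from the page, and the temporary directory keeps the test away from / so nothing is left behind.

```shell
#!/bin/sh
# Added example (not from the original mail): canary-file check for a
# directory-entry-hiding kernel module. Assumption: the module filters
# readdir/getdents results by name; which names are filtered is a parameter.

# hidden_entry_check DIR NAME
#   Creates DIR/NAME, then compares:
#     - stat on the full path      (does not go through getdents)
#     - the directory listing      (ls reads it through getdents)
#   Returns 0 if the entry shows up in both (nothing hiding it),
#           1 if stat succeeds but the listing omits it (suspicious),
#           2 if the canary could not be created (setup problem).
hidden_entry_check() {
    dir=$1
    name=$2
    path="$dir/$name"

    : > "$path" || return 2
    # Path lookup works even when the entry is hidden from listings.
    [ -e "$path" ] || { rm -f "$path"; return 2; }

    # -a includes dotfiles, -1 gives one entry per line,
    # -x -F makes grep match the whole name literally.
    if ls -a1 "$dir" | grep -qxF -- "$name"; then
        rc=0
    else
        rc=1
    fi
    rm -f "$path"
    return "$rc"
}

# run_canaries NAME... : runs the check for each candidate name in a fresh
# temporary directory and prints one line per name. Returns 1 if any canary
# was hidden, 0 otherwise.
run_canaries() {
    tmp=$(mktemp -d) || return 2
    bad=0
    for n in "$@"; do
        hidden_entry_check "$tmp" "$n"
        case $? in
            0) echo "visible: $n" ;;
            1) echo "HIDDEN:  $n  (stat ok, missing from listing)"; bad=1 ;;
            *) echo "error:   $n  (could not create canary)" ;;
        esac
    done
    rmdir "$tmp"
    return "$bad"
}

# Sample invocation with names chosen for illustration only; the first is
# the one the mail's one-liner uses, the rest are arbitrary extra probes.
if [ "${0##*/}" != "sh" ] && [ "${0##*/}" != "bash" ]; then
    run_canaries sysctl.conf .sysctl.conf canary-$$ || echo "check failed"
fi
```

On a clean host every canary comes back "visible". A "HIDDEN" result for a name means user-space listings are being filtered and the box should be examined from clean boot media, as Laurentiu suggests, rather than trusted to report on itself; a module that also hooks stat or open would defeat this test, which is why it is only a quick first pass.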

