This only seems to affect Red Hat based systems. I think that somehow the attacker has been able to alter some RPM package(s) on some mirror(s). These packages later got installed on servers as updates infecting those systems.
I think this is also the reason I wasn't aware of this thing yet; it is a distro-specific security flaw.

On Fri, Mar 22, 2013 at 12:29 PM, Pavol Cupka <[email protected]> wrote:
> this is from the infected server
>
> root@server1 [/var/log]# stat /lib/libkeyutils.so.1.9
> File: `/lib/libkeyutils.so.1.9'
> Size: 26904 Blocks: 56 IO Block: 4096 regular file
> Device: 6ah/106d Inode: 357728408 Links: 1
> Access: (0755/-rwxr-xr-x) Uid: ( 0/ root) Gid: ( 0/ root)
> Access: 2013-02-18 07:28:21.000000000 -0500
> Modify: 2007-01-06 02:57:38.000000000 -0500
> Change: 2013-02-18 07:28:06.000000000 -0500
>
> the file libkeyutils.so* are part of the sys-apps/keyutils package the file
> is slightly smaller
>
> stat /lib/libkeyutils.so.1.4
> File: ‘/lib/libkeyutils.so.1.4’
> Size: 9560 Blocks: 24 IO Block: 4096 regular file
> Device: 801h/2049d Inode: 33101 Links: 1
> Access: (0755/-rwxr-xr-x) Uid: ( 0/ root) Gid: ( 0/ root)
> Access: 2013-03-22 12:19:56.674851171 +0100
> Modify: 2012-12-02 23:16:09.000000000 +0100
> Change: 2013-02-19 02:01:18.301392129 +0100
> Birth: -
>
> you can also check the files using the
>
> equery k keyutils
>
> command, or using Sabayon's built-in check in equo (I don't know the name
> of it as I don't use Sabayon anymore)
>
> On Fri, Mar 22, 2013 at 12:23 PM, Andre Jaenisch
> <[email protected]> wrote:
>>
>> 2013/3/22 Joost Ruis <[email protected]>:
>> > I checked my system here ( amd64 ) and it seems we are not affected by
>> > this.
>> >
>> > On this page you can find some tests you can perform.
>> > http://docs.cpanel.net/twiki/bin/view/AllDocumentation/CompSystem
>>
>> Can you attend it to http://bugs.sabayon.org/show_bug.cgi?id=4108 ?
>> The thread is broken somehow ...
