Do they all have the same root password? I have heard that some people
think it may be a root password compromise.
What else is there that is unique to this box?
I also heard that the exploit may be installed in some of the site code:
the entry point is elsewhere, but once infected, it installs the exploit
in the source code for a site.
Gary B
Jeff Plewes wrote:
> Update,
>
> The problem box:
> - centos 5 base, updated via yum from default repository.
> - httpd 2.2.3-11.el5_1.centos.3 (2.2.8 backport?)
> - php 5.2.5 compiled from source
> - courier-authlib 0.60.2 compiled from source
> - courier-imap-4.3.0 compiled from source
> - exim 4.69 compiled from source
> - proftpd 1.3.1 compiled from source
>
> I have no control panel of any sort installed.
>
> The box was running RH9.. had the issue.. formatted and replaced with
> fresh install of centos 5... copied over customer vhosts..
>
> Gets hit again within days.
>
> ports open = 20,21,22,25,80,110,143,443 + pasv port range for ftp
>
> I have many other hosts in the datacenter with various configurations,
> but all would have had the same apache, php, ssh, ssl versions as this
> box before at RH9. None of them have been hit.. none of them, however,
> contain exim, courier, or proftpd.
>
> I'm starting to lean towards these packages as a possible entry-point
> for the trojan?
>
> And no, it's not ARP or DNS poisoning nor router or proxy problems.
>
> -Jeff
>
>
> On Jan 25, 2008 1:00 PM, Cedric Blancher <blancher (at) cartel-securite (dot) fr [email concealed]> wrote:
>
>> On ven, 2008-01-25 at 13:31 +0100, Ronald van der Westen wrote:
>>
>>> I don't think ARP cache poisoning is the problem here, unless client
>>> and server are in the same subnet.
>>>
>> Not necessarily.
>> Sitting on one of those subnets is quite sufficient. More generally, you
>> need to be somewhere on the path between your two targets to perform a
>> traffic redirection. As routers and firewalls can be poisoned as any
>> other node and as they act as gateways, they are all the more
>> interesting targets.
>>
>>
>> --
>> http://sid.rstack.org/
>> PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>>
>>>> Hi! I'm your friendly neighbourhood signature virus.
>>>> Copy me to your signature file and help me spread!
>>>>
>
>
>
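Gary's hypothesis above (re-infection after a rebuild because the trojan rides along in the copied vhost content) can be checked with a file-integrity baseline. The script below is an added example, not code from anyone in the thread; it assumes a per-vhost document root laid out like `customer1/public_html` and a workflow of snapshotting each docroot before it is copied to the rebuilt host, then re-snapshotting on a schedule.

```python
#!/usr/bin/env python3
"""Build and compare a SHA-256 manifest of a vhost document root.

Added example (not from the thread). Assumed workflow: snapshot each
customer vhost before copying it to the rebuilt host, then re-snapshot
daily; any file that appears or changes without a matching customer
deploy is a candidate for the injected site code Gary describes.
"""
import hashlib
import tempfile
from pathlib import Path


def build_manifest(docroot) -> dict:
    """Map each file path (relative to docroot) to its SHA-256 hex digest."""
    root = Path(docroot)
    manifest = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        manifest[str(path.relative_to(root))] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def diff_manifests(baseline: dict, current: dict) -> dict:
    """Return files added, removed or modified since the baseline was taken."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(f for f in baseline if f in current and baseline[f] != current[f]),
    }


def demo() -> dict:
    """Constructed sample: a tiny vhost, then an unexpected new file and a changed index."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp) / "customer1" / "public_html"
        (site / "inc").mkdir(parents=True)
        (site / "index.php").write_text("<?php echo 'hello'; ?>\n")
        (site / "inc" / "config.php").write_text("<?php $db = 'x'; ?>\n")
        baseline = build_manifest(site)          # taken before the copy to the new box
        # Constructed stand-in for what a later re-scan would reveal.
        (site / "index.php").write_text("<?php echo 'hello'; ?>\n<!-- unexpected change -->\n")
        (site / "inc" / "cache.php").write_text("<?php /* constructed: file not in baseline */ ?>\n")
        return diff_manifests(baseline, build_manifest(site))


if __name__ == "__main__":
    print(demo())
```

Run the baseline against the vhost tree on the old host and keep the manifest off-box; a diff that shows changes nobody deployed points at the site code rather than at one of the listed daemons.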