SSHD rootkit in the wild

Discussion in 'all things UNIX' started by ComputerSaysNo, Feb 23, 2013.

Thread Status:
Not open for further replies.

  1. https://isc.sans.edu/diary/SSHD rootkit in the wild/15229

    Interesting.....
     
    Last edited by a moderator: Feb 23, 2013
  2. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,955
    Location:
    Somethingshire
  3. Hmm. I'm somewhat more interested in knowing how the attackers are gaining root access to compromised systems.
     
  4. java dude

    java dude Registered Member

    Joined:
    Aug 5, 2011
    Posts:
    76
    It's believed that the workstations used to access remote servers via SSH were infected with a keylogger (quite possibly with a malicious flash/java exploit), then used to back connect to the server and plant the rootkit. Nasty stuff.
     
  5. Nasty indeed. Time to tighten up my Noscript settings, I think.
     
  6. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,090
    Based on?
    Mrk
     
  7. NGRhodes

    NGRhodes Registered Member

    Joined:
    Jun 23, 2003
    Posts:
    2,381
    Location:
    West Yorkshire, UK
    According to the article linked by the OP (which has been updated) - The source appears to be a compromised support server at cpanel . Which then got credentials stored on support tickets so that cpanel support staff could login.

    Cheers, Nick
     
  8. tlu

    tlu Guest

    There's a very lengthy thread on WHT. It seems that it's not yet quite clear what's going on here (as I understand it after not reading through all 1362 posts there ;) ).
     
  9. Seems like CentOS is being hammered.
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.