Discussion in 'all things UNIX' started by ComputerSaysNo, Feb 23, 2013.
https://isc.sans.edu/diary/SSHD rootkit in the wild/15229
and some thoughts on the subject
Hmm. I'm somewhat more interested in knowing how the attackers are gaining root access to compromised systems.
It's believed that the workstations used to access remote servers via SSH were infected with a keylogger (quite possibly with a malicious flash/java exploit), then used to back connect to the server and plant the rootkit. Nasty stuff.
Nasty indeed. Time to tighten up my Noscript settings, I think.
According to the article linked by the OP (which has been updated), the source appears to be a compromised support server at cPanel, which then got credentials stored on support tickets so that cPanel support staff could log in.
There's a very lengthy thread on WHT. It seems that it's not yet quite clear what's going on here (as I understand it after not reading through all 1362 posts there).
Seems like CentOS is being hammered.