SSHD rootkit in the wild

Discussion in 'all things UNIX' started by ComputerSaysNo, Feb 23, 2013.

Thread Status:
Not open for further replies.
  1. ComputerSaysNo (Registered Member)

    https://isc.sans.edu/diary/SSHD rootkit in the wild/15229

    Interesting...

    Last edited by a moderator: Feb 23, 2013

  2. Cudni (Global Moderator)

    Hmm. I'm somewhat more interested in knowing how the attackers are gaining root access to compromised systems.

  3. java dude (Registered Member)

    It's believed that the workstations used to access remote servers via SSH were infected with a keylogger (quite possibly via a malicious Flash/Java exploit), then used to back-connect to the server and plant the rootkit. Nasty stuff.

  4. Nasty indeed. Time to tighten up my NoScript settings, I think.

  5. Mrkvonic (Linux Systems Expert)

    Based on?
    Mrk

  6. NGRhodes (Registered Member, West Yorkshire, UK)

    According to the article linked by the OP (which has been updated), the source appears to be a compromised support server at cPanel, which then exposed the credentials stored in support tickets so that cPanel support staff could log in.

    Cheers, Nick

  7. tlu (Guest)

    There's a very lengthy thread on WHT. It seems that it's not yet quite clear what's going on here (as I understand it, not having read through all 1362 posts there ;) ).

  8. ComputerSaysNo (Registered Member)

    Seems like CentOS is being hammered.