Author Topic: Linux-servers rooted and plundered via 0-day


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33900
  • malware fighter
Linux-servers rooted and plundered via 0-day
« on: February 19, 2013, 03:38:57 PM »
Read: https://access.redhat.com/security/cve/CVE-2013-0871 (RHSRT)
This 0-day hole probably was detected here: http://linux.die.net/man/2/ptrace
Some systems were protected against this 0-day via the use of a virtual file system: CageFS
http://docs.cloudlinux.com/index.html?cagefs.html  (Reddit discussions)
Weak PHP code attacks or Plesk vulnerabilities could also be the culprit of this security breach.
Cloud Linux seems most threatened now...

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

MAG

  • Guest
Re: Linux-servers rooted and plundered via 0-day
« Reply #1 on: February 19, 2013, 06:54:10 PM »
I've always assumed this is probably a 'golden age' of Linux freedom from malware that can't last forever. I make the most of it while it lasts though.

As the only person with access to my machine and BIOS password, I'm assuming I can be fairly relaxed about malware that has a local access vector and allows local users to gain privileges?

Offline Abraxas

  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 730
  • Perseverance Furthers...
    • PCLinuxOS-Forums
Re: Linux-servers rooted and plundered via 0-day
« Reply #2 on: February 22, 2013, 01:51:39 PM »
Quote
Linux-servers rooted and plundered via 0-day
Cloud Linux seems most threatened now...
Maybe a little dramatic? :)

I asked for opinions on your assessment of the status of Linux security, Polonus, from interpreting the info in the links you posted, and got some interesting feedback.

The last thing we want is to discourage people using Linux, so I really have to put forward a response, from the experts.

Sure, what you posted is true, but... "Linux-servers rooted and plundered via 0-day" may be overstepping, and misleading as to the general state of Linux now.

From the developer of a popular Linux Distro in response to asking for an opinion on this post:
Quote
A local exploit for the everyday home Linux user requires someone to be in front of your computer to execute. If someone is sitting in front of your computer they can simply boot into single user mode. The exploit isn't even required to get elevated privileges.

A remote exploit is a serious matter. A remote exploit would allow someone to get access to your computer without being in front of it and able to get root access. These types of exploits are few and far between.
Response from Advanced Linux user, who read your post:
Quote
About the php thingie... Php is php. Linux is Linux. If php is vulnerable then it's vulnerable on all operating systems it's being installed to - just like Java, Flash, Adobe Reader or Firefox for example. This is called cross-platform vulnerability and NOT Linux vulnerability.

Unless someone (developer of the application) did a boo boo while creating a Linux-specific package - this way only "Linux" is vulnerable, although here we need to stop and think about what Linux really is... Linux is a kernel.
Kernel that the apps use to share resources. Linux != apps. App vulnerability != Linux vulnerability.
Advice on Linux security, along the line of thought MAG put forward:
Quote
Bios password, booting from the first / local hdd, full drive encryption... those can slow down (or even stop) the machine from being locally exploited  ;).

If the person gains access to Your machine and cannot go past the cmos password or boot from other media than the first local HDD - they have to reset the bios password. This takes time and tools (especially on laptops). After that, even if they go past the bios password, they are being asked for the hdd encryption password and cannot boot to the OS without it (neither will they boot to the single user mode). Even if they can now boot into the LiveCD - they won't be able to see the HDD content without the passcode... This can be cracked given time. Sometimes a lot of time is needed. Sometimes the attacker gives in after hours and hours and hours of cracking...

There are as You said - few of them - the most recent I hear about is the ssh imitating backdoor which has hit the RHEL based distros (some cases on Debian as well)...

Regards.

So, as the Topic heading sounds very dramatic, in reality such exploits are rare, and Linux is alive and well, ready to respond quickly to any vulnerability.
 
Also, Btw... We don't have to wait for a fix till the second Tuesday of the month.

I've not given names of the responders, as I find it irrelevant, but will if asked.

Also, this is not an attack on you Polonus, I have respected you for about a decade now, just some clarification of this thread for others thinking of using Linux.

Another point I'd personally like to make. Linux is an academic pursuit, Microsoft Windows is a huge business.

Regards all,

Abraxas.

Offline Abraxas

  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 730
  • Perseverance Furthers...
    • PCLinuxOS-Forums
Re: Linux-servers rooted and plundered via 0-day
« Reply #3 on: February 23, 2013, 10:39:20 PM »
Some further information about Linux servers being penetrated, and some insights.

Backdoor imitating ssh - check Your systems for libkeyutils.so.1.9 file...

Quote
"...Many users have reported that on some servers they have noticed a suspicious file: libkeyutils.so.1.9
The only "symptom" so far is the fact that from those servers from time to time spam is being sent, but everything indicates that the attackers gained root on the machines and can start using them for any other purpose anytime..."
No one knows how the file gets on the server. Some say that right after the file was detected they have "burned the machines to the ground" and got fresh systems installed, just to find out that the file was there a few minutes later. This might suggest an attack from the administrator's machine. An infected administrator logs into the remote machine and unwillingly / unknowingly places the backdoor on the remote machine. Logs indicate that the attack is performed automatically.
How to check if You were 'rooted'?
Code:
ls -la /lib64/libkeyutils.so.1.9
rpm -qf /lib64/libkeyutils.so.1.9
ls -la /lib/libkeyutils.so.1.9
rpm -qf /lib/libkeyutils.so.1.9
Those files should not exist.

or:
Code:
su -c "updatedb" && locate libkeyutils.so.1.9
There should be no output:
Quote
[andrzejl@wishmacer ~]$ su -c "updatedb" && locate libkeyutils.so.1.9
Password:
[andrzejl@wishmacer ~]$

Backdoor analysis - is it a 0day attack?

One of the reddit users analyzed the file and found encoded IP in it:
Quote
$ ./audit libkeyutils.so.1.9 output
$ strings output |grep -Eo '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
78.47.139.110
IP points to domain: RUBOP.COM, which belongs to:
Quote
Administrative Contact:
Ibragimov, Sergey pmadison12 at gmail dot com
Polanskay 11
Moskow, Russia 11223
Additionally some users report that some of the backdoored systems during the SSH connection are sending packets to 72.156.139.154 on port 53/UDP (containing users data - plain-text login credentials...)

It was confirmed that problems exist in distros based on RHEL and with cPanel, DirectAdmin and Plesk. One of the vulnerabilities used by the backdoor is CVE-2012-5671, remote code execution in Exim.

Removing the libkeyutils.so.1.9 file from Your server is not really solving anything... The attacker somehow had to access the machine, so without knowing the point of entry and patching it You are still vulnerable. There is no confirmed info about which vulnerability the attackers are using, is it an old, known vulnerability or a 0day...
Source: http://niebezpiecznik.pl/post/backdoor-udajacy-biblioteke-ssh-sprawdzcie-swoje-systemy-pod-katem-libkeyutils-so-1-9/

This is kind of showing that Linux is vulnerable just like any OS, but that things are being done to observe, and ultimately fix, any vulnerability.
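The checks quoted above (look for the file in /lib64 and /lib, ask the package manager who owns it, and run the `strings`-plus-regex pass that turned up an embedded IP) can be combined into one defender-side script. The following is an added example, not code from the forum post, the niebezpiecznik.pl article or the unnamed `audit` tool the reddit user ran; `printable_strings` is a minimal stand-in for the `strings` utility, `package_owner` wraps the same `rpm -qf` call the post uses and returns None on systems without rpm, and `build_sample_tree` creates a constructed fixture (a fake library containing the placeholder address 192.0.2.10, not the address reported in the thread) so the script can be exercised offline.

```python
"""Check a host for the libkeyutils.so.1.9 file described in the thread
and extract dotted-quad literals from it the way the reddit analysis did.
Added example; not from the original post or its sources."""
import os
import re
import shutil
import subprocess
import tempfile

SUSPECT_NAME = "libkeyutils.so.1.9"
DEFAULT_DIRS = ("/lib64", "/lib")
# Same dotted-quad pattern the reddit user grepped out of `strings` output.
IPV4_RE = re.compile(rb"[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}")


def find_suspect_files(dirs=DEFAULT_DIRS, name=SUSPECT_NAME):
    """The `ls -la` step: return every path where the suspicious file exists."""
    found = []
    for d in dirs:
        path = os.path.join(d, name)
        if os.path.lexists(path):
            found.append(path)
    return found


def package_owner(path):
    """The `rpm -qf` step. None if rpm is not installed, "" if no package
    owns the file (the backdoor case), otherwise the owning package name."""
    if shutil.which("rpm") is None:
        return None
    proc = subprocess.run(["rpm", "-qf", path], capture_output=True, text=True)
    return proc.stdout.strip() if proc.returncode == 0 else ""


def printable_strings(data, min_len=4):
    """Minimal stand-in for the `strings` utility: runs of printable ASCII."""
    return [m.decode() for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def extract_ipv4(data):
    """Dotted quads in a byte blob, keeping only those whose octets are <= 255,
    deduplicated in order of first appearance."""
    ips = []
    for match in IPV4_RE.findall(data):
        text = match.decode()
        if all(int(octet) <= 255 for octet in text.split(".")) and text not in ips:
            ips.append(text)
    return ips


def audit(dirs=DEFAULT_DIRS):
    """Run all checks; the result is a dict keyed by each suspicious path found."""
    report = {}
    for path in find_suspect_files(dirs):
        with open(path, "rb") as fh:
            blob = fh.read()
        report[path] = {
            "owner": package_owner(path),
            "ips": extract_ipv4(blob),
            # printable strings that carry an address, for the analyst's notes
            "ip_strings": [s for s in printable_strings(blob) if extract_ipv4(s.encode())],
        }
    return report


def build_sample_tree():
    """CONSTRUCTED fixture: a temp dir with lib64/ and lib/, where lib64 holds a
    fake libkeyutils.so.1.9 containing the placeholder address 192.0.2.10 and a
    bogus 999.1.1.1 that the octet filter must reject."""
    root = tempfile.mkdtemp(prefix="libkeyutils-demo-")
    os.makedirs(os.path.join(root, "lib64"))
    os.makedirs(os.path.join(root, "lib"))
    with open(os.path.join(root, "lib64", SUSPECT_NAME), "wb") as fh:
        fh.write(b"\x7fELF\x00\x00garbage\x00192.0.2.10\x00more\x00999.1.1.1\x00")
    return root


if __name__ == "__main__":
    # On a real host run audit() with the defaults; here the constructed tree is used.
    root = build_sample_tree()
    for path, info in audit([os.path.join(root, "lib64"), os.path.join(root, "lib")]).items():
        print(path, info)
    shutil.rmtree(root)
```

An empty `audit()` result on a real host corresponds to the "no output" case in the post; a hit with `owner` equal to `""` means the file is present and no package claims it, which is the condition the article treats as a rooted system.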

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: Linux-servers rooted and plundered via 0-day
« Reply #4 on: February 24, 2013, 06:50:51 AM »
Some further information about Linux servers being penetrated, and some insights.

Latest on this suggests it's not a Linux 0-day: the rootkit is being installed after attackers install a keylogger on a Windows workstation via a vulnerability on that computer and gain access to the server with the stolen password.

http://www.webhostingtalk.com/showthread.php?t=1235797
Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33900
  • malware fighter
Re: Linux-servers rooted and plundered via 0-day
« Reply #6 on: February 24, 2013, 05:29:19 PM »
Hi Abraxas,

Thanks for your in-depth comments and setting the threat implications in a more realistic perspective. There is also a positive side to all this, that this issue could lead to further better protection. "Watch your input" has always been an important motto that cannot be stressed enough...
And I agree with you that the linux community always has been more vigilant where vulnerabilities are concerned and there was not much that could pass "under their security radar"...

polonus

Offline Abraxas

  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 730
  • Perseverance Furthers...
    • PCLinuxOS-Forums
Re: Linux-servers rooted and plundered via 0-day
« Reply #7 on: February 25, 2013, 04:28:15 PM »
No worries polonus, we are all fighting for better protection everyday.   ;)

Quote
Some further information about Linux servers being penetrated, and some insights.

Latest on this suggests it's not a Linux 0-day: the rootkit is being installed after attackers install a keylogger on a Windows workstation via a vulnerability on that computer and gain access to the server with the stolen password.

http://www.webhostingtalk.com/showthread.php?t=1235797
Heck, who would have guessed a Windows machine was the weak link in the chain of events to the back door of a Linux server, ...  :)

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 76037
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
Re: Linux-servers rooted and plundered via 0-day
« Reply #8 on: February 26, 2013, 07:20:03 AM »