[Gllug] [Fwd: SSH Security Advisory: Centos (and other distros)]
Karanbir Singh
mail-lists at karan.org
Wed Jul 8 10:10:23 UTC 2009
On 07/08/2009 08:32 AM, Andy Millar wrote:
> There are no real details (and no timings) relating to any of the
> claims. For all we know, the "0pen0wn" script could just brute force
> sshd and the owner of the exemplar system just having poor passwords?
Over the last couple of days, some very capable people have been looking
at what is being claimed and how it might be possible to achieve the
results that those scripts claim to have achieved.
There are a few things to keep in mind here - cPanel has been installed
on every 'supposedly hacked' machine. An old version of grsecurity has
been installed on every 'supposedly hacked' machine and there are signs
that a non-distro mysql was listening on :3306 with no firewall to wrap
around it.[1] - so there is a very high probability that the 'exploit'
is weak passwords and/or password compromise. We will all know for sure
in a few days. In the meantime, firewall off remote access to the
machine to only those destinations that need it. This is something that
most people should do anyway!
This isn't the official centos position on the issue, just what the
present thinking is. Unless there is a real exploit, there isn't much to
fix anyway.
- KB
[1]- keep in mind that there is *no* known exploit out there at the
moment, these details are only scraped together from the 'hacker logs'
and other public sources where this is being discussed.
--
Karanbir Singh : http://www.karan.org/ : 2522219 at icq
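The advice above to firewall off remote access applies to anything bound on all interfaces, such as the mysql instance on :3306 the post mentions. The following is an added Python example, not code from the original post or from CentOS: it parses a constructed `ss -lnt`-style listing and flags TCP listeners on a wildcard address whose port is not on an allowlist (the default allowlist of port 22 is an assumption).

```python
"""Audit a listening-socket listing for services exposed on all interfaces.

Added example, not part of the original mailing-list post. It reads text in
the shape of `ss -lnt` output and reports listeners bound to the wildcard
address (0.0.0.0, [::] or *) whose port is not on an allowlist of services
meant to be reachable remotely. Anything reported should be bound to
localhost or restricted by a host firewall.
"""

# Constructed sample in the layout of `ss -lnt`; not taken from a real host.
SAMPLE_SS_OUTPUT = """\
State      Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN     0      128    0.0.0.0:22          0.0.0.0:*
LISTEN     0      128    127.0.0.1:25        0.0.0.0:*
LISTEN     0      80     *:3306              *:*
LISTEN     0      128    [::]:22             [::]:*
LISTEN     0      128    0.0.0.0:2082        0.0.0.0:*
"""

# Address forms that mean "every interface" in ss output.
WILDCARDS = {"0.0.0.0", "*", "::", "[::]"}


def parse_listeners(text):
    """Return (address, port) tuples for every LISTEN line in the listing."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue  # header line or non-listening state
        # Local Address:Port is the 4th column; split on the last colon so
        # IPv6 literals such as [::]:22 keep their address intact.
        addr, _, port = fields[3].rpartition(":")
        if not port.isdigit():
            continue
        listeners.append((addr, int(port)))
    return listeners


def exposed_services(text, allowed_ports=frozenset({22})):
    """Sorted ports reachable on every interface that are not on the allowlist."""
    findings = {port for addr, port in parse_listeners(text)
                if addr in WILDCARDS and port not in allowed_ports}
    return sorted(findings)


if __name__ == "__main__":
    for port in exposed_services(SAMPLE_SS_OUTPUT):
        print(f"port {port} listens on all interfaces; bind it to localhost or firewall it")
```

On a live system, feed the function the real output of `ss -lnt` and adjust the allowlist to the services that genuinely need to be remotely reachable.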
--
Gllug mailing list - Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug