Unread 2013-02-22, 00:13 #2
Dimme (Dimme is offline)
Diligent poster

Registered: Mar 2008
Posts: 397
This looks interesting.

Quote:
Originally posted by http://www.webhostingtalk.com/showpost.php?p=8567877&postcount=995
<nenolod> interesting
<nenolod> we found a rootkit on tortoiselabs office equipment
<nenolod> running windows 7
<nenolod> and our OVH creds were changed from that machine
<steven> oh noes the h4x
<nenolod> i wonder if it is related to SSHD thing
<steven> good question
<steven> get to work
<steven> :P
<nenolod> i have the binaries, i intend to look at them in a bit with idapro
<nenolod> btw
<nenolod> the rootkit
<nenolod> was sending keystrokes as DNS requests

<nenolod> to the same russian IP
<steven> which ip
<steven> what did you use to pickup the rootkit
<nenolod> the 78.x nameserver ip
<steven> gotcha
<nenolod> i used tcpdump while typing into the keyboard on the errant machine
<nenolod> i then disconnected it from the network :P
<nenolod> rabbit:/home/nenolod# apk audit --system
<nenolod> M /lib/libkeyutils.so.1 -> /lib/libkeyutils.so.1.9
<nenolod> ? /lib/libkeyutils.so.1.9
<nenolod> well, that's concerning
<nenolod> and, /tmp contains a copy of openssh source
<steven> even the great neno has been h4x
<nenolod> this is new
<nenolod> and it is a honeypot
<nenolod> it's supposed to be h4x
<nenolod> the concerning part is that they seem to build the rootkit on the machine
<nenolod> observation: why would sshd link against libkeyutils.so?
<nenolod> ran apk fix
<steven> kernel key management
<ramnet> nenolod, did you access your honeypot from the workstation that had the keylogger on it?
<nenolod> as a matter of fact, yes!
<ramnet> so, you've pretty much confirmed that's what the cause of the hack is then
<steven> nenolod would you be willing to pass me the windows rootkit?
<nenolod> steven, yeah as soon as i have a chance to get the machine network-accessible again
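The quoted log describes catching the keylogger by running tcpdump while typing and seeing each keystroke leave as a DNS request to one remote nameserver. The script below is an added example, not code from this post or from the IRC log it quotes: it parses a constructed tcpdump-style DNS query log, groups queries per (client, resolver) pair and flags flows made of many distinct, hex-looking names issued at typing cadence, which is the pattern that exchange points at. The addresses, the `example.invalid` domain, the "sequence byte + keystroke byte" hex label scheme used by the sample, and the thresholds are all assumptions for the demonstration.

```python
"""Flag DNS query flows that look like keystroke exfiltration.

Added example for illustration; not code from the forum post or the quoted
IRC log. The log lines, addresses, domain and encoding scheme are constructed.
"""
import re
from collections import defaultdict

# Constructed tcpdump-style DNS query lines (not captured traffic).
# Host 10.0.0.5 sends one query per keystroke to a remote resolver; the first
# label is <2 hex digits sequence><2 hex digits keystroke>. Host 10.0.0.7 is
# ordinary traffic to the local resolver.
SAMPLE_LOG = """\
00:13:01.000 IP 10.0.0.5.51000 > 192.0.2.53.53: 1+ A? 0070.k.example.invalid. (40)
00:13:01.250 IP 10.0.0.5.51001 > 192.0.2.53.53: 2+ A? 0161.k.example.invalid. (40)
00:13:01.500 IP 10.0.0.5.51002 > 192.0.2.53.53: 3+ A? 0273.k.example.invalid. (40)
00:13:01.750 IP 10.0.0.5.51003 > 192.0.2.53.53: 4+ A? 0373.k.example.invalid. (40)
00:13:02.000 IP 10.0.0.5.51004 > 192.0.2.53.53: 5+ A? 0477.k.example.invalid. (40)
00:13:02.250 IP 10.0.0.5.51005 > 192.0.2.53.53: 6+ A? 056f.k.example.invalid. (40)
00:13:02.500 IP 10.0.0.5.51006 > 192.0.2.53.53: 7+ A? 0672.k.example.invalid. (40)
00:13:02.750 IP 10.0.0.5.51007 > 192.0.2.53.53: 8+ A? 0764.k.example.invalid. (40)
00:13:01.100 IP 10.0.0.7.40000 > 10.0.0.1.53: 9+ A? www.example.invalid. (37)
00:13:03.100 IP 10.0.0.7.40001 > 10.0.0.1.53: 10+ A? mail.example.invalid. (38)
00:13:04.100 IP 10.0.0.7.40002 > 10.0.0.1.53: 11+ A? www.example.invalid. (37)
"""

# Matches the constructed line format: timestamp, client, resolver, A? qname.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>\d+(?:\.\d+){3})\.\d+ > "
    r"(?P<dst>\d+(?:\.\d+){3})\.53: \d+\+ A\? (?P<qname>\S+)\. \("
)
HEX_LABEL = re.compile(r"^[0-9a-f]{2,}$")


def _seconds(ts):
    """Convert HH:MM:SS.fff into seconds since midnight."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_queries(log_text):
    """Return a list of (seconds, client, resolver, qname) for parsable lines."""
    out = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            out.append((_seconds(m["ts"]), m["src"], m["dst"], m["qname"].lower()))
    return out


def score_flows(queries, min_queries=8, max_gap=1.0, unique_ratio=0.9, encoded_ratio=0.8):
    """Group queries per (client, resolver) and flag keystroke-like flows.

    A flow is flagged when it has at least min_queries queries, nearly all
    names are distinct, the median inter-query gap is at typing cadence
    (<= max_gap seconds) and most leftmost labels look hex-encoded.
    The thresholds are assumptions to tune per environment.
    """
    flows = defaultdict(list)
    for t, src, dst, qname in queries:
        flows[(src, dst)].append((t, qname))
    findings = {}
    for key, items in flows.items():
        items.sort()
        n = len(items)
        if n < min_queries:
            continue
        names = [q for _, q in items]
        uniq = len(set(names)) / n
        gaps = sorted(b[0] - a[0] for a, b in zip(items, items[1:]))
        median_gap = gaps[len(gaps) // 2]
        encoded = sum(1 for q in names if HEX_LABEL.match(q.split(".")[0])) / n
        if uniq >= unique_ratio and median_gap <= max_gap and encoded >= encoded_ratio:
            findings[key] = {"queries": n, "unique_ratio": uniq,
                             "median_gap": median_gap, "encoded_ratio": encoded}
    return findings


def decode_hex_labels(queries, src, dst):
    """Reconstruct what a flagged flow carried, for the incident write-up.

    Assumes the constructed scheme above (sequence byte + keystroke byte);
    a real sample needs its own decoder once the binary has been analysed.
    """
    items = sorted((t, q) for t, s, d, q in queries if s == src and d == dst)
    chars = []
    for _, q in items:
        label = q.split(".")[0]
        if len(label) == 4 and HEX_LABEL.match(label):
            chars.append(bytes.fromhex(label[2:]).decode("latin-1"))
    return "".join(chars)


if __name__ == "__main__":
    qs = parse_queries(SAMPLE_LOG)
    for (src, dst), info in score_flows(qs).items():
        print(f"{src} -> {dst}: {info}")
        print("  decoded:", repr(decode_hex_labels(qs, src, dst)))
```

Run against the constructed sample, only the 10.0.0.5 to 192.0.2.53 flow is flagged (eight distinct hex names 250 ms apart), while the three ordinary lookups from 10.0.0.7 are ignored. In practice the same grouping is worth running over resolver logs rather than a one-off tcpdump, since a per-keystroke flow to a single external nameserver stands out far more clearly over an hour than over a few seconds of typing.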