
SANS ISC InfoSec Handlers Diary Blog

kernel.org Compromise

Published: 2011-08-31
Last Updated: 2011-09-01 05:22:22 UTC
by Johannes Ullrich (Version: 1)
kernel.org announced that it was compromised sometime earlier this month [1]. The compromise was discovered on Aug. 28th. At this point, the assumption is that the attacker obtained valid user credentials and then escalated privileges to become root. The exact nature of the privilege escalation is not known so far.

The attacker apparently managed to modify the OpenSSH client and server on the system, logging user interactions with the server.

It is very unlikely that the kernel source code was altered. According to the note on kernel.org, the kernel source is verified via SHA-1 cryptographic checksums, and no changes were detected. In git every object ID is the SHA-1 of that object's content, so a commit ID covers the entire tree beneath it. These hashes exist on other machines as well (every developer's clone and every mirror carries its own copy), so if an attacker modifies a hash on the server, the change would still be detected when the server's commit IDs are compared against those copies.
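To make that detection argument concrete, here is an added example (written for this diary edit, not code from the diary, from git or from kernel.org) that models git's content addressing in Python. Each object ID is the SHA-1 of the object's type, size and payload, a commit ID covers the whole tree beneath it, and an independent clone or mirror keeps its own copy of those IDs. The file names, contents, commit message and author identity are constructed for the example, and the tree is flat (no subdirectories) to keep it short.

```python
"""Toy model of git's SHA-1 content addressing (constructed example, not code from the
diary, kernel.org or git): in-place edits break object hashes; consistent rewrites change the tip."""
import hashlib
from typing import Dict, List, Tuple


def git_hash(obj_type: str, data: bytes) -> str:
    """Git object ID: SHA-1 over "<type> <size>\\0" + payload, exactly as `git hash-object` does."""
    return hashlib.sha1(f"{obj_type} {len(data)}\0".encode() + data).hexdigest()


def serialize_tree(entries: List[Tuple[str, str, str]]) -> bytes:
    """Tree payload: "<mode> <name>\\0<20 raw oid bytes>" per entry, sorted by name (flat tree)."""
    return b"".join(f"{m} {n}".encode() + b"\0" + bytes.fromhex(o)
                    for m, n, o in sorted(entries, key=lambda e: e[1]))


def parse_tree(data: bytes) -> List[Tuple[str, str, str]]:
    entries, pos = [], 0
    while pos < len(data):
        nul = data.index(b"\0", pos)
        mode, name = data[pos:nul].decode().split(" ", 1)
        entries.append((mode, name, data[nul + 1:nul + 21].hex()))
        pos = nul + 21
    return entries


class ObjectStore:
    """Minimal .git/objects: oid -> (type, payload).  Real git zlib-compresses these on disk."""

    def __init__(self) -> None:
        self.objects: Dict[str, Tuple[str, bytes]] = {}

    def put(self, obj_type: str, data: bytes) -> str:
        oid = git_hash(obj_type, data)
        self.objects[oid] = (obj_type, data)
        return oid

    def commit_tree(self, files: Dict[str, bytes], parent: str, message: str) -> str:
        """Store blobs, a tree and a commit; return the commit oid (the branch tip)."""
        blobs = [("100644", name, self.put("blob", body)) for name, body in files.items()]
        header = f"tree {self.put('tree', serialize_tree(blobs))}\n"
        header += f"parent {parent}\n" if parent else ""
        header += "author Dev <dev@example.org> 1314490800 +0000\n"     # constructed identity
        header += "committer Dev <dev@example.org> 1314490800 +0000\n"
        return self.put("commit", (header + "\n" + message + "\n").encode())

    def blob_of(self, commit: str, name: str) -> str:
        """Follow commit -> tree -> entry to find the oid of file `name`."""
        tree = self.objects[commit][1].decode().split("\n", 1)[0].split(" ")[1]
        return next(o for _, n, o in parse_tree(self.objects[tree][1]) if n == name)

    def fsck(self, commit: str) -> List[str]:
        """Re-hash every object reachable from `commit`; return oids whose stored payload
        no longer matches the name it is filed under (the check `git fsck` performs)."""
        bad, todo, seen = [], [commit], set()
        while todo:
            oid = todo.pop()
            if oid in seen:
                continue
            seen.add(oid)
            obj_type, data = self.objects[oid]
            if git_hash(obj_type, data) != oid:
                bad.append(oid)
            if obj_type == "commit":
                header = data.decode().split("\n\n", 1)[0].splitlines()
                todo += [l.split(" ", 1)[1] for l in header if l.startswith(("tree ", "parent "))]
            elif obj_type == "tree":
                todo += [o for _, _, o in parse_tree(data)]
        return bad


# Constructed stand-in for a kernel checkout; the real tree has thousands of files and subtrees.
SAMPLE_FILES = {"Makefile": b"VERSION = 3\nPATCHLEVEL = 1\n", "fork.c": b"/* constructed sample */\n"}


def build_scenario() -> Tuple[ObjectStore, ObjectStore, str]:
    """A server plus an independent mirror/clone holding identical objects and the same tip."""
    server = ObjectStore()
    tip = server.commit_tree(SAMPLE_FILES, "", "Linux 3.1-rc4")
    mirror = ObjectStore()
    mirror.objects = dict(server.objects)
    return server, mirror, tip


def tamper_in_place(store: ObjectStore, commit: str, name: str, evil: bytes) -> str:
    """Attacker overwrites a blob's payload but keeps its oid; returns that oid."""
    oid = store.blob_of(commit, name)
    store.objects[oid] = ("blob", evil)
    return oid


def tamper_rewrite(store: ObjectStore, name: str, evil: bytes, message: str) -> str:
    """Attacker regenerates blob, tree and commit consistently; returns the new tip."""
    files = dict(SAMPLE_FILES, **{name: evil})
    return store.commit_tree(files, "", message)


if __name__ == "__main__":
    server, mirror, tip = build_scenario()
    bad = tamper_in_place(server, tip, "fork.c", b"/* backdoor */\n")
    print("in-place edit caught by fsck:", server.fsck(tip) == [bad])
    new_tip = tamper_rewrite(server, "fork.c", b"/* backdoor */\n", "Linux 3.1-rc4")
    print("consistent rewrite passes fsck:", server.fsck(new_tip) == [])
    print("but tip no longer matches the mirror:", new_tip != tip)
```

Two failure modes are shown. An attacker who edits a stored object in place breaks the hash it is filed under, which a local `git fsck` reports. An attacker who regenerates blob, tree and commit consistently passes the local fsck, but the resulting tip commit ID matches nothing held by developers' clones or the mirrors, which is the "hashes exist on other machines" point. The check covers only what is stored as git objects; anything served from the host outside the repositories has to be verified separately.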

[An earlier version of this diary stated that the OpenSSH source was modified. This was a misinterpretation of the advisory. Thanks to Maarten for pointing this out.]

Johannes B. Ullrich, Ph.D.
SANS Technology Institute

Keywords: kernelorg linux