Kernel.org Compromise
Kernel.org announced that it was compromised sometime earlier this month [1]. The compromise was discovered on Aug. 28th. At this point, the assumption is that the attacker obtained valid user credentials and then escalated privileges to become root. The exact nature of the privilege escalation is not known so far.
The attacker apparently managed to modify the OpenSSH client and server on the system, logging user interactions with the server.
It is very unlikely that kernel source code got altered. According to the note on kernel.org, the kernel source is verified via SHA-1 cryptographic checksums, and no changes were detected. These hashes exist on other machines as well, so if an attacker modified the hash on the kernel.org server, the change would still be detected when compared against the independently held copies.
[An earlier version of this diary stated that the OpenSSH source was modified. This was a misinterpretation of the advisory. Thanks to Maarten for pointing this out.]
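The cross-check described above is worth seeing in code. The following is an added example, not code from kernel.org or from this diary: it builds a checksum manifest from a constructed in-memory "source tree", simulates a server whose manifest has been altered to match a tampered file, and audits the server copy against a manifest held on an independent machine. The file names and contents are constructed, and SHA-1 is used only because that is what the note on kernel.org describes; the hash function is a parameter, so the same audit works unchanged with SHA-256.

```python
import hashlib
import hmac

# Constructed sample "source tree" (not real kernel files); names are illustrative only.
SOURCE_FILES = {
    "linux-3.0.tar.bz2": b"constructed tarball contents 3.0\n",
    "patch-3.0.4.bz2": b"constructed patch contents 3.0.4\n",
}

# Assumption: the manifest is in the usual "<hexdigest>  <filename>" line format.
def build_manifest(files, algo="sha1"):
    """Map each file name to its hex digest, as a trusted host would publish it."""
    return {name: hashlib.new(algo, data).hexdigest() for name, data in files.items()}

def render_manifest(manifest):
    """Serialize a manifest to the two-column text form."""
    return "".join(f"{digest}  {name}\n" for name, digest in sorted(manifest.items()))

def parse_manifest(text):
    """Parse the two-column text form back into a dict, rejecting malformed lines."""
    manifest = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"malformed manifest line: {line!r}")
        digest, name = parts
        manifest[name] = digest.lower()
    return manifest

def audit(server_manifest, independent_manifest, files, algo="sha1"):
    """
    Compare the manifest served by a possibly compromised host against a copy held
    elsewhere, then check the actual file bytes. Returns name -> status, where status is
    'ok', 'manifest-mismatch' (the two manifests disagree, the tell-tale of a host that
    rewrote its own hashes), 'file-mismatch' (manifests agree but bytes do not), or
    'missing' (entry absent from one side).
    """
    report = {}
    for name in sorted(set(server_manifest) | set(independent_manifest)):
        served = server_manifest.get(name)
        trusted = independent_manifest.get(name)
        if served is None or trusted is None:
            report[name] = "missing"
            continue
        if not hmac.compare_digest(served, trusted):
            report[name] = "manifest-mismatch"
            continue
        actual = hashlib.new(algo, files[name]).hexdigest()
        report[name] = "ok" if hmac.compare_digest(actual, trusted) else "file-mismatch"
    return report

def simulate_compromise():
    """Attacker alters one file on the server and re-hashes it so the local check passes."""
    independent = build_manifest(SOURCE_FILES)            # copy held on another machine
    tampered = dict(SOURCE_FILES)
    tampered["patch-3.0.4.bz2"] = b"constructed patch contents 3.0.4 plus extra bytes\n"
    served_text = render_manifest(build_manifest(tampered))  # server's rewritten manifest
    return audit(parse_manifest(served_text), independent, tampered)

if __name__ == "__main__":
    for name, status in simulate_compromise().items():
        print(f"{status:18} {name}")
```

A local `sha1sum -c` on the server would report success here, because the attacker rewrote both the file and its digest; only the comparison against the manifest held on a machine the attacker did not control surfaces the change.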
[1] http://kernel.org
------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Phishing e-mail to custom e-mail addresses
Geoff wrote in with an interesting phishing sample. The interesting part is less the content of the phish than the e-mail address it was sent to. The content is a standard "ACH Payment Canceled" phish; there are probably a dozen or so that my spam filter dutifully removes each day.
The interesting part: the particular e-mail was sent to an address Geoff only uses for one particular credit rating agency. The "user" part of the e-mail address is the credit rating agency's name.
I assume others here are doing similar tricks to cut down on spam, or at least to track where spam is coming from. Many times I see addresses like "user+sans@example.com" in our database. However, in Geoff's case, this would be "sans@example.com", and it is possible that spammers do use company names like that as part of their username dictionary.
Has anybody else seen companyname@example.com addresses used as "To:" addresses in spam? In particular if the company name is a financial institution?
------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Port 8909 Spike
One of our readers noticed a spike in activity recently with regard to port 8909, which can be seen at DShield. However, we do not have any idea what was causing this. Anyone have any packets or information with regard to this recent trend? Please take a look at your netflows or other packet captures and let's see if we can answer this question.
Update 1:
It appears that this one was perhaps easy to figure out. Per www.proxynova.com/proxy-server-list/port-8909/ and mrhinkydink.blogspot.com/2011/08/tcp-port-8909-proxies.html, there appear to be a number of proxy servers in China (and elsewhere) which may be using this port. One explanation for the spike may be related to individuals trying to find proxy servers which can be exploited.
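For readers who want to check their own netflow data for this kind of trend, the following added example (not part of this diary and not a DShield tool) shows one way to do it: it buckets flow records by day and destination port, compares the most recent day against the median of the preceding days, and reports ports whose volume jumped, together with how many distinct sources were involved. The flow records are constructed, in an assumed "date src dst dport proto" one-line-per-flow format; real exports (nfdump, Argus, router NetFlow) will need their own field mapping, and the 8909 spike in the sample data is synthetic.

```python
from collections import Counter, defaultdict
from datetime import date, timedelta
from statistics import median

def make_sample_flows():
    """Constructed sample: 8 days of traffic to one host, with a port-8909 surge on the last day."""
    lines = []
    base = date(2011, 8, 22)
    for offset in range(8):
        day = (base + timedelta(days=offset)).isoformat()
        for i in range(40):   # steady web traffic every day (20 flows each to 80 and 443)
            lines.append(f"{day} 192.0.2.{i % 10 + 1} 203.0.113.10 {443 if i % 2 else 80} TCP")
        for i in range(2):    # a little background noise on 8909 every day
            lines.append(f"{day} 198.51.100.{i + 1} 203.0.113.10 8909 TCP")
    last = (base + timedelta(days=7)).isoformat()
    for i in range(60):       # the spike: many distinct sources hitting 8909 on the last day
        lines.append(f"{last} 198.51.100.{i % 50 + 1} 203.0.113.10 8909 TCP")
    lines.append("garbage line that should be skipped")
    return lines

def parse_flow(line):
    """Return (day, src, dst, dport, proto) or None for a line that does not fit the format."""
    parts = line.split()
    if len(parts) != 5 or not parts[3].isdigit():
        return None
    day, src, dst, dport, proto = parts
    return day, src, dst, int(dport), proto

def find_spikes(lines, min_ratio=5.0, min_count=20):
    """
    Compare the latest day's per-port flow counts with the median of earlier days.
    A port is reported when today's count is at least min_count and at least
    min_ratio times its baseline (a port never seen before gets a baseline of 1).
    """
    counts = defaultdict(Counter)                # day -> Counter(dport -> flows)
    sources = defaultdict(lambda: defaultdict(Counter))  # day -> dport -> Counter(src)
    for line in lines:
        rec = parse_flow(line)
        if rec is None:
            continue
        day, src, _dst, dport, _proto = rec
        counts[day][dport] += 1
        sources[day][dport][src] += 1
    days = sorted(counts)
    if len(days) < 2:
        return {}
    today, history = days[-1], days[:-1]
    spikes = {}
    for dport, today_count in counts[today].items():
        if today_count < min_count:
            continue
        baseline = median(counts[d].get(dport, 0) for d in history)
        ratio = today_count / max(baseline, 1)
        if ratio >= min_ratio:
            srcs = sources[today][dport]
            spikes[dport] = {
                "today": today_count,
                "baseline_median": baseline,
                "ratio": round(ratio, 1),
                "distinct_sources": len(srcs),
                "top_sources": srcs.most_common(3),
            }
    return spikes

if __name__ == "__main__":
    for dport, info in sorted(find_spikes(make_sample_flows()).items()):
        print(f"port {dport}: {info['today']} flows today vs median {info['baseline_median']} "
              f"(x{info['ratio']}), {info['distinct_sources']} distinct sources, "
              f"top {info['top_sources']}")
```

The distinct-source count is the useful discriminator: a jump driven by one or two addresses is usually a misconfigured client or a single scanner, while a jump spread across many sources, as in the sample, looks like the broad scanning this diary entry is asking about.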
Scott Fendley, ISC Handler