* milw0rm rootkit
From: Justin @ 2011-03-14 2:31 UTC (permalink / raw)
To: linux-kernel
My mother's computer was hacked with a program that seems to be
milw0rm. The hacker left the source file in C on her computer. I have
it and the IP address of the FTP server that he seemed to download it
from. Who can I give the file to to be sure that it gets patched? And
is there anything else I should do to help you guys make sure that
this doesn't happen again?
I am not on the list, so please CC me any responses, thanks
* Re: milw0rm rootkit
From: Steven Rostedt @ 2011-03-14 19:08 UTC (permalink / raw)
To: Justin; +Cc: linux-kernel
On Sun, Mar 13, 2011 at 07:31:43PM -0700, Justin wrote:
> My mother's computer was hacked with a program that seems to be
Your mom runs Linux? Which distro?
> milw0rm. The hacker left the source file in C on her computer. I have
> it and the IP address of the FTP server that he seemed to download it
> from. Who can I give the file to to be sure that it gets patched? And
> is there anything else I should do to help you guys make sure that
> this doesn't happen again?
This is the Linux kernel mailing list, which I'm pretty sure was not the
cause of the hack, and thus the wrong list. Please contact the people
from the distribution that you are using.
-- Steve
>
> I am not on the list, so please CC me any responses, thanks
* Re: milw0rm rootkit
From: Justin @ 2011-03-14 19:28 UTC (permalink / raw)
To: Steven Rostedt; +Cc: linux-kernel
Yes, she runs 2.6.34.8-68.fc13.i686.PAE
I know this is for the kernel... The C file seems to exploit a
vulnerability in the kernel, so I thought I should let the kernel
people know so they could patch it upstream. Right? I know the hacker
couldn't have gotten in if the security was stronger, but shouldn't the
kernel be secured against the rootkit?
On Mon, Mar 14, 2011 at 12:08 PM, Steven Rostedt <rostedt@goodmis.org> wrote:
> On Sun, Mar 13, 2011 at 07:31:43PM -0700, Justin wrote:
>> My mother's computer was hacked with a program that seems to be
>
> Your mom runs Linux? Which distro?
>
>> milw0rm. The hacker left the source file in C on her computer. I have
>> it and the IP address of the FTP server that he seemed to download it
>> from. Who can I give the file to to be sure that it gets patched? And
>> is there anything else I should do to help you guys make sure that
>> this doesn't happen again?
>
> This is the Linux kernel mailing list, which I'm pretty sure was not the
> cause of the hack, and thus the wrong list. Please contact the people
> from the distribution that you are using.
>
> -- Steve
>
>
>>
>> I am not on the list, so please CC me any responses, thanks
>
* Re: milw0rm rootkit
From: Valdis.Kletnieks @ 2011-03-14 19:57 UTC (permalink / raw)
To: Justin; +Cc: Steven Rostedt, linux-kernel
On Mon, 14 Mar 2011 12:28:11 PDT, Justin said:
> Yes, she runs 2.6.34.8-68.fc13.i686.PAE
Which is the most recently released Fedora 13 kernel, from Feb 24,
so not ancient...
> I know this is for the kernel... The C file seems to exploit a
> vulnerability in the kernel, so I thought I should let the kernel
> people know so they could patch it upstream.
Toss the .c file to 'security@kernel.org', that's what it's there for.
If you have enough kernel savvy to figure out what's getting abused,
cc: the subsystem maintainer. But if you don't, that's OK too,
somebody reading security@ will handle that if needed.
* Re: milw0rm rootkit
From: Alan Cox @ 2011-03-14 20:12 UTC (permalink / raw)
To: Justin; +Cc: Steven Rostedt, linux-kernel
On Mon, 14 Mar 2011 12:28:11 -0700
Justin <wellspring3@gmail.com> wrote:
> Yes, she runs 2.6.34.8-68.fc13.i686.PAE
>
> I know this is for the kernel... The C file seems to exploit a
> vulnerability in the kernel, so I thought I should let the kernel
> people know so they could patch it upstream. Right? I know the hacker
> couldn't have gotten in if the security was stronger, but shouldn't the
> kernel be secured against the rootkit?
Firstly 2.6.34 is an old kernel, and we've no idea what other patches and
the like are in the Fedora version. You should ask the Fedora people
about that. Secondly the answer is no - there are various bits of user
space that are privileged and bugs in those can lead to exploitation
without the kernel being involved, particularly if you are not using
security containment setups like SELinux.
You need to talk to the distro.
Alan
Thread overview: 5+ messages
2011-03-14 2:31 milw0rm rootkit Justin
2011-03-14 19:08 ` Steven Rostedt
2011-03-14 19:28 ` Justin
2011-03-14 19:57 ` Valdis.Kletnieks
2011-03-14 20:12 ` Alan Cox