Last Friday a security vulnerability affecting 64-bit Linux operating systems was identified (see: http://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-3081 and http://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-3301).
This vulnerability is potentially very harmful because it allows a malicious attacker to take over a web server, obtain full root access and leave a backdoor behind.
The problem is all the more serious because this vulnerability appears to have been exploited much more rapidly than usual. Once a vulnerability is disclosed, it usually takes some time before attackers try to exploit it.
This time the flaw is easily exploitable, and the first reports were published by various web hosts barely 48 hours after the flaw was disclosed. Fortunately the problem can be countered by promptly updating the system's kernel.
Debian and Ubuntu have released fixes, but those from CentOS and Red Hat are still awaited (see update below).
The company Ksplice has also published a tool that checks whether the vulnerability has been exploited on a server and detects whether a backdoor is resident in memory. The tool is available here: http://www.ksplice.com/uptrack/cve-2010-3081
If you suspect that your server has been affected, note that the attacker may also have installed several other kinds of backdoors on the server. You can always run the ‘chkrootkit’ command to check for known, detectable backdoors and rootkits.
It is also important that all applications running on a server are updated regularly, as attackers particularly target websites running outdated applications (for instance Joomla or WordPress) and use flaws in them to bypass normal security measures.
As for iWeb, we have encountered the problem on one of our shared hosting servers, but we are in control of the situation. We have implemented several measures that allow us to protect our shared hosting environments and we closely monitor our customers’ dedicated servers until final security fixes are available.
UPDATE: New kernels from Red Hat and CentOS that address the vulnerability (CVE-2010-3081) have now been released. They are available here:
Official Red Hat release: kernel-2.6.18-194.11.4.el5.rpm (see https://rhn.redhat.com/errata/RHSA-2010-0704.html)
Note that CentOS has posted a patched kernel in its testing repository without waiting for Red Hat. The final official CentOS fix is expected soon.
It can be installed this way (the repository file has to be saved into /etc/yum.repos.d/ so that the second command can find the c5-testing repository):
wget http://dev.centos.org/centos/5/CentOS-Testing.repo -O /etc/yum.repos.d/CentOS-Testing.repo
yum --enablerepo=c5-testing update kernel\*
The latest official CentOS kernel is now available: http://bugs.centos.org/view.php?id=4518
To update, run the command:
yum update kernel*
and restart your server with the command
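Updating the kernel package is only half of the fix: until the server has been rebooted, the old, vulnerable kernel is still the one running. As an added example (not from the original post or from iWeb), the POSIX shell check below compares the running kernel release reported by uname -r against the fixed Red Hat/CentOS 5 release named above; it assumes RHEL/CentOS 5 style release strings (2.6.18-194.11.4.el5, optionally with a suffix such as xen, PAE or .x86_64), and the file name check_kernel.sh is only a placeholder.

```shell
#!/bin/sh
# Added example, not part of the original post: verify that the kernel a
# CentOS/RHEL 5 server is actually running is at least the fixed release
# kernel-2.6.18-194.11.4.el5 named in the post. Updating the package is
# not enough; until the server is rebooted, uname -r still reports the
# old, vulnerable kernel, so the check is made on the running release.
# Assumption: release strings look like 2.6.18-194.11.4.el5, optionally
# followed by a suffix such as xen, PAE or .x86_64, as on RHEL/CentOS 5.

FIXED_KERNEL="2.6.18-194.11.4.el5"

# kernel_at_least HAVE WANT
# Exit 0 if release HAVE is the same as or newer than WANT, 1 otherwise.
# Both strings are cut at ".elN" and compared field by field as integers,
# so 2.6.18-194.el5 (4 fields) ranks below 2.6.18-194.11.4.el5 (6 fields).
kernel_at_least() {
    awk -v have="$1" -v want="$2" '
    function fields(s, arr) {
        sub(/\.el[0-9]+.*$/, "", s)     # drop .el5, .el5xen, .el6.x86_64 ...
        return split(s, arr, "[.-]")    # split on "." and "-"
    }
    BEGIN {
        nh = fields(have, h); nw = fields(want, w)
        n = (nh > nw) ? nh : nw
        for (i = 1; i <= n; i++) {
            a = (i in h) ? h[i] + 0 : 0  # a missing trailing field counts as 0
            b = (i in w) ? w[i] + 0 : 0
            if (a > b) exit 0
            if (a < b) exit 1
        }
        exit 0                           # every field equal
    }'
}

# check_running_kernel [RELEASE]
# Report whether RELEASE (default: the running kernel from uname -r) is
# at or above the fixed release. Returns 0 when fixed, 1 when vulnerable.
check_running_kernel() {
    running="${1:-$(uname -r)}"
    if kernel_at_least "$running" "$FIXED_KERNEL"; then
        echo "OK: running kernel $running is at or above $FIXED_KERNEL"
        return 0
    fi
    echo "VULNERABLE: running kernel $running is older than $FIXED_KERNEL"
    echo "Update the kernel package and reboot so the new kernel is loaded."
    return 1
}

# Run the live check only when invoked as: sh check_kernel.sh --check
if [ "${1:-}" = "--check" ]; then
    check_running_kernel
fi
```

Because the comparison is made on the running release rather than on the installed RPM, a server that was updated but never rebooted is still reported as vulnerable.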