| VID |
24081 |
| Severity |
40 |
| Port |
23 |
| Protocol |
TCP |
| Class |
BackDoor |
| Detailed Description |
The account 'bash' has no password set. This account was probably created by a backdoor installed by a fake Red Hat Linux patch. Emails pretending to come from the Red Hat Security Team are circulating in the wild. These emails tell users to download and install malicious updates. These Trojaned updates contain malicious code designed to compromise the systems they are run on.
This rootkit does the following:
- Create the user "bash" without a password
- Grab the IP address and the uptime
- Start SSHd
- Mail this information to root@addlebrain.com

* References:
  http://www.securiteam.com/securitynews/6O00Q2ABFE.html
  http://www.k-otik.com/news/FakeRedhatPatchAnalysis.txt
* Platforms Affected: Red Hat Linux, any version |
| Recommendation |
Remove the account 'bash' and check your system. For details, see the links in the "References" section of this document. |
| Related URL |
(CVE) |
| Related URL |
(SecurityFocus) |
| Related URL |
(ISS) |
|
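One way to run the check this entry recommends, as an added example that is not part of the original advisory: it reports whether the 'bash' account exists and is passwordless, and counts mail-log lines that mention the address listed above. The function names are hypothetical, the file paths are parameters, and the sample passwd, shadow and mail-log lines are constructed.

```shell
#!/bin/sh
# Added example; function names are hypothetical, sample data is constructed.

# List accounts whose password field is empty.
# $1 = passwd-format file, $2 = shadow-format file
empty_password_accounts() {
    awk -F: '
        FILENAME == ARGV[1] { shadow[$1] = $2; have[$1] = 1; next }  # shadow pass
        $2 == "" { print $1; next }               # empty field in passwd itself
        $2 == "x" && have[$1] && shadow[$1] == "" { print $1 }
    ' "$2" "$1"
}

# State of the account this entry names: absent, present-with-password,
# or present-no-password.
backdoor_account_status() {
    if ! grep -q '^bash:' "$1"; then
        echo absent
    elif empty_password_accounts "$1" "$2" | grep -qx bash; then
        echo present-no-password
    else
        echo present-with-password
    fi
}

# Count mail-log lines that mention the address the entry says is mailed.
exfil_mail_hits() {
    grep -cF 'root@addlebrain.com' "$1" || true
}

# Demo on constructed files (not taken from a real host; uid/gid are assumed).
demo=$(mktemp -d)
cat > "$demo/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bash:x:500:500::/home/bash:/bin/bash
EOF
cat > "$demo/shadow" <<'EOF'
root:$1$constructed$notarealhash:12345:0:99999:7:::
bash::12345:0:99999:7:::
EOF
cat > "$demo/maillog" <<'EOF'
Jan  1 00:00:00 host sendmail[100]: constructed: to=<root@addlebrain.com>, stat=Sent
EOF
echo "account bash: $(backdoor_account_status "$demo/passwd" "$demo/shadow")"
echo "mail hits:    $(exfil_mail_hits "$demo/maillog")"
rm -rf "$demo"
```

On a live host the inputs are /etc/passwd and /etc/shadow (root is needed to read the latter); the mail log location depends on the distribution.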