View Issue Details

IDProjectCategoryView StatusLast Update
0015651CentOS-7rtkitpublic2018-12-29 22:36
Reporterdavid.oliva 
PrioritynormalSeveritymajorReproducibilityhave not tried
Status newResolutionopen 
Product Version 
Target VersionFixed in Version 
Summary0015651: Indicators of a CentOS rootkit in the wild
DescriptionHello CentOS community.

I am an avid CentOS believer and have been very happy thus far (proactively for about 2-1/2 years).

I have two systems (one a laptop and one a desktop). The laptop was
running CentOS 7.6 and had the rkhunter rootkit rpm installed and running. The
desktop had an older version CentOS 7.3 and no rootkit detector installed.

Yesterday at around 6:00 PM I ran a "yum update" as root and I saw the
following:

1. The rkhunter detected and reported a new user added to the passwd file
(integrity and confidentiality violation). Unfortunately, detection was not
enough to keep the my system safe.

2. At this point I get no prompt (root#, or regular user user$) in CLI, and my
GUI is inoperable. No services are available. I only get a useless gui display, my screen flickers without control.

As it has been less than 24 hours since this event, I figured to let the
community know.

I have tried booting to older kernels unsuccessfully.


At this point it looks as a total loss of two systems ( I am taking this as a challenge).
Steps To ReproduceI tried to boot from several of the old kernels and all of them are equally affected. If I were able to provide some kind of memory dump I would include it here, but not even that can I do.
Additional InformationIf one needs to do a yum update, first would be to try on a virtual machine, then on a host, disconnected from everything.
TagsNo tags attached.
abrt_hash
URL

Activities

TrevorH

TrevorH

2018-12-29 22:24

manager   ~0033473

Since all CentOS packages are GPG signed it is extremely unlikely that any possible compromise of your systems has come from merely running `yum update` with just CentOS repos enabled. Because packages are GPG signed it is impossible for them to have been altered since they were signed without corrupting that signature. To the best of my knowledge there are only about 3 people who have access to the GPG signing key and the passphrase required to use it. There have been no other reports of problems like this. I've just done a yum update on several systems, got no unexpected updates, all went through and reboots are fine.

You'll need to do some digging to find out the real cause of your current problems before anyone can look further. Check what other repos you have configured and whether those repos GPG sign their packages. Check /var/log/yum.log to see what else was updated around the same time.

Yes, yum update may add new users to the system depending on what packages were selected to be installed/updated. In this situation, if something is monitoring /etc/passwd it would legitimately alert about a new user having been added. Since you don't currently know what user that was, you'll need to check that to find out.

What it sounds more like is a video problem. Did you attempt to switch to a different VT using e.g Ctrl-Alt-F2 and get a cli prompt there and login that way? What video card do you use?

To investigate further it sounds like you will need to boot from the install media and use the Rescue target that's off the initial Troubleshooting menu. That will mount your installed system under /mnt/sysimage and you can poke around and see its current state.
david.oliva

david.oliva

2018-12-29 22:36

reporter   ~0033474

I re-installed the system from scratch. Downloaded the most current 7.6 ISO (CentOS-7-x86_64-DVD-1810.iso), created a bootable thumbdrive and loaded it with the ISO. Re-created my system by going thru the whole installation process. I was able to log in as root, but the system is still unstable. The opening gui comes on, then it flickers a few times, then screen goes dark.

Issue History

Date Modified Username Field Change
2018-12-29 18:10 david.oliva New Issue
2018-12-29 22:24 TrevorH Note Added: 0033473
2018-12-29 22:36 david.oliva Note Added: 0033474