vicidial.org

[ctc_olsen]

Happy New Year guys! Sad to say I'm still working. Sighs*

We found a rootkit on or VICI

Using rkhunter:
Rootkit checks...
Rootkits checked : 321
Possible rootkits: 3
Rootkit names : SHV4 Rootkit, SHV5 Rootkit, Sniffer

We immediately wiped it out. I would like to ask if anyone here have any suggestions on what entries to add at iptables or which ports we need to block in order to prevent this from happening again.

I have browsed around but I couldn't really find an exact article on what I am looking for. Please help.

[Vince-0]

Root kits can be installed using a number of attack vectors. You should install and use the latest versions of Vicidial (astguiclient from SVN trunk) and the latest Vicidial ISO and keep those up to date because there could be SQL injection, cross-site scripting, PHP or Asterisk vulnerabilities that can lead to root permissions escalation. If your server is hosted on the Internet then you can do IP white-lists to limit access to each of these sub-systems.

Any services directly exposed to the Internet need constant updating and vulnerability checks. I hope you wiped out the entire OS installation after finding root-kits.

Vin.

[williamconley]

http://www.viciwiki.com/index.php/DGG