Red Hat, Inc. is a company dedicated to free and open source software, and a major Linux distribution vendor. On August 22, 2008, Red Hat discovered that a website used for downloading updates had been compromised with rogue OpenSSH packages. These packages contain code that opens a backdoor on the infected system, allowing an intruder to gain superuser privileges. The compromise affects both Red Hat and Fedora Linux distributions.
The compromise resulted in the posting of a malicious update carrying a Red Hat signature, which was available on some of the download websites. Red Hat Enterprise Linux systems treated the update as official, likely installing it automatically without raising any warnings. Anyone who downloaded and installed a recent OpenSSH package on or before August 22, 2008 may be infected.
Red Hat reported that the problem was associated with download sites other than those of official Red Hat subscribers and that customers who keep their systems updated using Red Hat Network are not at risk.
Recommendations:
The following actions should be taken:
- Check your system to determine whether a rogue OpenSSH package was installed. Red Hat has provided a web page, http://www.redhat.com/security/data/openssh-blacklist.html, outlining a process for detecting a tampered software package.
- If a rogue OpenSSH package was installed, immediately isolate the system, wipe it clean, reinstall the operating system and applications, and apply the vendor update for OpenSSH.
- Review system and firewall logs to identify anomalous activity associated with the rogue OpenSSH software.
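The following is an added example of how an administrator might script the first check above; it is not Red Hat's own detection tool. It queries the installed openssh* RPMs with their GPG signature fields, flags unsigned packages, and flags packages whose fingerprint appears in a blacklist file. The blacklist format (one SHA-256 per line, computed over the tab-separated query line) and all sample package data are assumptions constructed for this example; adapt the fingerprint to the format Red Hat actually publishes on the page linked above.

```python
"""Audit installed openssh* RPMs against a blacklist (added example)."""
import hashlib
import re
import subprocess
import sys

# One package per line: NEVRA, RPMv3 signature, RPMv4 signature.
# The pgpsig fields read "(none)" when the package carries no signature.
RPM_QUERY = ["rpm", "-qa", "--qf",
             "%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\t%{SIGPGP:pgpsig}\t%{SIGGPG:pgpsig}\n",
             "openssh*"]
KEY_ID_RE = re.compile(r"Key ID ([0-9a-fA-F]{8,16})")


def package_fingerprint(line):
    """Assumed blacklist key: SHA-256 over the raw tab-separated query line."""
    return hashlib.sha256(line.strip().encode()).hexdigest()


def audit(rpm_output, blacklist):
    """Return (package, reason) pairs for packages that need attention."""
    findings = []
    for line in rpm_output.splitlines():
        if not line.strip():
            continue
        nevra, sigpgp, siggpg = line.split("\t")
        if package_fingerprint(line) in blacklist:
            findings.append((nevra, "matches blacklist"))
        elif not (KEY_ID_RE.search(sigpgp) or KEY_ID_RE.search(siggpg)):
            findings.append((nevra, "no GPG signature"))
    return findings


def load_blacklist(path):
    """Read one lowercase SHA-256 per line; '#' lines are comments."""
    with open(path) as fh:
        return {l.strip().lower() for l in fh if l.strip() and not l.startswith("#")}


# Constructed sample data (placeholder versions and key ID, not real packages).
SAMPLE_OUTPUT = (
    "openssh-1.0-1.sample.x86_64\tDSA/SHA1, Fri 22 Aug 2008 10:00:00 AM UTC, Key ID 0000000000000000\t(none)\n"
    "openssh-server-1.0-1.sample.x86_64\t(none)\t(none)\n"
    "openssh-clients-1.0-1.sample.x86_64\tDSA/SHA1, Fri 22 Aug 2008 10:00:00 AM UTC, Key ID 0000000000000000\t(none)\n"
)
SAMPLE_BLACKLIST = {package_fingerprint(SAMPLE_OUTPUT.splitlines()[0])}

if __name__ == "__main__":
    # Usage: audit_openssh.py /path/to/blacklist.txt (runs rpm on this host)
    out = subprocess.run(RPM_QUERY, capture_output=True, text=True, check=True).stdout
    for pkg, why in audit(out, load_blacklist(sys.argv[1])):
        print(f"SUSPECT {pkg}: {why}")
```

A blacklist hit or an unsigned openssh package is grounds for the isolation and rebuild step, not for cleaning in place.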
References:
Red Hat:
http://rhn.redhat.com/errata/RHSA-2008-0855.html
SecurityFocus:
http://www.securityfocus.com/bid/30794