Security Advisory-Redhat OpenSSH blacklist script
by J. Miller on Aug.23, 2008, under Linux, Security
In a rare security breach, and bad news from Red Hat, there has been a possible compromise of repository files used for updates. If you have no idea what Linux or Red Hat is, you probably haven’t heard about this. If you’re an IT administrator and haven’t heard about it, you had better catch up quickly. If you work in IT security and haven’t already done something about it, get a new job. Read more here: http://www.securityfocus.com/news/11532
As noted @ http://www.redhat.com/security/data/openssh-blacklist.html
“Last week Red Hat detected an intrusion on certain of its computer systems and took immediate action. While the investigation into the intrusion is on-going, our initial focus was to review and test the distribution channel we use with our customers, Red Hat Network (RHN) and its associated security measures. Based on these efforts, we remain highly confident that our systems and processes prevented the intrusion from compromising RHN or the content distributed via RHN and accordingly believe that customers who keep their systems updated using Red Hat Network are not at risk. We are issuing this alert primarily for those who may obtain Red Hat binary packages via channels other than those of official Red Hat subscribers.”
Red Hat has provided a shell script which lists the affected packages and can verify that none of them are installed on a system:
root@server [~]# wget https://www.redhat.com/security/data/openssh-blacklist-1.0.sh
The script has a detached GPG signature from the Red Hat Security Response Team (key) so you can verify its integrity:
root@server [~]# wget https://www.redhat.com/security/data/openssh-blacklist-1.0.sh.asc
This script can be executed either as a non-root user or as root. To execute the script after downloading it and saving it to your system, run the command:
root@server [~]# bash ./openssh-blacklist-1.0.sh
If the script output includes any lines beginning with “ALERT” then a tampered package has been installed on the system. Otherwise, if no tampered packages were found, the script should produce only a single line of output beginning with the word “PASS”, as shown below:
root@server [~]# bash ./openssh-blacklist-1.0.sh
PASS: no suspect packages were found on this system
The script can also check a set of packages by passing it a list of source or binary RPM filenames. In this mode, a “PASS” or “ALERT” line will be printed for each filename passed; for example:
root@server [~]# bash ./openssh-blacklist-1.0.sh openssh-4.3p2-16.el5.i386.rpm
PASS: signature of package “openssh-4.3p2-16.el5.i386.rpm” not on blacklist
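To make the PASS/ALERT convention concrete, here is an added example of a minimal blacklist checker written in the same spirit. It is not Red Hat’s openssh-blacklist-1.0.sh and does not reproduce its internals: the blacklist entries and package records below are constructed placeholders, the rpm query-format line in the comments is only one illustration of where real records would come from, and verify_script assumes the Red Hat Security Response Team key has already been imported into your GPG keyring. What it demonstrates is the workflow the advisory describes: verify the detached signature before running anything, report one PASS or ALERT line per package, treat an unsigned package as an ALERT, and fail the overall run if any ALERT was raised.

```shell
#!/bin/sh
# Added example, not the Red Hat script: a minimal package-blacklist checker.
# A blacklist file holds one known-bad package signature per line; each
# package record is reported as PASS or ALERT, as in the advisory output.
# All signature values here are constructed placeholders.

# verify_script SCRIPT -> succeed only if SCRIPT.asc is a valid detached
# signature from a key already in the keyring; refuse to run it otherwise.
verify_script() {
    gpg --verify "$1.asc" "$1" || { echo "ALERT: signature check failed for $1"; return 1; }
    bash "./$1"
}

# is_blacklisted SIG BLACKLIST_FILE -> 0 if SIG is listed, 1 otherwise.
is_blacklisted() {
    grep -qxF -- "$1" "$2"
}

# check_records BLACKLIST_FILE < "package<TAB>signature" lines
# Prints one PASS/ALERT line per record; returns 1 if any ALERT was raised,
# 0 if every record passed. A record with no signature is an ALERT too:
# an unsigned package cannot be vouched for.
check_records() {
    blacklist=$1
    status=0
    while IFS="$(printf '\t')" read -r pkg sig; do
        [ -n "$pkg" ] || continue
        if [ -z "$sig" ]; then
            echo "ALERT: package \"$pkg\" is unsigned"
            status=1
        elif is_blacklisted "$sig" "$blacklist"; then
            echo "ALERT: signature of package \"$pkg\" is on blacklist"
            status=1
        else
            echo "PASS: signature of package \"$pkg\" not on blacklist"
        fi
    done
    return $status
}

# summarise OUTPUT_TEXT -> "ALERT" if any line begins with ALERT, else "PASS"
# (the reading rule the advisory gives for the script's output).
summarise() {
    if printf '%s\n' "$1" | grep -q '^ALERT'; then echo ALERT; else echo PASS; fi
}

# Constructed demo data. On a real system the records could come from, e.g.
#   rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\t%{SIGPGP:pgpsig}\n'
# (an assumption for illustration; not how the Red Hat script is known to work).
demo_blacklist() {
    printf 'BAD-SIG-0001\nBAD-SIG-0002\n'
}
demo_records() {
    printf 'openssh-4.3p2-16.el5.i386\tGOOD-SIG-1111\n'
    printf 'openssh-server-4.3p2-16.el5.i386\tBAD-SIG-0002\n'
    printf 'openssh-clients-4.3p2-16.el5.i386\t\n'
}

# run_demo -> prints the report; returns 1 because the demo data contains ALERTs.
run_demo() {
    bl=$(mktemp)
    demo_blacklist > "$bl"
    if demo_records | check_records "$bl"; then rc=0; else rc=1; fi
    rm -f "$bl"
    return $rc
}
```

Running `run_demo` prints one PASS line and two ALERT lines (one blacklisted signature, one unsigned package) and exits non-zero, which is the behaviour you want if the check is wired into a cron job or a configuration-management run: a tampered or unsigned package should fail loudly rather than be buried in output.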
April 13th, 2009 on 4:24 pm
Nice post. Thanks for sharing these tips.
Twitter: z3usy
April 21st, 2009 on 11:07 pm
No problem at all… very soon I’ll be starting to post more frequent notices and updates.