[Gluster-infra] Slave23 compromised

Michael Scherer mscherer at redhat.com
Mon Mar 9 16:36:18 UTC 2015


On Monday 09 March 2015 at 16:30 +0000, Justin Clift wrote:
> On 6 Mar 2015, at 17:58, Michael Scherer <mscherer at redhat.com> wrote:
> > On Friday 06 March 2015 at 16:24 +0100, Michael Scherer wrote:
> >> On Friday 06 March 2015 at 10:18 -0500, John Mark Walker wrote:
> >>> Huh. What was running on the VM?
> >> 
> >> Just jenkins, salt-minion, nginx and the usual stuff.
> >> 
> >> The attack likely occurred around 9h42 UTC, since that's when the kernel
> >> log starts to complain about a segfault.
> >> 
> >> And the way the attacker entered:
> >> 
> >> Mar  6 09:42:03 slave23 sshd[20045]: reverse mapping checking
> >> getaddrinfo for 115.114.191.205.static-mumbai.vsnl.net.in
> >> [115.114.191.205] failed - POSSIBLE BREAK-IN ATTEMPT!
> >> Mar  6 09:42:03 slave23 sshd[20045]: Accepted password for root from
> >> 115.114.191.205 port 52378 ssh2
> >> 
> >> Case closed. 
> >> I am gonna switch root to be ssh keys only.
> > 
> > Ok so today is not my day, as I managed to also break sshd on everything
> > but RHEL 7 while trying to secure everything.
> > 
> > Hopefully, I was able to fix it, but if you see Jenkins job failures
> > between 18h40 and 18h55 UTC, that's me.
> > 
> > I suspect it to be a bug somewhere in salt, since it doesn't
> > change the file correctly on RHEL 6 while it works with RHEL 7.
> 
> Interesting.  The guys I spoke with a while ago at FOSDEM um... a year
> ago were running Salt in their Production, and their feeling of it
> (then) is that it's very buggy.

I would not call it "very buggy". So far, that's the first bug I found
and I am not exactly sure if I didn't do something stupid. 
The doc is quite awful so I usually understand less after reading it, so
maybe that's why. 

-- 
Michael Scherer
Open Source and Standards, Sysadmin
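
The sshd entries quoted in this thread ("Accepted password for root", preceded by a reverse-mapping failure from the same sshd process) can be searched for across other hosts' auth logs. The following is an added example, not part of the original message: the function names, the sample log and its addresses are constructed for illustration, and it also rejoins entries that were wrapped when pasted into mail.

```python
import re
from collections import Counter

# Constructed sample in the syslog format quoted above (host, PIDs and RFC 5737
# addresses are made up); two entries are wrapped the way mail clients wrap logs.
SAMPLE_LOG = """\
Mar  6 09:41:10 host1 sshd[20001]: Failed password for root from 198.51.100.7 port 40100 ssh2
Mar  6 09:42:03 host1 sshd[20045]: reverse mapping checking
getaddrinfo for h.example.net [198.51.100.7] failed - POSSIBLE BREAK-IN ATTEMPT!
Mar  6 09:42:03 host1 sshd[20045]: Accepted password for root from
198.51.100.7 port 52378 ssh2
Mar  6 10:05:40 host1 sshd[20110]: Accepted publickey for root from 192.0.2.10 port 50022 ssh2
Mar  6 10:07:02 host1 sshd[20150]: Accepted password for deploy from 192.0.2.11 port 50100 ssh2
"""

STAMP = re.compile(r"^\w{3}\s+\d+ [\d:]{8} ")
ENTRY = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) (\S+) sshd\[(\d+)\]: (.*)$")
ACCEPTED = re.compile(r"^Accepted (\S+) for (\S+) from (\S+) port (\d+)")
FAILED = re.compile(r"^Failed password for (?:invalid user )?\S+ from (\S+) port")
REVMAP = re.compile(r"^reverse mapping checking getaddrinfo for \S+ \[[^\]]+\] failed")

def unwrap(text):
    """Rejoin continuation lines (no syslog timestamp) onto the entry before them."""
    entries = []
    for line in text.splitlines():
        if STAMP.match(line) or not entries:
            entries.append(line.strip())
        elif line.strip():
            entries[-1] += " " + line.strip()
    return entries

def root_password_logins(text):
    """One finding per 'Accepted password for root', with earlier failed attempts
    from that IP and whether the same sshd PID logged a reverse-mapping failure."""
    failed, revmap, findings = Counter(), set(), []
    for entry in unwrap(text):
        m = ENTRY.match(entry)
        if not m:
            continue
        ts, host, pid, msg = m.groups()
        if (f := FAILED.match(msg)):
            failed[f.group(1)] += 1
        elif REVMAP.match(msg):
            revmap.add((host, pid))
        elif (a := ACCEPTED.match(msg)) and a.group(1, 2) == ("password", "root"):
            findings.append({"time": ts, "host": host, "ip": a.group(3),
                             "prior_failures": failed[a.group(3)],
                             "revmap_failed": (host, pid) in revmap})
    return findings

if __name__ == "__main__":
    print(root_password_logins(SAMPLE_LOG))
```

Public-key root logins and password logins for other accounts are deliberately not reported, so any finding points at a host where password authentication for root is still accepted.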