Thursday, 8. July 2010
Take a moment and check out: ISC SANS PORT 5060
It appears that the sources/day count was on the rise again. I recently ran into a situation where it appears that someone was using the wunderbar_emporium rootkit to own a system. Then the system started attempting traffic out on port 5060.
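The outbound port 5060 activity described above is the kind of thing a host firewall log will show long before anyone looks at the kernel. As an added example (not from the original post), here is a small Python check that reads iptables-style LOG lines, assumed to carry the kernel's `SRC=`/`DST=`/`PROTO=`/`SPT=`/`DPT=` fields, and flags hosts that are not expected SIP endpoints yet reach out to port 5060 on several distinct destinations; the log lines and the allowlisted PBX address are constructed for the example.

```python
import re

# Constructed sample of iptables LOG output for outbound packets (not from the
# original post). Field layout follows the kernel's LOG target, with the
# unrelated fields (LEN, TTL, ID, ...) dropped for brevity.
SAMPLE_LOG = """\
Jul  8 10:02:11 web01 kernel: OUT=eth0 SRC=10.0.0.15 DST=203.0.113.9 PROTO=UDP SPT=5060 DPT=5060
Jul  8 10:02:12 web01 kernel: OUT=eth0 SRC=10.0.0.15 DST=203.0.113.10 PROTO=UDP SPT=5060 DPT=5060
Jul  8 10:02:12 web01 kernel: OUT=eth0 SRC=10.0.0.15 DST=203.0.113.11 PROTO=UDP SPT=5060 DPT=5060
Jul  8 10:02:13 web01 kernel: OUT=eth0 SRC=10.0.0.15 DST=198.51.100.7 PROTO=TCP SPT=44120 DPT=443
Jul  8 10:02:14 pbx01 kernel: OUT=eth0 SRC=10.0.0.40 DST=203.0.113.9 PROTO=UDP SPT=5060 DPT=5060
"""

# Assumption: the only host that should legitimately speak SIP is the site's PBX.
SIP_HOSTS = {"10.0.0.40"}

# PROTO, SPT and DPT are adjacent in the kernel's LOG format, so this also
# matches real lines that carry the extra fields omitted above.
LINE_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) SPT=\d+ DPT=(?P<dpt>\d+)"
)


def unexpected_sip_sources(log_text, allowed=SIP_HOSTS, min_distinct_dst=2):
    """Return {src: sorted distinct destinations} for hosts outside `allowed`
    that attempted outbound port 5060 to at least `min_distinct_dst` distinct
    destinations. Requiring several destinations separates a scan or flood
    from a single legitimate-looking call."""
    dsts = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group("dpt") != "5060":
            continue
        src = m.group("src")
        if src in allowed:
            continue
        dsts.setdefault(src, set()).add(m.group("dst"))
    return {src: sorted(d) for src, d in dsts.items() if len(d) >= min_distinct_dst}


if __name__ == "__main__":
    for src, targets in unexpected_sip_sources(SAMPLE_LOG).items():
        print(f"{src} attempted SIP to {len(targets)} hosts: {', '.join(targets)}")
```

On the sample above, only the web server is reported; the PBX is allowlisted and the HTTPS connection is ignored because it is not destined for port 5060.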
So, apparently wunderbar_emporium was mitigated by a kernel update (http://serverfault.com/questions/72986/how-to-prevent-wunderbar-emporium-rootkit), but of course a lot of enterprise systems do not do frequent kernel updates. It's not practical, cost-effective, or even possible in most HA environments. You have to fight to get an hour-long change window at times.
It appears that the code takes advantage of CVE-2009-2692.
Now the fun begins: I get to peer into the source code of wunderbar and see if I can figure out what makes it tick. Probably not, but hey, maybe I'll get lucky.