All major distributions have already released updates to their kernels which you can easily update using the corresponding package management system of your distribution. More about the fix and workaround after the jump.
You can find out more details about the updates for each distribution at the following links:
To check if your server is currently running the backdoor, Ksplice have developed a simple tool that can be used to detect it. Instructions on how to use it can be found here.
Upgrading your kernel is recommended method for closing this hole, but if for some reason you are unable to or do not want to upgrade your kernel, your other options are:
You can run the following command on your server.
NOTE:This will disable 32bit application functionality. So if you still have to run 32bit binaries, you should not use this option.
echo “:32bits:M::x7fELFx01::/bin/echo:” > /proc/sys/fs/binfmt_misc/register
This change is not persistent. To make it so, add the above line to the /etc/rc.local file. What this does is invoke “/bin/echo” each time a 32bit binary is executed. So no 32-binaries will work on your system. To undo this change, simply run the following command:
echo -1 > /proc/sys/fs/binfmt_misc/32bits
You should still run the Ksplice tool to check if the back-doors are running, and reboot your server to make sure they are no longer running from memory.
Patching your kernel
You can download the patch here. Of course, to use this patch, you will need to have the source of the kernel you are using, and knowledge of git to help apply the patch to the source.
The Ksplice option
Ksplice have provided details on how to fix this hole here.
I’m not going deep into how this exploit works, as I believe it is already getting more publicity than it should! So we’ll just concentrate on how to mitigate/fix it for now Once you’ve patched/updated the kernel, you should run your regular security audit to check for any other root kits that might have been installed. Tools like rkhunter and chkrootkit will help in this area. If you find your server has already been compromised, or the Ksplice tool detects a back door, you will have to go ahead with your normal procedure for handling compromised systems. Best of luck! hope your systems come up clean
About the Author:
Hamish joined Bobcares in July of 2004, and since then has grown to be well versed in the Control Panels and Operating systems used in the Web Hosting industry today. He is highly passionate about Linux and is a great evangelist of open-source. When not at work, he keeps himself busy populating this blog with both technical and non-technical posts. When he is not on his Xbox, he is an avid movie lover and critic