Linux servers hit by Malware

MAYBL8
Posts: 1487
Joined: 10 Mar 2013 18:41
Location: Maryland Heights, MO USA

Linux servers hit by Malware

Postby MAYBL8 » 19 Mar 2014 01:34



Orbmiser
Posts: 829
Joined: 24 Aug 2013 22:58
Location: Portland,Oregon

Re: Linux servers hit by Malware

Postby Orbmiser » 19 Mar 2014 05:00

Yep, started a sub-reddit about it.
http://www.reddit.com/r/LinuxActionShow ... e_serving/

In the article there is a link, and reading further in I found this bit from 2011, before my time back into Linux.
Tuesday's report is also notable because it may provide important new details about the 2011 compromise that gained unfettered access to servers belonging to kernel.org, the group that maintains and distributes the Linux operating system kernel. Leaders of the Linux Foundation reneged on a promise to provide a full autopsy of the attack, leaving the motives of the attackers a mystery.
So, as someone newly back to Linux, and with all the talk of open community and transparency: why isn't the community up in arms about the lack of response and the secrecy from kernel.org? Is this much ado about nothing, and am I over-exaggerating the seriousness of the issue?

As the promise to deliver an incident report remained on kernel.org as recently as March 1 of this year, before being quietly pulled the following day. To this day, officials have yet to provide key details, including exactly how many machines were compromised, how the attackers were able to gain root access to them, and what they did once they seized control.

How are we supposed to continue with trust if there is any level of secrecy that may impact or compromise my system?
Isn't this how proprietary companies like Microsoft behave?

I guess I may have unrealistic expectations?
As back then, I would think there would be pots simmering on standby waiting for some answers.
.
Portfolio
http://500px.com/Orbmiser
Flickr
http://www.flickr.com/photos/orb9220/

SolydK - Kernel 3.16-2-amd64 - KDE 4.14.1 Update Pack: 2014.10.15

stelios
Posts: 128
Joined: 28 Feb 2013 21:31
Location: Athens

Re: Linux servers hit by Malware

Postby stelios » 19 Mar 2014 11:33

The Windigo campaign doesn't rely on technical vulnerabilities to take hold of servers, Eset said. Instead, it uses stolen credentials.
How did they steal the passwords for 10,000 Unix and Linux servers??

GeneC
Posts: 747
Joined: 12 Feb 2013 17:49
Location: Woods of Maine

Re: Linux servers hit by Malware

Postby GeneC » 19 Mar 2014 19:27

Am I to understand correctly that this is just an issue on Linux servers? I am usually not too concerned with virus/malware issues with Linux, but this got my attention, as I just today installed a fresh installation of SolydX-64bit from the latest .iso (UP8).

Running the command

Code:

ssh -G 2>&1 | grep -e illegal -e unknown > /dev/null && echo "System clean" || echo "System infected"
shows that it's infected...

Code:

gene@solydx:~$ ssh -G 2>&1 | grep -e illegal -e unknown > /dev/null && echo "System clean" || echo "System infected"
System infected
Neither of my other installs is infected.
1. Debian Testing (latest Liquorix kernel)
2. Siduction (latest sidu kernel 3.13.xx)
I removed all ssh packages as a test, to no avail... :cry:

Code:

Commit Log for Wed Mar 19 14:53:05 2014


Completely removed the following packages:
openssh-blacklist
openssh-blacklist-extra
openssh-client
same result = infected

Am I concerned about nothing?
Why would SolydX be infected and not Debian Testing (I am thinking the kernel)?
GeneC

Debian (Testing)
Siduction (Debian SID)

Orbmiser
Posts: 829
Joined: 24 Aug 2013 22:58
Location: Portland,Oregon

Re: Linux servers hit by Malware

Postby Orbmiser » 19 Mar 2014 19:43

The Cracking of Kernel.org
http://www.linux.com/news/featured-blog ... -kernelorg
Kernel.org may seem like the place where kernel development is done, but it’s not; it’s really just a distribution point. The integrity of that distribution point is protected by the combination of clever software and thousands of copies of the repository distributed around the world. So when we say that we know the kernel source has not been compromised on kernel.org, we really know it.
Sorry Gene, not savvy enough to help here, and I would take the 'infected' warning with a grain of salt. As to what is really infected? The kernel? Then highly unlikely, given how it works as explained in the link above.
.
Portfolio
http://500px.com/Orbmiser
Flickr
http://www.flickr.com/photos/orb9220/

SolydK - Kernel 3.16-2-amd64 - KDE 4.14.1 Update Pack: 2014.10.15

zerozero
Posts: 5373
Joined: 10 Feb 2013 23:37
Location: West Midlands, England

Re: Linux servers hit by Malware

Postby zerozero » 19 Mar 2014 19:49

gene
I don't know where you got that code string from, or exactly what it should check, but the results here are different,
and on different systems:
vanilla X-64bit fully updated

Code:

Calculating upgrade... Done
The following package was automatically installed and is no longer required:
  libdee-1.0-4
Use 'apt-get autoremove' to remove it.
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
zerozero@x64:~$ inxi -Sxr
System:    Host: x64 Kernel: 3.11-2-amd64 x86_64 (64 bit, gcc: 4.8.2) 
           Desktop: Xfce 4.10.2 (Gtk 2.24.18) Distro: SolydXK 1 testing
Repos:     Active apt sources in file: /etc/apt/sources.list
           deb http://packages.solydxk.com/production/ solydxk main upstream import kdenext
           deb http://debian.solydxk.com/production testing main contrib non-free
           deb http://debian.solydxk.com/production/multimedia testing main non-free
           deb http://debian.solydxk.com/security testing/updates main contrib non-free
           deb http://community.solydxk.com/production/ solydxk main
zerozero@x64:~$ ssh -G 2>&1 | grep -e illegal -e unknown > /dev/null && echo "System clean" || echo "System infected"
System clean
zerozero@x64:~$ 
my main system

Code:

Calculating upgrade... Done
The following packages were automatically installed and are no longer required:
  libevent-2.0-5 libsamplerate0:i386 libspeexdsp1:i386
Use 'apt-get autoremove' to remove them.
The following packages will be upgraded:
  firefox
1 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 0 B/30.9 MB of archives.
After this operation, 0 B of additional disk space will be used.
Do you want to continue? [Y/n] n
Abort.
zerozero@home ~ $ inxi -Sxr
System:    Host: home Kernel: 3.11-2-amd64 x86_64 (64 bit gcc: 4.8.2) Desktop: KDE 4.12.1 (Qt 4.8.6) 
           Distro: SolydXK 1 testing 
Repos:     Active apt sources in file: /etc/apt/sources.list
           deb http://packages.solydxk.com/testing/ solydxk main upstream import kdenext
           deb http://community.solydxk.com/testing/ solydxk main
           deb http://debian.solydxk.com/testing/ testing main contrib non-free
           deb http://debian.solydxk.com/testing/multimedia/ testing main non-free
           deb http://debian.solydxk.com/security/ testing/updates main contrib non-free
           deb-src http://packages.solydxk.com/testing/ solydxk main upstream import kdenext
           deb-src http://community.solydxk.com/testing/ solydxk main
           deb-src http://debian.solydxk.com/testing/ testing main contrib non-free
           deb-src http://debian.solydxk.com/testing/multimedia/ testing main non-free
           deb-src http://debian.solydxk.com/security/ testing/updates main contrib non-free
           deb http://download.virtualbox.org/virtualbox/debian/ wheezy contrib
           Active apt sources in file: /etc/apt/sources.list.d/google-talkplugin.list
           deb http://dl.google.com/linux/talkplugin/deb/ stable main
           Active apt sources in file: /etc/apt/sources.list.d/sid.list
           deb http://ftp.debian.org/debian unstable main contrib non-free
           Active apt sources in file: /etc/apt/sources.list.d/snapper.list
           deb http://download.opensuse.org/repositories/filesystems:snapper/Debian_7.0/ /
zerozero@home ~ $ ssh -G 2>&1 | grep -e illegal -e unknown > /dev/null && echo "System clean" || echo "System infected"
System clean
zerozero@home ~ $ 
bliss of ignorance

GeneC
Posts: 747
Joined: 12 Feb 2013 17:49
Location: Woods of Maine

Re: Linux servers hit by Malware

Postby GeneC » 19 Mar 2014 19:50

Hi orb... :)

I don't quite understand it either. Above my head. Just startled to see the 'infected' result... :o That never makes you feel too comfortable and secure.

[rimg]http://www.paulickreport.com/wp-content ... -Entry.jpg[/rimg]

It's gotta be the kernel.

Code:

gene@solydx:~$ inxi -F
System:    Host: solydx Kernel: 3.11-2-amd64 x86_64 (64 bit) Desktop: Xfce 4.10.2 Distro: SolydXK 1 testing
Machine:   Mobo: ASUSTeK model: M4A88TD-M/USB3 version: Rev X.0x Bios: American Megatrends version: 1501 date: 08/09/2012
GeneC

Debian (Testing)
Siduction (Debian SID)

GeneC
Posts: 747
Joined: 12 Feb 2013 17:49
Location: Woods of Maine

Re: Linux servers hit by Malware

Postby GeneC » 19 Mar 2014 19:55

zerozero wrote:
gene
I don't know where you got that code string from, or exactly what it should check, but the results here are different;

Hi 'zz'... :D

Got it here (down near the bottom):

http://arstechnica.com/security/2014/03 ... -exploits/
People who want to know if the servers they operate are affected in the Windigo campaign can run the following command:

Code:

$ ssh -G 2>&1 | grep -e illegal -e unknown > /dev/null && echo "System clean" || echo "System infected"
GeneC

Debian (Testing)
Siduction (Debian SID)
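The one-liner quoted above decides "clean" or "infected" purely on whether ssh rejects the -G switch. As an added example, not from the ars technica article, ESET, or anyone in this thread, the shell function below reproduces that logic over captured output so it can be exercised on sample strings, and adds the caveat a defender needs: it assumes (a fact about upstream OpenSSH, not something stated on this page) that OpenSSH 6.8 and later accept -G as a legitimate option that prints the parsed configuration, so on those versions "no error" is inconclusive rather than proof of infection. The wrapper check_local_ssh, the version strings and the sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Classify the output of `ssh -G` the way the Windigo one-liner does,
# but with a version check so modern OpenSSH is not misreported.
#
# Original logic: an unmodified 2014-era OpenSSH rejects -G with
# "illegal option" / "unknown option"; a binary that silently accepts
# -G was treated as trojaned. Assumption (not from the thread): from
# OpenSSH 6.8 onward -G is a real option, so acceptance alone means
# nothing and the result is reported as "inconclusive".

classify_ssh_output() {
    # $1: captured stdout+stderr of `ssh -G`
    # $2: first line of `ssh -V`, e.g. "OpenSSH_6.6.1p1 ..." (constructed)
    out=$1
    ver=$2

    # Same test as the one-liner: an option error means the stock parser
    # is in place.
    if printf '%s\n' "$out" | grep -q -e illegal -e unknown; then
        echo clean
        return 0
    fi

    # -G was accepted. Only suspicious if this version should reject it.
    major=$(printf '%s' "$ver" | sed -n 's/^OpenSSH_\([0-9]*\)\.\([0-9]*\).*/\1/p')
    minor=$(printf '%s' "$ver" | sed -n 's/^OpenSSH_\([0-9]*\)\.\([0-9]*\).*/\2/p')
    if [ -z "$major" ] || [ -z "$minor" ]; then
        echo inconclusive        # could not parse the version string
        return 0
    fi
    if [ "$major" -gt 6 ] || { [ "$major" -eq 6 ] && [ "$minor" -ge 8 ]; }; then
        echo inconclusive        # -G is a documented option here
    else
        echo infected            # pre-6.8 ssh should have rejected -G
    fi
}

# Hypothetical wrapper against the local binary; run with `--live`.
check_local_ssh() {
    out=$(ssh -G 2>&1)
    ver=$(ssh -V 2>&1 | head -n 1)
    classify_ssh_output "$out" "$ver"
}

if [ "${1-}" = "--live" ]; then
    check_local_ssh
fi
```

A "clean" result here still only says the option parser is stock; it is not a substitute for verifying the openssh packages against the distribution's signed package data, which is why reinstalling from the repository, as GeneC did later in the thread, changes the outcome without explaining the original one.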

GeneC
Posts: 747
Joined: 12 Feb 2013 17:49
Location: Woods of Maine

Re: Linux servers hit by Malware

Postby GeneC » 19 Mar 2014 19:58

This is a brand new (today) install of solydx-64bit? I added some stuff, but nothing I don't have in my other two (uninfected) systems; actually a lot less added?
GeneC

Debian (Testing)
Siduction (Debian SID)

GeneC
Posts: 747
Joined: 12 Feb 2013 17:49
Location: Woods of Maine

Re: Linux servers hit by Malware

Postby GeneC » 19 Mar 2014 20:11

OK. Things look fine now. Not quite sure what I did that rectified the situation, but now getting System clean.

Code:

gene@solydx:~$ ssh -G 2>&1 | grep -e illegal -e unknown > /dev/null && echo "System clean" || echo "System infected"
System clean
I removed, then reinstalled, the ssh files

Code:

openssh-blacklist
openssh-blacklist-extra
openssh-client
ran

Code:

sudo update-initramfs -u && sudo update-grub
Have no idea why that changed things. Thinking it was just a false alarm. Sorry folks...
All is fine in SolydX land... ;)
GeneC

Debian (Testing)
Siduction (Debian SID)

MAYBL8
Posts: 1487
Joined: 10 Mar 2013 18:41
Location: Maryland Heights, MO USA

Re: Linux servers hit by Malware

Postby MAYBL8 » 09 Dec 2014 16:29

Here is another article on Linux Malware.
It doesn't look like it would be much of a threat to Desktop or Laptop users:
http://www.zdnet.com/article/two-stealt ... TRE17cfd61