
Linux servers hit by Malware

Posted: 19 Mar 2014 01:34
by MAYBL8

Re: Linux servers hit by Malware

Posted: 19 Mar 2014 05:00
by Orbmiser
Yep, started a subreddit about it.
http://www.reddit.com/r/LinuxActionShow ... e_serving/

In the article there is a link about And reading further in I found this bit from 2011, before my time back into Linux.
Tuesday's report is also notable because it may provide important new details about the 2011 compromise that gained unfettered access to servers belonging to kernel.org, the group that maintains and distributes the Linux operating system kernel. Leaders of the Linux Foundation reneged on a promise to provide a full autopsy of the attack, leaving the motives of the attackers a mystery.
So, as someone newly back to Linux, and with all the talk of open community and transparency: why isn't the community up in arms about the lack of response and the secrecy from kernel.org? Is this much ado about nothing, and am I exaggerating the seriousness of the issue?

As the promise to deliver an incident report remained on kernel.org as recently as March 1 of this year, before being quietly pulled the following day. To this day, officials have yet to provide key details, including exactly how many machines were compromised, how the attackers were able to gain root access to them, and what they did once they seized control.

How are we supposed to continue with trust if there is any level of secrecy that may impact or compromise my system?
Isn't this how proprietary companies like Microsoft behave?

I guess I may have unrealistic expectations?
As back then I would think there would be pots simmering on standby waiting for some answers.

Re: Linux servers hit by Malware

Posted: 19 Mar 2014 11:33
by stelios
The Windigo campaign doesn't rely on technical vulnerabilities to take hold of servers, Eset said. Instead, it uses stolen credentials.
How did they steal the passwords for 10,000 Unix and Linux servers??

Re: Linux servers hit by Malware

Posted: 19 Mar 2014 19:27
by GeneC
Am I to understand correctly that this is just an issue on Linux servers? I am usually not too concerned with virus/malware issues with Linux, but this got my attention, as I just today did a fresh installation of SolydX-64bit from the latest .iso (UP8).

Running the command

Code:

ssh -G 2>&1 | grep -e illegal -e unknown > /dev/null && echo "System clean" || echo "System infected"
shows that it's infected.

Code:

gene@solydx:~$ ssh -G 2>&1 | grep -e illegal -e unknown > /dev/null && echo "System clean" || echo "System infected"
System infected
Neither of my other installs is infected:
1. Debian Testing (latest Liquorix kernel)
2. Siduction (latest sidu kernel 3.13.xx)
I removed all ssh packages as a test to no avail.. :cry:

Code:

Commit Log for Wed Mar 19 14:53:05 2014


Completely removed the following packages:
openssh-blacklist
openssh-blacklist-extra
openssh-client
same result = infected

Am I concerned about nothing?
Why would SolydX be infected and not Debian Testing (I am thinking the kernel)?

Re: Linux servers hit by Malware

Posted: 19 Mar 2014 19:43
by Orbmiser
The Cracking of Kernel.org
http://www.linux.com/news/featured-blog ... -kernelorg
Kernel.org may seem like the place where kernel development is done, but it’s not; it’s really just a distribution point. The integrity of that distribution point is protected by the combination of clever software and thousands of copies of the repository distributed around the world. So when we say that we know the kernel source has not been compromised on kernel.org, we really know it.
Sorry Gene, not savvy enough to help here. And I would take the "infected" warning with a grain of salt. As to what is really infected?
Kernel? Then highly unlikely, given how it works as explained in the link above.

Re: Linux servers hit by Malware

Posted: 19 Mar 2014 19:49
by zerozero
Gene,
I don't know where you got that code string from or exactly what it should check, but the results here are different,
and on different systems:
vanilla X-64bit fully updated

Code:

Calculating upgrade... Done
The following package was automatically installed and is no longer required:
  libdee-1.0-4
Use 'apt-get autoremove' to remove it.
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
zerozero@x64:~$ inxi -Sxr
System:    Host: x64 Kernel: 3.11-2-amd64 x86_64 (64 bit, gcc: 4.8.2) 
           Desktop: Xfce 4.10.2 (Gtk 2.24.18) Distro: SolydXK 1 testing
Repos:     Active apt sources in file: /etc/apt/sources.list
           deb http://packages.solydxk.com/production/ solydxk main upstream import kdenext
           deb http://debian.solydxk.com/production testing main contrib non-free
           deb http://debian.solydxk.com/production/multimedia testing main non-free
           deb http://debian.solydxk.com/security testing/updates main contrib non-free
           deb http://community.solydxk.com/production/ solydxk main
zerozero@x64:~$ ssh -G 2>&1 | grep -e illegal -e unknown > /dev/null && echo "System clean" || echo "System infected"
System clean
zerozero@x64:~$ 
My main system:

Code:

Calculating upgrade... Done
The following packages were automatically installed and are no longer required:
  libevent-2.0-5 libsamplerate0:i386 libspeexdsp1:i386
Use 'apt-get autoremove' to remove them.
The following packages will be upgraded:
  firefox
1 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 0 B/30.9 MB of archives.
After this operation, 0 B of additional disk space will be used.
Do you want to continue? [Y/n] n
Abort.
zerozero@home ~ $ inxi -Sxr
System:    Host: home Kernel: 3.11-2-amd64 x86_64 (64 bit gcc: 4.8.2) Desktop: KDE 4.12.1 (Qt 4.8.6) 
           Distro: SolydXK 1 testing 
Repos:     Active apt sources in file: /etc/apt/sources.list
           deb http://packages.solydxk.com/testing/ solydxk main upstream import kdenext
           deb http://community.solydxk.com/testing/ solydxk main
           deb http://debian.solydxk.com/testing/ testing main contrib non-free
           deb http://debian.solydxk.com/testing/multimedia/ testing main non-free
           deb http://debian.solydxk.com/security/ testing/updates main contrib non-free
           deb-src http://packages.solydxk.com/testing/ solydxk main upstream import kdenext
           deb-src http://community.solydxk.com/testing/ solydxk main
           deb-src http://debian.solydxk.com/testing/ testing main contrib non-free
           deb-src http://debian.solydxk.com/testing/multimedia/ testing main non-free
           deb-src http://debian.solydxk.com/security/ testing/updates main contrib non-free
           deb http://download.virtualbox.org/virtualbox/debian/ wheezy contrib
           Active apt sources in file: /etc/apt/sources.list.d/google-talkplugin.list
           deb http://dl.google.com/linux/talkplugin/deb/ stable main
           Active apt sources in file: /etc/apt/sources.list.d/sid.list
           deb http://ftp.debian.org/debian unstable main contrib non-free
           Active apt sources in file: /etc/apt/sources.list.d/snapper.list
           deb http://download.opensuse.org/repositories/filesystems:snapper/Debian_7.0/ /
zerozero@home ~ $ ssh -G 2>&1 | grep -e illegal -e unknown > /dev/null && echo "System clean" || echo "System infected"
System clean
zerozero@home ~ $ 

Re: Linux servers hit by Malware

Posted: 19 Mar 2014 19:50
by GeneC
Hi orb... :)

I don't quite understand it either. Above my head. Just startled to see the 'infected' result... :o That never makes you feel too comfortable and secure.


It's gotta be the kernel.

Code:

gene@solydx:~$ inxi -F
System:    Host: solydx Kernel: 3.11-2-amd64 x86_64 (64 bit) Desktop: Xfce 4.10.2 Distro: SolydXK 1 testing
Machine:   Mobo: ASUSTeK model: M4A88TD-M/USB3 version: Rev X.0x Bios: American Megatrends version: 1501 date: 08/09/2012

Re: Linux servers hit by Malware

Posted: 19 Mar 2014 19:55
by GeneC
zerozero wrote: Gene,
I don't know where you got that code string from or exactly what it should check, but the results here are different;

Hi 'zz'... :D

Got it here (down near the bottom):

http://arstechnica.com/security/2014/03 ... -exploits/
People who want to know if the servers they operate are affected in the Windigo campaign can run the following command:

Code:

$ ssh -G 2>&1 | grep -e illegal -e unknown > /dev/null && echo "System clean" || echo "System infected"
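The one-liner quoted above calls the system "clean" only when the combined output of `ssh -G` contains "illegal" or "unknown" (the error an OpenSSH client of that era printed for an option it did not have), and "infected" in every other case. That is why it also reports "infected" on a machine with no ssh binary at all, where the shell prints "not found" instead. The script below is an added example, not from the thread, ESET or Ars Technica; it wraps the same check but separates "ssh is missing" from "ssh accepted -G". The function names are my own.

```shell
#!/bin/sh
# Added example: the Windigo/Ebury "ssh -G" check from the thread, with the
# missing-ssh case reported separately instead of being lumped in with
# "infected". Function names are assumptions, not anything ESET published.

# classify_ssh_output OUTPUT
#   OUTPUT is the combined stdout/stderr of `ssh -G`.
#   Prints one of: clean, suspect, no-ssh
classify_ssh_output() {
    out="$1"
    case "$out" in
        # bash prints "ssh: command not found", dash prints "ssh: not found"
        *"not found"*|*"No such file"*) echo "no-ssh" ;;
        # an unmodified 2014-era client rejects -G with one of these words
        *illegal*|*unknown*)            echo "clean" ;;
        # anything else means the binary silently accepted -G
        *)                              echo "suspect" ;;
    esac
}

# windigo_check: run the real check on this host and print the verdict.
windigo_check() {
    if ! command -v ssh >/dev/null 2>&1; then
        echo "no-ssh"
        return 0
    fi
    classify_ssh_output "$(ssh -G 2>&1)"
}

# Usage: sh windigo_check.sh --run
if [ "${1:-}" = "--run" ]; then
    windigo_check
fi
```

This check only made sense for OpenSSH clients of early 2014: OpenSSH 6.8 (2015) added a genuine `-G` option that prints the effective configuration, so on any current client the script prints "suspect" regardless of infection. Treat "suspect" as a prompt to verify the ssh package against its distribution's checksums, not as a diagnosis.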

Re: Linux servers hit by Malware

Posted: 19 Mar 2014 19:58
by GeneC
This is a brand new (today) install of solydx-64bit? I added some stuff, but nothing I don't have in my other two (uninfected) systems; actually a lot less added?

Re: Linux servers hit by Malware

Posted: 19 Mar 2014 20:11
by GeneC
OK. Things look fine now. Not quite sure what I did that rectified the situation but now getting System clean

Code:

gene@solydx:~$ ssh -G 2>&1 | grep -e illegal -e unknown > /dev/null && echo "System clean" || echo "System infected"
System clean
I removed then reinstalled the ssh packages

Code:

openssh-blacklist
openssh-blacklist-extra
openssh-client
and ran

Code:

sudo update-initramfs -u && sudo update-grub
Have no idea why that changed things. Thinking it was just a false alarm. Sorry folks...
All is fine in SolydX land... ;)

Re: Linux servers hit by Malware

Posted: 09 Dec 2014 16:29
by MAYBL8
Here is another article on Linux Malware.
It doesn't look like it would be much of a threat to Desktop or Laptop users:
http://www.zdnet.com/article/two-stealt ... TRE17cfd61