Old 18th March 2014
J65nko
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 3,786
10,000 Linux servers hit by malware serving tsunami of spam and exploits

From http://arstechnica.com/security/2014...-and-exploits/

Researchers have documented an ongoing criminal operation infecting more than 10,000 Unix and Linux servers with malware that sends spam and redirects end users to malicious Web pages.

Windigo, as the attack campaign has been dubbed, has been active since 2011 and has compromised systems belonging to the Linux Foundation's kernel.org and the developers of the cPanel Web hosting control panel, according to a detailed report published Tuesday by researchers from antivirus provider Eset. During its 36-month run, Windigo has compromised more than 25,000 servers with robust malware that sends more than 35 million spam messages a day and exposes Windows-based Web visitors to drive-by malware attacks. It also feeds people running any type of computer banner ads for porn services.
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
Old 22nd March 2014
comet--berkeley
Real Name: Richard
Package Pilot
Join Date: Apr 2009
Location: California
Posts: 157

The report from Eset is an interesting read.

The report explains what happened in the kernel.org attack in 2011, but Linux was not the only system attacked.

From page 4 of the report:
A wide range of operating systems have been compromised by the attackers; Apple OS X, OpenBSD, FreeBSD, Microsoft Windows (through Cygwin) and Linux, including Linux on the ARM architecture.
No vulnerabilities were exploited on the Linux servers; only stolen credentials were leveraged. We conclude that password-authentication on servers should be a thing of the past.
From page 67 (Appendix 3) of the report:
Here are a few simple recommendations in order to protect yourself from this collection of threats:
  • Disable direct root login in your OpenSSH daemon
    (PermitRootLogin no in /etc/ssh/sshd_config)
  • Disable password-based logins and use an SSH key
  • Use SSH Agent Forwarding to SSH from servers to servers instead of copying your SSH private keys on servers. On GNU/Linux use ssh-agent or GnomeKeyring with ForwardAgent yes under a trusted Host entry in your .ssh/config file. On Windows PuTTY's Pageant supports SSH Agent Forwarding
  • Use two-factor authentication on your servers
  • Use an up to date antivirus solution

Last edited by comet--berkeley; 23rd March 2014 at 07:24 PM. Reason: grammar and spelling
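The first two recommendations quoted above are plain sshd_config settings, and the easiest way to lose them is a stray later line or a forgotten default. The following POSIX shell script is an added example, not code from the thread or from the Eset report: it audits a configuration file for those settings, using the sshd(8) rule that the first occurrence of a keyword wins and treating an unset keyword as its usual default. The function names and the two embedded sample configurations are constructed for illustration; Match blocks are deliberately not evaluated, so only the global section is checked.

```shell
#!/bin/sh
# Added example: audit an sshd_config against the Eset recommendations.
# Function names and sample files are hypothetical, not from the report.

# Print the effective global value of an sshd_config keyword (case-insensitive).
# sshd keeps the FIRST occurrence, so we stop there; comments are skipped and the
# scan ends at the first Match block because only global settings are checked.
# Prints nothing when the keyword is unset.
sshd_option() {
  key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  awk -v key="$key" '
    /^[[:space:]]*#/ { next }
    NF == 0 { next }
    tolower($1) == "match" { exit }
    tolower($1) == key { print $2; exit }
  ' "$1"
}

# Compare one keyword with the value we want. An unset keyword takes the given
# sshd default; an empty default means "must be set explicitly". Findings are
# written to stderr so callers can capture the count on stdout. Returns 1 on mismatch.
check_option() {
  cfg=$1; key=$2; want=$3; default=$4; note=$5
  got=$(sshd_option "$cfg" "$key")
  got=${got:-$default}
  [ "$got" = "$want" ] && return 0
  echo "FINDING: $key is '${got:-unset}', expected '$want' ($note)" >&2
  return 1
}

# Run every check and print the number of findings.
audit_sshd_config() {
  cfg=$1; n=0
  check_option "$cfg" PermitRootLogin no "" "disable direct root login" || n=$((n + 1))
  check_option "$cfg" PasswordAuthentication no "" "use SSH keys instead of passwords" || n=$((n + 1))
  check_option "$cfg" ChallengeResponseAuthentication no yes "keyboard-interactive prompts still accept passwords" || n=$((n + 1))
  check_option "$cfg" PubkeyAuthentication yes yes "keys must remain accepted" || n=$((n + 1))
  echo "$n"
}

# Constructed sample configurations (not taken from any real host).
weak_cfg=$(mktemp); hardened_cfg=$(mktemp)
trap 'rm -f "$weak_cfg" "$hardened_cfg"' EXIT
cat > "$weak_cfg" <<'EOF'
# root may log in with a password; challenge-response left at its default
Port 22
PermitRootLogin yes
PasswordAuthentication yes
EOF
cat > "$hardened_cfg" <<'EOF'
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
# a duplicate further down is ignored: sshd keeps the first value
PermitRootLogin yes
EOF

echo "weak config:     $(audit_sshd_config "$weak_cfg") finding(s)"
echo "hardened config: $(audit_sshd_config "$hardened_cfg") finding(s)"
```

Run it as-is to see three findings for the weak file and none for the hardened one; point `audit_sshd_config` at `/etc/ssh/sshd_config` to check a real host. Note that `ChallengeResponseAuthentication` is checked as well, because leaving it enabled lets keyboard-interactive logins still prompt for a password after `PasswordAuthentication no`.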
Old 23rd March 2014
Carpetsmoker
Real Name: Martin
Tcpdump Spy
Join Date: Apr 2008
Location: Indonesia
Posts: 2,236

Use two-factor authentication on your servers
Isn't using public-key authentication where your key has a pass{word,phrase} effectively a two-factor authentication method? You need to *have* the key, and *know* the password.

Popular tools like the Google Authenticator seem overly complex to me, not to mention that they seem to rely on an external service & a smartphone...
UNIX was not designed to stop you from doing stupid things, because that would also stop you from doing clever things.
Old 23rd March 2014
jggimi
More noise than signal
Join Date: May 2008
Location: USA
Posts: 7,471

Yes, if a passphrase is selected, then SSH PKA can provide two-factor authentication. But passphrases are optional. Their use must be enforced by policy.

Any system that requires a user to authenticate two different ways -- a) something they have, combined with b) something they know -- is a two-factor authentication method. Other examples: RSA key fobs that provide changing sequences combined with a user PIN. Web applications that require both a client X.509 certificate and a password/passphrase. VPN clients that require workstation certificates combined with a password/passphrase.