Old 01-27-2004, 11:54 AM   #1
dalek
Senior Member
 
Registered: Jul 2003
Location: Mississippi USA
Distribution: Gentoo
Posts: 2,058
Blog Entries: 2

Rep: Reputation: 79
test.scr Virus?? Came from kinkos


I got an e-mail this morning from Kinko's, with whom I have never done any business. Anyway it contained a file, test.scr, which wanted root access. I said NOPE, of course. I sent an e-mail to the address listed on the Kinko's website with some of the info about the e-mail. I figure they at least deserve to know that someone working there or someone who hacked into their system is sending files.

Is this a virus? It is listed with Symantec as one.

What do you think???????

 
Old 01-27-2004, 12:25 PM   #2
wapcaplet
LQ Guru
 
Registered: Feb 2003
Location: Colorado Springs, CO
Distribution: Gentoo
Posts: 2,018

Rep: Reputation: 48
Weird. Dunno anything about it, but I do know that it's ridiculously easy to spoof e-mail "from" addresses, so it doesn't necessarily mean that anyone has "hacked" Kinko's.
 
Old 01-27-2004, 01:02 PM   #3
dalek
Senior Member
 
Registered: Jul 2003
Location: Mississippi USA
Distribution: Gentoo
Posts: 2,058

Original Poster
Blog Entries: 2

Rep: Reputation: 79
I updated my virus thing and it is a virus. See:

Code:
/home/dale/Mail/inbox/cur/1075219568.25445.fVhV->test.scr  Infection: W32/Mydoom.A@mm
/home/dale/Mail/sent-mail/cur/1075220555.25445.VXym:2,S->test.scr  Infection: W32/Mydoom.A@mm
/home/dale/Desktop/test.scr  Infection: W32/Mydoom.A@mm
Well, I know for sure what it is. I hope the person that sent it gags on his own crap. If I have to put up with it then he/she can gag on it.

Later



Thank goodness I use Linux and not windoze.
 
Old 01-27-2004, 01:19 PM   #4
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 76
MyDoom is currently on track to out-perform Sobig.F in propagation. It's a blended threat, and polymorphic. There are some reports that, in addition to installing a backdoor and harvesting e-mail addresses to spam, it may install a keystroke logger. It seems that the major AV vendors are in disagreement about whether there is a keystroke logger or not.
 
Old 01-27-2004, 04:00 PM   #5
dalek
Senior Member
 
Registered: Jul 2003
Location: Mississippi USA
Distribution: Gentoo
Posts: 2,058

Original Poster
Blog Entries: 2

Rep: Reputation: 79
Well I hope Kinkos will check and see if the person that I got e-mail from is infected somehow. I still don't know how they got my e-mail address though. I'm disabled and I have a friend that will let me use his printing press if I needed something printed. Yep, I can run a printing press. Just have to get the water and ink juuuuusssttt right for it to be pretty.

Of course, they may have been spoofed too but either way I think they should know about the situation.

If Bill Gates and his crappy OS were not around, these viruses would have a short life.

Later

 
Old 01-27-2004, 06:06 PM   #6
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
It's likely that the email didn't even come from Kinkos. The myDoom worm has its own mass-mailing engine that forges the From section of the email. That makes it more difficult to track down who really is infected, because the email may not have really been sent by the person it says it's "From". All it takes is someone to get infected who has both your email as well as Kinko's on their system. When the worm starts cranking out emails, it uses email addresses it finds on that computer as the From portion. In fact, it's highly probable that other people are receiving emails containing the worm that are forged to look like you sent them. The last few worms/viruses have used this "feature".

http://www.linuxquestions.org/questi...hreadid=139316
http://www.linuxquestions.org/questi...hreadid=139066
http://securityresponse.symantec.com...varg.a@mm.html

Last edited by Capt_Caveman; 01-27-2004 at 06:10 PM.
 
Old 01-27-2004, 09:20 PM   #7
Bruce Hill
HCL Maintainer
 
Registered: Jun 2003
Location: McCalla, AL, USA
Distribution: Arch, Gentoo
Posts: 6,940

Rep: Reputation: 129
Hello my Mississippi friend Dale,

This is from the Symantec info about this worm
Quote:
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
Systems Not Affected: DOS, Linux, Macintosh, OS/2, UNIX, Windows 3.x
What is NOT vulnerable are the wonderful *nix systems we use :}

But those new cutesy GUI systems that M$ has sold to the non-thinking public are the ones
which will crash and burn! Reason number 345,557,989 to migrate to Linux :} That's it guys,
just point-and-click :} Yet another reason NOT to "make Linux easy to use like Windoze."

n. worm:

Computer Science. A malicious program that replicates itself until it fills all of the storage space on a drive or network.

Which is another good reason to create a /tmp partition and keep its size down.
 
Old 01-27-2004, 09:37 PM   #8
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 76
To believe that Linux is less vulnerable to automated malicious code than Windows would be fallacious. The only reason it hasn't been aggressively attacked to the extent that Windows has is because it's not as standardized. Believe me, when there are vulnerabilities (like the recent kernel vulns) that can be exploited on all or most distros, people can and do attack.

Don't expect switching to Linux will raise your pet rabbit from the grave, get you a girlfriend, buy you a sports car, etc... It's not a wonder-pill.
 
Old 01-27-2004, 10:00 PM   #9
Bruce Hill
HCL Maintainer
 
Registered: Jun 2003
Location: McCalla, AL, USA
Distribution: Arch, Gentoo
Posts: 6,940

Rep: Reputation: 129
Quote:
Originally posted by chort
To believe that Linux is less vulnerable to automated malicious code than Windows would be fallacious. The only reason it hasn't been aggressively attacked to the extent that Windows has is because it's not as standardized. Believe me, when there are vulnerabilities (like the recent kernel vulns) that can be exploited on all or most distros, people can and do attack.
Linux is less vulnerable to these specific zipped executables in mention, and that is not fallacious. There is a distinct difference between a kernel vulnerability and this worm. I don't think unfounded fear should be spread among the community without some details. This is how the worm in question works
Quote:
When W32.Novarg.A@mm is executed, it does the following:

1. Creates the following files:
* %System%\Shimgapi.dll: Shimgapi.dll acts as a proxy server, opening TCP listening ports in the range of 3127 to 3198. The backdoor also has the ability to download and execute arbitrary files.
* %Temp%\Message: This file contains random letters and is displayed using Notepad.
* %System%\Taskmon.exe:
Correct me if I'm wrong, but that makes it impossible to execute on a Linux box.

As for the rest of your comments, they're not worthy of response.
 
Old 01-27-2004, 11:24 PM   #10
fancypiper
LQ Guru
 
Registered: Feb 2003
Location: Sparta, NC USA
Distribution: Ubuntu 10.04
Posts: 5,141

Rep: Reputation: 60
Chort, some information you should know. Windows is the non-standards-compliant OS, which causes its open-door security (but nobody is supposed to know where these doors are, you see)....

Also compare the time between discovery, fix and distribution of the fix for the kernel compared to the fixes from Microsoft, the most used (which you probably meant rather than standard) OS.

# Linux and virus
The Virus Writing HOWTO reference: Should I get anti-virus software for my Linux box?

# Basic Linux security
Linux Questions Security references
Security Help Files
Linux Administrator's Security Guide
Security Focus
Linux Security
Firewalls and Security

Last edited by fancypiper; 01-27-2004 at 11:28 PM.
 
Old 01-28-2004, 12:46 AM   #11
dalek
Senior Member
 
Registered: Jul 2003
Location: Mississippi USA
Distribution: Gentoo
Posts: 2,058

Original Poster
Blog Entries: 2

Rep: Reputation: 79
Quote:
Originally posted by chort
To believe that Linux is less vulnerable to automated malicious code than Windows would be fallacious. The only reason it hasn't been aggressively attacked to the extent that Windows has is because it's not as standardized. Believe me, when there are vulnerabilities (like the recent kernel vulns) that can be exploited on all or most distros, people can and do attack.

Don't expect switching to Linux will raise your pet rabbit from the grave, get you a girlfriend, buy you a sports car, etc... It's not a wonder-pill.
Just for a bit more information, when I clicked on the attachment, it asked for root access. I said NO. That settled it. In windoze, it would not have even asked. It would have just installed itself and that would have been that. Linux is much more secure than windoze will ever even dream of being. Windoze is like putting a screen door on a submarine with no solid door to back up that screen door. There are too many holes to plug and bubble gum won't work either.

That thing may not have come from Kinkos but there may be someone there that got it and it sent mine from their rig. By telling them, they may find that out before it spreads over the rest of their network, which I'm sure is pretty big. Either way, I would want someone to tell me if I sent them one. This is the source info from the e-mail; I changed my address and altered the sending address so it won't look like one, just in case:

Code:
Return-Path: <mark.tully<at>kinkos.com>
Received: from psmtp.com (exprod6mx109.postini.com [12.158.36.93])
	by ns0.*****.*** (8.9.3/8.9.3) with SMTP id KAA04092
	for <Sorry, took this part out :)>; Tue, 27 Jan 2004 10:41:21 -0600
From: mark.tully<at>kinkos.com
Message-Id: <200401271641.KAA04092@ns0.*****.***>
Received: from source ([207.181.43.20]) by exprod6mx109.postini.com ([12.158.35.251]) with SMTP;
	Tue, 27 Jan 2004 09:43:14 MST
To: 
Subject: Mail Delivery System
Date: Tue, 27 Jan 2004 10:45:59 -0600
MIME-Version: 1.0
Content-Type: multipart/mixed;
  boundary="----=_NextPart_000_0011_E67F560D.26EE0C4B"
X-Priority: 3
X-MSMail-Priority: Normal
Status: R 
X-Status: N
X-KMail-EncryptionState:  
X-KMail-SignatureState:  

This is a multi-part message in MIME format.

------=_NextPart_000_0011_E67F560D.26EE0C4B
Content-Type: text/plain;
	charset="Windows-1252"
Content-Transfer-Encoding: 7bit



------=_NextPart_000_0011_E67F560D.26EE0C4B
Content-Type: application/octet-stream;
	name="test.scr"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
	filename="test.scr"
I sent that part to them so they can see the info too. It may help them to see if it really came from them or not.

I'm SURE glad I use ONLY Linux. Notice Linux has a capital L and windoze does not. He doesn't deserve being capitalized. Linus did good in my opinion.

Later

 
Old 01-28-2004, 01:31 AM   #12
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 76
Ahem, I suggest you reread my sig line and look at the credentials again. Then, take a look at some of my 700 odd other posts... OK, satisfied?

Now, it's blatantly obvious that a Win32 exploit will not work on Linux ELF (unless you have some really tightly integrated WINE clone, in which case, you should have known better).

Now, go back and read what I said again and drop the Linux Zealot Jihad attitude. What I said was, in essence "you don't see more Linux attacks because it's difficult to write an exploit that will work on a large number of Linux boxes". The reason why it's difficult to write a mass-worm for Linux is because the distributions are so fragmented and often have very different default kernels, not to mention userland...

By the way, there have been a few Linux worms, they just didn't stir up the publicity in the media because, well, hardly anyone (comparatively speaking) uses Linux (and especially not clueless home users, who are the type of people who watch the news and cower in fear).

By the way, you're right it's not fair to compare a few kernel vulnerabilities to an application vulnerability.. What about the thousands of security flaws in Mozilla and Opera? What about Sendmail and its streak of better than one major exploit per year? What about BIND and its many security flaws? What about NFS and its weak authentication? I could go on forever.

The point is you're not looking at things objectively. As a security professional, it's my job (and signed duty, according to the (ISC)^2 code of ethics), to advise people objectively on security issues. That means not playing "OS bigot" and not misleading people with hearsay.

The point is there are probably just as many rooted Linux boxes out there right now as compromised Windows boxes. I work in e-mail security and part of my job is to trace e-mail attacks and spam floods. Just as many of these "spam bot" compromised boxes on broadband networks are running Linux as Windows.

So what went wrong? Very simple: Linux admins are just as lazy, if not more so than Windows admins (at least right now). Most Windows admins realize their software is horribly unsafe and they check regularly for the latest Microsoft patches, then schedule emergency maintenance to install them. People convert to Linux and think they are somehow immune from harm, so they don't bother patching anything or hardening their systems. As a result there are hundreds of active PHP, CGI, SSH, SSL, etc, etc exploits available that do work on unprotected Linux boxes. A simple check on Netcraft will reveal that the vast majority of sites have not upgraded to OpenSSL 0.9.7c to stave off heap overflow vulnerabilities.

Security is 90% the admin and 10% the platform. If you trust your platform, well... you're in trouble.
 
Old 01-28-2004, 01:38 AM   #13
J_Szucs
Senior Member
 
Registered: Nov 2001
Location: Budapest, Hungary
Distribution: SuSE 6.4-11.3, Dsl linux, FreeBSD 4.3-6.2, Mandrake 8.2, Redhat, UHU, Debian Etch
Posts: 1,126

Rep: Reputation: 58
Hi Dalek,

Why do you insist on kinko's (whatever it is) being involved in sending you that letter?

It is highly possible that none of their computers is infected. Isn't it much more likely that their e-mail address (like yours) was simply in the address book of an infected computer anywhere in the world?

I would not bother kinko's with a useless letter, I would rather check the mail header carefully: envelope from; what was its route to you. But it will not show you the real sender, either, it can only prove that kinko's could not send it, since they use a different mail server/relay.
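J_Szucs's suggestion, worked through on the headers dalek posted in #11. This is an added example, not code from the thread: it walks the Received: chain oldest-first to find the host that injected the message and compares that with the domain asserted in From:. The recipient address and domain masking are the poster's own redactions and are kept as posted.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Headers copied from post #11 (the poster's own masking of his domain with
# ***** and of the recipient address is kept); the MIME body is left out.
RAW_HEADERS = """\
Return-Path: <mark.tully<at>kinkos.com>
Received: from psmtp.com (exprod6mx109.postini.com [12.158.36.93])
\tby ns0.*****.*** (8.9.3/8.9.3) with SMTP id KAA04092
\tfor <Sorry, took this part out :)>; Tue, 27 Jan 2004 10:41:21 -0600
From: mark.tully<at>kinkos.com
Message-Id: <200401271641.KAA04092@ns0.*****.***>
Received: from source ([207.181.43.20]) by exprod6mx109.postini.com ([12.158.35.251]) with SMTP;
\tTue, 27 Jan 2004 09:43:14 MST
Subject: Mail Delivery System
Date: Tue, 27 Jan 2004 10:45:59 -0600

"""

# "from <helo> (<reverse-dns> [<ip>]) by <receiving host>" as sendmail writes it
HOP_RE = re.compile(r"from\s+(\S+)\s*(?:\(([^)]*)\))?\s+by\s+(\S+)")


def received_chain(raw):
    """Hops oldest-first as (helo name, bracketed comment, receiving host).
    Each MTA prepends its own line, so the bottom line is the injecting host."""
    msg = message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        m = HOP_RE.search(re.sub(r"\s+", " ", value))   # unfold the header
        if m:
            hops.append((m.group(1), m.group(2) or "", m.group(3)))
    return hops


def claimed_domain(raw):
    """Domain asserted in From:, accepting the poster's '<at>' masking of '@'."""
    sender = message_from_string(raw)["From"].replace("<at>", "@")
    return sender.rsplit("@", 1)[-1].strip(" >").lower()


def origin_matches_from(raw):
    """True only if the injecting hop names the From: domain (HELO or rDNS).
    False means that domain's mail servers never touched the message."""
    hops = received_chain(raw)
    if not hops:
        return False
    helo, comment, _ = hops[0]
    return claimed_domain(raw) in (helo + " " + comment).lower()


def date_later_than_delivery(raw):
    """Date: stamped after the final MTA accepted the mail: a clock-skew or
    home-grown-mailer tell worth noting alongside the hop check."""
    msg = message_from_string(raw)
    final_hop = msg.get_all("Received")[0]          # top line = last hop
    delivered = parsedate_to_datetime(final_hop.rsplit(";", 1)[1].strip())
    return parsedate_to_datetime(msg["Date"]) > delivered
```

Only the Received: lines added by servers you trust (here your own ns0 and its Postini front end) are reliable; anything below them can be forged, so a hop that does name the From: domain still proves nothing, while the absence of that domain anywhere in the chain is what shows the mail never passed through its servers.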
 
Old 01-28-2004, 02:00 AM   #14
dalek
Senior Member
 
Registered: Jul 2003
Location: Mississippi USA
Distribution: Gentoo
Posts: 2,058

Original Poster
Blog Entries: 2

Rep: Reputation: 79
I know that someone may have spoofed their address but I still wanted them to know that something appeared to come from them. They should know that in case they start getting a lot of nasty grams about the problem. I would want to know if someone spoofed my e-mail address, rope and tree come to mind here. I was very nice about it. I know they may have absolutely nothing to do with it.

It is also possible, though not likely, that someone on their system got infected and it was sent from that system. In that case they can track down that system, and the rest of their systems, to see if it is infected and remove the bug. If they have a network of systems and one is infected, they may need to check them all and update their software.

chort, not an insult here but if Linux was as easy to bust into as windoze, we may not even have an internet. I am open minded and have read a lot of your posts. I didn't even know Linux existed a few years ago and I still thought windoze security sucked. Linux does have different setups but if there was an msblaster type virus for Linux and it spread and infected the same way, we would have big trouble. Windoze keeps its code too close to the vest for people to help keep the software secure. They have shown repeatedly that they can't make it secure. They fix one bug just to find ten more that the fix made.

There are a LOT of Linux systems out there and they are the backbone of the net. If all the Linux boxes were brought to their knees the way some windoze systems are during these attacks, the net would grind to almost a halt. My ISP and their ISP use Linux. The ones above them appear to use Linux too.

Yes Linux is affected by these bugs because of the increase in traffic by the bugs, especially mail servers, but at least they are not infected by them. It is just because they can't handle the load. Kind of like the grid during the blackout in New York area. Just one system messed up but it brought down the rest because it couldn't transfer the load around to keep things going. It is not Linux's fault windoze gets infected.

I'm not a security expert. I'm disabled as a matter of fact, but windoze is not as secure as Linux. If that were not true, I would have that thing on my rig right now. It tried to install but it couldn't. Linux worked for me at least. It is also not the first one that I got through the e-mail. No infection yet.

My opinion.

Later
 
Old 01-28-2004, 07:34 AM   #15
fancypiper
LQ Guru
 
Registered: Feb 2003
Location: Sparta, NC USA
Distribution: Ubuntu 10.04
Posts: 5,141

Rep: Reputation: 60
Quote:
Originally posted by chort
Security is 90% the admin and 10% the platform. If you trust your platform, well... you're in trouble.
Security is 100% admin, IMHO. Security is in a state of mind, not in any OS (except perhaps if it's a live CD since it can't be written to).
 