Linux - Security
This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
The malware in this case is a trojan. While an AV software may have alerted the admin, it was the admin the first place that installed the malware. This is why you should only use software from trusted sources.
More to the point, that's malware that targets mostly servers by hacking OpenSSH and spreading by hand (with stolen credentials from that hacked ssh)... Actually, the first method of getting that malware would be to use an already infected system in order to log in to another (uninfected?) one.. An AV would probably just alert you (if it knows about that specific malware) and at the level it's deployed, it should be presumed that the owners of the system know how to keep it safe.. Basically, the infected systems are infected because "kids" try to play with big software and completely ignore its security documentation.. There is no AV against that..
Quote:
Originally Posted by Léveillé
“We realise that wiping your server and starting again from scratch is tough medicine, but if hackers have stolen or cracked your administrator credentials and had remote access to your servers, you cannot take any risks,” explains Léveillé. “Sadly, some of the victims we have been in touch with know that they are infected, but have done nothing to clean up their systems – potentially putting more internet users in the firing line.”
Last edited by Smokey_justme; 03-25-2014 at 04:01 PM.
The malware in this case is a trojan. While an AV software may have alerted the admin, it was the admin the first place that installed the malware. This is why you should only use software from trusted sources.
Actually no (the admin did not install it)
From the article: "No vulnerabilities were exploited on the Linux servers; only stolen credentials were leveraged."
"They had root to the box ..." There you go. A classical penetration technique second only to exploiting Plesk.
AV algorithms could be valuable ... perhaps, very valuable ... say in a document-storage application (or a blog) to detect suspicious content before it is disseminated for public use. However, it is both snake-oil and smoke to say that such tools are "necessary" or that they "protect you" from anything at all.
For world-facing services, I used a few different techniques that rely on occasionally taking prod servers out of the LB group, doing some remote MD5/CRC checking on files/directories and some secret stuff, that lets me know if anything has changed.
The new way of doing things is to have a server that boots off of a read only BLU-RAY drive, that then brings up images in our cluster once a day. So even if you do find a way to break in, within 12 hours I will be putting out a new VM with new keys and passwords. The gold image BLURAY is modified, updated and secured on a daily basis according to security standards and alerts, in a sterile no-internet environment.
And of course the hourly AIDE checks, Firewalls, IDP appliances, and network monitoring help as well.
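The post above describes remote MD5/CRC checks and hourly AIDE runs to learn whether anything on a production host has changed. As an added illustration (not code from the thread or from AIDE), here is a minimal baseline-and-diff integrity check in Python; the directory layout, file names and tampering steps in demo() are constructed for the example.

```python
import hashlib
import json
import tempfile
from pathlib import Path
# Added example, not code from the thread: a minimal AIDE-style baseline-and-diff.
# SHA-256 replaces the post's MD5/CRC (MD5 collisions are practical, CRC is not a
# cryptographic hash). Keep the baseline off the monitored host, as with remote checks.

def hash_file(path: Path, chunk: int = 1 << 16) -> str:
    """Stream a file through SHA-256 so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(root: str) -> dict:
    """Map each regular file under root (relative path) to its digest and mode bits."""
    rootp, manifest = Path(root), {}
    for p in sorted(rootp.rglob("*")):
        if p.is_file() and not p.is_symlink():
            manifest[p.relative_to(rootp).as_posix()] = {
                "sha256": hash_file(p), "mode": oct(p.stat().st_mode & 0o7777)}
    return manifest

def save_manifest(manifest: dict, out: str) -> None:
    Path(out).write_text(json.dumps(manifest, indent=1, sort_keys=True))

def load_manifest(path: str) -> dict:
    return json.loads(Path(path).read_text())

def compare(baseline: dict, current: dict) -> dict:
    """Report added/removed/modified paths; a mode change alone counts as modified."""
    both = set(baseline) & set(current)
    return {"added": sorted(set(current) - set(baseline)),
            "removed": sorted(set(baseline) - set(current)),
            "modified": sorted(p for p in both if baseline[p] != current[p])}

def demo() -> dict:
    """Constructed scenario: baseline a fake config tree, tamper with it, rescan."""
    with tempfile.TemporaryDirectory() as d, tempfile.TemporaryDirectory() as store:
        root, baseline_file = Path(d), str(Path(store) / "baseline.json")
        (root / "ssh").mkdir()
        (root / "ssh" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "passwd").write_text("root:x:0:0::/root:/bin/sh\n")
        save_manifest(build_manifest(d), baseline_file)
        # Simulated tampering: config edited, ld.so.preload appears, passwd deleted.
        (root / "ssh" / "sshd_config").write_text("PermitRootLogin yes\n")
        (root / "ld.so.preload").write_text("/tmp/unexpected.so\n")
        (root / "passwd").unlink()
        return compare(load_manifest(baseline_file), build_manifest(d))
```

Run demo() to see the three categories reported for the constructed tree; in real use, build_manifest() would run against the live tree and the baseline would be loaded from a copy stored elsewhere.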
I run ClamAV with ClamTk as my main solution with cronjobs at targeted intervals. I also have RkHunter setup equally as a supplement.
I have used BitDefender before. It's nice, but I like ClamAV's daemon modes and background scanners better.
It would be nice if GNU/Linux got On-Access/Execution scanning via ClamAV. That way it could scan binaries, libraries, configuration files and scripts upon access and execution. I might be mistaken, but BitDefender might have this now for Gnome, Xfce, and KDE desktops via a plugin in the latest versions, or it's just a plugin to allow alt-click scanning options for files.
GNU/Linux and *BSD are starting to become a target for malware and other bad software. It would be nice to gain a solid foothold in protection before they do.
Ok, let me try to exemplify what security in the Linux world is focused on vs. security in other OSs.
Here's a current MS Internet explorer bug: https://technet.microsoft.com/en-us/...y/2963983.aspx
Basically, it's a common memory overflow bug with very bad consequences that pretty much allows a remote web site to execute code on your computer... This is a common thing amongst browsers or even important services (in one way or the other, with different levels of severity).. In Windows, the end-user (and sometimes even the professional) is battered with third-party security products that normally intervene after the system was compromised, if a known malicious code was put in there..
Actually, because in Windows, most of the systems are using a day-to-day Administrator account, that penetration can have huge consequences on the whole system and maybe the whole network.. Thus making complicated heuristic based AVs or other security tool an important must-have in order to limit such invasion...
On the other hand, on Linux systems, people use normal accounts.. The whole security concept is started and based on proactive and protective approach..
Important services that are actually started by root only bind ports and then drop the privileges themselves.. And the system is built in such a way that normal accounts can't install dangerous stuff like keyloggers even if they would want to, without proper permissions.
There is also a limited amount of power a process has to "hide" itself.. This basically means an AV solution will only provide redundancy for a limited number of possible infections.. It also means that, on a normal desktop system, if the AV catches some infection it's almost always possible to fix the system live and the malicious code is almost always contained.. On the other hand, Linux has by default many services, and a lot of the security talk has to do with configuring those services.. All infections I've seen until now are due to misconfigurations.. Unfortunately, AVs aren't really useful in that situation..
Please keep in mind that I'm not saying similar proactive security measures can't be taken in Windows.. I'm just saying that, coming from an OS in which AV tools have such a big influence because the imposed security model of the OS has such big flaws, it can be hard to understand why AVs in Linux are implemented and mostly used in way different setups than normal, day-to-day desktops..
Actually, because in Windows, most of the systems are using a day-to-day Administrator account, that penetration can have huge consequences on the whole system and maybe the whole network..
This isn't true anymore for Windows versions newer than XP.