LinuxQuestions.org > Slackware > [Security] Windigo malware and SSH client compromised
(http://www.linuxquestions.org/questions/slackware-14/%5Bsecurity%5D-windigo-malware-and-ssh-client-compromised-4175498924/)

Nh3xus 03-20-2014 10:53 PM

[Security] Windigo malware and SSH client compromised
 
Hi folks,

As you may have noticed, 10K Linux servers have been hit by a sophisticated malware aimed at various Linux components like:

Apache
Lighttpd
SSH client

More information can be found here:

http://arstechnica.com/security/2014...-and-exploits/

The infected machines are the Linux servers most of the time.

But since Slackware provides both an SSH daemon and client, it's worth checking if your desktop-oriented box is compromised.

In the same article, a bash command is advised to be run on your Linux machines regardless of the distribution you are using:

Code:

$ ssh -G 2>&1 | grep -e illegal -e unknown > /dev/null && echo "System clean" || echo "System infected"

As you can see, this code tests whether the ssh client has a "-G" argument. This particular argument doesn't exist on a stock OpenSSH client and is added by said malware.

I will run this command tomorrow and give you the result on my laptop box.

Actually, there's no known way to entirely scan a compromised machine. Which leads you straight to the re-install :(

Note : If you have uninstalled the OpenSSH client from Slackware or any other distro that you might use, the command will return "System infected" anyway, but it will be a false positive in this case.

Feel free to post your result here :)
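As an added example (not part of the thread, and not the Ars Technica or ESET command), here is the same "-G" heuristic wrapped so that it reports three outcomes instead of two: "clean", "suspect", and "no ssh client installed", which separates the false positive described in the note above from a real hit. The function names and the sample stderr text are constructed for this example. One caveat the thread predates: OpenSSH 6.8 (released in 2015) added a legitimate "-G" option that prints the effective client configuration, so on any modern OpenSSH this heuristic flags a clean binary as "suspect"; treat it strictly as a 2014-era indicator, and rely on checksum verification against a known-good source for a real answer.

```shell
#!/bin/sh
# Added example, not the thread's own command. Wraps the "ssh -G" heuristic so the
# "ssh not installed" case is reported separately from a genuine positive.
# Caveat: OpenSSH >= 6.8 accepts -G legitimately, so this reports "suspect" on any
# modern, clean client. It is a 2014-era indicator only.

# classify_ssh_output STDERR_TEXT
# Prints "clean" when the client rejected -G (stock 2014 OpenSSH prints
# "illegal option" or "unknown option"), "suspect" when it accepted it silently.
classify_ssh_output() {
    if printf '%s\n' "$1" | grep -q -e 'illegal option' -e 'unknown option'; then
        echo clean
    else
        echo suspect
    fi
}

# run_check: locate the ssh client, run it with -G, and classify the result.
# Exit status: 0 clean, 1 suspect, 2 no ssh client on PATH (not a positive).
run_check() {
    if ! command -v ssh >/dev/null 2>&1; then
        echo "no-ssh-client: nothing to test (do not read this as infected)"
        return 2
    fi
    # ssh exits non-zero either way; "|| true" keeps this safe under "set -e".
    out=$(ssh -G 2>&1 || true)
    verdict=$(classify_ssh_output "$out")
    echo "$verdict"
    [ "$verdict" = clean ]
}

# Constructed sample: the stderr a stock 2014 OpenSSH client prints for "ssh -G"
# (the "illegal option" line is what the heuristic keys on).
SAMPLE_STOCK_2014='ssh: illegal option -- G
usage: ssh [-1246AaCfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]'

# Constructed sample: a client that accepts -G and only prints usage because no
# hostname was given. Both a trojanized 2014 client and a clean OpenSSH >= 6.8
# client look like this, which is why the heuristic needs the caveat above.
SAMPLE_ACCEPTS_G='usage: ssh [-46AaCfGgKkMNnqsTtVvXxYy] [-B bind_interface]'

# Run the live check only when invoked directly as a script.
case "$0" in
    *sh_g_check*) run_check ;;
esac
```

Save it as, for example, ssh_g_check.sh and run it; the exit status (0, 1 or 2) is what a script should act on, while the printed word is for a human reading the terminal.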

jtsn 03-21-2014 04:46 AM

First: Never execute copy & pasted shell commands from the web without understanding them.

Quote:

Originally Posted by Nh3xus (Post 5138467)
Actually, there's no known way to entirely scan a compromised machine. Which leads you straight to the re-install

If you are unsure whether a system is compromised or not, then it is already compromised. So you can go directly to re-installing. You don't need to check if your ssh understands option '-G' by accident.

Security works by establishing an uninterrupted chain of trust from the fresh install to the current state of the machine and depends on your ability to verify it ("known-good"). If you don't have that, then your security is already broken.

Nh3xus 03-22-2014 09:58 AM

Hi,

I'm aware that running unknown commands is a big no-no.

I've not fully grasped the meaning of your "chain of trust".

To me, you meant that you must trust both the administrator and the end users of a Linux machine for keeping it secure.

If I'm somehow wrong with the statement above, can you link me a website or a book that talks about the security of a Unix/Unix-like machine?

In my case, I'm both the admin and the only user of a Linux-based laptop that doesn't run any kind of web services.

Thank you for your answer; it's really helping me to understand the ins and outs of security in IT.

I'm still a student in the IT field. :)

unSpawn 03-22-2014 10:23 AM

Quote:

Originally Posted by jtsn (Post 5138589)
If you are unsure whether a system is compromised or not, then it is already compromised.

If you are unsure about the integrity of a system then verify it. Only two outcomes: a system is either compromised or it isn't.


Quote:

Originally Posted by jtsn (Post 5138589)
So you can go directly to re-installing.

No. Verify the system then investigate.


Quote:

Originally Posted by jtsn (Post 5138589)
You don't need to check, if your ssh understands option '-G' by accident.

Yes you do: you should find the infection vector.
Without knowing how the perp got in you may be exposing the same loophole again and again.

hitest 03-22-2014 10:57 AM

I guess I'm more paranoid than most. I don't run SSH on my boxes. I recently updated to the most recent version of rkhunter, version 1.4.2. I scan for root kits.

metaschima 03-22-2014 07:50 PM

You should run ssh only if you need it. If you don't need it, then don't run it. If you do run it, then keep it up to date and take extra precautions.

jtsn 03-27-2014 04:15 PM

Quote:

Originally Posted by unSpawn (Post 5139290)
If you are unsure about the integrity of a system then verify it. Only two outcomes: a system is either compromised or it isn't.

But you don't ask the malware itself if your OS is compromised. You verify it with a proven method, like using cryptographic checksums and comparing them to the known-good state.

Quote:

Yes you do: you should find the infection vector.
You don't do that by executing 'ssh -G' on the infected installation, but by analysing a post-mortem image after taking down the compromised machine.
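The checksum comparison against a known-good state that jtsn describes, and the "chain of trust" from the earlier reply, as an added example that is not part of the thread (the function names, the demo tree and the file contents are constructed here). It records SHA-256 sums for every file under a directory, re-verifies them later, and also lists files that appeared after the manifest was taken, since a dropped-in binary matches nothing in the manifest and so passes a plain "sha256sum -c". The manifest has to come from a trusted source (a fresh install, the distribution's signed packages) and be kept off the suspect machine, and the comparison should be run from trusted tools such as a live boot, because an implant with root can tamper with sha256sum and the kernel it relies on just as easily as with ssh. This assumes GNU coreutils (sha256sum, comm) on the verifying system.

```shell
#!/bin/sh
# Added example, not from the thread: known-good checksum manifest, built with
# GNU coreutils. Names below are constructed for this example.

# make_manifest DIR MANIFEST_FILE   (MANIFEST_FILE must be an absolute path)
# Record the SHA-256 of every regular file under DIR, paths relative to DIR,
# in a fixed byte order so two manifests of the same tree are byte-identical.
make_manifest() {
    dir=$1; manifest=$2
    (cd "$dir" && find . -type f | LC_ALL=C sort | xargs sha256sum) > "$manifest"
}

# verify_manifest DIR MANIFEST_FILE
# Re-hash DIR against MANIFEST_FILE. Prints only mismatching or missing files;
# returns 0 when every listed file matches, non-zero otherwise.
verify_manifest() {
    dir=$1; manifest=$2
    (cd "$dir" && sha256sum --quiet -c "$manifest")
}

# unlisted_files DIR MANIFEST_FILE
# Print files present under DIR that the manifest does not cover. A trojanized
# replacement of an existing binary is caught by verify_manifest; a newly added
# binary or library is caught only here.
unlisted_files() {
    dir=$1; manifest=$2
    listed=$(mktemp)
    # sha256sum lines are "<hash>  ./path"; field 2 is the path.
    awk '{ print $2 }' "$manifest" | LC_ALL=C sort > "$listed"
    (cd "$dir" && find . -type f | LC_ALL=C sort) | comm -23 - "$listed"
    rm -f "$listed"
}

# demo: constructed "known-good" tree, then a simulated replaced binary and a
# simulated dropped-in file, showing which check catches which.
demo() {
    base=$(mktemp -d)
    mkdir -p "$base/usr/bin"
    printf 'stock ssh client\n' > "$base/usr/bin/ssh"
    printf 'stock ssh-add\n'    > "$base/usr/bin/ssh-add"
    make_manifest "$base" "$base.manifest"
    verify_manifest "$base" "$base.manifest" && echo "baseline verifies"

    printf 'replaced ssh client\n' > "$base/usr/bin/ssh"    # simulated tampering
    printf 'dropped-in file\n'     > "$base/usr/bin/extra"  # simulated new file
    verify_manifest "$base" "$base.manifest" || echo "mismatch detected (see above)"
    echo "files not covered by the manifest:"
    unlisted_files "$base" "$base.manifest"

    rm -rf "$base" "$base.manifest"
}

demo
```

In practice the manifest is taken right after installation (or generated from the distribution's own package checksums), signed or stored on read-only media, and the verify step is run from a boot environment you trust rather than from the installation under suspicion.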

Lufbery 03-27-2014 05:28 PM

Okay, so I just downloaded and reinstalled the openssh Slackware package for Slackware 14.0 and it still shows up as infected.

Does that mean that the Slackware packages are compromised or is something else going on?

55020 03-27-2014 06:46 PM

Quote:

Originally Posted by Lufbery (Post 5142494)
Okay, so I just downloaded and reinstalled the openssh Slackware package for Slackware 14.0 and it still shows up as infected. Does that mean that the Slackware packages are compromised or is something else going on?

Well, it might be a false positive. What are you doing to check? The original paper is here, work your way through Appendix 1 section A1.1.

Cleanup is described in Appendix 2. Unfortunately much more is entailed than just reinstalling openssh. To quote the paper:

Quote:

In order to install Linux/Ebury on a system, the malware operators need root access. With this level of access, anything is possible. This is why we advise anyone infected to completely wipe their servers and rebuild them from scratch using a verified source. That's the only way to make sure to get rid of this threat.

It's not just openssh that would need to be reinstalled: it's also keyutils, httpd, bind, and possibly more.

But the next bit is *much* more important:

Quote:

Most importantly, assume that administrator and user credentials have been compromised. Because of this, we advise anyone infected to reset all user and administrator credentials from known clean machines and put a measure in place to prevent users from resetting their passwords to their original ones.

It is important to realize that Linux/Ebury stole the credentials of all login attempts made on an infected server (successful or not). Additionally, it also steals credentials of connections originating from that server, through a trojanized ssh binary, meaning that anyone using the server as an SSH relay will also have the credentials to other servers stolen. Furthermore, ssh and ssh-add will steal passphrases that unlock SSH keys and will save in memory the unencrypted SSH keys so they can be retrieved later by the malware operators. This credential stealing infrastructure is very comprehensive and this is why we advise that infected organizations should take this very seriously and reconsider their server authentication mechanisms.

So they would have your passwords and keys, and can just reach in and re-pwn you if you haven't changed them :(

I really hope for your sake it's some sort of false positive :(

unSpawn 03-27-2014 07:42 PM

Quote:

Originally Posted by jtsn (Post 5142467)
But you don't ask the malware itself, if your OS compromised. You verify it with a proven method, like using cryptographic checksums and compare them to the known-good state.

Thanks, I'll mark that as informative. But it's what I have advocated always. *And do feel free to lecture me but please not on the basics: I've been performing incident response here a wee bit longer than you :-]


Quote:

Originally Posted by jtsn (Post 5142467)
You don't do that by executing 'ssh -G' on the infected installation, but by analysing a post-mortem image after taking down the compromised machine.

While I personally avoid disturbing a (presumed) compromised system it seems some advocate different standards... That said anyone who has done forensics in the field knows you don't always have the luxury of a cold copy of a corpse to work on. In that case the strategy may change and well include executing suchlike commands on a Live system.

ReaperX7 03-27-2014 08:21 PM

RKhunter, chkrootkit, and clamav are all available for Linux servers and clients, and should have the proper definitions to combat such malware. Plus you should also be running as a User and not root to prevent certain malware from executing. You can always also simply uninstall the OpenSSH package and re-install it also if it becomes infected and clear the system temp files and other cache.

Lufbery 03-27-2014 08:50 PM

Quote:

Originally Posted by 55020 (Post 5142517)
Well, it might be a false positive. What are you doing to check? The original paper is here, work your way through Appendix 1 section A1.1.

It looks like a false positive. Simply typing ssh -G gives this:

Code:

ssh: illegal option -- G
usage: ssh [-1246AaCfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]
          [-D [bind_address:]port] [-e escape_char] [-F configfile]
          [-I pkcs11] [-i identity_file]
          [-L [bind_address:]port:host:hostport]
          [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port]
          [-R [bind_address:]port:host:hostport] [-S ctl_path]
          [-W host:port] [-w local_tun[:remote_tun]]
          [user@]hostname [command]

For some reason, the command with the grep doesn't work for me.
