LinuxQuestions.org
Visit the LQ Articles and Editorials section
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Slackware
User Name
Password
Slackware This Forum is for the discussion of Slackware Linux.

Notices

Reply
 
Search this Thread
Old 03-20-2014, 10:53 PM   #1
Nh3xus
Member
 
Registered: Jan 2013
Location: France
Distribution: Slackware 14.1 32 bits
Posts: 129

Rep: Reputation: 33
[Security] Windigo malware and SSH client compromised


Hi folks,

As you may have noticed, 10K Linux servers has been hit by a sophisticated malware aimed at various Linux components like :

Apache
Lighttpd
SSH client

More informations can be found here :

http://arstechnica.com/security/2014...-and-exploits/

The infected marchines are the Linux servers most of the time.

But since Slackware provides both an SSH daemon and client, it's worth checking if your desktop-oriented box is compromised.

On the same article, a bash command is advised to be ran on your Linux machines regardless of the distribution you are using :

Code:
 $ ssh -G 2>&1 | grep -e illegal -e unknown > /dev/null && echo "System clean" || echo "System infected"
As you can see, this code, test whether the ssh client has a "-G" argument. This particular argument doesn't exist on a stock OpenSSH client and is added by the said malware.

I will run this command tommorow and give you the result on my laptop box.

Actually, there's no known way to entirely scan a compromised machine. Which leads you straight to the re-install

Note : If you have uninstalled the OpenSSH client from Slackware or any other distro that you might use, the command will return "System infected" anyway, but it will be a false positive in this case.

Feel free to post your result here
 
Old 03-21-2014, 04:46 AM   #2
jtsn
Member
 
Registered: Sep 2011
Location: Europe
Distribution: Slackware
Posts: 800

Rep: Reputation: 354Reputation: 354Reputation: 354Reputation: 354
First: Never execute copy & pasted shell commands from the web without understanding them.

Quote:
Originally Posted by Nh3xus View Post
Actually, there's no known way to entirely scan a compromised machine. Which leads you straight to the re-install
If you are unsure whether a system is compromised or not, then it is already compromised. So you can go directly to re-installing. You don't need to check, if your ssh understands option '-G' by accident.

Security works by establishing an uninterrupted chain of trust from the fresh install to the current state of machine and depends on your ability to verify it ("known-good"). If you don't have that, then your security is already broken.
 
1 members found this post helpful.
Old 03-22-2014, 09:58 AM   #3
Nh3xus
Member
 
Registered: Jan 2013
Location: France
Distribution: Slackware 14.1 32 bits
Posts: 129

Original Poster
Rep: Reputation: 33
Hi,

I'm aware that running unknown commands is a big no-no.

I've not fully grasped the meaning of your "chain of trust".

To me, you meant that you must trust both the administrator and the end users of a Linux machine for keeping it secure.

If I'm somehow wrong with the statement above, can you link me a website or a book that talk about security of a Unix/Unix-like machine ?

In my case, I'm both the admin and the only user of a Linux based laptop that don't run any kind of web services.

Thanks you for your answer, it's really helping me to undestand the ins and outs of the security in IT.

I'm still a student in the IT field.
 
Old 03-22-2014, 10:23 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,984
Blog Entries: 54

Rep: Reputation: 2742Reputation: 2742Reputation: 2742Reputation: 2742Reputation: 2742Reputation: 2742Reputation: 2742Reputation: 2742Reputation: 2742Reputation: 2742Reputation: 2742
Quote:
Originally Posted by jtsn View Post
If you are unsure whether a system is compromised or not, then it is already compromised.
If you are unsure about the integrity of a system then verify it. Only two outcomes: a system is either compromised or it isn't.


Quote:
Originally Posted by jtsn View Post
So you can go directly to re-installing.
No. Verify the system then investigate.


Quote:
Originally Posted by jtsn View Post
You don't need to check, if your ssh understands option '-G' by accident.
Yes you do: you should find the infection vector.
Without knowing how the perp got in you may be exposing the same loophole again and again.
 
5 members found this post helpful.
Old 03-22-2014, 10:57 AM   #5
hitest
Senior Member
 
Registered: Mar 2004
Location: Prince Rupert, B.C., Canada
Distribution: Slackware, OpenBSD
Posts: 4,138

Rep: Reputation: 523Reputation: 523Reputation: 523Reputation: 523Reputation: 523Reputation: 523
I guess I'm more paranoid than most. I don't run SSH on my boxes. I recently updated to the most recent version of rkhunter, version 1.4.2. I scan for root kits.
 
Old 03-22-2014, 07:50 PM   #6
metaschima
Member
 
Registered: Dec 2013
Distribution: Slackware
Posts: 955

Rep: Reputation: Disabled
You should run ssh only if you need it. If you don't need it, then don't run it. If you do run it, then keep it up to date and take extra precautions.
 
Old 03-27-2014, 04:15 PM   #7
jtsn
Member
 
Registered: Sep 2011
Location: Europe
Distribution: Slackware
Posts: 800

Rep: Reputation: 354Reputation: 354Reputation: 354Reputation: 354
Quote:
Originally Posted by unSpawn View Post
If you are unsure about the integrity of a system then verify it. Only two outcomes: a system is either compromised or it isn't.
But you don't ask the malware itself, if your OS compromised. You verify it with a proven method, like using cryptographic checksums and compare them to the known-good state.

Quote:
Yes you do: you should find the infection vector.
You don't do that by executing 'ssh -G' on the infected installation, but by analysing a post-mortem image after taking down the compromised machine.
 
Old 03-27-2014, 05:28 PM   #8
Lufbery
Senior Member
 
Registered: Aug 2006
Location: Harrisburg, PA
Distribution: Slackware 64 14.0
Posts: 1,142
Blog Entries: 29

Rep: Reputation: 119Reputation: 119
Okay, so I just downloaded and reinstalled the openssh Slackware package for Slackware 14.0 and it still shows up as infected.

Does that mean that the Slackware packages are compromised or is something else going on?
 
Old 03-27-2014, 06:46 PM   #9
55020
Member
 
Registered: Sep 2009
Location: Yorks. W.R. 167397
Distribution: Slackware
Posts: 311
Blog Entries: 4

Rep: Reputation: 295Reputation: 295Reputation: 295
Quote:
Originally Posted by Lufbery View Post
Okay, so I just downloaded and reinstalled the openssh Slackware package for Slackware 14.0 and it still shows up as infected. Does that mean that the Slackware packages are compromised or is something else going on?
Well, it might be a false positive. What are you doing to check? The original paper is here, work your way through Appendix 1 section A1.1.

Cleanup is described in Appendix 2. Unfortunately much more is entailed than just reinstalling openssh. To quote the paper:

Quote:
In order to install Linux/Ebury on a system, the malware operators need root access. With this level of access, anything is possible. This is why we advise anyone infected to completely wipe their servers and rebuild them from scratch using a verified source. Thatís the only way to make sure to get rid of this threat.
It's not just openssh that would need to be reinstalled: it's also keyutils, httpd, bind, and possibly more.

But the next bit is *much* more important:

Quote:
Most importantly, assume that administrator and user credentials have been compromised. Because of this, we advise anyone infected to reset all user and administrator credentials from known clean machines and put a measure in place to prevent users from resetting their passwords to their original ones.

It is important to realize that Linux/Ebury stole the credentials of all login attempts made on an infected server (successful or not). Additionally, it also steals credentials of connections originating from that server, through a trojanized ssh binary, meaning that anyone using the server as an SSH relay will also have the credentials to other servers stolen. Furthermore, ssh and ssh-add will steal passphrases that unlock SSH keys and will save in memory the unencrypted SSH keys so they can be retrieved later by the malware operators. This credential stealing infrastructure is very comprehensive and this is why we advise that infected organizations should take this very seriously and reconsider their server authentication mechanisms."
So they would have your passwords and keys, and can just reach in and re-pwn you if you haven't changed them

I really hope for your sake it's some sort of false positive
 
Old 03-27-2014, 07:42 PM   #10
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,984
Blog Entries: 54

Rep: Reputation: 2742Reputation: 2742Reputation: 2742Reputation: 2742Reputation: 2742Reputation: 2742Reputation: 2742Reputation: 2742Reputation: 2742Reputation: 2742Reputation: 2742
Quote:
Originally Posted by jtsn View Post
But you don't ask the malware itself, if your OS compromised. You verify it with a proven method, like using cryptographic checksums and compare them to the known-good state.
Thanks, I'll mark that as informative. But it's what I have advocated always. *And do feel free to lecture me but please not on the basics: I've been performing incident response here a wee bit longer than you :-]


Quote:
Originally Posted by jtsn View Post
You don't do that by executing 'ssh -G' on the infected installation, but by analysing a post-mortem image after taking down the compromised machine.
While I personally avoid disturbing a (presumed) compromised system it seems some advocate different standards... That said anyone who has done forensics in the field knows you don't always have the luxury of a cold copy of a corpse to work on. In that case the strategy may change and well include executing suchlike commands on a Live system.
 
Old 03-27-2014, 08:21 PM   #11
ReaperX7
Senior Member
 
Registered: Jul 2011
Distribution: LFS-SVN, Slackware-14.1, PCBSD-10.0
Posts: 2,849
Blog Entries: 15

Rep: Reputation: 742Reputation: 742Reputation: 742Reputation: 742Reputation: 742Reputation: 742Reputation: 742
RKhunter, chkrootkit, and clamav are all available for Linux servers and clients, and should have the proper definitions to combat such malware. Plus you should also be runnign as a User and not root to prevent certain malware from executing. You can always also simply uninstall the OpenSSH package and re-install it also if it becomes infected and clear the system temp files and other cache.
 
Old 03-27-2014, 08:50 PM   #12
Lufbery
Senior Member
 
Registered: Aug 2006
Location: Harrisburg, PA
Distribution: Slackware 64 14.0
Posts: 1,142
Blog Entries: 29

Rep: Reputation: 119Reputation: 119
Quote:
Originally Posted by 55020 View Post
Well, it might be a false positive. What are you doing to check? The original paper is here, work your way through Appendix 1 section A1.1.
It looks like a false positive. Simply typing ssh -G gives this:

Code:
ssh: illegal option -- G
usage: ssh [-1246AaCfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]
           [-D [bind_address:]port] [-e escape_char] [-F configfile]
           [-I pkcs11] [-i identity_file]
           [-L [bind_address:]port:host:hostport]
           [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port]
           [-R [bind_address:]port:host:hostport] [-S ctl_path]
           [-W host:port] [-w local_tun[:remote_tun]]
           [user@]hostname [command]
For some reason, the command with the grep doesn't work for me.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
HOWTO : Disable Reverse Name Resolution Security Procedure at SSH Client End harmandeep Linux - Server 2 10-06-2011 04:28 PM
Gmail and winnow.compromised.ts.jsexploit.5.UNOFFICIAL malware lahqash Linux - Security 9 05-13-2010 05:45 AM
Security of ~/.ssh ?? for client end ? michael_util Linux - Security 1 02-09-2005 08:40 PM
Ssh Compromised!!???help!!! Savedadogs Linux - Security 12 02-10-2004 12:48 AM


All times are GMT -5. The time now is 04:29 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration