LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 11-17-2013, 08:27 AM   #1
normanlinux
Member
 
Registered: Apr 2013
Location: S.E. England
Distribution: Arch
Posts: 161

Linux backdoor problem reported by Symantec


This thread on the LinkedIn Forums references an article from Symantec on a Linux backdoor exploit.

http://www.symantec.com/connect/blog...ion-protocol#!

Last edited by unSpawn; 11-17-2013 at 08:55 AM. Reason: //Corrected link to point to web log directly.
 
Old 11-17-2013, 11:14 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,394
Blog Entries: 55

Thanks for sharing. Apart from thoughts about the time line (the breach apparently happened in May of this year, so even if it was the end of May it still took Symantec about twenty days to share this info publicly in June, and what's the use of web logging about it five months afterwards in November?..) and the web log post itself (it perfectly "protects" Symantec's assets by sharing absolutely nothing, not even a hash or shared library name), this shared library injection would still require an infection vector (the linked write-up says "The Trojan may be installed by another threat."), meaning investing in prevention (hardening and auditing) should still pay off.
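One concrete way to audit a running sshd for the kind of shared-library injection unSpawn refers to, as an added example that is not part of this post or of Symantec's write-up (Python; the /proc/<pid>/maps sample, the TRUSTED_PREFIXES list and the function names are this example's own assumptions, and the file name in the sample is constructed, not an indicator from the report). The idea is simply that sshd has no business executing code from an anonymous region, from a file that has been unlinked, or from outside the package-managed library paths:

```python
"""Audit the executable mappings of an sshd process for injected code.

Added example, not from the LQ thread or from Symantec. Reads the text of
/proc/<pid>/maps and flags executable regions a stock sshd should not have.
"""
import re
from typing import Dict, Iterator, List

# One /proc/<pid>/maps line: address range, perms, offset, dev, inode, optional path.
_MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+"
    r"(?P<perms>[rwxsp-]{4})\s+(?P<offset>[0-9a-f]+)\s+"
    r"(?P<dev>[0-9a-f]+:[0-9a-f]+)\s+(?P<inode>\d+)\s*(?P<path>.*)$"
)

# Assumption: where a package-managed sshd loads code from. Adjust per distro
# (/usr/lib64 on Fedora, /lib/x86_64-linux-gnu on Debian are both covered).
TRUSTED_PREFIXES = ("/usr/sbin/", "/usr/lib/", "/usr/lib64/", "/lib/", "/lib64/", "/usr/libexec/")


def parse_maps(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per parseable maps line."""
    for line in text.splitlines():
        m = _MAPS_LINE.match(line.strip())
        if m:
            yield m.groupdict()


def suspicious_exec_mappings(maps_text: str, trusted_prefixes=TRUSTED_PREFIXES) -> List[Dict[str, object]]:
    """Return the executable mappings that look injected, with the reasons."""
    findings = []
    for m in parse_maps(maps_text):
        if "x" not in m["perms"]:
            continue  # only executable regions matter for code injection
        path = m["path"].strip()
        reasons = []
        if int(m["inode"]) == 0 and not path.startswith("["):
            # No backing file and not a kernel region such as [vdso]/[vsyscall]:
            # sshd does not JIT, so anonymous executable memory is injected code.
            reasons.append("anonymous executable mapping")
        if path.endswith(" (deleted)"):
            reasons.append("executable file was unlinked after being mapped")
        if "w" in m["perms"]:
            reasons.append("writable and executable (W^X violated)")
        if path and not path.startswith("[") and not path.startswith(trusted_prefixes):
            reasons.append("executable code outside trusted library paths")
        if reasons:
            findings.append({"range": f'{m["start"]}-{m["end"]}', "path": path, "reasons": reasons})
    return findings


def audit_pid(pid: int) -> List[Dict[str, object]]:
    """Audit a live process (needs root or the same uid as the target)."""
    with open(f"/proc/{pid}/maps") as f:
        return suspicious_exec_mappings(f.read())


# Constructed sample maps output: a clean sshd plus two injected regions.
SAMPLE_MAPS = """\
55d0c2a00000-55d0c2b00000 r-xp 00000000 fd:01 131077  /usr/sbin/sshd
7f2a1c000000-7f2a1c1c0000 r-xp 00000000 fd:01 262250  /usr/lib/x86_64-linux-gnu/libc.so.6
7f2a1c1c0000-7f2a1c3a0000 r--p 001c0000 fd:01 262250  /usr/lib/x86_64-linux-gnu/libc.so.6
7f2a1c400000-7f2a1c420000 r-xp 00000000 fd:01 262301  /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
7f2a1c600000-7f2a1c603000 r-xp 00000000 fd:01 917512  /dev/shm/.x/libhook.so (deleted)
7f2a1c700000-7f2a1c710000 rwxp 00000000 00:00 0
7ffd3c9e0000-7ffd3c9e2000 r-xp 00000000 00:00 0       [vdso]
ffffffffff600000-ffffffffff601000 --xp 00000000 00:00 0  [vsyscall]
"""

if __name__ == "__main__":
    for finding in suspicious_exec_mappings(SAMPLE_MAPS):
        print(finding)
```

Run it against a real daemon with `audit_pid(<sshd pid>)`; a clean box returns an empty list. Cross-check anything it flags against `ldd /usr/sbin/sshd` and your package manager's file ownership before acting on it, since a locally built library in a non-standard prefix will also trip the path check.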
 
Old 11-18-2013, 04:13 AM   #3
NM04
Member
 
Registered: Jan 2011
Distribution: Back Track,Fedora,centos
Posts: 240

I don't think it can be done without the help of someone from the inside. Anyone can't just pipe in to the SSH, and when it's written over there that THEY analysed the protected environment over there, why didn't the IDS or firewall detect anything, how is it possible? I mean how can someone gain root access (in a protected network) and then modify the SSH library. Apart from this, there is not much evidence that explains it perfectly.
 
Old 11-18-2013, 04:18 AM   #4
normanlinux
Member
 
Registered: Apr 2013
Location: S.E. England
Distribution: Arch
Posts: 161

Original Poster
I posted the link here precisely to illuminate the scaremongering of Symantec. Remember, Linux is a threat to their business model - and this is a major reason why retailers don't want to sell computers pre-configured with Linux. They make little profit on the hardware, most of it comes from the add-ons needed for Windows - none of which are needed by us.
 
Old 11-18-2013, 04:33 AM   #5
NM04
Member
 
Registered: Jan 2011
Distribution: Back Track,Fedora,centos
Posts: 240


Quote:
Originally Posted by normanlinux
I posted the link here precisely to illuminate the scaremongering of Symantec. Remember, Linux is a threat to their business model - and this is a major reason why retailers don't want to sell computers pre-configured with Linux. They make little profit on the hardware, most of it comes from the add-ons needed for Windows - none of which are needed by us.
I think my previous post, in a way, justifies what you have said.

Regards,
nm
 
Old 11-19-2013, 10:53 AM   #6
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 9,078
Blog Entries: 4

Well, as they describe the exploit, attackers modified sshd to accept a particular escape-sequence.

Personally, I doubt this story. And, if it is true, it strongly implies to me "an inside job."

Sure, Symantec made its fortune by selling tools to (deliberately) non-secured Windows computers which tell you ex post facto "well, somebody just stole your horse ... again." But they do provide a fairly easy go-to summary of known exploits (which they simply reap from other sources and then claim credit for). And, if they at least raise awareness of these issues, I guess they do some good to somebody.
 
Old 11-20-2013, 05:28 AM   #7
normanlinux
Member
 
Registered: Apr 2013
Location: S.E. England
Distribution: Arch
Posts: 161

Original Poster
"And, if they at least raise awareness of these issues, I guess they do some good to somebody."

Well and good, but what, exactly, is the issue that they are raising here? They don't say, because they are scaremongering - that being their stock-in-trade.
 
Old 12-03-2013, 03:12 PM   #8
drmjh
Member
 
Registered: Mar 2005
Location: North Carolina, USA
Distribution: Ubuntu
Posts: 308

SSH attack

I just read this article describing a new SSH attack.
Matthew

Nov 18, 2013
Joe Casad

Innovative back door looks like normal SSH traffic.

Security experts have announced the discovery of a Linux back door attack that they have pronounced "more sophisticated than we have seen in the past." This attack apparently breached a large hosting provider, providing access to usernames, passwords, email, financial records, and other personal information. Although some of this information was encrypted, investigators could not rule out the possible theft of encryption keys.
The attack was unique in its ability to conceal its own communication within SSH. According to the report, "...the back door did not open a network socket or attempt to connect to a command-and-control server. Rather, the back door code was injected into the SSH process to monitor network traffic and look for the following sequence: colon, exclamation mark, semi-colon, period (:!;.)
The back door watches for this pattern and parses any traffic after the traffic is received. Hidden commands are encrypted using Blowfish and Base64 encoding.
According to the report, once the code is activated, the attacker can submit any command using the following syntax:
exec sh -c '[ATTACKER_COMMAND]'>/dev/null 2>/dev/null
The backdoor also supports several pre-configured commands and lets the attacker extract SSH connection data from the system. To detect the attack, search the traffic for presence of the initiation string (:!;.). The report at the Symantec site also describes a way to detect the attack through an SSHD process dump.
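The trigger-string search the quoted report recommends, as an added example that is not part of this post or of the Symantec write-up (Python; the sample dump, the scan_bytes/scan_file names and the whole-block heuristic are this example's own assumptions). One caveat the article glosses over: SSH traffic is encrypted on the wire, so a plain packet capture will not show ":!;."; the string is only visible where the injected code itself saw it, in sshd-side plaintext such as a core dump or a /proc/<pid>/mem dump of the sshd process, which is what the second detection method in the report amounts to:

```python
"""Look for the ':!;.' trigger sequence in sshd-side plaintext.

Added example, not from the LQ thread or the Symantec write-up. Feed it a
memory dump of sshd (or any plaintext captured at the endpoints); for each
trigger it reports the Base64 run that follows and whether that run decodes
to something the size a Blowfish ciphertext would be.
"""
import base64
import binascii
import re
from typing import Dict, List, Optional

TRIGGER = b":!;."  # colon, exclamation mark, semicolon, period

# Per the quoted report, what follows the trigger is Blowfish-encrypted and then
# Base64-encoded. The key is not public, so only the Base64 layer is peeled here.
_B64_RUN = re.compile(rb"[A-Za-z0-9+/]{8,}={0,2}")
BLOWFISH_BLOCK = 8  # Blowfish is a 64-bit block cipher


def scan_bytes(data: bytes) -> List[Dict[str, object]]:
    """Return one record per trigger occurrence found in data."""
    hits = []
    pos = 0
    while True:
        i = data.find(TRIGGER, pos)
        if i < 0:
            break
        after = data[i + len(TRIGGER):]
        m = _B64_RUN.match(after)
        b64: Optional[str] = m.group(0).decode("ascii") if m else None
        clen: Optional[int] = None
        if b64 is not None:
            try:
                clen = len(base64.b64decode(b64, validate=True))
            except (binascii.Error, ValueError):
                clen = None  # looked like Base64 but does not decode cleanly
        hits.append({
            "offset": i,
            "base64": b64,
            "ciphertext_len": clen,
            # Heuristic (assumption, not from the report): a real Blowfish blob
            # decodes to a whole number of 8-byte blocks.
            "plausible": clen is not None and clen % BLOWFISH_BLOCK == 0,
        })
        pos = i + len(TRIGGER)
    return hits


def scan_file(path: str) -> List[Dict[str, object]]:
    """Scan a dump on disk, e.g. a core file of sshd or a gcore output."""
    with open(path, "rb") as f:
        return scan_bytes(f.read())


# Constructed sample: an imaginary fragment of an sshd memory dump with one
# trigger followed by a 16-byte Base64 blob, and one incidental ':!;.' that is
# not followed by anything Base64-like (a false positive the heuristic rejects).
SAMPLE_DUMP = (
    b"OpenSSH_6.4p1\x00debug1: userauth-request for user root\x00"
    + TRIGGER + base64.b64encode(bytes(range(16))) + b"\n"
    + b"log line with :!;.bar inside\x00"
)

if __name__ == "__main__":
    for hit in scan_bytes(SAMPLE_DUMP):
        print(hit)
```

A bare occurrence of the four characters proves little on its own (they can appear in ordinary text), which is why the record carries the Base64 run and the block-size check; a trigger followed by a well-formed Base64 blob inside sshd's memory is the combination worth escalating.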
 
Old 12-03-2013, 05:34 PM   #9
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,394
Blog Entries: 55

Quote:
Originally Posted by drmjh
I just read this article
I've merged yours with the current thread on the same topic.
 
  



Tags
backdoor, ssh

