Linux - Security
There is a new blog post by Brian Krebs about how ransomware is now targeting Linux servers, and he refers to a case of a site that was attacked via a Magento vulnerability:
Quote:
This latest criminal innovation, innocuously dubbed “Linux.Encoder.1” by Russian antivirus and security firm Dr.Web, targets sites powered by the Linux operating system. The file currently has almost zero detection when scrutinized by antivirus products at Google’s Virustotal.com, a free tool for scanning suspicious files against dozens of popular antivirus products.
Typically, the malware is injected into Web sites via known vulnerabilities in site plugins or third-party software, such as shopping cart programs. Once on a host machine, the malware will encrypt all of the files in the “home” directories on the system, as well as backup directories and most of the system folders typically associated with Web site files, images, pages, code libraries and scripts.
I get the feeling that Krebs doesn't know much about Linux, as in when he refers to the malware needing "administrator" access to the OS to work. Aside from terminology, who runs Apache as root anyway? I would be interested in hearing from others here who have more Linux-specific experience with security on the issues related to malware that targets Linux OS.
Quote:
It’s worth noting that the malware requires the compromised user account on the Linux system to be an administrator; operating Web servers and Web services as administrator is generally considered poor security form, and threats like this one just reinforce why.
Worth noting? I'd say so. It's the theme of every Linux "exploit".
This reminds me of users who "fix linux problems" by chmod -R 777 everything or run everything as root.
As for backing up, there shouldn't be "getting behind". They should always be automatic.
Quote:
However, not everything worked the way it should have.
You can say that again. The person in this example paid for the decryption, reinforcing more of this in the future.
Quote:
We realized that, rather than generating secure random keys and IVs, the sample would derive these two pieces of information from the libc rand() function seeded with the current system timestamp at the moment of encryption. This information can be easily retrieved by looking at the file’s timestamp. This is a huge design flaw that allows retrieval of the AES key without having to decrypt it with the RSA public key sold by the Trojan’s operator(s).
Classic. Well, this is not the first time crypto ransomware designers have done this. Clearly and luckily, most of them are amateurs.
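An added illustration of the design flaw quoted above, written for this thread and not taken from the post, from Dr.Web or from the analysts who dissected the sample: a "key" that is just libc rand() output after srand(timestamp) can be regenerated by anyone who can narrow the timestamp down to a window (a file's mtime does exactly that), whereas bytes from the kernel CSPRNG cannot. The derivation below is a simplified stand-in (the real sample's is not on the page), and derive_key_weak, recover_seed and derive_key_proper are names chosen here.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define KEY_LEN 16

/* Weak derivation: the key is whatever rand() emits after seeding with a
 * timestamp, so the seed alone determines the key. Stand-in for the flaw
 * described in the thread, not the sample's actual code. */
void derive_key_weak(unsigned int seed, unsigned char *key) {
    srand(seed);
    for (int i = 0; i < KEY_LEN; i++)
        key[i] = (unsigned char)(rand() & 0xff);
}

/* Given a weak key and a plausible seed window (e.g. the encrypted file's
 * mtime plus/minus a margin), regenerate candidates until one matches.
 * Returns 1 and stores the seed in *found, or 0 if no seed in the window
 * reproduces the key. Handles hi == UINT_MAX without wrapping. */
int recover_seed(const unsigned char *key, unsigned int lo, unsigned int hi,
                 unsigned int *found) {
    unsigned char cand[KEY_LEN];
    for (unsigned int s = lo; ; s++) {
        derive_key_weak(s, cand);
        if (memcmp(cand, key, KEY_LEN) == 0) { *found = s; return 1; }
        if (s == hi) break;
    }
    return 0;
}

/* Proper alternative: key bytes straight from the kernel CSPRNG. There is
 * no seed to recover, so a file timestamp tells an attacker nothing.
 * Returns 1 on success, 0 if /dev/urandom could not be read. */
int derive_key_proper(unsigned char *key) {
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f) return 0;
    size_t n = fread(key, 1, KEY_LEN, f);
    fclose(f);
    return n == KEY_LEN;
}

int main(void) {
    unsigned char key[KEY_LEN];
    unsigned int mtime = 1446940800u; /* constructed "file mtime" */
    derive_key_weak(mtime, key);
    unsigned int seed;
    /* Search one hour either side of the timestamp, 7201 candidates. */
    if (recover_seed(key, mtime - 3600, mtime + 3600, &seed))
        printf("weak key regenerated from seed %u\n", seed);
    return 0;
}
```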