[Security] Windigo malware and SSH client compromised
Slackware forum, LinuxQuestions.org: This Forum is for the discussion of Slackware Linux.
First: Never execute copy & pasted shell commands from the web without understanding them.
Originally Posted by Nh3xus
Actually, there's no known way to entirely scan a compromised machine, which leads you straight to the re-install.
If you are unsure whether a system is compromised or not, then it is already compromised. So you can go directly to re-installing. You don't need to check whether your ssh understands the option '-G' by accident.
Security works by establishing an uninterrupted chain of trust from the fresh install to the current state of the machine, and depends on your ability to verify it ("known-good"). If you don't have that, then your security is already broken.
Okay, so I just downloaded and reinstalled the openssh Slackware package for Slackware 14.0 and it still shows up as infected. Does that mean that the Slackware packages are compromised or is something else going on?
Well, it might be a false positive. What are you doing to check? The original paper is here, work your way through Appendix 1 section A1.1.
Cleanup is described in Appendix 2. Unfortunately much more is entailed than just reinstalling openssh. To quote the paper:
In order to install Linux/Ebury on a system, the malware operators need root access. With this level of access, anything is possible. This is why we advise anyone infected to completely wipe their servers and rebuild them from scratch using a verified source. That's the only way to make sure to get rid of this threat.
It's not just openssh that would need to be reinstalled: it's also keyutils, httpd, bind, and possibly more.
But the next bit is *much* more important:
Most importantly, assume that administrator and user credentials have been compromised. Because of this, we advise anyone infected to reset all user and administrator credentials from known clean machines and put a measure in place to prevent users from resetting their passwords to their original ones.
It is important to realize that Linux/Ebury stole the credentials of all login attempts made on an infected server (successful or not). Additionally, it also steals credentials of connections originating from that server, through a trojanized ssh binary, meaning that anyone using the server as an SSH relay will also have the credentials to other servers stolen. Furthermore, ssh and ssh-add will steal passphrases that unlock SSH keys and will save in memory the unencrypted SSH keys so they can be retrieved later by the malware operators. This credential stealing infrastructure is very comprehensive and this is why we advise that infected organizations should take this very seriously and reconsider their server authentication mechanisms.
So they would have your passwords and keys, and can just reach in and re-pwn you if you haven't changed them.
I really hope for your sake it's some sort of false positive.
But you don't ask the malware itself whether your OS is compromised. You verify it with a proven method, like using cryptographic checksums and comparing them to the known-good state.
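The two posts above (the "chain of trust from the fresh install" point and the "cryptographic checksums against the known-good state" point) describe the same technique. The script below is an added example, not code from the thread or from Slackware: it builds a SHA-256 manifest from a known-good tree, writes it in `sha256sum -c` compatible form, and reports which files in a suspect tree are modified, missing or unexpected. The directory layout and file contents are constructed for the demo; in real use the manifest must come from trusted install media or a clean machine, and the suspect tree should be a mounted image or a copy rather than the live host, for exactly the reason the thread gives.

```python
"""Verify a suspect file tree against a known-good SHA-256 manifest.

Added example (not from the LQ thread). The manifest must be produced from a
trusted source; it is never trustworthy when generated on the suspect host.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map relative path -> SHA-256 for every regular file under root."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            manifest[str(p.relative_to(root))] = sha256_of(p)
    return manifest


def write_manifest(manifest: dict[str, str], out: Path) -> None:
    """Write "<hash>  <path>" lines, the format `sha256sum -c` accepts."""
    out.write_text("".join(f"{h}  {p}\n" for p, h in sorted(manifest.items())))


def read_manifest(path: Path) -> dict[str, str]:
    """Parse "<hash>  <path>" lines back into a dict."""
    manifest = {}
    for line in path.read_text().splitlines():
        if line.strip():
            digest, name = line.split(None, 1)
            manifest[name.strip()] = digest
    return manifest


def verify_tree(root: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare a suspect tree to the known-good manifest.

    'modified': hash differs; 'missing': in manifest but not on disk;
    'unexpected': on disk but not in manifest. Any non-empty list means the
    chain of trust is broken and the host should be treated as compromised.
    """
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "unexpected": sorted(k for k in current if k not in manifest),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: a clean tree and a suspect copy in which one
    binary has been altered and one file dropped in, mirroring the thread's
    trojanized-ssh case. All contents are placeholders, not real binaries."""
    with tempfile.TemporaryDirectory() as tmp:
        clean = Path(tmp) / "clean"
        suspect = Path(tmp) / "suspect"
        for base in (clean, suspect):
            (base / "usr/bin").mkdir(parents=True)
            (base / "usr/bin/ssh").write_bytes(b"ssh binary (constructed sample)")
            (base / "usr/bin/ssh-add").write_bytes(b"ssh-add binary (constructed sample)")
        # Tamper with the suspect copy only.
        (suspect / "usr/bin/ssh").write_bytes(b"ssh binary (constructed sample) + patched")
        (suspect / "usr/lib").mkdir()
        (suspect / "usr/lib/libunexpected.so").write_bytes(b"dropped file (constructed)")

        manifest_file = Path(tmp) / "manifest.sha256"
        write_manifest(build_manifest(clean), manifest_file)
        return verify_tree(suspect, read_manifest(manifest_file))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

The manifest file written by `write_manifest` can also be checked with the coreutils tool directly (`sha256sum -c manifest.sha256` from the root of the tree), but run that binary from trusted media too: a `sha256sum` sitting on the suspect host is as untrustworthy as its `ssh`.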
Thanks, I'll mark that as informative. But it's what I have advocated always. And do feel free to lecture me but please not on the basics: I've been performing incident response here a wee bit longer than you :-]
Originally Posted by jtsn
You don't do that by executing 'ssh -G' on the infected installation, but by analysing a post-mortem image after taking down the compromised machine.
While I personally avoid disturbing a (presumed) compromised system, it seems some advocate different standards... That said, anyone who has done forensics in the field knows you don't always have the luxury of a cold copy of a corpse to work on. In that case the strategy may change and may well include executing suchlike commands on a live system.
RKhunter, chkrootkit, and clamav are all available for Linux servers and clients, and should have the proper definitions to combat such malware. Plus you should also be running as a user and not root to prevent certain malware from executing. You can always also simply uninstall the OpenSSH package and re-install it if it becomes infected, and clear the system temp files and other caches.