Old 09-09-2019, 02:03 AM   #1
Totoro-kun
Member
 
Registered: Nov 2010
Location: Kaunas, Lithuania
Distribution: Slackware
Posts: 227

Linux Ransomware (Lilu) spreading.


Hello,

I know I am a bit late with the news. Most of you already know about this from other sources (fossbytes, ZDNet, reddit, etc.).

Looks like the main culprit is Exim; hackers have used its security vulnerability to gain root access:
https://www.openwall.com/lists/oss-s...y/2019/09/04/1

We don't really use Exim on Slackware, but there is a SlackBuild available (which probably should be monitored for updates).

Another possible threat, as usual, would be outdated WordPress installations/plugins.

~6k Linux servers worldwide is not a huge number; still, I hope no sites on Slackware servers get encrypted :-)

Sources:
[fossbytes.com] lilocked-ransomware-infected-linux-servers

[zdnet.com] thousands-of-servers-infected-with-new-lilocked-lilu-ransomware

[reddit.com] thousands_of_servers_infected_with_new_lilocked

[cybersecurity-insiders.com] lilocked-ransomware-hits-linux-servers

Last edited by Totoro-kun; 09-09-2019 at 08:00 AM.
 
Old 09-09-2019, 02:57 AM   #2
Lysander666
Senior Member
 
Registered: Apr 2017
Location: The Underearth
Distribution: Slackware
Posts: 1,803
Blog Entries: 3

That photo on the Cybersecurity Insiders article is great.

I use WordPress, but the web version, [wordpress.com], so I don't imagine I'd have any issues.
 
Old 09-09-2019, 07:57 AM   #3
Totoro-kun
Member
 
Registered: Nov 2010
Location: Kaunas, Lithuania
Distribution: Slackware
Posts: 227

Original Poster
Yeah, it's so great, that they seem to be using it for every ransomware related article :-)
 
1 members found this post helpful.
Old 09-09-2019, 01:57 PM   #4
crts
Senior Member
 
Registered: Jan 2010
Posts: 1,751

Quote:
Originally Posted by Lysander666 View Post
That photo on the Cybersecurity Insiders article is great.
I particularly like how the ransom software is apparently able to control the ambient lighting in order to set the victim in the right mood for being "ransom-wared" :-).
 
1 members found this post helpful.
Old 09-09-2019, 06:12 PM   #5
TheRealGrogan
Member
 
Registered: Oct 2010
Location: Ontario, Canada
Distribution: Slackware, Manjaro (for gaming)
Posts: 129

Yeah... isn't exim a piece of work. I have a server with WHM/Cpanel and that uses exim for the MTA. I just got hacked because of exim ~3 months ago within a few days of that exploit being known. It wasn't ransomware I got hit with, but cryptocurrency mining.

The exim packages are Cpanel specific, so you don't get that particular rpm from the package repos, only through cpanel upgrades. I did not make that mistake this time, the current exim vulnerability is utterly ridiculous.

Not to be ignored for one day.
 
1 members found this post helpful.
Old 09-09-2019, 08:09 PM   #6
frankbell
LQ Guru
 
Registered: Jan 2006
Location: Virginia, USA
Distribution: Slackware, Ubuntu MATE, Mageia, and whatever VMs I happen to be playing with
Posts: 15,326
Blog Entries: 25

I suggest you ask the mods to move this thread to Linux-General. I think it deserves the higher level of visibility it might get there.
 
1 members found this post helpful.
Old 09-09-2019, 09:31 PM   #7
Jan K.
Member
 
Registered: Apr 2019
Location: Esbjerg
Distribution: slackware...
Posts: 54

Quote:
It also mentions that the ransomware managed to get root access to servers by unknown means.
Those unknown means are the interesting part... the access and actions performed surely should have been caught immediately.

Why didn't it raise an alarm?
 
1 members found this post helpful.
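A worked illustration of the kind of alarm Jan K. is asking about, added here and not part of the thread or of any of the linked articles: a small heuristic that flags a burst of renames giving many files in one directory the same new suffix within a short time window, which is what file-encrypting ransomware looks like from the filesystem's point of view. The events, paths and the `.EXAMPLE-ENC` suffix are constructed for the example and are not indicators from the Lilu incident; in practice the events would come from an audit or inotify feed.

```python
"""Heuristic detection of mass-rename bursts (constructed example).

Ransomware that encrypts files in place typically renames every victim file
to "<original>.<new suffix>" in quick succession.  Grouping rename events by
(directory, appended suffix) and counting how many land inside one sliding
window separates that pattern from everyday renames such as log rotation.
"""
import os
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class RenameEvent:
    ts: float   # event time, seconds since the epoch
    uid: int    # uid that performed the rename (0 = root)
    src: str    # path before the rename
    dst: str    # path after the rename


def appended_suffix(src: str, dst: str) -> Optional[str]:
    """Return the text appended to the original name (e.g. '.bak'), or None
    when dst is not simply src with a suffix tacked on."""
    if dst.startswith(src) and len(dst) > len(src):
        return dst[len(src):]
    return None


def detect_mass_rename(events: Iterable[RenameEvent],
                       window: float = 60.0,
                       threshold: int = 5) -> List[Dict]:
    """Return one alert per (directory, suffix) pair that saw at least
    `threshold` suffix-appending renames within any `window` seconds."""
    buckets: Dict[Tuple[str, str], List[RenameEvent]] = defaultdict(list)
    for ev in events:
        suffix = appended_suffix(ev.src, ev.dst)
        if suffix is None:
            continue  # a plain move, not "same name plus suffix"
        buckets[(os.path.dirname(ev.src), suffix)].append(ev)

    alerts: List[Dict] = []
    for (directory, suffix), evs in buckets.items():
        evs.sort(key=lambda e: e.ts)
        best, j = 0, 0
        # Two-pointer sliding window over the time-sorted events.
        for i in range(len(evs)):
            if j < i:
                j = i
            while j < len(evs) and evs[j].ts - evs[i].ts <= window:
                j += 1
            best = max(best, j - i)
        if best >= threshold:
            alerts.append({
                "directory": directory,
                "suffix": suffix,
                "count": best,
                "uids": sorted({e.uid for e in evs}),
            })
    return alerts


# Constructed sample feed: two benign renames, then eight web-root files
# receiving the same made-up suffix within four seconds, all as root.
SAMPLE_EVENTS = [
    RenameEvent(1000.0, 0, "/var/log/httpd/access.log",
                "/var/log/httpd/access.log.1"),          # logrotate
    RenameEvent(1005.0, 1000, "/home/alice/notes.txt",
                "/home/alice/notes.txt.bak"),            # user backup
] + [
    RenameEvent(2000.0 + i * 0.5, 0,
                f"/var/www/html/page{i}.php",
                f"/var/www/html/page{i}.php.EXAMPLE-ENC")
    for i in range(8)
]

if __name__ == "__main__":
    for alert in detect_mass_rename(SAMPLE_EVENTS):
        print(f"ALERT: {alert['count']} files in {alert['directory']} "
              f"renamed to *{alert['suffix']} by uid(s) {alert['uids']}")
```

The threshold and window are deliberately conservative so that log rotation and a user saving `.bak` copies never fire; tune them per host, and treat a hit from uid 0 on a web root as the sort of event that should page someone rather than sit in a log.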