Re: Strange network activity after updates



On Sat, 04 Aug 2012, Camaleón wrote:
> On Sat, 04 Aug 2012 17:40:53 -0300, Henrique de Moraes Holschuh wrote:
> > On Sat, 04 Aug 2012, Camaleón wrote:
> >> > I know the constant connection is a multicast address, but what is
> >> > this other stuff? It looks like something is broken/misconfigured or
> >> > an outright hack of the Debian repository has occurred and many
> >> > Debian systems are now part of a botnet.
> >> 
> >> Linux as part of a botnet? That's a good one :-P
> > 
> > Now, here I will have to step in.  No, it is not a good one.  Linux
> > nodes _are_ commonly co-opted to act as C&C for botnets.  And
> > browser-based ephemeral botnet nodes (in javascript, installed by
> > drive-by attacks) DO work in Linux.
> 
> I've never read about linux boxes being used as bots, can you please 
> indicate any report/stats about that fact?

We've cleaned up a few at work.  We are not sure how the payload got in
(best guess: browser).  I am not allowed to disclose any more data than
this.

Still, now that you have heard about it, you can satisfy your curiosity
by doing the searches yourself.  And javascript botnets work in Linux,
as I said (but they're a bit more ephemeral most of the time).

> (and please, do not put linux *servers* in the same bag, I speak here 
> about linux *desktops* not computers with opened ports and running out-of-
> date and unpatched software)

There isn't that much difference between linux servers and desktops.
Desktops are often just as out-of-date as your typical badly
administered server, and also have open ports.  And there are no polite
words appropriate to describe the browser security and security model,
especially if you factor in plugins.

> >> > My Debian box is staying offline until I find out what is going on.
> >> 
> >> That sounds a bit radical :-o
> > 
> > It is actually a very responsible way of handling it.
> 
> With the given data? Running Debian? Behind a home router which usually 
> come by default with NAT and firewall enabled? I don't think so. Really.

Well, that's your prerogative.  He has already detected weird
behaviour.  In MY book, that means you consider it compromised until
further data, and you try to protect yourself and others by keeping it
contained until you know more.

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh