[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Strange network activity after updates

On Sat, 04 Aug 2012, Camaleón wrote:
> On Sat, 04 Aug 2012 17:40:53 -0300, Henrique de Moraes Holschuh wrote:
> > On Sat, 04 Aug 2012, Camaleón wrote:
> >> > I know the constant connection is a multicast address, but what is
> >> > this other stuff? It looks like something is broken/misconfigured or
> >> > an outright hack of the Debian repository has occurred and many
> >> > Debian systems are now part of a botnet.
> >> 
> >> Linux as part of a botnet? That's a good one :-P
> > 
> > Now, here I will have to step in.  No, it is not a good one.  Linux
> > nodes _are_ commonly co-opted to act as C&C for botnets.  And
> > browser-based ephemeral botnet nodes (in javascript, installed by
> > drive-by attacks) DO work in Linux.
> I've never read about linux boxes being used as bots, can you please 
> indicate any report/stats about that fact?

We've cleaned up a few work.  We are not sure how the payload got in
(best guess: browser).  I am not allowed to disclose any more data than

Still, now that you have heard about it, you can satisfy your curiosity
by doing the searches yourself.  And javascript botnets work in Linux,
as I said (but they're a bit more ephemeral most of the time).

> (and please, do not put linux *servers* in the same bag, I speak here 
> about linux *desktops* not computers with opened ports and running out-of-
> date and unpatched software)

There isn't that much difference between linux servers and desktops.
Desktops are often just as out-of-date as your typical badly
administered server, and also have open ports.  And there are no polite
words appropriate to describe the browser security and security model,
especially if you factor in plugins.

> >> > My Debian box is staying offline until I find out what is going on.
> >> 
> >> That's sounds a bit radical :-o
> > 
> > It is actually a very responsible way of handling it.
> With the given data? Running Debian? Behind a home router which usually 
> come by default with NAT and firewall enabled? I don't think so. Really.

Well, that's your prerrogative.  He has already detected weird
behaviour.  In MY book, that means you consider it compromised until
further data, and you try to protect yourself and others by keeping it
contained until you know more.

  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh

Reply to: