[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Strange network activity after updates

On Sat, 04 Aug 2012 19:48:35 -0300, Henrique de Moraes Holschuh wrote:

> On Sat, 04 Aug 2012, Camaleón wrote:

>> I've never read about linux boxes being used as bots, can you please
>> indicate any report/stats about that fact?
> We've cleaned up a few work.  We are not sure how the payload got in
> (best guess: browser).  I am not allowed to disclose any more data than
> this.

What?! Are you saying you have been tracking (or are aware of) these kind 
of security flaws which is being actively exploited in Linux but can't 
comment on? If that's true, that's a very serious situation. As I said, I 
don't know of any malware that can be exploited in that way under the 
linux ecosystem.

> Still, now that you have heard about it, you can satisfy your curiosity
> by doing the searches yourself.  And javascript botnets work in Linux,
> as I said (but they're a bit more ephemeral most of the time).

Papers, please. I ask because I'm subscribed to security bulletins and 
have not clue about what you are saying. The last "malware" I read about 
were targeted to MacOS systems (flashback and oscrisis) but they were, 

- A trojan (data stealing)
- It benefited from an old (vulnerable) java version

This effectively means the malware profited not from an OS vulnerability 
but a JRE flaw.

Beyond this, I'm not aware of any treat that makes linux systems become 
part of a botnet so I will thank any additional information you can 
provide in this regard.

>> (and please, do not put linux *servers* in the same bag, I speak here
>> about linux *desktops* not computers with opened ports and running
>> out-of- date and unpatched software)
> There isn't that much difference between linux servers and desktops.
> Desktops are often just as out-of-date as your typical badly
> administered server, and also have open ports.  And there are no polite
> words appropriate to describe the browser security and security model,
> especially if you factor in plugins.

There are many differences between them.

First, a server is usually managed by people that knows how this stuff 
works (thus, care about security and having up-to-date systems, there are 
exceptions, I know) while desktop users rely on their OS to take care 
about the usual flaws (updating routines should ensure they run the 
latest and patched software).

Second, a server does usually have to open and forward ports into local 
machines and this is not always done with a proper firewall in front of 
the machines neither having IPS systems. A usual desktop comes with no 
open ports at all and firewall is enabled from the DSL modem/router 

There are still the plugins problematic, I accept that, but I still have 
not read a single report about a linux user being infected when browsing 
the web, of course, not from WINE+internet explorer but from their usual 
tools (Debian+firefox/Chrome...).

>> >> > My Debian box is staying offline until I find out what is going
>> >> > on.
>> >> 
>> >> That's sounds a bit radical :-o
>> > 
>> > It is actually a very responsible way of handling it.
>> With the given data? Running Debian? Behind a home router which usually
>> come by default with NAT and firewall enabled? I don't think so.
>> Really.
> Well, that's your prerrogative.  He has already detected weird
> behaviour.  In MY book, that means you consider it compromised until
> further data, and you try to protect yourself and others by keeping it
> contained until you know more.

I wouldn't consider "weird behaviour" a connection from/to SSDP and 
Google machines. And while removing the link from the "suspicious" system 
that's under investigaction will "solve" the spurious network activity 
you neither can run more tests on it to discover what are those coming.



Reply to: