Re: Strange network activity after updates
On Sat, 04 Aug 2012 19:48:35 -0300, Henrique de Moraes Holschuh wrote:
> On Sat, 04 Aug 2012, Camaleón wrote:
>> I've never read about linux boxes being used as bots, can you please
>> indicate any report/stats about that fact?
>
> We've cleaned up a few work. We are not sure how the payload got in
> (best guess: browser). I am not allowed to disclose any more data than
> this.
What?! Are you saying you have been tracking (or are aware of) this kind
of security flaw, which is being actively exploited in Linux, but can't
comment on it? If that's true, that's a very serious situation. As I said, I
don't know of any malware that can be exploited in that way under the
linux ecosystem.
> Still, now that you have heard about it, you can satisfy your curiosity
> by doing the searches yourself. And javascript botnets work in Linux,
> as I said (but they're a bit more ephemeral most of the time).
Papers, please. I ask because I'm subscribed to security bulletins and
have no clue about what you are saying. The last "malware" I read about
targeted MacOS systems (flashback and oscrisis) but they were,
IIRC:
- A trojan (data stealing)
- It benefited from an old (vulnerable) java version
This effectively means the malware profited not from an OS vulnerability
but a JRE flaw.
Beyond this, I'm not aware of any threat that makes linux systems become
part of a botnet, so I would be grateful for any additional information you
can provide in this regard.
>> (and please, do not put linux *servers* in the same bag, I speak here
>> about linux *desktops* not computers with opened ports and running
>> out-of-date and unpatched software)
>
> There isn't that much difference between linux servers and desktops.
> Desktops are often just as out-of-date as your typical badly
> administered server, and also have open ports. And there are no polite
> words appropriate to describe the browser security and security model,
> especially if you factor in plugins.
There are many differences between them.
First, a server is usually managed by people who know how this stuff
works (thus, they care about security and have up-to-date systems; there
are exceptions, I know) while desktop users rely on their OS to take care
of the usual flaws (updating routines should ensure they run the
latest and patched software).
Second, a server usually has to open and forward ports into local
machines, and this is not always done with a proper firewall in front of
the machines, nor with IPS systems. A usual desktop comes with no
open ports at all, and a firewall is enabled on the DSL modem/router
appliance.
There is still the plugin problem, I accept that, but I still have
not read a single report about a linux user being infected when browsing
the web, of course, not from WINE+internet explorer but from their usual
tools (Debian+firefox/Chrome...).
>> >> > My Debian box is staying offline until I find out what is going
>> >> > on.
>> >>
>> >> That sounds a bit radical :-o
>> >
>> > It is actually a very responsible way of handling it.
>>
>> With the given data? Running Debian? Behind a home router which usually
>> come by default with NAT and firewall enabled? I don't think so.
>> Really.
>
> Well, that's your prerogative. He has already detected weird
> behaviour. In MY book, that means you consider it compromised until
> further data, and you try to protect yourself and others by keeping it
> contained until you know more.
I wouldn't consider a connection from/to SSDP and Google machines "weird
behaviour". And while removing the link from the "suspicious" system
that's under investigation will "solve" the spurious network activity,
you can no longer run more tests on it to discover where those are coming from.
Greetings,
--
Camaleón