Re: Strange network activity after updates
On Sun, 05 Aug 2012, Camaleón wrote:
> On Sat, 04 Aug 2012 19:48:35 -0300, Henrique de Moraes Holschuh wrote:
> > On Sat, 04 Aug 2012, Camaleón wrote:
> 
> >> I've never read about linux boxes being used as bots, can you please
> >> indicate any report/stats about that fact?
> > 
> > We've cleaned up a few at work.  We are not sure how the payload got in
> > (best guess: browser).  I am not allowed to disclose any more data than
> > this.
> 
> What?! Are you saying you have been tracking (or are aware of) these kinds 
> of security flaws which are being actively exploited in Linux but can't 
Hmm... I keep telling you this is nothing new, you just don't believe me.
Ask people who work with large number of Linux desktops in a corporate
network, they will tell you the same thing.  It is *uncommon* (when compared
to attacks against windows), but not unheard of by any means.
> don't know of any malware that can be exploited in that way under the 
> linux ecosystem.
Please update your expectations.  This has not been true for a long while,
although it is easier to find the proof-of-concept reports than the real
thing.  Not for much longer, though, there are downsides to the increased
popularity of Linux desktops.
> Papers, please. I ask because I'm subscribed to security bulletins and 
I wouldn't know of any released papers, I don't pay much attention to
anything but crypto and communications security in the academic circles.
> This effectively means the malware profited not from an OS vulnerability 
> but a JRE flaw.
Or Adobe Flash flaw, or whatever.  It doesn't matter much in practice, the
end result is a compromised box that needs to be contained and scrubbed
clean.
> First, a server is usually managed by people who know how this stuff 
This is not true anymore.
> works (thus, care about security and having up-to-date systems, there are 
IME, this is not "exactly true", to put it mildly. YMMV.
> > Well, that's your prerogative.  He has already detected weird
> > behaviour.  In MY book, that means you consider it compromised until
> > further data, and you try to protect yourself and others by keeping it
> > contained until you know more.
> 
> I wouldn't consider "weird behaviour" a connection from/to SSDP and 
> Google machines. And while removing the link from the "suspicious" system 
A continuous stream to SSDP is weird, yes.  Whether it is the result of a
bug or something else, we don't know.  I am still waiting for the packet
dumps.
-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh
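The packet dumps Henrique is waiting for would settle whether the SSDP traffic is a normal discovery burst or a continuous stream. The script below is an added example, not something from the original thread or from any of its participants: it reads lines in the format `tcpdump -n -tt udp port 1900` prints (the exact line layout is an assumption), groups each source host's datagrams to 239.255.255.250:1900 into bursts, and flags hosts whose burst lasts long enough to count as "continuous". The sample capture is constructed inline; the threshold values are illustrative.

```python
"""Added example: tell a normal SSDP discovery burst apart from a
continuous SSDP stream, using constructed tcpdump-style lines.
Not code from the thread above; format and thresholds are assumptions."""

import re
from collections import defaultdict

SSDP_GROUP = "239.255.255.250"
SSDP_PORT = 1900

# One line of `tcpdump -n -tt udp port 1900` output (assumed layout).
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): UDP, length (?P<len>\d+)"
)


def parse_ssdp_lines(lines):
    """Yield (timestamp, src_ip) for datagrams sent to the SSDP multicast group."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a UDP line in the expected format
        if m["dst"] == SSDP_GROUP and int(m["dport"]) == SSDP_PORT:
            yield float(m["ts"]), m["src"]


def bursts_per_host(packets, idle_gap=10.0):
    """Group each host's packets into bursts separated by more than idle_gap
    seconds of silence.  Returns {src_ip: [(start, end, count), ...]}."""
    by_host = defaultdict(list)
    for ts, src in sorted(packets):
        by_host[src].append(ts)
    result = {}
    for src, stamps in by_host.items():
        bursts = []
        start = prev = stamps[0]
        count = 1
        for ts in stamps[1:]:
            if ts - prev > idle_gap:
                bursts.append((start, prev, count))
                start, count = ts, 0
            prev = ts
            count += 1
        bursts.append((start, prev, count))
        result[src] = bursts
    return result


def continuous_senders(lines, min_duration=60.0, idle_gap=10.0):
    """Hosts with at least one SSDP burst lasting min_duration seconds or more.
    A UPnP client's M-SEARCH normally repeats a few times within seconds and
    then stops; a burst that spans a minute or more is a stream worth a look."""
    bursts = bursts_per_host(parse_ssdp_lines(lines), idle_gap)
    return sorted(
        src for src, bl in bursts.items()
        if any(end - start >= min_duration for start, end, _ in bl)
    )


def sample_capture():
    """Constructed sample, not real capture data."""
    base = 1344200000
    lines = []
    # Host A: three M-SEARCH probes over two seconds, then silence (normal).
    for i in range(3):
        lines.append(f"{base + i}.000000 IP 192.168.1.10.51234 > "
                     f"239.255.255.250.1900: UDP, length 133")
    # Unrelated datagram that must be ignored by the SSDP filter.
    lines.append(f"{base + 5}.000000 IP 192.168.1.10.40000 > "
                 f"192.168.1.1.53: UDP, length 60")
    # Host B: one SSDP datagram every second for two minutes (continuous).
    for i in range(120):
        lines.append(f"{base + i}.500000 IP 192.168.1.23.1900 > "
                     f"239.255.255.250.1900: UDP, length 310")
    return lines


if __name__ == "__main__":
    for src, bl in bursts_per_host(parse_ssdp_lines(sample_capture())).items():
        for start, end, count in bl:
            print(f"{src}: {count} datagrams over {end - start:.1f}s")
    print("continuous SSDP senders:", continuous_senders(sample_capture()))
```

To feed it a real capture, run `tcpdump -n -tt -i <iface> udp port 1900` on the suspect box (or on a mirror port, since a compromised host can lie about its own traffic) and pipe the output into `parse_ssdp_lines`. The per-host burst table also tells you which process to go after: a short burst every few minutes is what a desktop's UPnP or DLNA client does, while an unbroken stream from a host that should not be advertising services is the "weird" case discussed above.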