Re: Strange network activity after updates
On Sun, 05 Aug 2012 11:51:53 -0300, Henrique de Moraes Holschuh wrote:
> On Sun, 05 Aug 2012, Camaleón wrote:
>> > We've cleaned up a few work. We are not sure how the payload got in
>> > (best guess: browser). I am not allowed to disclose any more data
>> > than this.
>> What?! Are you saying you have been tracking (or are aware of) these
>> kinds of security flaws which are being actively exploited in Linux but
> Hmm... I keep telling you this is nothing new, you just don't believe
I'm not a good believer, I prefer a report to read :-)
> Ask people who work with large number of Linux desktops in a corporate
> network, they will tell you the same thing. It is *uncommon* (when
> compared to attacks against windows), but not unheard of by any means.
Again, I work in a business environment and have never read about the
problem you are talking about. Nor do I know of any threat that affects
Linux directly (OS flaw) or indirectly (via a third-party add-on, like JRE,
Adobe Reader or Adobe Flash) and that is being exploited with success.
On the contrary, I know that Linux servers are being successfully
attacked on a daily basis :-)
>> don't know of any malware that can be exploited in that way under the
>> linux ecosystem.
> Please update your expectations. This has not been true for a long
> while, although it is easier to find the proof-of-concept reports than
> the real thing. Not for much longer, though, there are downsides for
> the increased popularity of Linux desktops.
Yes, I know that Linux is not unbreakable, but until now I've not seen a
report about a flaw of that nature. Yes, I know it can be done, but it is far
from being massively exploitable or as widespread as the Windows attacks are.
That's why I'm very reticent about seeing a Linux desktop as part of a bot
>> Papers, please. I ask because I'm subscribed to security bulletins and
> I wouldn't know of any released papers, I don't pay much attention to
> anything but crypto and communications security in the academic circles.
Well, it would be very interesting to know more about the current threats
affecting linux, don't you think?
>> This effectively means the malware profited not from an OS
>> vulnerability but a JRE flaw.
> Or Adobe Flash flaw, or whatever. It doesn't matter much in practice,
> the end result is a compromised box that needs to be contained and
> scrubbed clean.
It does matter. It matters a lot. A good OS design can do more to stop or
avoid that kind of attack than a poorly designed or flawed OS.
>> First, a server is usually managed by people who know how this stuff
> This is not true anymore.
Sure it is. Only a foolish company would put a person who only knows about
Excel spreadsheets in charge of its assets, don't you think?
>> works (thus, caring about security and having up-to-date systems, there
> IME, this is not "exactly true", to put it mildly. YMMV.
>> > Well, that's your prerogative. He has already detected weird
>> > behaviour. In MY book, that means you consider it compromised until
>> > further data, and you try to protect yourself and others by keeping
>> > it contained until you know more.
>> I wouldn't consider "weird behaviour" a connection from/to SSDP and
>> Google machines. And while removing the link from the "suspicious"
> A continuous stream to SSDP is weird, yes.
That would depend on the running services and what kind of devices the user
has in his network. Anyway, the mere presence of network traffic on that
port does not indicate "per se" a more serious problem, although I would
indeed worry about seeing an outgoing connection to a remote server port
(tcp/80), for instance.
> Whether it is the result of a bug or something else, we don't know. I
> am still waiting for the packet dumps.
Sure, that's what I said from the beginning: more information is
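An added example, not part of the thread and not the packet dumps the participants were waiting for: a small Python triage script that applies the two heuristics argued about above, a continuous stream of SSDP datagrams to 239.255.255.250:1900 (as opposed to the occasional discovery probe a UPnP-aware desktop sends) and an outgoing tcp/80 connection from a LAN host to a remote address. The connection log it reads is constructed inline, the log format, the window and threshold, and the 203.0.113.5 "remote" address (TEST-NET-3) are all assumptions, and the decision of what counts as "remote" is explicit RFC 1918 matching rather than anything the thread specifies.

```python
"""Added triage example: flag the two patterns discussed in the thread.

Constructed data, not a capture from the reporter's machine.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

SSDP_GROUP = ipaddress.ip_address("239.255.255.250")  # SSDP multicast group
SSDP_PORT = 1900
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _build_sample_log():
    """Constructed connection log: '<ISO time> <proto> <src>:<port> -> <dst>:<port>'."""
    base = datetime(2012, 8, 5, 11, 50, 0)

    def stamp(seconds):
        return (base + timedelta(seconds=seconds)).isoformat()

    lines = []
    # Host A: one SSDP datagram every second for 30 s, i.e. a continuous stream.
    for i in range(30):
        lines.append(f"{stamp(i)} udp 192.168.1.10:49152 -> 239.255.255.250:1900")
    # Host B: two discovery probes five minutes apart, ordinary UPnP behaviour.
    for s in (0, 300):
        lines.append(f"{stamp(s)} udp 192.168.1.20:49153 -> 239.255.255.250:1900")
    # Host A also opens tcp/80 to a remote address (TEST-NET-3 stands in for "the internet").
    lines.append(f"{stamp(12)} tcp 192.168.1.10:51000 -> 203.0.113.5:80")
    # Host B talks tcp/80 to the local router's web UI; that is not "remote".
    lines.append(f"{stamp(20)} tcp 192.168.1.20:51001 -> 192.168.1.1:80")
    return "\n".join(lines)


SAMPLE_LOG = _build_sample_log()


def parse_line(line):
    ts, proto, src, _arrow, dst = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"ts": datetime.fromisoformat(ts), "proto": proto,
            "src": ipaddress.ip_address(src_ip), "sport": int(src_port),
            "dst": ipaddress.ip_address(dst_ip), "dport": int(dst_port)}


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def is_rfc1918(ip):
    return any(ip in net for net in RFC1918)


def ssdp_peak_rate(records, window_seconds=60):
    """Per source host: the most SSDP datagrams seen in any window_seconds span."""
    times = defaultdict(list)
    for r in records:
        if r["proto"] == "udp" and r["dst"] == SSDP_GROUP and r["dport"] == SSDP_PORT:
            times[str(r["src"])].append(r["ts"])
    peaks = {}
    for host, ts in times.items():
        ts.sort()
        j, best = 0, 0
        for i, t in enumerate(ts):           # sliding window over sorted timestamps
            while (t - ts[j]).total_seconds() > window_seconds:
                j += 1
            best = max(best, i - j + 1)
        peaks[host] = best
    return peaks


def outbound_web(records):
    """tcp/80 from an RFC 1918 host to anything that is not local, loopback or multicast."""
    hits = []
    for r in records:
        if (r["proto"] == "tcp" and r["dport"] == 80 and is_rfc1918(r["src"])
                and not (is_rfc1918(r["dst"]) or r["dst"].is_loopback
                         or r["dst"].is_link_local or r["dst"].is_multicast)):
            hits.append(f"{r['src']} -> {r['dst']}:{r['dport']}")
    return hits


def triage(text, ssdp_threshold=10, window_seconds=60):
    """Hosts whose SSDP rate exceeds the threshold, plus every outbound tcp/80 flow."""
    records = parse_log(text)
    peaks = ssdp_peak_rate(records, window_seconds)
    return {
        "ssdp_streams": sorted(h for h, n in peaks.items() if n >= ssdp_threshold),
        "outbound_web": outbound_web(records),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, value)
```

The threshold is deliberately a parameter: as the reply says, what counts as a "continuous stream" depends on the services running and the devices on the LAN, so the number has to be tuned against a baseline from the same network rather than taken from this example. The outbound tcp/80 check only tells you a LAN host reached a remote web server, which is the point the author would worry about, not that the box is compromised; the packet payload (or a proxy log) is still needed to decide that.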