[opensuse] My openSUSE machine has a Trojan...

newer
[opensuse] Cannot boot Leap 42.1...

Roger Oberholtzer

11 Nov 2015 11 Nov '15

08:37

http://blog.malwaremustdie.org/2014/09/mmd-0028-2014-fuzzy-reversing-new-chi... I think I have disabled it (not with the suggested tips as maybe a newer version is more creative about restarting). Anyone else ever have this critter? Ours arrived today and did make the network iffy. I am not certain how it got installed. Popular wisdom is that it is via a ssh root login. I cannot think I have ever used a password with ssh. And I only ssh in as a user and then su to root. I guess I should disable root login via ssh, even if I don't use it (meaning: how did they manage to get the root password?) -- Roger Oberholtzer -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

Show replies by date

Per Jessen

11 Nov 11 Nov

09:00

Roger Oberholtzer wrote:

...

http://blog.malwaremustdie.org/2014/09/mmd-0028-2014-fuzzy-reversing-new-chi...

...

I think I have disabled it (not with the suggested tips as maybe a newer version is more creative about restarting). Anyone else ever have this critter? Ours arrived today and did make the network iffy.

I am not certain how it got installed. Popular wisdom is that it is via a ssh root login. I cannot think I have ever used a password with ssh. And I only ssh in as a user and then su to root. I guess I should disable root login via ssh, even if I don't use it (meaning: how did they manage to get the root password?)

Have you checked with rootkit hunter? Check your logs for ssh logins from unknown IP-addresses. If you allow ssh login with password, use fail2ban or firewall to squash brute force attacks. -- Per Jessen, Zürich (8.9°C) http://www.dns24.ch/ - your free DNS host, made in Switzerland. -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

Roger Oberholtzer

09:27

On Wed, Nov 11, 2015 at 10:00 AM, Per Jessen wrote:

...

Have you checked with rootkit hunter?

I tried chkrootkit and it found nothing. But I do not think it is a very thorough check.

...

Check your logs for ssh logins from unknown IP-addresses. If you allow ssh login with password, use fail2ban or firewall to squash brute force attacks.

I think I will investigate removing ssh login with password. I am pretty much the only one using ssh in to this machine, and I have exchanged keys so I do not use a password. But I have not disabled password use. There are always ssh attempts in the system log. Since I do not know from where I will use ssh, it is unclear how I could restrict the attempts. -- Roger Oberholtzer -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

Bernhard Voelker

09:44

On 11/11/2015 10:27 AM, Roger Oberholtzer wrote:

...

[...]. Since I do not know from where I will use ssh, it is unclear how I could restrict the attempts.

As Per wrote, you could use something like fail2ban. Tools like that are watching the syslog, and block offending IPs for a certain time. I've written my own version doing something similar, which does: * limit the number of login attempts per minute per firewall, * block IPs which try to login as root, * block IPs which try to login as a non-"AllowUser" * block IPs which try using a wrong password >2-3 times * block IPs which otherwise produce strange sshd log entries Blocking lasts for a certain time, and seems to be quite effective. As a general hint, you could also do: * use a different sshd port, * disallow password logins, * permit only a non-privileged user. Have a nice day, Berny -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

Roger Oberholtzer

09:56

I might add that this is an openSUSE 10.0 system. I has been working great. It just runs and runs and runs. All it really does is redirect some ports to internal machines and provide a bit of ftp storage for clients. I have been meaning to update it to a newer openSUSE. In fact, a replacement machine sits in my room. But, if it ain't broken... Of course, our company has an external audit of the state of our internet access, and they have been complaining that they detect this machine is running too old software. Point taken. -- Roger Oberholtzer -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

Marcus Rückert

12:45

On Wed, 11 Nov 2015 10:56:45 +0100 Roger Oberholtzer wrote:

...

I might add that this is an openSUSE 10.0 system. I has been working great.

I just stopped reading there. 10.0 is out of maintenance since *years* have it running with any kind of network connectivity is just plain negligent. You should take the hint and just reinstall the whole machine from scratch and update more regularly. darix -- openSUSE - SUSE Linux is my linux openSUSE is good for you www.opensuse.org -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

Roger Oberholtzer

13:02

On Wed, Nov 11, 2015 at 1:45 PM, Marcus Rückert wrote:

...

On Wed, 11 Nov 2015 10:56:45 +0100 Roger Oberholtzer wrote:

...
I might add that this is an openSUSE 10.0 system. I has been working great.

I just stopped reading there. 10.0 is out of maintenance since *years* have it running with any kind of network connectivity is just plain negligent.

Not going to argue this point. Who knows when an exploit is exploited. A week after release? A year? Of course it never happens that exploits are added to newer systems that did not exist in older ones. That could never happen...

...

You should take the hint and just reinstall the whole machine from scratch and update more regularly.

I agree. Sort of... -- Roger Oberholtzer -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

Bernhard Voelker

13:57

On 11/11/2015 02:02 PM, Roger Oberholtzer wrote:

...

On Wed, Nov 11, 2015 at 1:45 PM, Marcus Rückert wrote:

...
On Wed, 11 Nov 2015 10:56:45 +0100 Roger Oberholtzer wrote:

...
I might add that this is an openSUSE 10.0 system. I has been working great.

I just stopped reading there. 10.0 is out of maintenance since *years* have it running with any kind of network connectivity is just plain negligent.

Not going to argue this point. Who knows when an exploit is exploited. A week after release? A year? Of course it never happens that exploits are added to newer systems that did not exist in older ones. That could never happen...

hehe, maybe 10.0 is now even too old as to be a worthwhile target for attackers ... just kidding. ;-) Well, as you wrote at the beginning that there's a trojan on this host, I'd guess you'll rather immediately take it from the net and re-install anyway. Have a nice day, Berny -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

Anton Aylward

13:07

On 11/11/2015 04:56 AM, Roger Oberholtzer wrote:

...

But, if it ain't broken...

Perhaps this is evidence that it is "broken". Perhaps the fact that you are running old software that hasn't been brought up t date to the recent patches is an adequate definition of "broken"? -- A: Yes. > Q: Are you sure? >> A: Because it reverses the logical flow of conversation. >>> Q: Why is top posting frowned upon? -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

Roger Oberholtzer

13:15

On Wed, Nov 11, 2015 at 2:07 PM, Anton Aylward wrote:

...

On 11/11/2015 04:56 AM, Roger Oberholtzer wrote:

...
But, if it ain't broken...

Perhaps this is evidence that it is "broken".

Perhaps the fact that you are running old software that hasn't been brought up t date to the recent patches is an adequate definition of "broken"?

I suspect that the way the Trojan got in was more to do with allowing ssh logins with passwords. This configuration would have been the same with a newer system. Installing a new version will not correct inadequate configuration. I will take blame for that. But I am not convinced about the age of the software leading to this. Especially as this specific trojan does not take advantage of any such that-is-old-and-it-has-been-fixed type of issue. It is more clever. It exploits bad configurations. For which, once again, I take the blame. -- Roger Oberholtzer -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

Anton Aylward

14:03

On 11/11/2015 08:15 AM, Roger Oberholtzer wrote:

...

On Wed, Nov 11, 2015 at 2:07 PM, Anton Aylward wrote:

...
On 11/11/2015 04:56 AM, Roger Oberholtzer wrote:

...
But, if it ain't broken...

Perhaps this is evidence that it is "broken".

Perhaps the fact that you are running old software that hasn't been brought up t date to the recent patches is an adequate definition of "broken"?

I suspect that the way the Trojan got in was more to do with allowing ssh logins with passwords. This configuration would have been the same with a newer system. Installing a new version will not correct inadequate configuration. I will take blame for that. But I am not convinced about the age of the software leading to this. Especially as this specific trojan does not take advantage of any such that-is-old-and-it-has-been-fixed type of issue. It is more clever. It exploits bad configurations. For which, once again, I take the blame.

I will grant you that bad configurations (which probably includes lack of or weak authentication in its multitudinous forms) is in the top 5 security failings globally. But a walk through the CVE database will also highlight many flaws, including ones in libraries used by otherwise OK applications, that have been fond and addressed. Please note that this also includes the Linux kernel, drivers and networking code. So your "Oh I've fixed the problem with ssh logins with passwords" is good going but inadequate. Rather like saying, on the Titanic, "Oh we've new supplied to lookout with a set of binoculars...". -- A: Yes. > Q: Are you sure? >> A: Because it reverses the logical flow of conversation. >>> Q: Why is top posting frowned upon? -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

Christopher Myers

14:12

Personally, I'm thankful that Roger passed along the information about the trojan. It seems like folks are berating him a bit for something he's already acknowledged (that the system was outdated and needed upgraded.) Rather than doing that, I think it'd be better if we merely acknowledge that, and were appreciative for him passing along the information, so that we can be aware of the thing. Plus, that way in the future hopefully others wouldn't be afraid to share something they'd learned/found simply because of how others on the list might react. Just my $.02. Chris -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

Roger Oberholtzer

14:20

On Wed, Nov 11, 2015 at 3:12 PM, Christopher Myers wrote:

...

Personally, I'm thankful that Roger passed along the information about the trojan.

Thanks for the support. But I am not so easily deterred! As a software developer, I am very much aware of what the 'update to the latest version' statement means. I also know that the latest ain't always the greatest. On the mentioned list of corrections that one can find: when were the mistakes that made the corrections necessary introduce in the first place? More often than not they were introduced in a recent previous update. Of course, software should move towards being better and better. But that ideal is not a guarantee of what happens in reality. But calm down all. I do tend to run recent things almost everywhere. The machine in question has a specific use and has been fine with 10.0. Despite the Trojan. -- Roger Oberholtzer -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

Christopher Myers

14:43

That's cool. I'm glad that you're not deterred by it, but I know a lot of folks would be, especially those new to linux. And sometimes the list can get a bit harsh without much reason, which bugs me, since this is where we come to help and be helped. I do a lot of tech support at my job, and to be honest, if I reacted the way some on the list do, I'd be fired quite quickly. So it was more of a "hey everyone, we're all humans on the other side of the screen, please try to remember that and act like you were the recipient of what you're about to type" kind of thing. -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

Anton Aylward

15:07

On 11/11/2015 09:43 AM, Christopher Myers wrote:

...

That's cool. I'm glad that you're not deterred by it, but I know a lot of folks would be, especially those new to linux. And sometimes the list can get a bit harsh without much reason, which bugs me, since this is where we come to help and be helped.

Sadly, the media is all to happy to see the negative side of things like Linux, and this, I think, is more discouraging than what might happen here since things like The Washington Post already have an aura of 'respectability and hence credibility. http://www.washingtonpost.com/sf/business/2015/11/05/net-of-insecurity-the-k... -- A: Yes. > Q: Are you sure? >> A: Because it reverses the logical flow of conversation. >>> Q: Why is top posting frowned upon? -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

Anton Aylward

14:50

On 11/11/2015 09:12 AM, Christopher Myers wrote:

...

Personally, I'm thankful that Roger passed along the information about the trojan. It seems like folks are berating him a bit for something he's already acknowledged (that the system was outdated and needed upgraded.) Rather than doing that, I think it'd be better if we merely acknowledge that, and were appreciative for him passing along the information, so that we can be aware of the thing. Plus, that way in the future hopefully others wouldn't be afraid to share something they'd learned/found simply because of how others on the list might react.

You mean that I might be afraid to mention, as I have in the past, such matters as the CVE database, the Risks Digest, the NIST top 20 vulnerabilities listing, various other sources of threats and risks information? Its not as if the ssh/password vulnerability is new. Roger's problem dates back to 2012 - CVE-2012-5975 http://www.securityweek.com/ssh-patches-serious-vulnerability-its-enterprise... http://catless.ncl.ac.uk/Risks/ And yes, there have been more :- https://www.cvedetails.com/vulnerability-list/vendor_id-120/SSH.html https://www.cvedetails.com/vulnerability-list/vendor_id-120/product_id-202/S... On 11/11/2015 09:20 AM, Roger Oberholtzer wrote:

...

As a software developer, I am very much aware of what the 'update to the latest version' statement means ... More often than not they were introduced in a recent previous update. Of course, software should move towards being better and better.

A long, long time ago, Fredrick P Brooks wrote in a book called "The Mythical Man Month" that each release of the OS/360 had about 200 bugs in it. As software grows we can expect that new generations of programmers, less experienced, will repeat the error of their ancestors. That's certainly been my observation and I think its backed up by the SANS top 20 list of vulnerabilities: Buffer overflow and SQL injection have been to top 2 programming errors for a long time now. You'd think the schools that teach programming would drill such basics into the heads to the students: "DON'T DO THIS", but no..... And so we get cascades of the same kind of errors, thing like mishandling of pointers in C, year after year. In many ways it's inherent in the economics of programming. To keep costs down new, inexperienced and therefore cheap programmers are brought in and older, experienced one go off to do other things. Few firms can afford the intense testing that NASA has for the deep space missions. -- A: Yes. > Q: Are you sure? >> A: Because it reverses the logical flow of conversation. >>> Q: Why is top posting frowned upon? -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org

Carlos E. R.

15:06

On 2015-11-11 15:50, Anton Aylward wrote:

...

A long, long time ago, Fredrick P Brooks wrote in a book called "The Mythical Man Month" that each release of the OS/360 had about 200 bugs in it. As software grows we can expect that new generations of programmers, less experienced, will repeat the error of their ancestors. That's certainly been my observation and I think its backed up by the SANS top 20 list of vulnerabilities: Buffer overflow and SQL injection have been to top 2 programming errors for a long time now. You'd think the schools that teach programming would drill such basics into the heads to the students: "DON'T DO THIS", but no..... And so we get cascades of the same kind of errors, thing like mishandling of pointers in C, year after year. In many ways it's inherent in the economics of programming. To keep costs down new, inexperienced and therefore cheap programmers are brought in and older, experienced one go off to do other things. Few firms can afford the intense testing that NASA has for the deep space missions.

...

:-)

IMHO, many of those bugs, like buffer overflows, would be prevented by phasing out C, and using something else that does compile and run time time bounds checking. C is very powerful, amongst other things, because it allows to do anything you wish, even if it is a mistake. Kind of a very high level assembler. With powerful CPUs we should have the computing power to switch to other languages that do checks. -- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)