My openSUSE machine has a Trojan...


My openSUSE machine has a Trojan...

Roger Oberholtzer-2
http://blog.malwaremustdie.org/2014/09/mmd-0028-2014-fuzzy-reversing-new-china.html

I think I have disabled it (not with the suggested tips as maybe a
newer version is more creative about restarting). Anyone else ever
have this critter? Ours arrived today and did make the network iffy.

I am not certain how it got installed. Popular wisdom is that it is
via a ssh root login. I cannot think I have ever used a password with
ssh. And I only ssh in as a user and then su to root. I guess I should
disable root login via ssh, even if I don't use it (meaning: how did
they manage to get the root password?)

--
Roger Oberholtzer
--
To unsubscribe, e-mail: [hidden email]
To contact the owner, e-mail: [hidden email]


Re: My openSUSE machine has a Trojan...

Per Jessen
Roger Oberholtzer wrote:

> http://blog.malwaremustdie.org/2014/09/mmd-0028-2014-fuzzy-reversing-new-china.html
>
> I think I have disabled it (not with the suggested tips as maybe a
> newer version is more creative about restarting). Anyone else ever
> have this critter? Ours arrived today and did make the network iffy.
>
> I am not certain how it got installed. Popular wisdom is that it is
> via a ssh root login. I cannot think I have ever used a password with
> ssh. And I only ssh in as a user and then su to root. I guess I should
> disable root login via ssh, even if I don't use it (meaning: how did
> they manage to get the root password?)

Have you checked with rootkit hunter?
Check your logs for ssh logins from unknown IP-addresses.
If you allow ssh login with password, use fail2ban or firewall to squash
brute force attacks.



--
Per Jessen, Zürich (8.9°C)
http://www.dns24.ch/ - your free DNS host, made in Switzerland.


Re: My openSUSE machine has a Trojan...

Roger Oberholtzer-2
On Wed, Nov 11, 2015 at 10:00 AM, Per Jessen <[hidden email]> wrote:

> Have you checked with rootkit hunter?

I tried chkrootkit and it found nothing. But I do not think it is a
very thorough check.

> Check your logs for ssh logins from unknown IP-addresses.
> If you allow ssh login with password, use fail2ban or firewall to squash
> brute force attacks.

I think I will investigate removing ssh login with password. I am
pretty much the only one using ssh in to this machine, and I have
exchanged keys so I do not use a password. But I have not disabled
password use. There are always ssh attempts in the system log. Since I
do not know from where I will use ssh, it is unclear how I could
restrict the attempts.

--
Roger Oberholtzer

Re: My openSUSE machine has a Trojan...

Bernhard Voelker
On 11/11/2015 10:27 AM, Roger Oberholtzer wrote:
> [...]. Since I
> do not know from where I will use ssh, it is unclear how I could
> restrict the attempts.

As Per wrote, you could use something like fail2ban.  Tools like
that watch the syslog and block offending IPs for a certain
time.

I've written my own version doing something similar, which does:
* limit the number of login attempts per minute per firewall,
* block IPs which try to login as root,
* block IPs which try to login as a non-"AllowUser"
* block IPs which try using a wrong password >2-3 times
* block IPs which otherwise produce strange sshd log entries
Blocking lasts for a certain time, and seems to be quite effective.

As a general hint, you could also do:
* use a different sshd port,
* disallow password logins,
* permit only a non-privileged user.

Have a nice day,
Berny
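Berny's rule list, as an added example that is not part of the thread or of his tool: a small Python log watcher that applies the root-login, non-AllowUser, wrong-password and odd-entry rules to constructed sshd syslog lines and reports which sources to ban and until when. The permitted user name, the thresholds, the ban duration and the sample lines are assumptions; the per-minute rate limit is left to the firewall, as his wording suggests.

```python
"""Toy fail2ban-style sshd log watcher, run here over constructed sample lines."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed policy (not from the thread): one permitted login name, three wrong
# passwords tolerated per source, bans expire after one hour.
ALLOWED_USERS = {"roger"}
MAX_FAILED_PASSWORDS = 3
BLOCK_DURATION = timedelta(hours=1)

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: (?P<msg>.*)$")
FAILED_RE = re.compile(
    r"^Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
INVALID_RE = re.compile(r"^Invalid user (?P<user>\S+) from (?P<ip>\S+)")
# Messages OpenSSH logs when a client never completes the protocol handshake;
# treated here as the "otherwise strange sshd log entries".
STRANGE_RE = re.compile(
    r"^(?:Did not receive identification string|Bad protocol version identification .*) "
    r"from (?P<ip>\S+)")

# Constructed sample (host 'gw', RFC 5737 addresses): a legitimate key login, a root
# brute-forcer, an unknown-user probe, three wrong passwords for the real user, a scanner.
SAMPLE_LOG = """\
Nov 11 10:00:01 gw sshd[4011]: Accepted publickey for roger from 192.0.2.10 port 50122 ssh2
Nov 11 10:00:05 gw sshd[4012]: Failed password for root from 203.0.113.5 port 4321 ssh2
Nov 11 10:00:06 gw sshd[4013]: Invalid user admin from 198.51.100.7
Nov 11 10:00:06 gw sshd[4013]: Failed password for invalid user admin from 198.51.100.7 port 4400 ssh2
Nov 11 10:01:10 gw sshd[4014]: Failed password for roger from 192.0.2.99 port 5001 ssh2
Nov 11 10:01:12 gw sshd[4015]: Failed password for roger from 192.0.2.99 port 5002 ssh2
Nov 11 10:01:15 gw sshd[4016]: Failed password for roger from 192.0.2.99 port 5003 ssh2
Nov 11 10:02:00 gw sshd[4017]: Did not receive identification string from 203.0.113.77
Nov 11 10:03:00 gw sshd[4018]: Failed password for roger from 192.0.2.10 port 50130 ssh2
""".splitlines()


def analyse(lines, year=2015):
    """Return {ip: (reason, blocked_until)} for every source that trips a rule."""
    blocked = {}
    failures = defaultdict(int)  # ip -> wrong passwords seen so far

    def ban(ip, reason, ts):
        # First rule to fire wins; a live tool would add a firewall rule here.
        blocked.setdefault(ip, (reason, ts + BLOCK_DURATION))

    for line in lines:
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year, so the caller supplies it
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        msg = m["msg"]
        if s := STRANGE_RE.match(msg):
            ban(s["ip"], "malformed or incomplete ssh handshake", ts)
            continue
        hit = FAILED_RE.match(msg) or INVALID_RE.match(msg)
        if hit is None:
            continue  # accepted logins and routine disconnects are ignored
        user, ip = hit["user"], hit["ip"]
        if user == "root":
            ban(ip, "login attempt as root", ts)
        elif user not in ALLOWED_USERS:
            ban(ip, f"login attempt as non-allowed user {user!r}", ts)
        elif hit.re is FAILED_RE:
            failures[ip] += 1
            if failures[ip] >= MAX_FAILED_PASSWORDS:
                ban(ip, "too many wrong passwords", ts)
    return blocked
```

`analyse(SAMPLE_LOG)` flags four of the five source addresses; 192.0.2.10, with one wrong password after a successful key login, stays unblocked.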

Re: My openSUSE machine has a Trojan...

Roger Oberholtzer-2
I might add that this is an openSUSE 10.0 system. It has been working
great. It just runs and runs and runs. All it really does is redirect
some ports to internal machines and provide a bit of ftp storage for
clients. I have been meaning to update it to a newer openSUSE. In
fact, a replacement machine sits in my room. But, if it ain't
broken... Of course, our company has an external audit of the state of
our internet access, and they have been complaining that they detect
this machine is running too old software. Point taken.


--
Roger Oberholtzer

Re: My openSUSE machine has a Trojan...

Per Jessen
In reply to this post by Bernhard Voelker
Bernhard Voelker wrote:

> On 11/11/2015 10:27 AM, Roger Oberholtzer wrote:
>> [...]. Since I
>> do not know from where I will use ssh, it is unclear how I could
>> restrict the attempts.
>
> As Per wrote, you could use something like fail2ban.  Tools like
> that are watching the syslog, and block offending IPs for a certain
> time.
>
> I've written my own version doing something similar, which does:
> * limit the number of login attempts per minute per firewall,

Yep, I've had this in place for years.

> * block IPs which try to login as root,
> * block IPs which try to login as a non-"AllowUser"
> * block IPs which try using a wrong password >2-3 times
> * block IPs which otherwise produce strange sshd log entries
> Blocking lasts for a certain time, and seems to be quite effective.

> As a general hint, you could also do:
> * use a different sshd port,

For me, apart from disallowing login with password, this one has been
the easiest and most effective against brute force attacks so far.  I
have even thought up schemes of regularly changing the port, e.g.
according to the date or day, but it just hasn't been necessary.


--
Per Jessen, Zürich (9.9°C)
http://www.hostsuisse.com/ - dedicated server rental in Switzerland.


Re: My openSUSE machine has a Trojan...

Per Jessen
In reply to this post by Roger Oberholtzer-2
Roger Oberholtzer wrote:

> On Wed, Nov 11, 2015 at 10:00 AM, Per Jessen <[hidden email]> wrote:
>
>> Have you checked with rootkit hunter?
>
> I tried chkrootkit and it found nothing. But I do not think it is a
> very thorough check.

It's been a long time since I've had reason to run a check, but it
seemed pretty thorough to me:

http://rkhunter.sourceforge.net/

> I think I will investigate removing ssh login with password. I am
> pretty much the only one using ssh in to this machine, and I have
> exchanged keys so I do not use a password. But I have not disabled
> password use. There are always ssh attempts in the system log. Since I
> do not know from where I will use ssh, it is unclear how I could
> restrict the attempts.

fail2ban will help you with that.



--
Per Jessen, Zürich (10.0°C)
http://www.hostsuisse.com/ - dedicated server rental in Switzerland.


Re: My openSUSE machine has a Trojan...

Roger Oberholtzer-2
In reply to this post by Per Jessen
On Wed, Nov 11, 2015 at 10:00 AM, Per Jessen <[hidden email]> wrote:

> Have you checked with rootkit hunter?

Interesting. I think this is the thing that has been installed:

http://sourceforge.net/p/rkhunter/patches/44/

I will have to install this and see what it finds. If I can get it to
run on openSUSE 10.0, that is...



--
Roger Oberholtzer

Re: My openSUSE machine has a Trojan...

Marcus Rueckert-3
In reply to this post by Roger Oberholtzer-2
On Wed, 11 Nov 2015 10:56:45 +0100
Roger Oberholtzer <[hidden email]> wrote:

> I might add that this is an openSUSE 10.0 system. It has been working
> great.

I just stopped reading there. 10.0 has been out of maintenance for *years*;
having it running with any kind of network connectivity is just plain
negligent.

You should take the hint and just reinstall the whole machine from
scratch and update more regularly.

    darix

--
          openSUSE - SUSE Linux is my linux
              openSUSE is good for you
                  www.opensuse.org

Re: My openSUSE machine has a Trojan...

Roger Oberholtzer-2
On Wed, Nov 11, 2015 at 1:45 PM, Marcus Rückert <[hidden email]> wrote:
> On Wed, 11 Nov 2015 10:56:45 +0100
> Roger Oberholtzer <[hidden email]> wrote:
>
>> I might add that this is an openSUSE 10.0 system. It has been working
>> great.
>
> I just stopped reading there. 10.0 has been out of maintenance for *years*;
> having it running with any kind of network connectivity is just plain
> negligent.

Not going to argue this point. Who knows when an exploit is exploited.
A week after release? A year?  Of course it never happens that
exploits are added to newer systems that did not exist in older ones.
That could never happen...

> You should take the hint and just reinstall the whole machine from
> scratch and update more regularly.

I agree. Sort of...


--
Roger Oberholtzer

Re: My openSUSE machine has a Trojan...

Anton Aylward-2
In reply to this post by Roger Oberholtzer-2
On 11/11/2015 04:56 AM, Roger Oberholtzer wrote:
> But, if it ain't
> broken...

Perhaps this is evidence that it is "broken".

Perhaps the fact that you are running old software that hasn't been
brought up to date to the recent patches is an adequate definition of
"broken"?


--
         A: Yes.
     >   Q: Are you sure?
     >>  A: Because it reverses the logical flow of conversation.
     >>> Q: Why is top posting frowned upon?


Re: My openSUSE machine has a Trojan...

Roger Oberholtzer-2
On Wed, Nov 11, 2015 at 2:07 PM, Anton Aylward
<[hidden email]> wrote:
> On 11/11/2015 04:56 AM, Roger Oberholtzer wrote:
>> But, if it ain't
>> broken...
>
> Perhaps this is evidence that it is "broken".
>
> Perhaps the fact that you are running old software that hasn't been
> brought up to date to the recent patches is an adequate definition of
> "broken"?

I suspect that the way the Trojan got in was more to do with allowing
ssh logins with passwords. This configuration would have been the same
with a newer system. Installing a new version will not correct
inadequate configuration. I will take blame for that. But I am not
convinced about the age of the software leading to this. Especially as
this specific trojan does not take advantage of any such
that-is-old-and-it-has-been-fixed type of issue. It is more clever. It
exploits bad configurations. For which, once again, I take the blame.



--
Roger Oberholtzer

Re: My openSUSE machine has a Trojan...

Bernhard Voelker
In reply to this post by Roger Oberholtzer-2
On 11/11/2015 02:02 PM, Roger Oberholtzer wrote:

> On Wed, Nov 11, 2015 at 1:45 PM, Marcus Rückert <[hidden email]> wrote:
>> On Wed, 11 Nov 2015 10:56:45 +0100
>> Roger Oberholtzer <[hidden email]> wrote:
>>
>>> I might add that this is an openSUSE 10.0 system. It has been working
>>> great.
>>
>> I just stopped reading there. 10.0 has been out of maintenance for *years*;
>> having it running with any kind of network connectivity is just plain
>> negligent.
>
> Not going to argue this point. Who knows when an exploit is exploited.
> A week after release? A year?  Of course it never happens that
> exploits are added to newer systems that did not exist in older ones.
> That could never happen...

hehe, maybe 10.0 is now even too old to be a worthwhile target
for attackers ... just kidding. ;-)

Well, as you wrote at the beginning that there's a trojan on this host,
I'd guess you'll rather immediately take it from the net and re-install
anyway.

Have a nice day,
Berny


Re: My openSUSE machine has a Trojan...

Anton Aylward-2
In reply to this post by Roger Oberholtzer-2
On 11/11/2015 08:15 AM, Roger Oberholtzer wrote:

> On Wed, Nov 11, 2015 at 2:07 PM, Anton Aylward
> <[hidden email]> wrote:
>> On 11/11/2015 04:56 AM, Roger Oberholtzer wrote:
>>> But, if it ain't
>>> broken...
>>
>> Perhaps this is evidence that it is "broken".
>>
>> Perhaps the fact that you are running old software that hasn't been
>> brought up to date to the recent patches is an adequate definition of
>> "broken"?
>
> I suspect that the way the Trojan got in was more to do with allowing
> ssh logins with passwords. This configuration would have been the same
> with a newer system. Installing a new version will not correct
> inadequate configuration. I will take blame for that. But I am not
> convinced about the age of the software leading to this. Especially as
> this specific trojan does not take advantage of any such
> that-is-old-and-it-has-been-fixed type of issue. It is more clever. It
> exploits bad configurations. For which, once again, I take the blame.

I will grant you that bad configurations (which probably include lack
of or weak authentication in its multitudinous forms) are in the top 5
security failings globally.

But a walk through the CVE database will also highlight many flaws,
including ones in libraries used by otherwise OK applications, that have
been found and addressed.

Please note that this also includes the Linux kernel, drivers and
networking code.

So your "Oh I've fixed the problem with ssh logins with passwords" is
good going but inadequate.

Rather like saying, on the Titanic, "Oh we've now supplied the lookout
with a set of binoculars...".



--
         A: Yes.
     >   Q: Are you sure?
     >>  A: Because it reverses the logical flow of conversation.
     >>> Q: Why is top posting frowned upon?


Re: My openSUSE machine has a Trojan...

Christopher Myers
Personally, I'm thankful that Roger passed along the information about the trojan. It seems like folks are berating him a bit for something he's already acknowledged (that the system was outdated and needed upgrading.) Rather than doing that, I think it'd be better if we merely acknowledge that, and were appreciative for him passing along the information, so that we can be aware of the thing. Plus, that way in the future hopefully others wouldn't be afraid to share something they'd learned/found simply because of how others on the list might react.

Just my $.02.

Chris


Re: My openSUSE machine has a Trojan...

Roger Oberholtzer-2
On Wed, Nov 11, 2015 at 3:12 PM, Christopher Myers
<[hidden email]> wrote:
> Personally, I'm thankful that Roger passed along the information about the trojan.

Thanks for the support. But I am not so easily deterred! As a software
developer, I am very much aware of what the 'update to the latest
version' statement means. I also know that the latest ain't always the
greatest. On the mentioned list of corrections that one can find: when
were the mistakes that made the corrections necessary introduced in the
first place? More often than not they were introduced in a recent
previous update. Of course, software should move towards being better
and better. But that ideal is not a guarantee of what happens in
reality.

But calm down all. I do tend to run recent things almost everywhere.
The machine in question has a specific use and has been fine with
10.0. Despite the Trojan.



--
Roger Oberholtzer

Re: My openSUSE machine has a Trojan...

Christopher Myers
That's cool. I'm glad that you're not deterred by it, but I know a lot of folks would be, especially those new to linux. And sometimes the list can get a bit harsh without much reason, which bugs me, since this is where we come to help and be helped. I do a lot of tech support at my job, and to be honest, if I reacted the way some on the list do, I'd be fired quite quickly. So it was more of a "hey everyone, we're all humans on the other side of the screen, please try to remember that and act like you were the recipient of what you're about to type" kind of thing.


Re: My openSUSE machine has a Trojan...

Anton Aylward-2
In reply to this post by Christopher Myers
On 11/11/2015 09:12 AM, Christopher Myers wrote:
> Personally, I'm thankful that Roger passed along the information
> about the trojan. It seems like folks are berating him a bit for
> something he's already acknowledged (that the system was outdated and
> needed upgrading.) Rather than doing that, I think it'd be better if
> we merely acknowledge that, and were appreciative for him passing
> along the information, so that we can be aware of the thing. Plus,
> that way in the future hopefully others wouldn't be afraid to share
> something they'd learned/found simply because of how others on the
> list might react.

You mean that I might be afraid to mention, as I have in the past, such
matters as the CVE database, the Risks Digest, the NIST top 20
vulnerabilities listing, various other sources of threats and risks
information?

It's not as if the ssh/password vulnerability is new.
Roger's problem dates back to 2012 - CVE-2012-5975
http://www.securityweek.com/ssh-patches-serious-vulnerability-its-enterprise-ssh-server

http://catless.ncl.ac.uk/Risks/

And yes, there have been more :-
https://www.cvedetails.com/vulnerability-list/vendor_id-120/SSH.html
https://www.cvedetails.com/vulnerability-list/vendor_id-120/product_id-202/SSH-SSH.html


On 11/11/2015 09:20 AM, Roger Oberholtzer wrote:
>
> As a software developer, I am very much aware of what the 'update to
> the latest version' statement means ... More often than not they
> were introduced in a recent previous update. Of course, software
> should move towards being better and better.

A long, long time ago, Frederick P. Brooks wrote in a book called "The
Mythical Man-Month" that each release of the OS/360 had about 200 bugs
in it.  As software grows we can expect that new generations of
programmers, less experienced, will repeat the errors of their ancestors.
That's certainly been my observation and I think it's backed up by the
SANS top 20 list of vulnerabilities: buffer overflow and SQL injection
have been the top 2 programming errors for a long time now.  You'd think
the schools that teach programming would drill such basics into the
heads of the students: "DON'T DO THIS", but no.....   And so we get
cascades of the same kind of errors, things like mishandling of pointers
in C, year after year.  In many ways it's inherent in the economics of
programming.  To keep costs down new, inexperienced and therefore cheap
programmers are brought in and older, experienced ones go off to do other
things.  Few firms can afford the intense testing that NASA has for the
deep space missions.





--
         A: Yes.
     >   Q: Are you sure?
     >>  A: Because it reverses the logical flow of conversation.
     >>> Q: Why is top posting frowned upon?


Re: My openSUSE machine has a Trojan...

Carlos E. R.-2
On 2015-11-11 15:50, Anton Aylward wrote:

> A long, long time ago, Frederick P. Brooks wrote in a book called "The
> Mythical Man-Month" that each release of the OS/360 had about 200 bugs
> in it.  As software grows we can expect that new generations of
> programmers, less experienced, will repeat the errors of their ancestors.
> That's certainly been my observation and I think it's backed up by the
> SANS top 20 list of vulnerabilities: buffer overflow and SQL injection
> have been the top 2 programming errors for a long time now.  You'd think
> the schools that teach programming would drill such basics into the
> heads of the students: "DON'T DO THIS", but no.....   And so we get
> cascades of the same kind of errors, things like mishandling of pointers
> in C, year after year.  In many ways it's inherent in the economics of
> programming.  To keep costs down new, inexperienced and therefore cheap
> programmers are brought in and older, experienced ones go off to do other
> things.  Few firms can afford the intense testing that NASA has for the
> deep space missions.

  >:-)

IMHO, many of those bugs, like buffer overflows, would be prevented by
phasing out C and using something else that does compile-time and
run-time bounds checking.

C is very powerful, amongst other things, because it allows you to do
anything you wish, even if it is a mistake. Kind of a very high level
assembler. With powerful CPUs we should have the computing power to
switch to other languages that do checks.

--
Cheers / Saludos,

                Carlos E. R.
                (from 13.1 x86_64 "Bottle" at Telcontar)



Re: My openSUSE machine has a Trojan...

Anton Aylward-2
In reply to this post by Christopher Myers
On 11/11/2015 09:43 AM, Christopher Myers wrote:
> That's cool. I'm glad that you're not deterred by it, but I know a
> lot of folks would be, especially those new to linux. And sometimes
> the list can get a bit harsh without much reason, which bugs me,
> since this is where we come to help and be helped.

Sadly, the media is all too happy to see the negative side of things like
Linux, and this, I think, is more discouraging than what might happen
here since things like The Washington Post already have an aura of
'respectability and hence credibility'.

http://www.washingtonpost.com/sf/business/2015/11/05/net-of-insecurity-the-kernel-of-the-argument/


--
         A: Yes.
     >   Q: Are you sure?
     >>  A: Because it reverses the logical flow of conversation.
     >>> Q: Why is top posting frowned upon?
