Re: Equivalent cleaning program in Linux?



On Sat, 13 Sep 2008, in the Usenet newsgroup alt.os.linux, in article
<QqqdnRlOjeDckVHVnZ2dnUVZ_gGdnZ2d@xxxxxxxxxxx>, sk8r-365 wrote:

> Canned made a definite or systematic statement of:
>
>> I disagree. It sounds like Linux doesn't have a malware problem, but
>> you're wrong.

Quite correct - there are some nasties out there targeting Linux (and
some of the *BSDs - but that's another story).

>> There are also viruses that can infect ELF binaries.

I'm not sure any of those are current.

>> So washing and cleaning software is NOT exclusively for Windows.

Here, I disagree. These kinds of solutions depend on the malware being
unchanged from the sample that the anti-malware company analyzed. It's
like the windoze-wannabe tools "chkrootkit" (http://www.chkrootkit.org)
and "rkhunter" (http://www.rootkit.nl) looking for the "55808" worm.
Both of these piece-of-sh!t "tools" search for a file named "/tmp/.../a" or
"/tmp/.../r". Now who would POSSIBLY think that the malware author
might change the filename to something really different like... I
dunno, maybe "/tmp/.../b"? Guess what - neither tool would detect the
worm (which originally dates from mid-2003) if that change were made.
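An added illustration of the point (written for this thread, not code from the post, from chkrootkit or from rkhunter): a fixed-path check of the kind described above, next to a structural check that flags any directory under the scanned root whose name is nothing but dots, together with whatever it contains. It runs on a constructed sample tree in a temporary directory standing in for /tmp, where the dropped file has been renamed to "b".

```python
import os
import tempfile

# Exact-path indicators, constructed to mirror the "/tmp/.../a" and
# "/tmp/.../r" checks the post describes (illustrative, not the tools' code).
FIXED_INDICATORS = ("/tmp/.../a", "/tmp/.../r")


def fixed_name_check(root):
    """Signature-style check: a hit only if the exact path exists."""
    hits = []
    for ind in FIXED_INDICATORS:
        path = os.path.join(root, ind.lstrip("/"))
        if os.path.lexists(path):
            hits.append(path)
    return hits


def dot_only(name):
    """True for names made only of dots, other than '.' and '..'."""
    return name not in ("", ".", "..") and set(name) == {"."}


def structural_check(root):
    """Flag dot-only directories and everything inside them, whatever
    file names the author picked."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            if dot_only(d):
                hits.append(os.path.join(dirpath, d))
        if dot_only(os.path.basename(dirpath)):
            for f in filenames:
                hits.append(os.path.join(dirpath, f))
    return sorted(hits)


def demo():
    """Build a constructed sample tree (<tmpdir>/tmp/.../b) and run both checks."""
    with tempfile.TemporaryDirectory() as root:
        hidden = os.path.join(root, "tmp", "...")
        os.makedirs(hidden)
        dropped = os.path.join(hidden, "b")
        with open(dropped, "w") as fh:
            fh.write("constructed sample file, not malware\n")
        return {
            "fixed": fixed_name_check(root),          # [] : renamed file evades it
            "structural": structural_check(root),     # [hidden, dropped]
            "hidden_dir": hidden,
            "dropped_file": dropped,
        }
```

The structural check is still only a heuristic; a hidden directory with a less obvious name would need yet another rule, which is the same treadmill the post is complaining about.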

>> Linux users also have to be careful,

Computer users really have to stop being so ST00P1D! Keeping your
system[s] up-to-date is a major factor, as is NOT being intrigued by
the true story of snow white and the seven dwarves. This isn't a new
concept by any stretch of the imagination. Here's a snippet from a 1998
CERT posting (CS-98.06 June 11, 1998):

3. Root Compromises

We continue to receive daily reports of sites that have suffered a
root compromise. Many of these compromises can be traced to systems
that are unpatched or misconfigured, which the intruders exploit
using well-known vulnerabilities for which CERT advisories have
been published.

> Cite, please. Especially any active, in the wild, Linux virus.

Hit your favorite search engine, and look for the keywords "Linux" and
"phalanx":

SSH Key-based Attacks

added August 26, 2008 at 03:41 pm | updated August 27, 2008 at 03:41 pm

US-CERT is aware of active attacks against linux-based computing
infrastructures using compromised SSH keys. The attack appears to
initially use stolen SSH keys to gain access to a system, and then
uses local kernel exploits to gain root access. Once root access has
been obtained, a rootkit known as "phalanx2" is installed.
Phalanx2 appears to be a derivative of an older rootkit named "phalanx".
Phalanx2 and the support scripts within the rootkit, are configured to
systematically steal SSH keys from the compromised system. These SSH
keys are sent to the attackers, who then use them to try to compromise
other sites and other systems of interest at the attacked site.

Not really a virus, but a problem nonetheless. If you look in the
Usenet newsgroup 'comp.os.linux.security' around the 27th of last month
(you seem to be using giganews - try going back to article number 85037),
John Davis (author of slrn) posted an article in which he stated that
chkrootkit didn't detect this rootkit (surprise, surprise). That post
included a URL to a script he created that was able to detect the
'phalanx2' rootkit. He's using a somewhat different technique from the
hints mentioned by CERT.

If you want a _list_ of malware that has targeted Linux (and other *nix)
in the past, download either of those two windoze-wannabe anti-malware
"tools" (chkrootkit or rkhunter) noted above, and see what they _claim_
to be able to detect.

Old guy