On Sat, 04 Aug 2012 19:48:35 -0300, Henrique de Moraes Holschuh wrote:

> On Sat, 04 Aug 2012, Camaleón wrote:
>
>> I've never read about linux boxes being used as bots, can you please
>> indicate any report/stats about that fact?
>
> We've cleaned up a few work. We are not sure how the payload got in
> (best guess: browser). I am not allowed to disclose any more data than
> this.

What?! Are you saying you have been tracking (or are aware of) this kind
of security flaw which is being actively exploited in Linux but can't
comment on it? If that's true, that's a very serious situation.

As I said, I don't know of any malware that can be exploited in that way
under the linux ecosystem.

> Still, now that you have heard about it, you can satisfy your curiosity
> by doing the searches yourself. And javascript botnets work in Linux,
> as I said (but they're a bit more ephemeral most of the time).

Papers, please.

I ask because I'm subscribed to security bulletins and have no clue about
what you are saying. The last "malware" I read about was targeted at
MacOS systems (flashback and oscrisis) but they were, IIRC:

- A trojan (data stealing)
- It benefited from an old (vulnerable) java version

This effectively means the malware profited not from an OS vulnerability
but from a JRE flaw.

Beyond this, I'm not aware of any threat that makes linux systems become
part of a botnet, so I will thank any additional information you can
provide in this regard.

>> (and please, do not put linux *servers* in the same bag, I speak here
>> about linux *desktops* not computers with opened ports and running
>> out-of-date and unpatched software)
>
> There isn't that much difference between linux servers and desktops.
> Desktops are often just as out-of-date as your typical badly
> administered server, and also have open ports. And there are no polite
> words appropriate to describe the browser security and security model,
> especially if you factor in plugins.

There are many differences between them.

First, a server is usually managed by people who know how this stuff
works (thus, care about security and having up-to-date systems; there
are exceptions, I know) while desktop users rely on their OS to take
care of the usual flaws (updating routines should ensure they run the
latest and patched software).

Second, a server does usually have to open and forward ports into local
machines and this is not always done with a proper firewall in front of
the machines nor with IPS systems. A usual desktop comes with no open
ports at all and a firewall is enabled from the DSL modem/router
appliance.

There is still the plugin problem, I accept that, but I still have not
read a single report about a linux user being infected when browsing the
web, of course, not from WINE+internet explorer but from their usual
tools (Debian+firefox/Chrome...).

>> >> > My Debian box is staying offline until I find out what is going
>> >> > on.
>> >>
>> >> That sounds a bit radical :-o
>> >
>> > It is actually a very responsible way of handling it.
>>
>> With the given data? Running Debian? Behind a home router which usually
>> comes by default with NAT and firewall enabled? I don't think so.
>> Really.
>
> Well, that's your prerogative. He has already detected weird
> behaviour. In MY book, that means you consider it compromised until
> further data, and you try to protect yourself and others by keeping it
> contained until you know more.

I wouldn't consider "weird behaviour" a connection from/to SSDP and
Google machines. And while removing the link from the "suspicious" system
that's under investigation will "solve" the spurious network activity,
neither can you run more tests on it to discover where those are coming
from.

Greetings,

-- 
Camaleón

Archive: http://lists.debian.org/jvlioq$kog$4...@dough.gmane.org
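The thread turns on two checks that nobody in it actually shows: whether a desktop really has "no open ports at all", and whether a connection to SSDP or to Google is "weird behaviour" or expected noise. The script below is an added example, not code from any of the posters or from Debian; it triages `ss -tunap`-style output into categories a desktop admin can reason about (loopback listeners, listeners bound to all interfaces, SSDP multicast discovery, LAN peers, outbound Internet peers with the owning process). The column layout assumed for `ss` is the usual `Netid State Recv-Q Send-Q Local Peer Process` form; the sample output, addresses, PIDs and process names embedded in it are constructed for this example.

```python
"""Triage socket state from `ss -tunap`-style output, separating the expected
noise on a desktop (loopback listeners, SSDP multicast discovery) from the
sockets that deserve an explanation before calling a box clean or compromised.
Added example; the sample below is constructed, not captured from a real host."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the column layout `ss -tunap` prints
# (Netid State Recv-Q Send-Q Local Peer Process). Addresses, PIDs and
# process names are made up for this example.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port   Peer Address:Port     Process
udp   UNCONN 0      0      0.0.0.0:1900         0.0.0.0:*             users:(("minissdpd",pid=811,fd=4))
tcp   LISTEN 0      128    127.0.0.1:631        0.0.0.0:*             users:(("cupsd",pid=700,fd=7))
tcp   LISTEN 0      128    [::]:22              [::]:*                users:(("sshd",pid=650,fd=4))
tcp   ESTAB  0      0      192.168.1.10:41234   142.250.74.78:443     users:(("firefox",pid=2310,fd=55))
udp   ESTAB  0      0      192.168.1.10:33201   239.255.255.250:1900  users:(("minissdpd",pid=811,fd=5))
tcp   ESTAB  0      0      192.168.1.10:38000   192.168.1.1:80        users:(("firefox",pid=2310,fd=60))
"""

# Pulls the process name out of ss's users:(("name",pid=...,fd=...)) column.
_PROC_RE = re.compile(r'\(\("([^"]+)"')


def _split_endpoint(endpoint):
    """'addr:port' -> (ip_address, port string); handles [v6], %iface and '*'."""
    addr, port = endpoint.rsplit(":", 1)
    addr = addr.strip("[]").split("%")[0]
    if addr == "*":
        addr = "0.0.0.0"
    return ipaddress.ip_address(addr), port


def parse_ss(text):
    """Parse ss output into row dicts; the header line and short lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] == "Netid":
            continue
        netid, state, _recvq, _sendq, local, peer = parts[:6]
        match = _PROC_RE.search(parts[6]) if len(parts) > 6 else None
        rows.append({
            "netid": netid,
            "state": state,
            "local": local,
            "peer": peer,
            "process": match.group(1) if match else "?",
        })
    return rows


def classify(row):
    """Map one socket to a category a desktop admin can reason about."""
    local_ip, _local_port = _split_endpoint(row["local"])
    if row["state"] in ("LISTEN", "UNCONN"):
        # Listening sockets: only the bind address matters. Anything not on
        # loopback is reachable from the LAN, router NAT notwithstanding.
        return "loopback-listener" if local_ip.is_loopback else "exposed-listener"
    if row["state"] == "ESTAB":
        peer_ip, peer_port = _split_endpoint(row["peer"])
        if peer_ip.is_multicast and peer_port == "1900":
            return "ssdp-discovery"          # UPnP/SSDP multicast: normal LAN noise
        if peer_ip.is_multicast:
            return "multicast"
        if peer_ip.is_private or peer_ip.is_loopback:
            return "lan-connection"
        return "outbound-internet"           # check the owning process, not just the peer
    return "other"


def triage(text):
    """Return {category: [(process, local, peer), ...]} for the given ss output."""
    summary = defaultdict(list)
    for row in parse_ss(text):
        summary[classify(row)].append((row["process"], row["local"], row["peer"]))
    return dict(summary)


def needs_review(text):
    """The subset an admin should be able to explain: exposed listeners and
    Internet-bound connections, each with the process that owns it."""
    summary = triage(text)
    return summary.get("exposed-listener", []) + summary.get("outbound-internet", [])


if __name__ == "__main__":
    for category, sockets in sorted(triage(SAMPLE_SS_OUTPUT).items()):
        print(category)
        for process, local, peer in sockets:
            print(f"  {process:<10} {local} -> {peer}")
```

On the constructed sample the "no open ports at all" claim already fails mildly (the SSDP daemon and sshd listen on every interface, while CUPS stays on loopback), and the SSDP traffic the thread argues about lands in its own expected-noise bucket. To use it on a real box, replace `SAMPLE_SS_OUTPUT` with the captured text of `ss -tunap` and read the `needs_review` list while the machine is still connected, which is exactly the data that goes away once the cable is pulled.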