Security in GNU/Linux systems: does it depend on the system or on the administrator?

In recent days reports have circulated on the net of attacks that exploit a vulnerability in PHP, allowing some legitimate sites to serve fraudulent web pages and advertisements and exposing visitors to malware being installed on their computers. These attacks take advantage of an extremely critical PHP vulnerability that was publicly disclosed 22 months ago and for which the corresponding updates have long since been released.

Some have begun to insist that a good part of the servers compromised in these attacks run versions of GNU/Linux, seeking to cast doubt on the security of this operating system, but without going into the nature of the vulnerability or the reasons why this has happened.

The infected GNU/Linux systems are, in every case, running Linux kernel version 2.6, released in 2007 or earlier. In no case is there any mention of infected systems running newer kernels or systems that have been duly updated; but of course there are still administrators who think "...if it isn't broken, it doesn't need fixing", and then these things happen.

Moreover, a recent study by the security firm ESET describes in detail what it calls "Operation Windigo", in which, through various attack kits, including one called Cdorked designed specifically for Apache and other popular open source web servers, and another called Ebury aimed at SSH, more than 26,000 GNU/Linux systems have been compromised since May of last year. Does this mean that GNU/Linux is no longer secure?

First of all, to put things in context: if we compare the previous numbers with the almost 2 million Windows computers compromised by the ZeroAccess botnet before it was shut down in December 2013, it is easy to conclude that, in terms of security, GNU/Linux systems are still safer than those running Microsoft's operating system. But is it GNU/Linux's fault that 26,000 systems with that OS have been compromised?

As with the critical PHP vulnerability discussed above, which affects systems without kernel updates, these other attacks involve systems on which the default username and/or password was never changed and on which ports 23 and 80 were left unnecessarily open; so is it really GNU/Linux's fault?

Obviously the answer is NO: the problem is not the operating system in use, but the irresponsibility and neglect of the administrators of those systems, who have not quite grasped the maxim stated by security expert Bruce Schneier that should be burned into our brains: security IS a process, NOT a product.

It is useless to install a proven secure system if we then leave it abandoned and do not install the corresponding updates as soon as they are released. Likewise, it is useless to keep our system updated if the authentication credentials set by default during installation remain in use. In both cases these are elementary security procedures which, however often they are repeated, are still not properly applied.

If you have a GNU/Linux system with Apache or another open source web server under your care and want to check whether it has been compromised, the procedure is simple. In the case of Ebury, open a terminal and type the following command:

ssh -G

If the response is anything other than:

ssh: illegal option -- G

followed by the list of valid options for that command, then your system is compromised.

In the case of Cdorked the procedure is a little more involved. Open a terminal and type:

curl -i http://myserver/favicon.iso | grep "Location:"

If your system has been compromised, Cdorked will redirect the request and give you the following output:

Location: http://google.com

Otherwise it will return nothing, or a different location.
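The two checks above, wrapped as an added example (this is not the article's or ESET's own code) so that each one classifies captured output and can be tried on constructed sample text before being run against a live host; the sample outputs, the function names and the "--live" switch are assumptions made here:

```shell
#!/bin/sh
# Added example, not the article's or ESET's own code: the two indicator checks
# described above, wrapped so that each one classifies captured output. The
# sample outputs below are constructed; "--live HOST" runs the real commands.

# Ebury: a clean OpenSSH of that era rejects "-G" with an "illegal option" or
# "unknown option" message; the trojanised ssh client accepts it silently.
# Prints "clean" or "suspicious"; exit status 0 = clean, 1 = suspicious.
classify_ssh_g() {
    if printf '%s\n' "$1" | grep -q -e 'illegal option' -e 'unknown option'; then
        echo clean; return 0
    fi
    echo suspicious; return 1
}

# Cdorked: a request for /favicon.iso on a backdoored Apache is answered with a
# redirect (the article shows "Location: http://google.com"); a clean server
# sends no Location header. Prints "clean" or "suspicious (<header>)".
classify_favicon_headers() {
    loc=$(printf '%s\n' "$1" | grep -i '^Location:' | head -n 1 | tr -d '\r')
    if [ -z "$loc" ]; then
        echo clean; return 0
    fi
    echo "suspicious ($loc)"; return 1
}

# Constructed sample outputs (not captured from a real host).
SAMPLE_SSH_CLEAN='ssh: illegal option -- G
usage: ssh [-1246AaCfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]'
SAMPLE_SSH_EBURY=''   # the trojanised client accepts -G and prints nothing
SAMPLE_HDR_CLEAN='HTTP/1.1 404 Not Found
Content-Type: text/html'
SAMPLE_HDR_CDORKED='HTTP/1.1 302 Found
Location: http://google.com
Content-Length: 0'

# Live mode, e.g.: sh windigo-check.sh --live www.example.org
if [ "${1:-}" = "--live" ]; then
    classify_ssh_g "$(ssh -G 2>&1)"
    classify_favicon_headers "$(curl -s -i "http://${2:-localhost}/favicon.iso")"
fi
```

Note that OpenSSH 6.8 (2015) added a legitimate -G option, so on any current system the ssh test reports "suspicious" regardless of infection; the curl check and ESET's other indicators are the ones to rely on there.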

The disinfection method may seem crude, but it is the only one proven effective: a full system wipe, reinstallation from scratch and a reset of all user and administrator credentials from an uncompromised terminal. If that seems harsh, consider that, had you changed the credentials promptly, the system would not have been compromised.

For a much more detailed analysis of how these infections operate, the specific means used to spread them and the corresponding measures to take, we suggest downloading and reading the full analysis of "Operation Windigo", available at the following link:

Operation Windigo

Finally, a fundamental conclusion: there is no operating system that is proof against irresponsible or careless administrators. Where security is concerned there is always something to do, because the first and most serious mistake is to think that we have already achieved it. Or don't you think so?


  1.   Leo said

    It's all true: people can't be bothered, and then what happens, happens. I see it daily with the issue of updates, regardless of the system (Linux, Windows, Mac, Android...): people do not install updates, they are lazy, they do not have time, "I won't touch it, just in case"...

    1.    charlie brown said

      And not only that, but they skip changing the default credentials or keep using passwords like "1234" and the like, and then complain; and yes, you are right, no matter which OS they use, the mistakes are the same.

      Thank you very much for stopping by and commenting ...

  2.   Axl said

    Excellent! very true in everything!

    1.    charlie brown said

      Thank you for your comment and for stopping by ...

  3.   Percaff_TI99 said

    A more complete command that I found on the net from a user @Matt:

    ssh -G 2>&1 | grep -e illegal -e unknown > /dev/null && echo "System clean" || echo "System infected"

    1.    charlie brown said

      Wow!... Much better, the command tells you directly.

      Thanks for the contribution and for stopping by.

  4.   vidagnu said

    I fully agree with you, security is a continuous improvement!

    Excellent article!

    1.    charlie brown said

      Thank you very much for the comment and for stopping by ...

  5.   thalskarth said

    Very true, it is an ant's job where you always have to be checking and looking after security.

  6.   babel said

    Good article; just last night my partner was telling me about the Windigo operation that he read about in the news: "so Linux is not invulnerable to infections", and he was saying that it depended on many things, not only on whether Linux is secure or not.
    I'm going to recommend that he read this article, even if he doesn't understand any of the technicalities XD

    1.    charlie brown said

      Unfortunately that is the impression left by this type of news, which in my opinion is intentionally misrepresented; luckily your partner at least mentioned it to you, but now prepare for a round of questions once the article has been read.

      Thank you very much for the comment and for stopping by ...

  7.   federico said

    Very good article, Charlie. Thanks for taking your time.

    1.    charlie brown said

      Thank you for stopping by and for your comment ...

  8.   let's use linux said

    very good article!
    hug, pablo.

    1.    charlie brown said

      Thank you very much Pablo, a hug ...

  9.   Joseph said

    Grateful for the information you publish, and in full agreement with the criteria explained; by the way, a very good reference to Schneier's article "Security IS a process, NOT a product".

    Greetings from Venezuela. 😀

    1.    charlie brown said

      Thanks to you for commenting and for stopping by.

  10.   otkmanz said

    Hello!
    First of all, an excellent contribution!! I have read it and it was really interesting; I completely agree with your view that security is a process, not a product, and that it depends on the system administrator: what good is a super secure system if you leave it there without updating it and without even changing the default credentials?

    I take this opportunity to ask you a question, if you don't mind; I hope you don't mind answering.
    Look, I'm really very excited about this security topic and I would like to learn more about security in GNU/Linux, SSH and GNU/Linux in general. So, if it's not a bother, could you recommend me something to start with? A PDF, an "index", anything that can guide a newbie would help.
    Greetings and thank you very much in advance!

  11.   Valfar said

    Operation Windigo... Only recently did I become aware of this situation; we all know that security in GNU/Linux is above all the responsibility of the administrator. Well, I still do not understand how my system was compromised, that is, "System Infected", if I have not installed anything on the system that is not directly from the support; in fact it has only been a week since I installed Linux Mint, and I have only installed lm-sensors, GParted and laptop-mode-tools, so it seems strange to me that the system has been infected; now I have to remove it completely and reinstall. Now I have a big question about how to protect the system, since it was infected and I don't even know how haha... Thanks

  12.   anon said

    thanks for the info.

  13.   Gabriel said

    It is always important to have security mechanisms like the one outlined in the article, all the more so when it comes to looking after the family, but if you want to see all the options the market offers in this regard, I invite you to visit http://www.portaldeseguridad.es/