I'm about to eat humble pie today. I'm pretty convinced, at this point, that I have a virus on my main machine.
A virus. On a Debian box (two, actually). What the hell?!
My ISP cut my ports back, and it's probably a good idea because I'll be damned if my boxes aren't trying to connect to a strange IP. I'm investigating more...but holy cow! A Linux virus!
I was never infected by viruses even when I used to run Windows; the only virus I think I ever got was when I accidentally unzipped VIRUS.ZIP (which I had kept for AGES knowing it was a virus)...this is weird.
I have no idea how to protect against this other than to keep your system patched, wtf.
Could this semester get any more screwed up?
Ways to avoid this
- Make sure your passwords have at minimum 3 symbols (words, letters, or special characters). Any less is trivial to break. More would be ideal, but really, don't fall below this level.
- Don't execute things as root that you don't absolutely trust. This should go without saying, but I'm looking at you specifically, boinc. If it requires root, it isn't worth installing, for the vast, vast majority of software. Although Linux.RST.b does employ vulnerabilities that allow privilege escalation, letting programs run as root just makes Linux.RST.b's job that much easier.
- Keep Linux install CDs handy. Even if you get infected, you may as well just be prepared to wipe the system clean. Also keep data and operating system partitions separate so this is easier, and cleaner. Keeping a list of your modified system files would be ideal.
- debsums, tripwire, chkrootkit and wireshark are all helpful from a security-user or power-user standpoint, but for the average user, just make sure that you NEVER see errors about debian-debsum-keys not being present, for coreutils specifically and for anything important in general. This is just a problem waiting to happen, and if you see it, inquire until you no longer get that error.
Also, I noticed my Apache logs were kind of wacky for a long time...don't ignore it when your log files start disappearing, or when your system starts acting slower than you'd expect.
edit: as if things couldn't get any better, apparently 250GB of my backups have vanished. They are probably still out somewhere near Colfax, SK, safe and sound, but I don't think even SERVER knows where they are. That and I killed a recent backup of my to-do list with a stupid UNIX mistake (tar -cvvjf filename .tar.bz2 filename, doh). And now neither my regular CD burner nor meirionwen's burner works properly. I'm downloading an Ubuntu ISO at the university, but this could take a while.
edit: Found the likely entry point: I had, not too long ago, tried to do something very quickly (probably setting up FTP for my webpad!) that involved creating a username 'temp', probably with an easy-to-guess password. Its home directory was riddled with text files containing user/password pairs.
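The weak-password 'temp' account above is exactly the kind of entry point that shows up in sshd's auth log as a run of failed logins from one address followed by an "Accepted". This is an added example (not from the post or from any tool mentioned in it) that scans constructed auth.log lines for that pattern; the log lines, hostname and addresses are made up for the demo.

```python
import re
from collections import defaultdict

# Constructed sample of OpenSSH auth.log lines (not from the compromised box).
SAMPLE_LOG = """\
Mar  3 02:11:07 box sshd[4120]: Failed password for temp from 192.0.2.77 port 40112 ssh2
Mar  3 02:11:09 box sshd[4120]: Failed password for temp from 192.0.2.77 port 40113 ssh2
Mar  3 02:11:11 box sshd[4120]: Failed password for temp from 192.0.2.77 port 40114 ssh2
Mar  3 02:11:13 box sshd[4120]: Failed password for invalid user admin from 192.0.2.77 port 40115 ssh2
Mar  3 02:11:15 box sshd[4120]: Failed password for temp from 192.0.2.77 port 40116 ssh2
Mar  3 02:11:17 box sshd[4121]: Accepted password for temp from 192.0.2.77 port 40117 ssh2
Mar  3 08:40:02 box sshd[5201]: Accepted publickey for alice from 198.51.100.5 port 51000 ssh2
"""

# Matches both "Failed password for temp from ..." and
# "Failed password for invalid user admin from ..." (unknown usernames).
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def find_bruteforce_logins(log_text, threshold=3):
    """Return (user, src, failures_before_success) for every successful login
    preceded by at least `threshold` failed attempts from the same source
    address. Failures are counted per source, not per user, because a guessing
    run cycles through many usernames. Lines are taken in file order."""
    failures = defaultdict(int)  # src address -> failed attempts seen so far
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src = m.group("src")
        if m.group("result") == "Failed":
            failures[src] += 1
        elif failures[src] >= threshold:
            # A success after a burst of failures: treat the account as
            # guessed, lock it, and audit its home directory and crontab.
            hits.append((m.group("user"), src, failures[src]))
    return hits


if __name__ == "__main__":
    for user, src, n in find_bruteforce_logins(SAMPLE_LOG):
        print(f"{user} logged in from {src} after {n} failed attempts")
```

Run it against a real /var/log/auth.log with `find_bruteforce_logins(open(path).read())`; the alice login is ignored because no failures precede it.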
He used ASCII-formatted text cracking tools. Impressive.
"cat $1 > pass_file
echo "#=====#==================================#=====#"
echo "#Looking for -= $1 =- at speed -= $2 =-"
echo "#--- PATIENCE IS VIRTUTE... Please wait now ---#"
echo "#=====#==================================#=====#"
sleep 5
./ssh $2
echo "#=THE=#==================================#=THE=#"
echo "#=>-<=#=== !! DONE... CHOOSE AGAIN !! ===#=>-<=#"
echo "#=END=#==================================#=END=#"
"
What's also interesting is that he catted a file 'bios.txt'. Interesting, no?
"powered by stealth" #Chance
h0sty, #ame-team
Also, a list of IP addresses, in the 212.23.0.0/16 range. IP addresses my machine was to attack?
echo "${YEL}[+]${BLK}Exploiting status: 50%${YEL}[+]${WHI}"
cat 32 > pass_file
sleep 3
./ssh 270
Damn. I think I can both improve upon and learn from this guy's shell code.
1) He should really have used a loop instead of just catting and sleeping numbered files. WTF.
2) curses! Sweet. Now I can probably create shell scripts using curses, following their example.