Looking At The New Linux Trojan

Da Schmiz writes: "Security firm Qualys discovered a new Linux trojan on Saturday ... details can be found on their website.. Vnunet picked up the story earlier today, and then followed up with more details. They're comparing the potential impact to Code Red or worse, since more servers run Linux / Apache than NT / IIS. I don't think it's that bad, since the infection can be easily detected, but it certainly isn't good." Update: 09/08 11:58 AM GMT by H : Of course, as Kurt Siefried pointed out in e-mail: "The trojan has nothing to do with Apache. The virus attaches itself to an executable, which you must run to infect other binaries (i.e. you must run this as root). This means that infection vectors include, but are not limited to email attachments, but you must of course save the binary, then set it executable, and then run it, as root, to do any real damage. Alternatively you must download binary software and run it (again as root to do any real damage). In other words someone must run binaries of unknown origin as root, and if this is common practice then you have larger policy and education problems to deal with." So - comparing it to Code Red is a bit dubious.
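The summary says the trojan attaches itself to an executable and, when run as root, infects other binaries, and that such an infection "can be easily detected". The usual check is a baseline-and-verify pass over the executables on a host. The script below is an added example written for this page, not code from Qualys, Vnunet or the trojan's analysis; it assumes an infected host binary differs in hash (and typically grows) from the clean copy recorded earlier, and builds its own throwaway directory so it runs offline.

```python
import hashlib
import os
import stat
import tempfile

def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def is_executable(path):
    # Regular file with any execute bit set; symlinks are skipped via lstat.
    st = os.lstat(path)
    return stat.S_ISREG(st.st_mode) and bool(st.st_mode & 0o111)

def build_baseline(root):
    """relpath -> [size, sha256] for every executable under root (taken while clean)."""
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = os.path.join(dirpath, name)
            if is_executable(p):
                baseline[os.path.relpath(p, root)] = [os.path.getsize(p), _sha256(p)]
    return baseline

def verify(root, baseline):
    """Sorted (relpath, reason) for executables that changed, appeared or vanished."""
    current = build_baseline(root)
    findings = []
    for rel, (size, digest) in current.items():
        if rel not in baseline:
            findings.append((rel, "new executable"))
        elif baseline[rel][1] != digest:
            # A file infector that appends itself makes the host binary larger.
            findings.append((rel, "modified, grew" if size > baseline[rel][0] else "modified"))
    findings += [(rel, "missing") for rel in baseline if rel not in current]
    return sorted(findings)

def demo():
    """Constructed scenario: baseline two scripts, then append a stand-in payload to one."""
    with tempfile.TemporaryDirectory() as root:
        for name in ("ls", "cat"):
            p = os.path.join(root, name)
            with open(p, "wb") as f:
                f.write(b"#!/bin/sh\necho " + name.encode() + b"\n")
            os.chmod(p, 0o755)
        base = build_baseline(root)
        with open(os.path.join(root, "ls"), "ab") as f:
            f.write(b"# constructed stand-in for an appended infector\n")
        return verify(root, base)
```

On a real host the baseline must be stored off-box (or on read-only media), since a root-level infection can rewrite a local baseline as easily as the binaries it covers.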
  • by Tregod ( 441880 ) on Saturday September 08, 2001 @04:26AM (#2266531)
    "...a guard at the top of the castle gates spots something in the distance, just beyond the walls. What could it be? It's... a giant wooden penguin! Immediately, guards from different corridors of the castle rush to perceive what appeared to be a gift from the gods. All at once, they hoisted the behemoth bird onto a makeshift wagon and hauled it within the castle. After much celebration and talk of good tidings, the kingdom lay its head to rest. Later on that night, the wooden bird's bottom opened, releasing thousands upon thousands of Bill Gates' shock troops, sent to terrorize the castle and townspeople."
  • by ASCIIMan ( 47627 ) on Saturday September 08, 2001 @04:40AM (#2266554)
    Now we know why slashdot has been down so much the last couple days.
  • by katana ( 122232 ) on Saturday September 08, 2001 @04:45AM (#2266557) Homepage

    At this time, the Remote Shell Trojan source code is not known to be available.

    This...thing violates the GPL and everything Open Source stands for! They could sell it commercially, and not even contribute back to the code base! That's just so, so, so non-Stallman that it makes my middle finger itch!

  • by sinster ( 518986 ) <sinster@@@ballistictech...net> on Saturday September 08, 2001 @05:00AM (#2266579) Homepage
    Of course. Being paranoid bastards, the open source inspired defenders of the castle take one look at the wooden penguin and burn it to the ground, crying, "I'm not taking that until I read the EULA!", "Where're the blueprints?", and "Bah! I hate precompiled statues."
  • by friscolr ( 124774 ) on Saturday September 08, 2001 @05:38AM (#2266631) Homepage
    Advisory # 44526

    FOR IMMEDIATE RELEASE

    Overview

    The Really Silly Command Virus identified by Blackant Systems has the potential to remove all files from a hard drive. It was recently spotted in the wild a few days ago when a junior sysadmin logged in as root on a production server and executed a shell script he had been emailed from a user known only as script_kiddie@hotmail.com.

    Impact

    Given a detailed analysis of the source code behind this virus, it is possible that the Really Silly Command Virus may eventually mutate into a self-propagating worm.

    Recommendations

    Blackant Systems recommends that every sysadmin who would run shell scripts from untrusted parties be shot.

    In order to determine if your email may contain this new virus, please look for the following first few lines in a shell script:

    #!/bin/sh
    #1337 script by script_kiddie!!!
    #props to all my homies!!!!
    rm -rf /

    #this doenst seem to work yet...
    mail $0 $1

    If you find a file with similar lines, do not execute it on your server, but remove it immediately. Blackant Systems will be releasing a utility to identify stupid sysadmins shortly.

  • What counts (Score:4, Funny)

    by Faux_Pseudo ( 141152 ) <Faux.Pseudo@gmail.cFREEBSDom minus bsd> on Saturday September 08, 2001 @05:39AM (#2266632)
    I don't mind if there are trojans and virii for Linux as long as they are GPLed and Open Source.

    I'm sorry but I felt it had to be said even if I lose karma
  • by bgarcia ( 33222 ) on Saturday September 08, 2001 @06:56AM (#2266706) Homepage Journal
    Harry: Just a few more lines to be debugged, and it'll be finished!

    Cindy: Oh Harry, You're so smart! It really turns me on!

    Harry: Oh wow!

    Cindy: As soon as you finish that, I'll think up something to allow us to Celebrate!

    Harry: Oh, WOW!!!

    <horse braying>

    Singers: "TROJAN MAN!!!"

    Trojan Man: Looks like you two are planning to... exchange private keys?

    Harry & Cindy: Well... Uh... I don't...

    Trojan Man: Try new Linux Trojans! The Condom for the virus conscious!

    Harry & Cindy: Thanks Trojan Man!

    Trojan Man: My job is done here!

    <horse braying>

    Trojan Man: Yes, we'll find a filly for you some day...



    Hey, geeks can dream, can't they?

  • by Oestergaard ( 3005 ) on Saturday September 08, 2001 @10:58AM (#2267230) Homepage
    Notice how ordinary communication paths are re-named to "infection vectors" to make them sound technical and dangerous - way to go Hemos ;)

    Anyway, it will be fun to see if the crap media picks this one up "uh no! a worm on Linux, we always knew it would happen! we haven't seen it yet, but someone mentioned it may get worse than CodeRed!"

    But I'm really happy /. warned me - otherwise I might just have saved the program, marked it as executable, su'ed to root, and run it on my main web/ftp servers or the firewalls. Yeah, right...
  • by Anonymous Coward on Saturday September 08, 2001 @12:03PM (#2267528)
    I'm trying to run Apache on Solaris 8, FreeBSD, or Slackware. I have tried to compile Apache from source each time, and have read through the .conf files before I started the binary each time -- but, for some reason, Port 80 keeps getting flooded by requests for "index.html".

    I also keep getting bombarded with traffic on Ports 25 and 110...do you think the virus affects those ports? So far I'm so scared that I'm going to "init 0" the machines and break them apart with sledge hammers before I propagate the virus.

    I would never have run Apache on any of the machines if I knew the potential for this virus infecting me with dangerous "Internet traffic".

    I'm just a newbie to UNIX and Linux -- but, I'm going back to NT 4.0 where I can run any binary attachments I want. At least with NT, I know the machine won't be up long enough to accept connections on any of the ports, even if it gets infected.

    Where's that registry editor?
