New Multi-Purpose Backdoor Targets Linux Servers 98
An anonymous reader writes A new multi-purpose Linux Trojan that opens a backdoor on the target machine and can make it participate in DDoS attacks has been discovered and analyzed by Dr. Web researchers, who believe that the Chinese hacker group ChinaZ might be behind it. "First, Linux.BackDoor.Xnote.1 sends information about the infected system to the server. It then goes into standby mode and awaits further instructions. If the command involves carrying out some task, the backdoor creates a separate process that establishes its own connection to the server through which it gets all the necessary configuration data and sends the results of the executed task," the researchers explained.
i must click dem! (Score:5, Funny)
Re:i must click dem! (Score:5, Insightful)
If you are a Windows Administrator who happens to get dumped with the odd Linux server, Xnote may seem like a good option for a text editor. Not as scary-sounding as things like:
vi/vim (Ok, you got in... Now why can't I type!, or vi, short for Virus Infestation)
emacs (This sounds like a Macintosh emulator to me)
nano (Disk compression tool?)
Windows Admins are used to Notepad being the default text editor. XNote may be a good pick to choose.
With us living in a mostly Linux world, the idea that there are professionals that don't know much about Linux is hard to imagine, but they are there. And sometimes they will get dumped a Linux box to manage, even if they don't know much about it.
Re: (Score:2)
Or notepad2 if you don't want bloatware.
Or just install cygwin and use red like Ken intended.
Re: (Score:1)
Only downside of cygwin is that because it installs so many files with a full install, it makes a CHKDSK take a lot longer, so it is a good idea to put the cygwin files on a filesystem mounted on a junction point (no need to waste a drive letter.)
Re: (Score:2)
Or use a USB key formatted to NTFS.
Re: (Score:2)
Pah. Programmer's Notepad, you rebel scum!
Re: (Score:1)
Re: (Score:1)
Re: (Score:3)
gvim FTW! It is the bridge. I had already figured out the vi basics before it existed, but it's still cool.
Re: (Score:2)
"professionals that don't know much about Linux is hard to imagine, but they are there"
Well, yah ya know... it's not like they haven't had 20 years or so to catch up. I mean... Linux just took over everything in a single night!
Re: (Score:2)
If you are a Windows Administrator who happens to get dumped with the odd Linux server, Xnote may seem like a good option for a text editor. Not as scary-sounding as things like:
vi/vim (Ok, you got in... Now why can't I type!, or vi, short for Virus Infestation)
emacs (This sounds like a Macintosh emulator to me)
nano (Disk compression tool?)
Windows Admins are used to Notepad being the default text editor. XNote may be a good pick to choose.
There is always Midnight Commander editor (mcedit) for such idiots like me (hate vi, will never touch emacs).
Re: (Score:1)
From the linked article:
"It's also good to know that Xnote gets installed on a target machine only if it's been launched with root privileges"
Re: (Score:2)
SSL connections out or in? Most machines (other than webservers) should not be accepting SSL connections from the Internet.
SSL connections out are a different story. For general Web browsing, running a browser without a sandbox, VM, or both is going to get one nailed, no matter what the OS. Even on Android, there are sites which try to foist "securityupdate.apk" on the user.
Re: (Score:2)
Re: ok (Score:2, Insightful)
OpenBSD has always supported networking.
Re: (Score:2)
Successful ones will indeed be much better...
However, not allowing root logins, not running services as root, and keeping things in chroot jails makes the task of the virus writer so much more difficult, even if you get escalated to root on some buffer overflow, injection attack or something. Not to mention, Linux distributions seem to have a lot of different ideas about how and where the configuration files live, what init process they want to run and the default security settings they use for the
Re: (Score:2)
HAHA (Score:2, Informative)
You have to run the file as a system admin for it even to work. This is a non issue joke.
Re:HAHA (Score:5, Insightful)
The sys-admin is actually a Windows Admin with a Linux box... He doesn't know better.
The system was set up by the boss's kid nephew who is good with computers, gives everyone admin access because he doesn't know how to manage permissions.
Lazy administrators tired of fixing permissions just give everyone root access...
Sure we can make fun of the people and say due to their neglect it is their own damn fault... But once it gets in, the damage is real.
Re: (Score:2)
IF you don't mind running my installer as a windows admin, I bet I can own your box in short order.... Linux is no different. Don't login to root, just like you don't use your Windows admin account..... You don't right????
Re: (Score:1)
That doesn't make it any less their fault.
"He doesn't know better?" Then he shouldn't be in charge of someone's equipment and security, someone who knows better does. Period.
"Lazy administrators tired of fixing permissions just gives everyone root access?" I've never heard of a single instance of any server administrator giving root access to everybody to get around file permission issues. Not once, ever. If that's the sort of thing you or the people who employ you are doing, see the first point.
"But once i
Researchers? (Score:5, Informative)
The source was Dr. Web's own marketing page.
This smells like a press release (which smells coincidentally like spam).
Re: (Score:3)
Quakin' in me booties (Score:1)
They mount a bruteforce SSH attack.. for real.. Well, I say bring it on!
Re: (Score:1)
Re: (Score:2)
Microsoft shills say "Cannot Happen on Windows!" Investigative reports on Evil Linux Admins...
Film at 11!
Come on! (Score:5, Interesting)
Come on!!!
What vulnerability? What port? What gets attacked?
Is there more than one vulnerability?
I wonder -- I really, really wonder. Are Slashdot "editors" getting kickbacks?
What a loaded pile of crappy advertising.
Re:Attack vector Port is SSH (22), passwd guessing (Score:5, Informative)
The linked article mistranslates the original Russian.
The vector is SSH, brute force attempts to guest the root password. The net-security article mistranslates to SSL.
Re: (Score:2, Informative)
Re: (Score:2)
The idea of using sudo instead of allowing ssh as root always sounded stupid to me.
If an attacker gets access to your regular user account then it is game over the next time you try to sudo from there.
Re: (Score:2)
But you have to brute force a username as well as a password. These attacks aren't in any way targeted and "root" is present everywhere. I've never seen anyone try to ssh into my machines as the user geantvert or chihowa. Have you?
Re: (Score:2)
chihowa writes:
But you have to brute force a username as well as a password. These attacks aren't in any way targeted and "root" is present everywhere. I've never seen anyone try to ssh into my machines as the user geantvert or chihowa. Have you?
Well, not before today...
Re: (Score:2)
So that is only an additional layer of security by obscurity. Still not convinced!
Re: (Score:2)
Good security includes such layers (but doesn't rely only on them). It's entirely effective against non-targeted automated attacks, which comprise well over 99% of the attacks your network will face. (Of course, a good password or key based auth is just as effective. A good password or key and no root login is more effective.) Allowing root login adds another attack opportunity with predictable parameters. It's all about minimizing the surface open to attack.
Since >99% of all ssh attacks on the internet
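The comments above argue about whether refusing root logins over SSH buys anything against untargeted password guessing. As an added example, not code from the page or from Dr. Web, here is a small Python audit of the sshd_config settings that argument turns on: root login, password authentication, attempts per connection and which accounts are reachable at all. The two configuration texts are constructed, and the checker deliberately stops at the first Match block, so it is a first-pass check rather than a full sshd parser.

```python
"""Audit an sshd_config text for settings that widen the password-guessing surface.

The weak and hardened configs below are constructed examples; the checker
follows sshd's rule that the first occurrence of a keyword wins and stops at
the first Match block (conditional settings are out of scope here).
"""

# Constructed example: a permissive sshd_config
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
MaxAuthTries 6
"""

# Constructed example: the same file after tightening
HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
AllowUsers deploy ops
"""


def parse_sshd_config(text):
    """Return {keyword_lower: value}; first occurrence of a keyword wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break  # conditional blocks are not evaluated by this simple check
        settings.setdefault(key, value)
    return settings


def audit_sshd_config(text):
    """Return a list of (keyword, finding) for settings worth tightening."""
    s = parse_sshd_config(text)
    findings = []

    root = s.get("permitrootlogin")
    if root is None:
        findings.append(("PermitRootLogin", "not set explicitly; relies on the build's default"))
    elif root.lower() == "yes":
        findings.append(("PermitRootLogin", "root may log in with a password; use 'no' or 'prohibit-password'"))

    pw = s.get("passwordauthentication")
    if pw is None or pw.lower() == "yes":
        findings.append(("PasswordAuthentication", "passwords accepted; prefer 'no' with key-based auth"))

    tries = s.get("maxauthtries")
    if tries is None or not tries.isdigit() or int(tries) > 3:
        findings.append(("MaxAuthTries", "more than 3 attempts per connection; lower it to slow guessing"))

    if "allowusers" not in s and "allowgroups" not in s:
        findings.append(("AllowUsers/AllowGroups", "every local account is reachable over SSH; restrict the set"))

    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {audit_sshd_config(cfg) or 'no findings'}")
```

Run against a real file with `audit_sshd_config(open("/etc/ssh/sshd_config").read())`; an empty result means the four settings above are at least explicitly set the tighter way, not that the host is secure.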
Re: (Score:2)
just renamed all my "root" users to "admin" :-)
Try to bruteforce that!
Maybe I should rename to "Ht695rdwP"
Re: (Score:2)
It's a problem a few years old with the recent twist being spreading out the attacks to avoid triggering "fail2ban" and other automated blocking measures.
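The comment above makes the point that spreading guesses across many source addresses keeps each one under a fail2ban-style per-IP threshold. As an added example, not code from the page or from Dr. Web, the Python below runs two checks over constructed sshd log lines: the per-source count a blocker would use, and a per-account count of distinct low-volume sources that shows the spread-out campaign against "root" a per-IP rule misses. The hostnames, addresses and timestamps are constructed sample data.

```python
"""Spot SSH password-guessing in sshd log lines, including the spread-out kind.

Two checks over the same parsed events:
  * per-source: one IP with many failures in a short window, which is
    what a fail2ban-style blocker catches;
  * distributed: one account failing from many different IPs that each
    stay under the per-IP threshold, so no single source gets banned.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample sshd lines (documentation address ranges, not real hosts).
SAMPLE_LOG = """\
Feb 12 10:00:01 web1 sshd[2001]: Failed password for root from 203.0.113.5 port 40001 ssh2
Feb 12 10:00:02 web1 sshd[2002]: Failed password for root from 203.0.113.5 port 40002 ssh2
Feb 12 10:00:03 web1 sshd[2003]: Failed password for root from 203.0.113.5 port 40003 ssh2
Feb 12 10:00:04 web1 sshd[2004]: Failed password for root from 203.0.113.5 port 40004 ssh2
Feb 12 10:00:05 web1 sshd[2005]: Failed password for root from 203.0.113.5 port 40005 ssh2
Feb 12 10:00:06 web1 sshd[2006]: Failed password for root from 203.0.113.5 port 40006 ssh2
Feb 12 10:01:00 web1 sshd[2010]: Failed password for root from 198.51.100.11 port 5001 ssh2
Feb 12 10:01:20 web1 sshd[2011]: Failed password for root from 198.51.100.12 port 5002 ssh2
Feb 12 10:01:40 web1 sshd[2012]: Failed password for root from 198.51.100.13 port 5003 ssh2
Feb 12 10:02:00 web1 sshd[2013]: Failed password for root from 198.51.100.14 port 5004 ssh2
Feb 12 10:02:20 web1 sshd[2014]: Failed password for root from 198.51.100.15 port 5005 ssh2
Feb 12 10:02:40 web1 sshd[2015]: Failed password for root from 198.51.100.16 port 5006 ssh2
Feb 12 10:03:00 web1 sshd[2016]: Failed password for invalid user admin from 198.51.100.17 port 5007 ssh2
Feb 12 10:03:10 web1 sshd[2017]: Accepted publickey for deploy from 192.0.2.9 port 6000 ssh2: ED25519 SHA256:constructed
Feb 12 10:03:30 web1 sshd[2018]: Failed password for deploy from 192.0.2.9 port 6001 ssh2
"""

FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(log_text):
    """Return a list of (timestamp, username, source_ip) for each failed password."""
    events = []
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            # syslog timestamps carry no year; relative ordering is all that matters here
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
            events.append((ts, m["user"], m["ip"]))
    return events


def per_source_offenders(events, threshold=5, window_seconds=600):
    """Source IPs with at least `threshold` failures inside any sliding window."""
    by_ip = defaultdict(list)
    for ts, _user, ip in events:
        by_ip[ip].append(ts)
    offenders = set()
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                offenders.add(ip)
                break
    return offenders


def distributed_campaigns(events, min_sources=5, per_source_max=3):
    """Accounts hit from many IPs that each stay at or under `per_source_max`.

    Each such source looks harmless to a per-IP blocker; counting them per
    target account is what makes the campaign visible.
    """
    per_user = defaultdict(Counter)
    for _ts, user, ip in events:
        per_user[user][ip] += 1
    campaigns = {}
    for user, ips in per_user.items():
        quiet = {ip: n for ip, n in ips.items() if n <= per_source_max}
        if len(quiet) >= min_sources:
            campaigns[user] = {"sources": len(quiet), "failures": sum(quiet.values())}
    return campaigns


def analyze(log_text):
    """Run both checks and return their results together."""
    events = parse_failures(log_text)
    return {
        "loud_sources": sorted(per_source_offenders(events)),
        "distributed": distributed_campaigns(events),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the sample, the first check flags only 203.0.113.5, while the six addresses that each guessed root once never trip it; the second check reports them as one campaign against root, which is the case for counting failures per target account and for not exposing root over SSH in the first place.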
Re: (Score:2)
Re: (Score:2)
Google Translate translates it correctly to SSH.
DrWeb, such good "researchers" they can't even translate their own shit
Re: (Score:2)
Guest? :P
Re: (Score:2)
I wonder -- I really, really wonder. Are Slashdot "editors" getting kickbacks?
Editors getting kickbacks? Only if they are getting paid. Slashdot has paid staff editors, so yes. Every paid staff editor is effectively getting paid by Slashdot hosting these slashvertisements.
Welcome to modern journalism!
Re: (Score:2)
Come on!!!
What vulnerability? What port? What gets attacked?
Is there more than one vulnerability?
I wonder -- I really, really wonder. Are Slashdot "editors" getting kickbacks?
What a loaded pile of crappy advertising.
There you go, thinking like a Windows administrator....Thinking about $...
Somehow they break in, manage to get root, and then, oh gasp, they install something you don't want... Yea, Linux suffers from that kind of thing...
if they get you, they get you (Score:1, Insightful)
"The malware, dubbed Xnote, gets delivered on the target computer after the attackers mount a successful brute force attack and establish an SSL connection with the machine."
If someone brute-forces root-level creds on your machine, you're toast anyway; you always were.
Comment removed (Score:5, Informative)
Re: (Score:1)
In what world do competent women admins exist?
This one. The overwhelming majority of sysadmins I've seen all have boobs.
Re: (Score:1)
Aaaand, this is why nobody uses Linux. All that just to install a program isn't going to help transition any new users over from other OSes.
Re: (Score:2)
Re: (Score:2)
"0. It will build without root or not at all."
We look after 12 'off the shelf' unix systems which are supplied as is and supported by the supplier.
For these machines to work as intended they need: - network access (with rsh and ftp enabled) - root access and privileges for anything and everything
The real kicker? Every one of these boxes in use (globally) has the same root password! You are free to change it, however this will then brick the server . . . . .
It goes without saying that the supplier of these boxes quite literally doesn't know jack about Linux security.... But, as long as you are forced to use them, make sure you have that CYA document that says you routinely objected to the lax security settings, signed by as many "higher ups" as you can manage... Not that it will help when the inevitable happens and they are looking for someone to blame/fire....
Sysops worth their salt aren't the issue (Score:2)
They never are. It is the clueless users, of which there are plenty. As Linux gets more popular, it gets more of them. We have a lot where I work at a university. Grad students will decide they want to have a Linux system for something they are researching. They won't consult IT, they just go grab whatever distro they've heard of and install it. Then they start turning on every feature they can, SSH, web, etc, anything any of their software asks for or anything they think might be neat. They leave it on all
So many holes in Linux systems.. (Score:1)
Why bother with a backdoor? Just use a front door like SMB.
Re: (Score:3)
Actually, it's pretty simple to stop SystemD from listening on network ports. It's called "socket activation". Look it up. It's pretty neat. All you need to do is stop the specific socket service, and then edit the appropriate socket file.
You'll also be interested to know that the Debian install of SystemD doesn't use socket activation by default. Not yet, anyway.
As for systemd security auditing, from what I've heard, the people at Redhat run the source code through various tools designed to pick out b
Re: (Score:2)
My turn to say "huh?"
The post I replied to was talking about SystemD listening on network ports. In that context, socket activation _is_ everything. Any bug in the network listening code of SystemD cannot be triggered, if the software ain't listening in the first place.
Honestly, kids these days. I blame the music they listen to. Turns the brain to mush.
Awesome TFA (Score:1)
What a fine description of the attack vector. OMG, we are all doomed!
Re: (Score:2)
quick everyone change the old SSL password from
Pas: password
to the NEW password
Pas: password1234
News for nerd.... (Score:3)
"Who also know nothing about Unix/Linux"....
Who are the editors here, and have they ever even *used* a linux distribution????
Fascinating!! (Score:1)
This is FASCINATING! Where can I buy Dr. Web antivirus for Linux? I'm seriously SOLD on this product that Dice has seen fit to advertise to me today.
THANK YOU so much!!!
I'm targeting this article (Score:2)
I'm targeting this article with my multi-purpose back door right now.
Re: (Score:3)
That would have been funnier if you didn't refer to your "back door" as "Multi Purpose" :-0
At minimum, it passes solids, liquids, and gases... and sometimes, you'd swear, plasma. I call that multi-purpose.
Remember when /. was a serious technology mag .. (Score:5, Insightful)
How does the 'Trojan' get onto the target machines?
"To spread the new Linux backdoor, dubbed Linux.BackDoor.Xnote.1, criminals mount a brute force attack to establish an SSL connection with a target machine
For fucks-sake slashdot, remember when this was a serious technology mag, instead of providing free adverts to some AV company.
No mention of the path to the trojan? (Score:2)
Why doesn't the summary mention to look for /bin/iptable6?
Wouldn't that be the single most important piece of information to convey? Oh. No. The single most important piece of information seems to be to plug some AV garbage.
Linux users mass-installing the exploit... (Score:1)
Please clarify the exposure or remove (Score:1)