Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security Linux

New Multi-Purpose Backdoor Targets Linux Servers 98

An anonymous reader writes A new multi-purpose Linux Trojan that opens a backdoor on the target machine and can make it participate in DDoS attacks has been discovered and analyzed by Dr. Web researchers, who believe that the Chinese hacker group ChinaZ might be behind it. "First, Linux.BackDoor.Xnote.1 sends information about the infected system to the server. It then goes into standby mode and awaits further instructions. If the command involves carrying out some task, the backdoor creates a separate process that establishes its own connection to the server through which it gets all the necessary configuration data and sends the results of the executed task," the researchers explained.
This discussion has been archived. No new comments can be posted.

New Multi-Purpose Backdoor Targets Linux Servers

Comments Filter:
  • by sneakyimp ( 1161443 ) on Monday February 09, 2015 @03:12PM (#49020357)
    Well those certainly look like reputable links by famous 'researchers' to me! As an IT guy, I'll definitely have to go click on them so that my workstation gets infected too.
    • by jellomizer ( 103300 ) on Monday February 09, 2015 @03:20PM (#49020451)

      If you are a Windows Administrator who happens to get dumped with the odd Linux server. Xnote may seem like a good option for a text editor. Not as scary sounding things like.
      vi/vim (Ok you got in... Now why can't I type!, or vi short for Virus Infestation)
      emacs (This sounds like a Macintosh emulator to me)
      nano (Disk Compression tool?)

      Windows Admins are use to Notepad being the default text editor. XNote may be a good pick to choose.

      With us living in a mostly Linux world, the idea that there are professionals that don't know much about Linux is hard to imagine, but they are there. And sometimes they will get dumped a Linux box to manage, even if they don't know much about it.

      • XNote also sounds very similar to XPad, which is a really useful note-taking utility.
      • gvim FTW! It is the bridge. I had already figured out the vi basics before it existed, but it's still cool.

      • "professionals that don't know much about Linux is hard to imagine, but they are there"

        Well, yah ya know... it's not like they haven't had 20 years or so to catch up. I mean... Linux just took over everything in a single night!

      • If you are a Windows Administrator who happens to get dumped with the odd Linux server. Xnote may seem like a good option for a text editor. Not as scary sounding things like.
        vi/vim (Ok you got in... Now why can't I type!, or vi short for Virus Infestation)
        emacs (This sounds like a Macintosh emulator to me)
        nano (Disk Compression tool?)

        Windows Admins are use to Notepad being the default text editor. XNote may be a good pick to choose.

        There is always Midnight Commander editor (mcedit) for such idiots like me (hate vi, will never touch emacs).

  • HAHA (Score:2, Informative)

    by Anonymous Coward

    You have to run the file as a system admin for it even to work. This is a non issue joke.

    • Re:HAHA (Score:5, Insightful)

      by jellomizer ( 103300 ) on Monday February 09, 2015 @03:30PM (#49020539)

      The sys-admin is actually a Windows Admin with a Linux box... He doesn't know better.

      The system was setup by the bosses kid nephew who is good with computers, gives everyone admin access because he doesn't know how to manage permissions.

      Lazy administrators tired of fixing permissions just gives everyone root access...

      Sure we can make fun of the people and say due to their neglect it is their own damn fault... But once it gets in, the damage is real.

      • by Anonymous Coward

        That doesn't make it any less their fault.

        "He doesn't know better?" Then he shouldn't be in charge of someone's equipment and security, someone who knows better does. Period.

        "Lazy administrators tired of fixing permissions just gives everyone root access?" I've never heard of a single instance of any server administrator giving root access to everybody to get around file permission issues. Not once, ever. If that's the sort of thing you or the people who employ you are doing, see the first point.

        "But once i

  • Researchers? (Score:5, Informative)

    by JoeIsuzu83 ( 1005645 ) on Monday February 09, 2015 @03:21PM (#49020453)

    The source was Dr. Web's own marketing page.

    This smells like a press release (which smells coincidentally like spam).

  • by Anonymous Coward

    They mount a bruteforce SSH attack.. for real.. Well, I say bring it on!

    • by coop247 ( 974899 )
      Breaking news: If someone gets root access they can install things. Also breaking: bad guys will try to login with root.
      • Microsoft shills say "Cannot Happen on Windows!" Investigative reports on Evil Linux Admins...

        Film at 11!

  • Come on! (Score:5, Interesting)

    by Anonymous Coward on Monday February 09, 2015 @03:29PM (#49020537)

    Come on!!!

    What vulnerability? What port? What gets attacked?

    Is there more than one vulnerability?

    I wonder -- I really, really wonder. Are Slashdot "editors" getting kickbacks?

    What a loaded pile of crappy advertising.

    • by Anonymous Coward on Monday February 09, 2015 @03:55PM (#49020739)

      The linked article mistranslates the original russian.

      The vector is SSH, brute force attempts to guest the root password. The net-security article mistranslates to SSL.

      • Re: (Score:2, Informative)

        by dargaud ( 518470 )
        Most linux systems don't have root passwords anymore. Use sudo, don't allow root logins and you are safe from those stupid 'so 1996' kind of attacks.
        • The idea of using sudo instead of allowing ssh as root always sounded stupid to me.
          If an attacker gets access to your regular user account then it is game over the next time you try to sudo from there.

               

          • by chihowa ( 366380 )

            But you have to brute force a username as well as a password. These attacks aren't in any way targeted and "root" is present everywhere. I've never seen anyone try to ssh into my machines as the user geantvert or chihowa. Have you?

            • by cstacy ( 534252 )

              chihowa writes:
              But you have to brute force a username as well as a password. These attacks aren't in any way targeted and "root" is present everywhere. I've never seen anyone try to ssh into my machines as the user geantvert or chihowa. Have you?

              Well, not before today...

            • So that is only an additional layer of security by obscurity. Still not convinced!

              • by chihowa ( 366380 )

                Good security includes such layers (but doesn't rely only on them). It's entirely effective against non-targeted automated attacks, which comprise well over 99% of the attacks your network will face. (Of course, a good password or key based auth is just as effective. A good password or key and no root login is more effective.) Allowing root login adds another attack opportunity with predictable parameters. It's all about minimizing the surface open to attack.

                Since >99% of all ssh attacks on the internet

            • just renamed all my "root" users to "admin" :-)
              Try to bruteforce that!
              Maybe I should rename to "Ht695rdwP"

      • by dbIII ( 701233 )
        There's a lot of those ssh brute force attacks going on at the moment, although they are trying usernames other than "root" and widely distributed so you get a couple of hundred machines taking turns of just a few attempts each so that it's harder to block.
        It's a problem a few years old with the recent twist being spreading out the attacks to avoid triggering "fail2ban" and other automated blocking measures.
      • Good luck guessing with major distro's defaulting to "PermitRootLogin no" nowadays.
      • google translate, translates correctly to SSH

        DrWeb, such good "researchers" they can't even translate their own shit

      • by antdude ( 79039 )

        Guest? :P

    • I wonder -- I really, really wonder. Are Slashdot "editors" getting kickbacks?

      Editors getting kickbacks? Only if they are getting paid. Slashdot has paid staff editors, so yes. Every paid staff editor is effectively getting paid by Slashdot hosting these slashvertisements.

      Welcome to modern journalism!

    • Come on!!!

      What vulnerability? What port? What gets attacked?

      Is there more than one vulnerability?

      I wonder -- I really, really wonder. Are Slashdot "editors" getting kickbacks?

      What a loaded pile of crappy advertising.

      There you go, thinking like a Windows administrator....Thinking about $...

      Somehow they break in, manage to get root, and then, oh gasp, they install something you don't want... Yea, Linux suffers from that kind of thing...

  • by Anonymous Coward

    "The malware, dubbed Xnote, gets delivered on the target computer after the attackers mount a successful brute force attack and establish an SSL connection with the machine."

    If someone brute-forces rootlevel creds on your machine, you're toast anyway, you always were.

  • Comment removed (Score:5, Informative)

    by account_deleted ( 4530225 ) on Monday February 09, 2015 @03:34PM (#49020575)
    Comment removed based on user account deletion
    • by Anonymous Coward

      Aaaand, this is why nobody uses Linux. All that just to install a program isn't going to help transition any new users over from other OSes.

    • They never are. It is the clueless users, of which there are plenty. As Linux gets more popular, it gets more of them. We have a lot where I work at a university. Grad students will decide they want to have a Linux system for something they are researching. They won't consult IT, they just go grab whatever distro they've heard of and install it. Then they start turning on every feature they can, SSH, web, etc, anything any of their software asks for or anything they think might be neat. They leave it on all

  • by Anonymous Coward

    Why bother with a backdoor? Just use a front door like SMB.

  • The malware, dubbed Xnote, gets delivered on the target computer after the attackers mount a successful brute force attack and establish an SSL connection with the machine.

    What a fine description of the attack vector. OMG, we are all doomed!

  • by tekrat ( 242117 ) on Monday February 09, 2015 @03:42PM (#49020633) Homepage Journal

    "Who also know nothing about Unix/Linux"....

    Who are the editors here, and have they ever even *used* a linux distribution????

  • This is FASCINATING! Where can I buy Dr. Web antivirus for Linux? I'm seriously SOLD on this product that Dice has seen fit to advertise to me today.

    THANK YOU so much!!!

  • I'm targeting this article with my multi-purpose back door right now.

  • by lippydude ( 3635849 ) on Monday February 09, 2015 @05:09PM (#49021381)
    "A new multi-purpose Linux Trojan that opens a backdoor on the target machine and can make it participate in DDoS attacks has been discovered and analyzed by Dr. Web researchers.

    How does the 'Trojan' get onto the target machines?

    "To spread the new Linux backdoor, dubbed Linux.BackDoor.Xnote.1, criminals mount a brute force attack to establish an SSL connection with a target machine .. The malware will only be installed in a system if it has been launched with superuser (root) privileges".

    For fucks-sake slashdot, remember when this was a serious technology mag, instead of providing free adverts to some AV company.
  • Why doesn't the summary mention to look for /bin/iptable6?

    Wouldn't that be the single most important piece of information to convay? Oh. No. The single most important piece of information seems to be to plug some AV garbage.

  • It's called systemd. Many users are installing it so now there's a whole slew of linux boxen under someone else's control...
  • What is the exposure by which the Trojan is actually planted, and how does it differ from any other trojan? If this is not a BackDoor, then its not a news item and deserves to be taken off the site.

I had the rare misfortune of being one of the first people to try and implement a PL/1 compiler. -- T. Cheatham

Working...