Linux Trojan Mines For Cryptocurrency Using Misconfigured Redis Servers (softpedia.com) 62
An anonymous reader writes: In another installment of "Linux has malware too," security researchers have discovered a new trojan that targets Linux servers running Redis, where the trojan installs a cryptocurrency miner. The odd fact about this trojan is that it includes a wormable feature that allows it to spread on its own. The trojan, named Linux.Lady, will look for Redis servers that don't have an admin account password, access the database, and then download itself on the new target. The trojan mines for the Monero crypto-currency, the same one used by another worm called PhotoMiner, which targets vulnerable FTP servers. According to a recent Risk Based Security report from last month, there are over 30,000 Redis servers available online without a password, of which 6,000 have already been compromised by various threat actors.
But I've thought that linux was secure (Score:3, Funny)
clearly the story is a fake there is no virus for linux because linux is OPEN SORES which means its BUGS are shallow and it is FREE FROM MALWARE. Wasn't freedom from malware one of the four freedoms?
Ok (Score:1)
Set a password. Problem solved. There is literally nothing being exploited except total lack of a password to get in.
Same thing would happen if you put up a Windows server with no password.
Re: (Score:1)
I don't have any Mod points today, but someone should mod this up. This is not a Linux failure, but a Redis admin failure.
Um... What Access Control? (Score:5, Insightful)
There is an "authentication" feature, but it's amazingly primitive, and the credentials are sent in the clear -- in other words, next to useless. The rest of the page makes it fairly clear: If you are running a Redis server accepting connections from the open Internet, you are an idiot.
Re: (Score:2)
If you are running a Redis server accepting connections from the open Internet, you are an idiot.
Good thing we don't have too many of them! No, wait...
Unfit stance on security for the 21st century (Score:3)
I think that this "trusted" within "trusted environments" scheme is unfit for todays and future IT integration.
Because it will not encourage the developer(s) to write code with security in mind(*). Because it will remove this vector from their mindset.
Secondly as an integrator you would need to built that trusted environment, infrastructure and with a "security neglecting" application another headache.
Many security breaches manifest themself with a breakin into those "trusted enviroments", and my personal p
Re: (Score:2)
1.) You did not understand what I said,
I didn't say that you should scrape your DMZ for secure apps.
I said that developers should focus on security, because even a DMZ can be broken into, AND THEREFORE DEVELOPERS AND USERS SHOULD FOCUS ON SECURITY TO CONTAIN THE IMPACT OF THEIR HOLE IN THEIR DMZ CONFIGURATION.
And DMZ should not equal to a free-for-all zone.
I know that security is relative, however if you can put the bars higher with relatively low effort you should do it.
2.) You like your features till the
Re: Um... What Access Control? (Score:1)
The result is that there are thousands of Redis servers exposed to malware. Clearly administrators can't always be trusted to do what's right which is why I find Redis' attitude irresponsible.
If Redis shipped with sensible defaults, none of this would have happened.
Clickbait (Score:5, Insightful)
So in other words, the whole article/summary is flamebait/clickbait. Only an idiot would install a server and not configure an admin password.
Saying that "Linux has malware!" because morons misconfigure an application running on Linux, is like saying "Windows has malware!" because SQL Server was installed with a blank sa password. I mean, sure, Windows does have malware, but this is just clickbait nonsense.
Re: (Score:2)
Re: (Score:2)
You can come in uninvited, and if you don't someone else will. The easier you make it, the more people will be capable of doing it.
Re: (Score:2)
It's not even close to the same reasoning. Just because something is open, doesn't automatically mean you have a right to it.
Granted, most things that are open (eg: wifi), are left open on purpose because the administrator specifically wants to encourage people to use it, but unless you are absolutely sure that you have been given permission to use a service, then what you are doing is trespassing, period.
Re: (Score:2)
No, it doesn't. Unless the administrator has specifically declared that the open service is open on purpose, you cannot assume that it's there as a free-for-all.
The vast majority of consumer-facing services, like open wifi, websites, ftp sites, etc, make it easy to forget that those services were left open *on purpose*. For example, the vast majority of (properly set up) wifi access points will present you with a guest access ToS screen.
Unfortunately not everyone is competent in setting up front-facing se
Re: (Score:2)
Sorry, ignore my other comment. I conflated what you wrote with what you quoted.
Re: (Score:2)
Oh FFS. Ok, no more slashdot while it's so hot I can't focus clearly enough to reply on the correct comment. Twice. :P
Re: (Score:2)
Can you really call it hacking a server when there is no password? Doesn't that make it an open server, kinda like open wifi?
"Hacking" might not be the best description or word to use, but it seems like an unauthorized entry or use of the platform.
I know it's a bit fuzzy in terms of terminology, but the lack of a password on something doesn't automatically grant carte blanche permission to do whatever you want.
Not having a lock on my door doesn't mean you have permission to open it and come in.
Re: (Score:2)
No, it doesn't. Unless the administrator has specifically declared that the open service is open on purpose, you cannot assume that it's there as a free-for-all.
The vast majority of consumer-facing services, like open wifi, websites, ftp sites, etc, make it easy to forget that those services were left open *on purpose*. For example, the vast majority of (properly set up) wifi access points will present you with a guest access ToS screen.
Unfortunately not everyone is competent in setting up front-facing serv
Re: (Score:2)
Shame you posted AC. That comment is worth a +5 Funny.
Re: (Score:2)
Saying that "Linux has malware!" because morons misconfigure an application running on Linux, is like saying "Windows has malware!" because SQL Server was installed with a blank sa password. I mean, sure, Windows does have malware, but this is just clickbait nonsense.
But this makes the Windows lads feel much better about themselves. While it is whacked to say that an open server is a Linux malware, It allows them to say, just like in the summary "Linux has malware too". Nope. It's a badly written bit of kit.
For all of the multitudes of Windows malware, the idea of pointing a finger at an open server and saying that Linux has Malware too!" is preposterous.
Hey we've arrived! (Score:2)
In another installment of "BeauHD is an idiot"... (Score:2)
our faithful "editor" has apparently never heard of the Morris Worm.
Okay, let me be the first to ask (Score:2)
What the heck is Redis? Okay, I see that it's some sort of database server... but why would anyone use it instead of software people have heard of?
Re: (Score:2)
Its just memcache for hipsters.
Re: (Score:2)
Re: Why is Monero different? (Score:2)
True but that doesn't explain why it is the first proper e -cash. The answer is that , because the blockchain is opaque, monero is fungible in contrast to bitcoin where all interactions on the blockchain are readable by all parties. XMR transactions are actually unlinkable and untraceable unless a private key is provided for purposes of auditability. Therefore, unlike Bitcoin, your funds cannot be blacklisted if they are Politically Incorrect.