Thousands of Linux Systems Infected By Stealthy Malware Since 2021 21
A sophisticated malware strain has infected thousands of Linux systems since 2021, exploiting over 20,000 common misconfigurations and a critical Apache RocketMQ vulnerability, researchers at Aqua Security reported. Dubbed Perfctl, the malware employs advanced stealth techniques, including rootkit installation and process name mimicry, to evade detection. It persists through system reboots by modifying login scripts and copying itself to multiple disk locations. Perfctl hijacks systems for cryptocurrency mining and proxy services, while also serving as a backdoor for additional malware. Despite some antivirus detection, the malware's ability to restart after removal has frustrated system administrators.
Re: LOLZ! (Score:2)
"misconfigurations" If you use a trivially guessable root password or install sketchy vulnerable third party software all bets are off regardless of how good Linux is. But I bet that had they had SELinux enforcing or running fapolicyd (standard built in security features) they wouldn't have been hacked.
intrusion detection systems (Score:5, Informative)
It's pretty important to have some intrusion detection system enabled on your Linux servers.
Tripwire is a classic but there are others like AIDE. You can also do some very limited detection using the distro's own package checksum tools.
Enabling kernel module signatures is easy these days and default on many distros. It keeps some really nasty business from being easily loaded.
Keeping people out in the first place is of course your best first line of defense. Sshguard or fail2ban is a good start, but there are lots of other options as well.
At the end of the day. Keep back-ups of important data, and wipe systems you suspect are compromised. If you feel that there is a firmware compromise, you will of course take that system completely out of service and replace it with new hardware.
Apache RocketMQ Gets Pwned and you blame Linux? (Score:2)
Re: (Score:3)
By Linux, do you mean Linux the kernel. Linux the industry/community. Individual Linux distros. Or system administrators of Linux servers?
The tools are there. Distros include them. And sysadmins are using the tools.
The blame lies with the vuln in Apache RocketMQ, which the summer makes clear in the first sentence.
But more broadly the blame lies with administrators responsible for mitigating and avoiding the impact of vulnerabilities on the systems they control. Nobody is going to take responsibility for you
Re: (Score:3)
Well, RocketMQ uses root access for administration. So ... admins implicitly gave it permission to overwrite files.
If they used a distro that supports SELinux and setup ACLs attributes correctly, then over writting system files through some goofy cloud admin tool isn't really possible anymore.
There are distros that come correctly configured out-of-the-box with SELinux. Of course the security itself makes everything take extra steps and it's harder for sysadmins just cut-and-paste instructions off stackoverf
Re: (Score:1)
Say what? Some shitty MQ doucheware gets hacked and somehow this is the fault of Linux? Uhm, I don't think so. Try re-writing these clickbait headlines with your thinking cap on.
Shut up. “Thousands of Windows systems infected with..” wouldn’t have even batted an eye, been accurate, and you know it. Headline is actually fine.
Re: (Score:3)
Re: (Score:1)
Simple (Score:2)
systemctl restart perfctl
Howabout other *Nix Systems? (Score:2)
Obviously not Linux; but are other, *Nix Systems affected?
For example, macOS?
CrowdStrike would have prevented this (Score:2)
Re: (Score:2)
You are aware that CrowdStrike can also be used to "protect" Linux systems? And that there have been two outages relatively recently which had a lot in common with that Windows disaster a few months back? I think they support one Red Hat configuration and one Debian configuration, but expecting them to test their updates before distributing them appears to be overly optimistic.
Re: (Score:2)
It's too bad they didn't use an intrusion detection and response solution.
While also stopping every other bit of traffic passing through, to, and from your server. /s
CrowdStrike is an amazing effective traffic block tool. /s
I heard that CrowdStrike (Score:2)
Has a solution for these kinds of problems.
Listen to the cooling fan (Score:2)
Since most malware is used for cryptocurrency mining, listen for the cooling fan spinning up unexpectedly. ...
Of course, now someone will write malware that pauses mining whenever the fan is about to engage