Thousands of Linux Systems Infected By Stealthy Malware Since 2021
A sophisticated malware strain has infected thousands of Linux systems since 2021, exploiting over 20,000 common misconfigurations and a critical Apache RocketMQ vulnerability, researchers at Aqua Security reported. Dubbed Perfctl, the malware employs advanced stealth techniques, including rootkit installation and process name mimicry, to evade detection. It persists through system reboots by modifying login scripts and copying itself to multiple disk locations. Perfctl hijacks systems for cryptocurrency mining and proxy services, while also serving as a backdoor for additional malware. Despite some antivirus detection, the malware's ability to restart after removal has frustrated system administrators.
Re: LOLZ! (Score:2)
"misconfigurations" If you use a trivially guessable root password or install sketchy vulnerable third party software all bets are off regardless of how good Linux is. But I bet that had they had SELinux enforcing or running fapolicyd (standard built in security features) they wouldn't have been hacked.
intrusion detection systems (Score:5, Informative)
It's pretty important to have some intrusion detection system enabled on your Linux servers.
Tripwire is a classic but there are others like AIDE. You can also do some very limited detection using the distro's own package checksum tools.
Enabling kernel module signatures is easy these days and default on many distros. It keeps some really nasty business from being easily loaded.
Keeping people out in the first place is of course your best first line of defense. Sshguard or fail2ban is a good start, but there are lots of other options as well.
At the end of the day. Keep back-ups of important data, and wipe systems you suspect are compromised. If you feel that there is a firmware compromise, you will of course take that system completely out of service and replace it with new hardware.
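To make the Tripwire/AIDE idea in the comment above concrete, here is a minimal file-integrity checker as an added example (not code from the comment, nor from Tripwire or AIDE): it hashes every regular file under a directory into a baseline, then diffs a later snapshot against it and reports edited, added and removed files. The sample tree it builds is constructed and stands in for login scripts such as those under /etc/profile.d; it assumes GNU coreutils `sha256sum` (use `shasum -a 256` on BSD or macOS).

```shell
#!/bin/sh
# Minimal file-integrity baseline in the spirit of AIDE/Tripwire.
# Added example: not from the comment above or from either project.
# Assumes GNU coreutils sha256sum; on BSD/macOS substitute "shasum -a 256".

# snapshot DIR OUT
# Write "sha256  ./relative/path" for every regular file under DIR into OUT,
# sorted by path so two snapshots of an unchanged tree are byte-identical.
snapshot() {
    dir=$1 out=$2
    ( cd "$dir" && find . -type f -print | LC_ALL=C sort | while IFS= read -r f; do
          sha256sum "$f"
      done ) > "$out"
}

# compare BASELINE DIR
# Print one line per difference (CHANGED, REMOVED, ADDED) and return 1 if
# anything differs, 0 if DIR still matches the baseline file.
compare() {
    base=$1 dir=$2
    cur=$(mktemp)
    snapshot "$dir" "$cur"
    rc=0
    # every file recorded in the baseline: still present, same hash?
    while read -r hash path; do
        now=$(awk -v p="$path" '$2 == p { print $1 }' "$cur")
        if [ -z "$now" ]; then
            echo "REMOVED $path"; rc=1
        elif [ "$now" != "$hash" ]; then
            echo "CHANGED $path"; rc=1
        fi
    done < "$base"
    # every file present now: was it in the baseline at all?
    while read -r hash path; do
        if ! awk -v p="$path" '$2 == p { found = 1 } END { exit !found }' "$base"; then
            echo "ADDED $path"; rc=1
        fi
    done < "$cur"
    rm -f "$cur"
    return $rc
}

# demo
# Build a constructed tree standing in for login scripts, record a baseline,
# then make the kinds of change the Aqua write-up describes (a login script
# edited, a file dropped in) plus a deletion, and report what the checker sees.
demo() {
    work=$(mktemp -d)
    mkdir "$work/tree"
    printf 'export PATH=/usr/local/bin:/usr/bin:/bin\n' > "$work/tree/profile.sh"
    printf 'umask 022\n' > "$work/tree/umask.sh"
    snapshot "$work/tree" "$work/baseline"
    printf '# appended line\n' >> "$work/tree/profile.sh"   # login script modified
    : > "$work/tree/dropped.sh"                              # new file appeared
    rm "$work/tree/umask.sh"                                 # file removed
    compare "$work/baseline" "$work/tree"
    rc=$?
    rm -rf "$work"
    return $rc
}

# Usage: sh integrity.sh run   (exits 1 when differences are found, so it
# can drive a cron job or an alert)
if [ "${1:-}" = "run" ]; then
    demo
fi
```

In real use you would store the baseline on read-only or off-host media, since an attacker with root can rewrite a baseline that sits next to the files it describes; that is also why the distro package tools the comment mentions (`rpm -V`, `debsums`) are only a partial answer, as they cover packaged files but not login scripts or cron entries that were never part of a package.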
Apache RocketMQ Gets Pwned and you blame Linux? (Score:3, Insightful)
Re: (Score:3)
By Linux, do you mean Linux the kernel. Linux the industry/community. Individual Linux distros. Or system administrators of Linux servers?
The tools are there. Distros include them. And sysadmins are using the tools.
The blame lies with the vuln in Apache RocketMQ, which the summary makes clear in the first sentence.
But more broadly the blame lies with administrators responsible for mitigating and avoiding the impact of vulnerabilities on the systems they control. Nobody is going to take responsibility for you
Re:Apache RocketMQ Gets Pwned and you blame Linux? (Score:5, Informative)
Well, RocketMQ uses root access for administration. So ... admins implicitly gave it permission to overwrite files.
If they used a distro that supports SELinux and set up ACL attributes correctly, then overwriting system files through some goofy cloud admin tool isn't really possible anymore.
There are distros that come correctly configured out-of-the-box with SELinux. Of course the security itself makes everything take extra steps and it's harder for sysadmins to just cut-and-paste instructions off stackoverflow.
Linux kernel isn't to blame. It's a tool. Use the tool correctly or incorrectly, Linus Torvalds isn't going to force you to do things a certain way.
Re: (Score:3)
If they used a distro that supports SELinux and setup ACLs attributes correctly
ACLs are a suggestion under Linux. If something calls chmod(3) your carefully crafted ACLs are going straight out the window. Never mind that those POSIX ACLs (Standardization pending (TM)) are underwhelming compared to the support of their NT equivalents. Or the fact that NFSv4 doesn't have full support under Linux, and Samba requires its own mapping logic because the Linux ACLs are useless.
TL;DR: If you want a secure system that reliably enforces ACLs, you should be using some other *INX system. Not L
Re: (Score:3, Insightful)
It's kind of funny that all the comments here are defending Linux and putting all the blame on RocketMQ when the comments about the CrowdStrike debacle were all saying Windows was at least partially responsible for letting the CrowdStrike kernel module crash the system. IMO, in both cases it's a case of the OS letting you run bad software if you want. RocketMQ runs as root and hence (in the absence of SELinux or similar) can wreak havoc on your system, CrowdStrike's software runs in kernel mode and wreak
Re: (Score:2)
it only needs to update your password, but it needs to be setuid root to do that, and that lets it do absolutely anything
Any modern distro has support for capabilities [die.net] built in. So no, it cannot just do anything. And yes a method to restrict certain root abilities already exists.
As for bugs, you do realize that at some point accessing a protected file to update it requires granting permission to do so to the update process. Right? Ideally, that grant should last for as minimal an amount of time as necessary to reliably update the file and no longer. But even Windows needs to access the SAM database at some point.
Re: (Score:1)
It's kind of funny that all the comments here are defending Linux and putting all the blame on RocketMQ when the comments about the CrowdStrike debacle were all saying Windows was at least partially responsible for letting the CrowdStrike kernel module crash the system.
Linux case: 3rd party software + config errors + Linux bugs which were patched a long time ago.
Windows case: 3rd party software, plus MS's decision that they couldn't be bothered to create a proper API for Crowdstrike et al to use**
See how t
Re:Apache RocketMQ Gets Pwned and you blame Linux? (Score:4, Informative)
Re: (Score:1)
Simple (Score:3)
systemctl restart perfctl
Howabout other *Nix Systems? (Score:2)
Obviously not Linux; but are other, *Nix Systems affected?
For example, macOS?
Re: (Score:3)
macOS is BSD not *nix.
BZZT! Wrong!!! Thanks for Playing!
First off, if you are referring to FreeBSD, the only reason it can't call itself "Unix", is because Certification costs money!
https://unix.stackexchange.com... [stackexchange.com]
macOS is a Certified Unix. Has been since at least OS X 10.2, IIRC, even now, in its most recent Apple Silicon and Intel incarnations:
https://www.opengroup.org/open... [opengroup.org]
BTW, Linux is simply "Unix-like".
CrowdStrike would have prevented this (Score:2)
Re: (Score:2)
You are aware that CrowdStrike can also be used to "protect" Linux systems? And that there have been two outages relatively recently which had a lot in common with that Windows disaster a few months back? I think they support one Red Hat configuration and one Debian configuration, but expecting them to test their updates before distributing them appears to be overly optimistic.
Re: (Score:2)
It's too bad they didn't use an intrusion detection and response solution.
While also stopping every other bit of traffic passing through, to, and from your server. /s
CrowdStrike is an amazingly effective traffic block tool. /s
I heard that CrowdStrike (Score:2)
Has a solution for these kinds of problems.
Listen to the cooling fan (Score:2)
Since most malware is used for cryptocurrency mining, listen for the cooling fan spinning up unexpectedly. ...
Of course, now someone will write malware that pauses mining whenever the fan is about to engage
Sophisticated Linux malware /s (Score:2)
“A sophisticated malware strain has infected thousands of Linux systems
Re: (Score:3)