Mageia forum

[zxr250cc]

I have been reading an interesting article about compromised servers and the spread of spam and malware. Since many users in here are also running systems and servers I thought this might be a good article to share. It offers links to possible solutions in the article as well as describing problems.

http://www.welivesecurity.com/2014/03/1 ... -campaign/

cheers all

[madeye]

Interresting read, and somewhat scary. The only thing I have a difficulty understanding from the whitepaper, is how are they installing the exploit?
Outside my LAN there is no access to my server's ssh, so I hope I'm lucky not to be infected. I'll have to check tonight.

Thanks for sharing.

[ITA84]

I've read the Ars Technica article, and from what I've gathered no exploit was used, just compromised credentials; then some modified binaries were installed

[zxr250cc]

In reading the white paper they mention stealing credentials and drive by installs. I have not finished the full document yet but the part I have read makes it look like very good attack vectors for getting info to exploit for monetary gain. I was especially surprised to see they have made it run on ARM already so they can access tablets as well. It is a shame so much work and skill is only for negative results....

cheers all

[developer]

Interresting read, and somewhat scary. The only thing I have a difficulty understanding from the whitepaper, is how are they installing the exploit?
Outside my LAN there is no access to my server's ssh, so I hope I'm lucky not to be infected. I'll have to check tonight.

Thanks for sharing.

rest assured that if there is no entry to your ssh from outside your LAN, you are moreless safe.

[doktor5000]

rest assured that if there is no entry to your ssh from outside your LAN, you are moreless safe.

Sure, as if ssh ("from outside the LAN") would be the only vulnerability / entry point for injections at all ...

Don't get me wrong, but an honest query from my point of view: If you don't provide any real/substantial value to the discussion, best don't add such comments.
What if they compromise your router through the various backdoors/hidden "management" ports discovered in the last few months in most widespread router models and compromise the internal NATing to access your box - then one probably can't rest assured, per your comment.

[jiml8]

What if they compromise your router through the various backdoors/hidden "management" ports discovered in the last few months in most widespread router models

Hidden ports? Link, please. I have not heard about this.

Of course, every router of which I am aware has a management port - and this includes the home appliance routers we all use. In fact, one of the first things you do when placing a new router into service is to ensure its remote management port is disabled on the WAN side.

The satcom equipment we sell has a management port in it, but it is not hidden; our clients use it to manage the devices, and when they call us in, we use it too.

So, the ports are there. But "hidden"? As in...a secret backdoor? I would love to know more about this.

Edit:

well, I found this... http://www.welivesecurity.com/2013/10/2 ... backdoors/

and there are a lot more articles too. Hmmm...

[doktor5000]

Hidden ports? Link, please. I have not heard about this.

So, the ports are there. But "hidden"? As in...a secret backdoor? I would love to know more about this.

Edit:

well, I found this... http://www.welivesecurity.com/2013/10/2 ... backdoors/

and there are a lot more articles too. Hmmm...

Yes, but that one is about a (minor and pretty well-known WPS weakness AFAIUC) check the linked http://www.devttys0.com/2013/10/from-china-with-love/ and http://ea.github.io/blog/2013/10/18/tenda-backdoor/

That is pretty minor compared to the one I was referring to: https://github.com/elvanderb/TCP-32764
Do NOT miss the presentation! It's awesome - totally love that guy's sense of humor
https://raw.githubusercontent.com/elvan ... e_pptx.pdf
In addition you can conveniently search for routers with that port open and accessible: http://www.shodanhq.com/search?q=port%3A32764

For more and related links on that from a quick search I've only got german bookmarks but may dig out some more, as some should also have been published on H online in parallel.

There were also some other pretty major backdoors in the recent past, but my memory left me on those - if you want I can look for them.

[developer]

rest assured that if there is no entry to your ssh from outside your LAN, you are moreless safe.

Sure, as if ssh ("from outside the LAN") would be the only vulnerability / entry point for injections at all ...

Don't get me wrong, but an honest query from my point of view: If you don't provide any real/substantial value to the discussion, best don't add such comments.
What if they compromise your router through the various backdoors/hidden "management" ports discovered in the last few months in most widespread router models and compromise the internal NATing to access your box - then one probably can't rest assured, per your comment.

thats what firmware upgrades are for, if one upgrades his/her router's firmware as soon as they become available, nothing similar should happen

[doktor5000]

thats what firmware upgrades are for, if one upgrades his/her router's firmware as soon as they become available, nothing similar should happen

If you read the above links, and some related information you will see that no firmware upgrades are available for that, even for popular routers.

[madeye]

rest assured that if there is no entry to your ssh from outside your LAN, you are moreless safe.

That might be true, however there is always the possibility that some vulnerability will be found. Sadly the world is not a perfect place

Yes, but that one is about a (minor and pretty well-known WPS weakness AFAIUC) check the linked http://www.devttys0.com/2013/10/from-china-with-love/ and http://ea.github.io/blog/2013/10/18/tenda-backdoor/

That is pretty minor compared to the one I was referring to: https://github.com/elvanderb/TCP-32764
Do NOT miss the presentation! It's awesome - totally love that guy's sense of humor
https://raw.githubusercontent.com/elvan ... e_pptx.pdf
In addition you can conveniently search for routers with that port open and accessible: http://www.shodanhq.com/search?q=port%3A32764

Interresting read. Now I'm getting even more paranoid
I'm using a TP-LINK TL-ER5120 as gateway/router on my network. And a Cisco Linksys EA6500 as wireless access point. Although I am thinking about replacing that with my Asus RT-N66U (only for wireless access point) due to the Cisco sending some crap http requests on the LAN all the time. WPS has of course been disabled. It's too easy to break a WPS code.

[zxr250cc]

I wonder if anyone has found any of their servers compromised as the article was talking about? I know many of the low cost home routers are compromised but isn't that a different topic?

Just curious...

cheers all

[developer]

If you read the above links (...)

its very risky to open links when you do not know where to they lead to. Remember that many people tries to fool you by giving the links titles which suggests link leads to well known (safe) site.

[wobo]

Yes, that's why doktor5000 wrote "If you read....". It's your risk, your decision, nobody forces you to open such a link. OTOH links are an essential part of what is called "WorldWideWeb" and most of its users will continue to use them.

[zxr250cc]

Am I understanding that I am supposedly offering a bogus link? I hope I am misunderstanding that.

I offered the link to the compromised server issue because it seemed a good info article for admin or sysadmin type folks as I occasionally meet in here.

Has anyone found a server they run affected like the article discusses?

cheers all

[doktor5000]

Am I understanding that I am supposedly offering a bogus link? I hope I am misunderstanding that.

Well, probably if you ask Mr. Devloper all links are probably risky as that might lead to somebody actually reading the information hidden behind those links ...

[doktor5000]

FWIW, fits pretty good with the topic - for the recent openssl vulnerability, everybody should read up on http://heartbleed.com/

[viking60]

Yes heartbleed is a nasty one.
It does not affect Mageia.org though so there is no need to do anything here.
http://possible.lv/tools/hb/?domain=mageia.org

Kind of surprising since I reckoned that Mageia was using OpenSSL.

[zxr250cc]

If you check mageia.org with the LastPass web site heartbleed checking function it shows mageia as being vulnerable. no?

cheers

[viking60]

Cheers

I am not sure what you mean by that?
Lastpass.com is a compromized site that now has been patched:
http://possible.lv/tools/hb/?domain=lastpass.com
And therefor it is very important to change your passwords there. The certificates have been reissued and the keys probably regenerated (which is good). But it is no nice thought that someone already may have collected your data there.

But does the site have a Heartbleed search function?
Edit
Found it!
Yes Mageia is regarded likely to be affected there:

LastPass Heartbleed checker

Site: mageia.org
Server software: Apache/2.2.23 (Mageia/PREFORK-1.mga1)
Vulnerable: Likely (known use OpenSSL)
SSL Certificate: Unsafe (created 1 year ago at Feb 7 00:00:00 2013 GMT)
Assessment: Wait for the site to update before changing your password

It seems to jump to conclusions though.
Mageia seems to be in the clear:

[doktor5000]

If you check mageia.org with the LastPass web site heartbleed checking function it shows mageia as being vulnerable. no?

He probably means https://lastpass.com/heartbleed/

[viking60]

Yes thanks! I found it and edited above.
The sinner has been found and it is Dr Robin Seggelmann from Münster and the reviewer was Dr Stephen Henson.
Your name isn't Robin or Stephen; is it?
In any case I would expect an announcement from the server responsible's on this "worst vulnerability in the history of the internet".
http://www.v3.co.uk/v3-uk/news/2338987/ ... e-schneier

[doktor5000]

In any case I would expect an announcement from the server responsible's on this "worst vulnerability in the history of the internet".

Responsible for which server?

[viking60]

All Mageia servers?
All of these
Basically an announcement that Mageia is not affected by the biggest vulnerability in the history of internet.
Are the "top dogs" waiting for a more important occasion?

[doktor5000]

Basically an announcement that Mageia is not affected by the biggest vulnerability in the history of internet.
Are the "top dogs" waiting for a more important occasion?

FWIW: https://ml.mageia.org/wwsympa-wrapper.f ... 00039.html