Have people heard about this?
"XOR DDoS takes hold by cracking weak passwords used to protect the command shell of Linux computers. Once the attackers have logged in, they use root privileges to run a script that downloads and executes a malicious binary file. There's no evidence XOR DDoS infects computers by exploiting vulnerabilities in the Linux operating system itself. Akamai's advisory has intrusion-prevention-system signatures for detecting infections and instructions for removing the malware."
http://arstechnica.com/security/2015/09 … s-attacks/
https://www.stateoftheinternet.com/reso … snort.html
It looks like you have to sign up to actually read the advisory. I don't run any servers, but I have my workstation (with ssh active) that runs Arch. I'd like to know what the steps are to detect this exploit to be sure my system isn't part of it.
https://www.stateoftheinternet.com/reso … ed-to-know
The malware spreads via Secure Shell (SSH) services susceptible to brute-force attacks due to weak passwords.
Are you using SSH with password authentication enabled? If not, according to the snippet above you have nothing to worry about since it's a brute-force attack.
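The check described in the reply above, as an added example that is not part of the original thread: it reads settings in the format printed by `sshd -T` and reports whether any password-style login is offered. The function name `audit_sshd` and both sample configurations are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): does sshd offer any login that a
# password-guessing bot could attack? Input is text in `sshd -T` format.

# Constructed sample configurations, for illustration only.
SAMPLE_WEAK='passwordauthentication yes
kbdinteractiveauthentication yes
pubkeyauthentication yes
permitrootlogin yes'

SAMPLE_KEYONLY='passwordauthentication no
kbdinteractiveauthentication no
pubkeyauthentication yes
permitrootlogin prohibit-password'

# audit_sshd: reads "keyword value" lines on stdin, prints findings,
# returns 0 when no password-style login is offered and 1 otherwise.
audit_sshd() {
    awk '
        BEGIN { pw = kbd = root = "unset" }
        { key = tolower($1); val = tolower($2) }
        key == "passwordauthentication"          { pw = val }
        key == "kbdinteractiveauthentication"    { kbd = val }
        key == "challengeresponseauthentication" { kbd = val }  # older name
        key == "permitrootlogin"                 { root = val }
        END {
            bad = 0
            if (pw != "no") { print "EXPOSED: passwordauthentication=" pw; bad = 1 }
            # keyboard-interactive can still prompt for a password through PAM
            if (kbd != "no") { print "EXPOSED: keyboard-interactive=" kbd; bad = 1 }
            if (bad && root == "yes") print "EXPOSED: root may log in with a password"
            if (!bad) print "OK: no password-based login offered"
            exit bad
        }'
}

# Demonstration over the two constructed samples.
for sample in "$SAMPLE_WEAK" "$SAMPLE_KEYONLY"; do
    printf '%s\n' "$sample" | audit_sshd || echo "-> password guessing is possible"
done
```

On a real host, run `sshd -T | audit_sshd` as root so the effective configuration is checked, including defaults that are not written in the config file.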
Nope, only rsa keys with password authentication disabled.
I missed that detail, thanks for pointing it out!
The news is not as important as it seems. Attackers are restlessly scanning for badly-secured systems: be it SSH with a weak password, a careless developer who posted credentials for Amazon EC2 on his GitHub repo or a duplicated private key. Nothing new — this has continued for years.
Sometimes I seem a bit harsh — don’t get offended too easily!