08-04-2012, 10:48 PM
Henrique de Moraes Holschuh
Strange network activity after updates

On Sat, 04 Aug 2012, Camaleón wrote:
> On Sat, 04 Aug 2012 17:40:53 -0300, Henrique de Moraes Holschuh wrote:
> > On Sat, 04 Aug 2012, Camaleón wrote:
> >> > I know the constant connection is a multicast address, but what is
> >> > this other stuff? It looks like something is broken/misconfigured or
> >> > an outright hack of the Debian repository has occurred and many
> >> > Debian systems are now part of a botnet.
> >>
> >> Linux as part of a botnet? That's a good one :-P
> >
> > Now, here I will have to step in. No, it is not a good one. Linux
> > nodes _are_ commonly co-opted to act as C&C for botnets. And
> > browser-based ephemeral botnet nodes (in javascript, installed by
> > drive-by attacks) DO work in Linux.
>
> I've never read about linux boxes being used as bots, can you please
> indicate any report/stats about that fact?

We've cleaned up a few at work. We are not sure how the payload got in
(best guess: browser). I am not allowed to disclose any more data than
this.

Still, now that you have heard about it, you can satisfy your curiosity
by doing the searches yourself. And javascript botnets work in Linux,
as I said (but they're a bit more ephemeral most of the time).

> (and please, do not put linux *servers* in the same bag, I speak here
> about linux *desktops* not computers with opened ports and running out-of-
> date and unpatched software)

There isn't that much difference between linux servers and desktops.
Desktops are often just as out-of-date as your typical badly
administered server, and also have open ports. And there are no polite
words appropriate to describe the browser security and security model,
especially if you factor in plugins.

> >> > My Debian box is staying offline until I find out what is going on.
> >>
> >> That sounds a bit radical :-o
> >
> > It is actually a very responsible way of handling it.
>
> With the given data? Running Debian? Behind a home router which usually
> come by default with NAT and firewall enabled? I don't think so. Really.

Well, that's your prerogative. He has already detected weird
behaviour. In MY book, that means you consider it compromised until
further data, and you try to protect yourself and others by keeping it
contained until you know more.

--
"One disk to rule them all, One disk to find them. One disk to bring
them all and in the darkness grind them. In the Land of Redmond
where the shadows lie." -- The Silicon Valley Tarot
Henrique Holschuh


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/20120804224834.GA25201@khazad-dum.debian.net
 
08-05-2012, 10:43 AM
Camaleón
Strange network activity after updates

On Sat, 04 Aug 2012 19:48:35 -0300, Henrique de Moraes Holschuh wrote:

> On Sat, 04 Aug 2012, Camaleón wrote:

>> I've never read about linux boxes being used as bots, can you please
>> indicate any report/stats about that fact?
>
> We've cleaned up a few at work. We are not sure how the payload got in
> (best guess: browser). I am not allowed to disclose any more data than
> this.

What?! Are you saying you have been tracking (or are aware of) this kind
of security flaw which is being actively exploited in Linux but can't
comment on it? If that's true, that's a very serious situation. As I said, I
don't know of any malware that can be exploited in that way under the
linux ecosystem.

> Still, now that you have heard about it, you can satisfy your curiosity
> by doing the searches yourself. And javascript botnets work in Linux,
> as I said (but they're a bit more ephemeral most of the time).

Papers, please. I ask because I'm subscribed to security bulletins and
have no clue about what you are saying. The last "malware" I read about
were targeted at MacOS systems (flashback and oscrisis) but they were,
IIRC:

- A trojan (data stealing)
- It benefited from an old (vulnerable) java version

This effectively means the malware profited not from an OS vulnerability
but a JRE flaw.

Beyond this, I'm not aware of any threat that makes linux systems become
part of a botnet, so I would be grateful for any additional information you
can provide in this regard.

>> (and please, do not put linux *servers* in the same bag, I speak here
>> about linux *desktops* not computers with opened ports and running
>> out-of- date and unpatched software)
>
> There isn't that much difference between linux servers and desktops.
> Desktops are often just as out-of-date as your typical badly
> administered server, and also have open ports. And there are no polite
> words appropriate to describe the browser security and security model,
> especially if you factor in plugins.

There are many differences between them.

First, a server is usually managed by people who know how this stuff
works (thus, they care about security and have up-to-date systems; there
are exceptions, I know) while desktop users rely on their OS to take care
of the usual flaws (updating routines should ensure they run the
latest and patched software).

Second, a server usually has to open and forward ports to local
machines, and this is not always done with a proper firewall in front of
the machines, nor with IPS systems. A usual desktop comes with no
open ports at all, and a firewall is enabled on the DSL modem/router
appliance.

There is still the problem of plugins, I accept that, but I still have
not read a single report about a linux user being infected when browsing
the web, of course not with WINE+internet explorer but with their usual
tools (Debian+firefox/Chrome...).

>> >> > My Debian box is staying offline until I find out what is going
>> >> > on.
>> >>
>> >> That sounds a bit radical :-o
>> >
>> > It is actually a very responsible way of handling it.
>>
>> With the given data? Running Debian? Behind a home router which usually
>> come by default with NAT and firewall enabled? I don't think so.
>> Really.
>
> Well, that's your prerogative. He has already detected weird
> behaviour. In MY book, that means you consider it compromised until
> further data, and you try to protect yourself and others by keeping it
> contained until you know more.

I wouldn't consider "weird behaviour" a connection from/to SSDP and
Google machines. And while removing the link from the "suspicious" system
that's under investigation will "solve" the spurious network activity,
you can't run more tests on it either to discover where those are coming from.

Greetings,

--
Camaleón


--
Archive: http://lists.debian.org/jvlioq$kog$4@dough.gmane.org
 
08-05-2012, 02:51 PM
Henrique de Moraes Holschuh
Strange network activity after updates

On Sun, 05 Aug 2012, Camaleón wrote:
> On Sat, 04 Aug 2012 19:48:35 -0300, Henrique de Moraes Holschuh wrote:
> > On Sat, 04 Aug 2012, Camaleón wrote:
>
> >> I've never read about linux boxes being used as bots, can you please
> >> indicate any report/stats about that fact?
> >
> > We've cleaned up a few at work. We are not sure how the payload got in
> > (best guess: browser). I am not allowed to disclose any more data than
> > this.
>
> What?! Are you saying you have been tracking (or are aware of) these kind
> of security flaws which is being actively exploited in Linux but can't

Hmm... I keep telling you this is nothing new, you just don't believe me.

Ask people who work with large number of Linux desktops in a corporate
network, they will tell you the same thing. It is *uncommon* (when compared
to attacks against windows), but not unheard of by any means.

> don't know of any malware that can be exploited in that way under the
> linux ecosystem.

Please update your expectations. This has not been true for a long while,
although it is easier to find the proof-of-concept reports than the real
thing. Not for much longer, though; there are downsides to the increased
popularity of Linux desktops.

> Papers, please. I ask because I'm subscribed to security bulletins and

I wouldn't know of any released papers, I don't pay much attention to
anything but crypto and communications security in the academic circles.

> This effectively means the malware profited not from an OS vulnerability
> but a JRE flaw.

Or Adobe Flash flaw, or whatever. It doesn't matter much in practice, the
end result is a compromised box that needs to be contained and scrubbed
clean.

> First, a server is usually managed by people that knows how this stuff

This is not true anymore.

> works (thus, care about security and having up-to-date systems, there are

IME, this is not "exactly true", to put it mildly. YMMV.

> > Well, that's your prerogative. He has already detected weird
> > behaviour. In MY book, that means you consider it compromised until
> > further data, and you try to protect yourself and others by keeping it
> > contained until you know more.
>
> I wouldn't consider "weird behaviour" a connection from/to SSDP and
> Google machines. And while removing the link from the "suspicious" system

A continuous stream to SSDP is weird, yes. Whether it is the result of a
bug or something else, we don't know. I am still waiting for the packet
dumps.

--
"One disk to rule them all, One disk to find them. One disk to bring
them all and in the darkness grind them. In the Land of Redmond
where the shadows lie." -- The Silicon Valley Tarot
Henrique Holschuh


--
Archive: http://lists.debian.org/20120805145153.GA32438@khazad-dum.debian.net
 
08-05-2012, 03:20 PM
Camaleón
Strange network activity after updates

On Sun, 05 Aug 2012 11:51:53 -0300, Henrique de Moraes Holschuh wrote:

> On Sun, 05 Aug 2012, Camaleón wrote:

>> > We've cleaned up a few at work. We are not sure how the payload got in
>> > (best guess: browser). I am not allowed to disclose any more data
>> > than this.
>>
>> What?! Are you saying you have been tracking (or are aware of) these
>> kind of security flaws which is being actively exploited in Linux but
>> can't
>
> Hmm... I keep telling you this is nothing new, you just don't believe
> me.

I'm not a good believer, I prefer a report to read :-)

> Ask people who work with large number of Linux desktops in a corporate
> network, they will tell you the same thing. It is *uncommon* (when
> compared to attacks against windows), but not unheard of by any means.

Again, I work in a business environment and have never read about the
problem you are telling me about. Nor do I know of any threat that affects
linux directly (OS flaw) or indirectly (through a third-party add-on, like JRE,
Adobe Reader or Adobe Flash) and that is being exploited with success.

On the contrary, I know that linux servers are being successfully
attacked on a daily basis :-)

>> don't know of any malware that can be exploited in that way under the
>> linux ecosystem.
>
> Please update your expectations. This has not been true for a long
> while, although it is easier to find the proof-of-concept reports than
> the real thing. Not for much longer, though, there are downsides for
> the increased popularity of Linux desktops.

Yes, I know that linux is not unbreakable but until now I've not seen a
report about a flaw of that nature. Yes, I know it can be done but it is far
from being massively exploitable or as widespread as the windows attacks are.
That's why I'm very reticent about seeing a linux desktop as part of a bot
network.

>> Papers, please. I ask because I'm subscribed to security bulletins and
>
> I wouldn't know of any released papers, I don't pay much attention to
> anything but crypto and communications security in the academic circles.

Well, it would be very interesting to know more about the current threats
affecting linux, don't you think?

>> This effectively means the malware profited not from an OS
>> vulnerability but a JRE flaw.
>
> Or Adobe Flash flaw, or whatever. It doesn't matter much in practice,
> the end result is a compromised box that needs to be contained and
> scrubbed clean.

It does matter. It matters a lot. A good OS design can do more to stop/
avoid that kind of attack than a poorly designed or flawed OS.

>> First, a server is usually managed by people that knows how this stuff
>
> This is not true anymore.

Sure it is. Only a fool company will put in charge of its assets a person
who only knows about Excel spreadsheets, don't you think?

>> works (thus, care about security and having up-to-date systems, there
>> are
>
> IME, this is not "exactly true", to put it mildly. YMMV.
>
>> > Well, that's your prerogative. He has already detected weird
>> > behaviour. In MY book, that means you consider it compromised until
>> > further data, and you try to protect yourself and others by keeping
>> > it contained until you know more.
>>
>> I wouldn't consider "weird behaviour" a connection from/to SSDP and
>> Google machines. And while removing the link from the "suspicious"
>> system
>
> A continuous stream to SSDP is weird, yes.

That would depend on the running services and what kind of devices the user
has in his network. Anyway, the mere presence of network traffic on that
port does not indicate "per se" a more serious problem, although I indeed
would worry to see an outgoing connection to a remote server port
(tcp/80), for instance.

> Whether it is the result of a bug or something else, we don't know. I
> am still waiting for the packet dumps.

Sure, that's what I said from the beginning: more information is
needed :-)

Greetings,

--
Camaleón


--
Archive: http://lists.debian.org/jvm2v1$kog$14@dough.gmane.org
 
08-05-2012, 06:04 PM
"John L. Cunningham"
Strange network activity after updates

On Sun, Aug 05, 2012 at 03:20:01PM +0000, Camaleón wrote:
> On Sun, 05 Aug 2012 11:51:53 -0300, Henrique de Moraes Holschuh wrote:
> > On Sun, 05 Aug 2012, Camaleón wrote:
> >> First, a server is usually managed by people that knows how this stuff
> >
> > This is not true anymore.
>
> Sure it is. Only a fool company will put in charge of its assets a person
> who only knows about Excel spreadsheets, don't you think?

It's not like we have a shortage of fool companies.


--
Archive: http://lists.debian.org/20120805180458.GB4188@cerulean.myhome.westell.com
 
08-06-2012, 02:22 PM
Camaleón
Strange network activity after updates

On Sun, 05 Aug 2012 14:04:59 -0400, John L. Cunningham wrote:

> On Sun, Aug 05, 2012 at 03:20:01PM +0000, Camaleón wrote:
>> On Sun, 05 Aug 2012 11:51:53 -0300, Henrique de Moraes Holschuh wrote:
>> > On Sun, 05 Aug 2012, Camaleón wrote:
>> >> First, a server is usually managed by people that knows how this
>> >> stuff
>> >
>> > This is not true anymore.
>>
>> Sure it is. Only a fool company will put in charge of its assets a
>> person who only knows about Excel spreadsheets, don't you think?
>
> It's not like we have a shortage of fool companies.

Grrr! :-)

Yes, for sure we have. I know that small companies (with fewer than 5
employees, which are very common here in Spain) have to do "miracles"
to stay in the market, which usually means the owner of the company
has to act as manager, director, sysadmin, webmaster, accountant
and marketing staff at the same time because there's no money to
hire personnel.

Greetings,

--
Camaleón


--
Archive: http://lists.debian.org/jvojv1$qkd$6@dough.gmane.org
 
08-06-2012, 07:59 PM
Paul Zimmerman
Strange network activity after updates

Henrique de Moraes Holschuh <hmh@debian.org> writes:
>Alternatively you may use 'tcpdump' instead of wireshark.
>Run "tcpdump -s 1600 -i any -w /tmp/output.tcpdump.bin
>host 239.255.255.250", and stop it with ^C after 5-10s.
>It will save the packet dump to /tmp/output.tcpdump.bin,
>which you should gzip or xz'ip before attaching.

>While you're doing the capture, just in case, DO NOT engage
>in any other activities, do not have your browser, mail user
>agent, or any other programs open that could send credentials
>over the wire (such as email logins, etc) just in case the
>wireshark filter is not correct and it ends up capturing
>packets with data you'd rather keep private.

I prefer the alternative. tcpdump is a much smaller package.

So, I did this for several minutes and looked at the log. Doesn't
look like it needs much technical expertise to interpret. The
content of the packets is printed in plain text and very clearly
what it should be for that address and port. For some odd reason
the AP is sending out a continuous stream of UPnP data. XML URLs
to the interface points. Product ID and URLs to the hardware
manufacturer's site. That sort of thing. Other APs send out the
same sort of thing, in short bursts. But this one sends 10-14k
per second non-stop.

But I don't recall seeing that stream before in several months of
intermittent use of that AP. It would be very, very odd if they
just happened to change something in the configuration of the AP
right when I downloaded my updates. So it seems most likely that
somehow the interface was tweaked by the updates so that it now
shows the traffic that was always there. Or maybe it changed the
dhcp login scripts in a way that makes this AP think my login is
not complete, and this constant stream of UPnP packets is the
attempt to complete the process?

Since it's not an emergency, I can just put up with it for now.


--
Archive: http://lists.debian.org/1344283142.99132.YahooMailNeo@web126103.mail.ne1.yahoo.com
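What the decoded capture from the tcpdump command quoted above looks like once you stop reading it by eye: an added example, not code from this thread, from Debian or from any project, that parses SSDP NOTIFY datagrams (the HTTP-over-UDP announcements Paul saw in plain text), counts NOTIFYs per source per second so a device sending the normal short burst is told apart from one flooding at tens of packets a second, and lists any LOCATION host that is not on the LAN. The packets are constructed sample data; the LAN prefix 192.168.1.0/24, the 20 NOTIFY/s threshold and the idea that an off-LAN description URL deserves a look are assumptions, and reading the real /tmp/output.tcpdump.bin would need a pcap reader that is not shown here.

```python
"""Rate-check SSDP NOTIFY traffic per source (added example, constructed data)."""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit

SSDP_GROUP = "239.255.255.250"   # the multicast address in the tcpdump filter
SSDP_PORT = 1900


def parse_ssdp(payload: bytes) -> dict:
    """Parse one SSDP datagram (HTTP over UDP) into a method plus headers.

    Header names are lower-cased. A response ("HTTP/1.1 200 OK") gets the
    pseudo-method "RESPONSE"; anything that is not HTTPU gets method None.
    """
    lines = payload.decode("ascii", errors="replace").split("\r\n")
    start = lines[0].split(" ")
    if start[0].startswith("HTTP/"):
        method = "RESPONSE"
    elif len(start) == 3 and start[2].startswith("HTTP/"):
        method = start[0]
    else:
        return {"method": None, "headers": {}}
    headers = {}
    for line in lines[1:]:
        if not line:                      # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {"method": method, "headers": headers}


def notify_summary(packets, lan=ip_network("192.168.1.0/24")):
    """Summarise NOTIFY traffic per source IP.

    packets: iterable of (timestamp_seconds, src_ip, payload_bytes), i.e. the
    UDP payloads decoded from the capture. Per source: peak NOTIFYs in any
    one-second bucket, total bytes, and LOCATION hosts outside the LAN
    (assumption: a description URL pointing off the subnet is worth a look).
    """
    buckets = defaultdict(lambda: defaultdict(int))
    total = defaultdict(int)
    offlan = defaultdict(set)
    for ts, src, payload in packets:
        msg = parse_ssdp(payload)
        if msg["method"] != "NOTIFY":
            continue                      # M-SEARCH and responses are not announcements
        buckets[src][int(ts)] += 1
        total[src] += len(payload)
        location = msg["headers"].get("location")
        if location:
            host = urlsplit(location).hostname
            try:
                on_lan = host is not None and ip_address(host) in lan
            except ValueError:            # a DNS name rather than an IP literal
                on_lan = False
            if not on_lan:
                offlan[src].add(host or "")
    return {src: {"peak_per_sec": max(per_sec.values()),
                  "bytes": total[src],
                  "offlan_locations": sorted(offlan[src])}
            for src, per_sec in buckets.items()}


def flooders(summary, max_per_sec=20):
    """Sources whose peak one-second NOTIFY count exceeds max_per_sec.

    Threshold is an assumption: a well-behaved stack announces each service
    a few times (ssdp:alive at boot, then again before max-age expires), so
    tens of identical NOTIFYs per second is a bug or something worse.
    """
    return sorted(src for src, s in summary.items() if s["peak_per_sec"] > max_per_sec)


def build_notify(usn, location, server="Linux/2.6 UPnP/1.0 ExampleAP/1.0"):
    """Build a root-device ssdp:alive NOTIFY the way a UPnP stack would."""
    return ("NOTIFY * HTTP/1.1\r\n"
            f"HOST: {SSDP_GROUP}:{SSDP_PORT}\r\n"
            "CACHE-CONTROL: max-age=1800\r\n"
            f"LOCATION: {location}\r\n"
            "NT: upnp:rootdevice\r\n"
            "NTS: ssdp:alive\r\n"
            f"SERVER: {server}\r\n"
            f"USN: {usn}::upnp:rootdevice\r\n\r\n").encode("ascii")


def sample_capture():
    """Constructed stand-in for the decoded capture: a printer bursting three
    announcements, an AP repeating its NOTIFY 50 times a second for 2 s, a
    device whose LOCATION is off the LAN (203.0.113.7), and one client M-SEARCH."""
    pkts = []
    printer = build_notify("uuid:printer-0001", "http://192.168.1.20:80/desc.xml")
    pkts += [(100.0 + i * 0.1, "192.168.1.20", printer) for i in range(3)]
    ap = build_notify("uuid:ap-0001", "http://192.168.1.1:1900/rootDesc.xml")
    pkts += [(100.0 + i // 50 + (i % 50) * 0.02, "192.168.1.1", ap) for i in range(100)]
    odd = build_notify("uuid:odd-0001", "http://203.0.113.7/desc.xml")
    pkts += [(101.3, "192.168.1.77", odd), (101.4, "192.168.1.77", odd)]
    pkts.append((100.5, "192.168.1.50",
                 b"M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
                 b"MAN: \"ssdp:discover\"\r\nMX: 2\r\nST: ssdp:all\r\n\r\n"))
    return sorted(pkts, key=lambda p: p[0])


if __name__ == "__main__":
    summary = notify_summary(sample_capture())
    for src, s in sorted(summary.items()):
        print(f"{src:15} peak {s['peak_per_sec']:3d}/s {s['bytes']:6d} bytes "
              f"off-LAN LOCATION: {s['offlan_locations'] or '-'}")
    print("flooding:", flooders(summary))
```

Run tcpdump as quoted, decode the UDP payloads with a pcap reader, and feed (timestamp, source, payload) tuples to notify_summary(). A source returned by flooders() is the one eating airtime; an off-LAN LOCATION is the URL whose description XML you fetch and read before deciding it is only a bug.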
 
08-06-2012, 09:30 PM
Henrique de Moraes Holschuh
Strange network activity after updates

On Mon, 06 Aug 2012, Paul Zimmerman wrote:
> I prefer the alternative. tcpdump is a much smaller package.
>
> So, I did this for several minutes and looked at the log. Doesn't
> look like it needs much technical expertise to interpret. The
> content of the packets is printed in plain text and very clearly
> what it should be for that address and port. For some odd reason
> the AP is sending out a continuous stream of UPnP data. XML URLs
> to the interface points. Product ID and URLs to the hardware
> manufacturer's site. That sort of thing. Other APs send out the
> same sort of thing, in short bursts. But this one sends 10-14k
> per second non-stop.

Heh. That's good, looks like it is just an annoying bug.

> Since it's not an emergency, I can just put up with it for now.

If that stream of useless crap is directed to a multicast address, the
AP likely will convert it to broadcast frames, and that is a very bad
thing for throughput on 802.11ag on most APs (and extremely bad if the
AP is trying to support 802.11b as well).

Refer to:
http://superuser.com/questions/432498/what-speed-are-wi-fi-management-and-control-frames-sent-at

which actually has a pretty decent explanation of the problem with
multicast/broadcast frames on 802.11abgn networks.

--
"One disk to rule them all, One disk to find them. One disk to bring
them all and in the darkness grind them. In the Land of Redmond
where the shadows lie." -- The Silicon Valley Tarot
Henrique Holschuh


--
Archive: http://lists.debian.org/20120806213053.GA8824@khazad-dum.debian.net
 

Thread Tools




All times are GMT. The time now is 09:51 PM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright ©2007 - 2008, www.linux-archive.org