back to article ACHTUNG! Scary Linux system backdoor turns boxes into DDoS droids

Cybercrooks have cooked up a backdoor for Linux-powered systems that boasts multiple malicious functions. The Swiss Army Knife-style malware – dubbed Xnote.1 by Russian anti-virus company Doctor Web – can be used as a platform to mount distributed denial-of-service attacks and other evil activities. To spread the software …

  1. Anonymous Coward
    Anonymous Coward


    Wondered why my hard drive light was coming on for no reason!!!

  2. Jim 59

    It needs a cool name. Heartbleed, shellshock, err...

    1. dogged


    2. Dabooka Silver badge


      1. psychonaut

        name it after the traditional submariners "device" for autopleaseure. wankSOCKS

        1. Big Safari

          You Mean

          StorySucks ?

  3. sjs298

    Brute force of SSL not SSH

    I think something went wrong with the translator...

    The original Russian says that it brute-forces SSH (which isn't uncommon):

    1. diodesign (Written by Reg staff) Silver badge

      Re: Brute force of SSL not SSH

      Yup - just revised the copy. SSL didn't look right.


  4. Skymonrie

    Nothing to see, move on

    So, in order to get this backdoor on they must have to already have root access...really???

    Got bigger problems if that is what happens

  5. Jim 59

    @Reg The page says nothing about the attack vector except a vague "mounts a brute force attack to establish an SSL connection with a target machine.". What does that mean ? SSH ? https ? Not much use without details.

    1. Flocke Kroes Silver badge

      To catch this malware ...

      The original Russian disclosure says SSH, not SSL, so step one is to install and enable SSH, on a port where people can find it. This is a terrible idea on any machine visible on the internet because the machine will be found and hit with a continuous stream login requests attempting to find an account by brute force. Although this stands no chance of success with even basic precautions, it does waste a little CPU time and lots of network bandwidth. (The most popular way to avoid the network traffic is to set up port knocking.)

      Next, you will have to make some changes to /etc/ssh/sshd_config. The one that is definitely required is 'PasswordAuthentication yes' otherwise all attempts to log in with a password will fail (sshd should be set up to require one type of public key authentication, and have all other methods disabled). You can save the crackers some time with 'PermitRootLogin yes'. Without that, the cracker will need to use some sort of privilege escalation - which a competent cracker probably knows. Next you need an account with a password that was not created with a random character generator. If you permitted people to log is as root, make sure you set root's password to a word or two out of the dictionary, swapping i to 1 and o to 0. You can save some network bandwidth by using the most popular pasword: 123456. (Logging in as root should require logging in as an ordinary user, then upgrading to root access).

      Next up, this malware requires a bash script in /etc/init.d/ to install itself. The vast majority of them are sh scripts, but I did find a couple of bash scripts. The malware is looking for '#!/bin/bash', which is the way to specify the bash interpreter in Linux. The BSDs require '#! /bin/bash', and Linux accepts that too for compatibility. You can trip up this version 1 installer by adding a space to bash scripts in /etc/init.d/ - if you have any.

      The translation of the incident page said something about using a virus scanner to detect infection. I stopped reading at that point because the advice is clearly bollocks. If you installed and configured sshd to use the ssh port and password authentication with a brute forceable root password then you computer will be infected with something that can hide from any virus scanner running on the computer. You might be able to find the malware by pulling out the hard disk, putting it in a USB enclosure, attaching it to a different computer and comparing it to your backup.

      I think the biggest barrier to catching this malware is that something more nasty will get in first and close up the configuration errors before everyone and his dog pwns the machine.

      1. Big Safari

        So ?

        "Bad passwords invite hackers "

        "Popes often catholic"


        As I said: Dollarsoft Info-Op.

        1. Anonymous Coward
          Anonymous Coward

          Re: So ?

          "Russians are in our Crimea"

      2. Colin Miller

        Re: To catch this malware ...

        You can also use fail2ban.

        This is a small script that monitors your logs, for N occurrences of regexp X in Y seconds, from the same IP number.. If this is reached, then it carries out an action, and a second action after Z seconds.

        By default it monitors /var/log/auth.log, looking for ssh login failures (either wrong password, or non-existent/no-login user). If this occurs 5 times in 10 minutes, then it will invoke iptables to block all incoming traffic from that IP number to your ssh server, and then automatically unban it 10 minutes later. It can also be set to email you an alert.

        It is possible to have it monitor itself, so if the same IP address gets banned 5 times in a day, they get a week's ban (tweak to your inner BOFH's content).

        1. Colin Miller

          Re: To catch this malware ...

          And in the name of everything that is sensible, turn off root ssh login — always login via a normal user and use su / sudo to become root.

  6. Craig 2

    Yes, the article doesn't really specify how you get infected and whether it needs human intervention.

    How are people supposed to effectively troll the security or lack thereof in their chosen favourite OSs without the full details!?


    This is a very poor article.

    Vague to the point of being misleading and really without substance. Why El Reg.? I think we should be told.

    1. Mark Allen

      Re: This is a very poor article.

      Why did El Reg post this? Because all the AV companies create these stories if you watch. An obscure virus will have been found by one of the anti-virus companies and they put out a "Security Warning" which should really just say "Press Release" or "Advert for our product".

      Almost every time the "answer" to the panic will be to buy protection from the company producing the advert press release.

      This is a classic example as it seems to imply that the hacker needs root access to install his code. Which kind of defeats the point as once you have root you can do what you like, and you certainly would not be copying in the same old code you have used elsewhere. If your hacker can get root, then you can't blame a "virus" for taking down the machine. You blame the sys admin for leaving the door open.

    2. BitDr

      Re: This is a very poor article.

      There seems to be a slight uptick in vague articles about scary exploits in Linux; enough so that I'm beginning to wonder how (or why) they get past the editors. These kinds of "stories" smack of scare tactics that would be more at home in a FUD marketing campaign than in an IT news publication read by professionals & enthusiasts.

  8. sisk

    Eh, no worries

    So, basically, this is either a trojan that has to be run as root (in which case, who in their right mind runs strange software as root) or spreads via SSH attacks by brute forcing their way into root (in which case who in their right mind runs SSH on the default port and doesn't prevent root logins).

    Nothing to see here. Move along.

  9. Valeyard


    the malware has to be intentionally run with su priviledges

    in other words, purely academic

    1. Big Safari

      Not Necessarily

      From a Propaganda point of view, "throw shit and assume some of it will stick", it makes sense.

      Seasoned politicos know and use this tactic.

      1. BitDr

        Re: Not Necessarily

        Or, "Tell a big enough lie and tell it frequently enough, it will be believed"... Hmmm he (who shall not be named) was a politician too.. so same difference I guess.

  10. Big Safari

    Dollarsoft Information Operation

    So it transpires:

    + Virus must run as root. Or "dangerous Bankrobber only needs all keys and access codes to get the job done"

    So Cui Bono ?

    + Those folks who sell competitors to Linux and Android systems.

    + Folks who want to sell craptastic anti-virus products

  11. Crazy Operations Guy

    What exactly is being exploited here?

    Is this a bug in sshd? In which case, what versions of sshd? What can be done to mitigate the threat?

    The Linux ecosystem is pretty large and there are many different ssh and ssl daemons out there. Hell, there are many different branches of the Linux Kernel itself out in the wild, the part that makes it Linux in the first place...

    1. WylieCoyoteUK

      Re: What exactly is being exploited here?

      If you are running an internet server, you should be taking basic precautions to reduce the attack surface.

      I know that default VPS setups are often pretty poor, so if you just set one up thinking "it's Linux, I'll be safe", your server was probably rooted a couple of months ago, right when you put it on the internet with no firewall settings, and a big sign saying " PLEASE ROOT ME".

      1. Big Safari

        @ WylieCoyoteUK: Linux Is Not Windows

        A proper Linux server just exposes ssh initially. Which must be secured by a good password - best use 10 auto-generated characters.


        $ md5sum 200randomhitkeys.txt

        Secondly, the apache (or other server) you chose to run normally has NO ROOT PRIVILEGES. Thats a big difference to Windows, which exposes a ton of kernel-level services like SMB. And which need to be hidden behind a firewall. The equivalent Linux (Samba) service can surely be run w/o root privileges.

        Conclusion: Your post is F.U.D.

        1. Destroy All Monsters Silver badge

          Re: @ WylieCoyoteUK: Linux Is Not Windows

          Conclusion: Your post is F.U.D.

          Or it's a post of someone with MS mindset.

        2. jbuk1

          Re: @ WylieCoyoteUK: Linux Is Not Windows

          All correct apart from the fact that the default config on windows 2012 r2 has file sharing disabled by default and the firewall enabled. Hell it doesn't even come with a GUI by default.

          My conclusion is that your post is FUD or you're years behind on your Windows knowledge.

  12. Mikey

    And yet the best part is...

    ...that almost everyone so far has merely scoffed at the very idea of a threat to Linux, and not once suggested that users should go and double check their software to make sure it's all as secure as can be. It only takes one new or clueless user to leave something open by accident and then, whoops, you're now part of the problem.

    Of course, that that point no-one will offer any help or support, just merely scoff again and deride them for such a 'basic' mistake.

    So, to make up for this... any and all intelligent sys-admins and users, do yourselves a favour, and go review your security settings. You can't be too careful now, can you?

    1. Valeyard

      Re: And yet the best part is...

      I agree in principle, but from the information of this specific piece of malware from this article alone (I haven't read about it anywhere else) I don't think action is needed, it seems to take effort to infect yourself, rather than take effort to make yourself safe

    2. Big Safari

      Yeah Boy

      If I were a Windows user running stuff on Linux, I would do it using the root account. After all, that is what Dollarsoft conditioned me to do. "Convenience über alles" or so.

    3. Anonymous Coward
      Anonymous Coward

      @Mikey - Re: And yet the best part is...

      I'll give you half of a crumbled brownie for your post. At least you worked hard to present us the two main points Windows users raise when it comes about OS security: Linux users are always feeling smug about the security of their OS and the Linux community horribly abuses those inocents who are looking for support.

      I'll withhold the other half of the brownie because you failed to show us the threat in this particular case.

      1. Destroy All Monsters Silver badge

        Re: @Mikey - And yet the best part is...

        the Linux community horribly abuses those inocents who are looking for support

        And the cat torturing. He never mentioned the cat torturing.


      Re: And yet the best part is...

      > ...that almost everyone so far has merely scoffed at the very idea of a threat to Linux

      That's because there has been no real indication of what to check.

    5. JamesTQuirk

      Re: And yet the best part is...

      Blame Linux ? Even if the Virus was MSWindows based & they had your password or there was none, like like a lot of new PC users, the same thing or worse could be done ... So it's a Set-Up issue when u build system, not something you can always do something about, when you look @ it's results later ..

  13. Dan 55 Silver badge

    In other words...

    Scary sounding malware which brute forces systems with administrators silly enough to set things up to allow root to log in remotely on ssh's standard port with only a password and without a certificate or port knocking has to wait in line while other malware does same.

  14. Anonymous Coward
    Anonymous Coward

    Should've gone with *BSD

    1. Anonymous Coward
      Anonymous Coward

      Nah, it wouldn't work!

      This beast is multiplatform :)

  15. FrankAlphaXII

    If it is some one/some bot brute forcing root using SSH, then the threat footprint has got to be pretty small. Isn't root disabled by default over SSH?

    Its been awhile, about a year or so, since I switched from a Linux distribution to using FreeBSD and PC-BSD, but I'm pretty sure none of the major Linux distros will default to allowing something that stupid. So while it is a threat, its apparently not the nuclear apocalypse that some of my more excitable colleagues told me about earlier because most distributions won't allow that kind of behavior without being configured to do so, unless I'm gravely mistaken.

  16. JoeF

    That explains the number of ssh login attempts

    Yesterday, I noticed an unusually high number of ssh login attempts. This explains it.

    And for the root access, what some commenters seem to miss is that it is much easier to do a brute force root login attack from a local account. A properly configured ssh doesn't allow remote root login.

    1. tom dial Silver badge

      Re: That explains the number of ssh login attempts

      And perhaps a properly configured ssh requires public key authentication for all users, reducing somewhat the brute-force exposure.

      1. P. Lee

        Re: That explains the number of ssh login attempts

        Also, not many places allow outbound SSH connections, so its likely a VPN will be needed for remote access. That's going to hide the SSH server anyway. Otherwise, there's fail-2-ban, port knocking and other measures which can be used to mitigate brute-force password attacks.

        Perhaps the SSL/SSH confusion comes from people putting ssh on port 443 so that they can get to it by pretending to be HTTPS,

  17. Terry Cloth
    Thumb Down

    So, El Reg wants to redefine `backdoor'?

    This is the second article in a few weeks with `backdoor' in lights, when it's nothing of the sort---just another piece of malware wanting to get in.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2022