back to article Linux malware? That'll never happen. Ok, just this once then

Russian security outfit Dr. Web says it's found new malware for Linux. The firms says the “Linux.Lady.1” trojan does the following three things: Collect information about an infected computer and transfer it to the command and control server. Download and launch a cryptocurrency mining utility. Attack other computers of …

  1. Pascal Monett Silver badge

    "those who run Redis without requiring a password for connections"

    WHAT ? There are Linux admins who have actually configured the oh-so-vaunted Linux server to accept external comms without authentication ? Count my gast flabbered. Must be ex-Windows admins.

    In any case, the next time I view another condescending comment on lusers running Windows in admin mode, I will link to this article with relish.

    1. Anonymous Coward
      Anonymous Coward

      Re: "those who run Redis without requiring a password for connections"

      WHAT ? There are Linux admins who have actually configured the oh-so-vaunted Linux server to accept external comms without authentication ? Count my gast flabbered. Must be ex-Windows admins.

      Yes, they must be, because it requires killing off safe defaults. It's as hard to bring a Linux service online in an unsafe state as it easy to do so under Windows, except when it's Joomla (as that even now defaults to adding the password in cleartext to a joining email, and requires such to be disabled explicitly instead of the other way around). But that's not really Linux, that's more like adding Word to Windows and then observing that macro risks are still with us because it's only been like 20 years or so that that risk not only exists but is actively being abused in the wild..

      Not that you need to ADD anything to have problems with Windows - why would you otherwise have to add extra anti-virus?

      1. Anonymous Coward
        Anonymous Coward

        >> It's as hard to bring a Linux service online in an unsafe state as it easy to do so under Windows<<

        Tell that to the MongoDB devs with their "defaulting to secure is too difficult for users" attitude.

        But yeah, most linux users don't know how to secure windows just like most windows devs don't know how to secure linux. And if the last time you used Windows was NT you probably think it still defaults to everything open...

    2. revdjenk

      Re: "those who run Redis without requiring a password for connections"

      First, if you read the article, you need a poorly secured server running Redis.

      Second, from Redis' own site:

      "Redis is an open source (BSD licensed), in-memory data structure store, used as database, cache and message broker."

      So, it isn't Linux!

      1. Pascal Monett Silver badge

        No, it isn't Linux. I never said it was. But it's installed by the same kind of holier-than-thou that endlessly deride Windows users at every opportunity (ok, there is no shortage of opportunity there).

        Sorry, but this is a big black mark on Linux condescension. I will not forget it.

        1. John Brown (no body) Silver badge

          Linux condescension"

          I'm not so sure that an OS can even be condescending. Although MS seem to be doing their best with some of the messages that appear during install or first log-in.

          Anyway, getting back to what your point actually is, just because there are some "squeaky wheel" Linux zealots doesn't mean that they all are.

  2. Anonymous Coward
    Anonymous Coward

    Redis

    Somehow this doesn't surprise me, most how-tos for redis don't cover securing it, and the system packages for most distros are totally open by default.

    1. Anonymous Coward
      Anonymous Coward

      Re: the system packages for most distros are totally open by default.

      but "It's as hard to bring a Linux service online in an unsafe state as it easy to do so under Windows"!

      1. Chika

        Re: the system packages for most distros are totally open by default.

        The way I see it is that no operating system is totally safe and while Linux does make an attempt, in most distros that I've used over the years, to keep itself secure on installation, there are all sorts of reasons why you can never count on complete safety.

        Most of those reasons relate to the people running the systems in question. Just as it is possible to construct a Windows system that doesn't rely on a user being logged in as admin all the time, it is just as possible for a Linux (or MacOS) system to be compromised by a user that insists on being logged in as root or has their own account added to the root group.

        It's the reason why some distros are so keen on using sudo rather than encouraging a root login. You take control for as long as you actually need it and no longer.

        1. bombastic bob Silver badge
          Devil

          Re: the system packages for most distros are totally open by default.

          "t's the reason why some distros are so keen on using sudo rather than encouraging a root login"

          a fair compromise, if the 'sudoer' user's password isn't super-short/easily-guessed

          And disallowing ALL root logins for sshd (or any OTHER remote access) should be THE DEFAULT, but isn't always. [it's easy, just one line in sshd_config]

        2. Doctor Syntax Silver badge

          Re: the system packages for most distros are totally open by default.

          "It's the reason why some distros are so keen on using sudo rather than encouraging a root login. You take control for as long as you actually need it and no longer."

          I think there's a fairly complex history here. Ideally nothing should run with higher privileges than it requires. Your mail daemon should have a mail user ID, your printer daemon should run as a printer user such as lp etc. In old-style Unix there was a user bin to own most of the standard executables so root wasn't even needed for installations. Nowadays all the executables seem to be owned by root and in general root privileges seem to be needed for more admin that used to be the case.

          Sudo seems to have been introduced in the wake of that - no need for all those separate IDs & passwords. IMV it's a bad compromise between security and convenience with logging thrown in as a some sort of gesture. It means, of course, that a member of sudoers can get root privilege with their own password; it's marginally better than running as root but it does mean that anyone who manages to get that otherwise ordinary user password need nothing else to gain full control of the system. Certainly a direct root login shouldn't be possible, but su to root with a root password and even then only when necessary; in a large installation someone only responsible for printers, for instance, should user a lesser ID such as lpadmin.

          1. manicmike

            Re: the system packages for most distros are totally open by default.

            But sudo caters for allowing users just the elevated access they need, not to sudo to a root shell.

            I was a Unix admin for many years and would never allow someone sudo to ALL unless it were me, and always require a password (which has a minimum length and complexity of course). If you're the admin of a Linux server, you generally know how these things work and don't break the golden rule of allowing people access to things they don't need.

            The default sshd_config is to not allow root logins. Sometimes you do need to login as root, though, and in that case disallow password logins entirely and use a key pair. When I have sshd running and my IP address is external, logs generally show thousands of attempts (mostly from China, Korea and eastern Europe) of a root login. Even though they fail it's pretty scary how many automated hackers there are and it only takes one careless admin to allow them opportunity.

            Man page for sshd_config is here https://linux.die.net/man/5/sshd_config and states the defaults, which are pretty secure. I'd still remove password logins on all accounts and edit the hosts.allow and hosts.deny files.

  3. Zakhar

    PEBCAK

    It is not the first time. It happened on Synology NAS, which run busybox (a special version of Linux for low power CPU/RAM)

    Synolocker: https://www.symantec.com/security_response/writeup.jsp?docid=2014-080708-1950-99

    Same mode of infection: PEBCAK. A colleague got it, of course he had a SSH open to the web with no filtering, standard port (22) and an obvious password. There were also some flaws that Synology patched after that (admin 'backdoor' password like).

    1. Doctor Syntax Silver badge

      Re: PEBCAK

      "It happened on Synology NAS, which run busybox (a special version of Linux for low power CPU/RAM)"

      There seems to be an implication here that busybody is a version of Linux. It isn't. It's an all-in-one replacement for many of the normal Unix-style command line utilities for low resource situations where low resource includes running out of small flash storage. It requires a kernel which is a separate entity.

  4. CAPS LOCK Silver badge

    How is this a Linux issue?

    Could it be that El Reg is trying to diss. Linux? No, unpossible!

    1. Anonymous Coward
      Meh

      Re: How is this a Linux issue?

      The same way that many "Windows" issues are caused by people ignoring all the dam warnings and running as full admin.

      1. Anonymous Coward
        Anonymous Coward

        Re: How is this a Linux issue?

        The same way that many "Windows" issues are caused by people ignoring all the dam warnings and running as full admin.

        Well, that's the default so you can't really blame people for just using the product as it comes out of the box (or off a medium or network). In addition, try running it as a user and see just how easy that is (pretty close to impossible for the consumer versions).

        That being said, it is worth observing that running it as admin only creates security problems with Microsoft Windows? Apple's OSX pretty much does the same thing, yet has far fewer issues (and, I may add, is ALSO an utter pain to run with just user rights).

        1. jason 7 Silver badge

          Re: How is this a Linux issue?

          " In addition, try running it as a user and see just how easy that is (pretty close to impossible for the consumer versions)."

          Tell that to the tens/hundreds of thousands using it everyday in corporate/enterprise situations who seem to get by just fine.

          Hyperbole?

          We used to call Admin and Standard user accounts 'Distracted' and 'Undistracted' accounts.

        2. Ken Hagan Gold badge

          Re: How is this a Linux issue?

          "try running it as a user and see just how easy that is"

          Been using Windows NT and its successors with an ordinary account since version 3.1. No harder than Linux. (Specifically, you or someone friendly needs to have an administrative account for occasional use, like installing software or working around the incompetence of (mainly Microsoft) developers who *themselves* ran as admin and so don't know how shit their product is. That apart, the OS works fine. Never understood why MS have "pants down, bent over" as the OOBE.)

          1. jason 7 Silver badge

            Re: How is this a Linux issue?

            "Never understood why MS have "pants down, bent over" as the OOBE."

            I often remark on this and state that MS needs to change the initial setup to make a separate admin and user account instead. But I usually get shouted down by all the folks that previously commented smugly that all other OS's tend to have this very method as standard.

            (Shrugs)

            1. Chika

              Re: How is this a Linux issue?

              But I usually get shouted down by all the folks that previously commented smugly that all other OS's tend to have this very method as standard.

              Why? It's not the perfect solution but, as you say, other OSs do it. Personally I wouldn't shout down a reasonable idea just because Microsoft don't currently do it. If they were to put this into a system, even the execrable Windows 10, it would be at least one reason to cheer.

          2. AJ MacLeod

            Re: How is this a Linux issue?

            Yes, in principle running Windows as an ordinary user without admin rights is quite straightforward. However in the real world (and particularly in the SME world where most work actually gets done) people have to run applications... not just Office and Internet Explorer, but horribly written monstrosities of programs often ancient in origin and specific to particular tasks or areas of industry.

            Nine times out of ten these pieces of junk will simply not work without full admin rights, or if they do they don't work correctly.

            1. Stevie Silver badge

              Re: How is this a Linux issue? 4 AJ McLeod

              And how is poor application design a Windows issue?

              All the comments like this I hear at work come from Unix-trained admins who refuse to understand the Windows security model is fundamentally different than the Unix one, and they are hoist on their own smug petard time and again when the windows team run circles round the Unix guys (who are, before you scream and leap, "my side").

            2. Anonymous Coward
              Anonymous Coward

              Re: How is this a Linux issue?

              "Nine times out of ten these pieces of junk will simply not work without full admin rights, or if they do they don't work correctly."

              Right Click "Run As Admin"

              Heck even create an account for that application. Edit shortcut. Set to Run As....

              Been doing that since XP.

            3. jason 7 Silver badge

              Re: How is this a Linux issue?

              Ahh well you see I manage to get the SME companies I work for to move away from old legacy software. In fact very few use any custom software any more. Its 99% Office, browsers and some web/cloud applications.

    2. bombastic bob Silver badge

      Re: How is this a Linux issue?

      it's on a Linux system... I guess ANY malware running on a Linux system, being so rare, is "newsworthy" simply because of the "Look I found one!" factor

    3. Frumious Bandersnatch Silver badge

      Re: How is this a Linux issue?

      You fail English.

      1. Doctor Syntax Silver badge

        Re: How is this a Linux issue?

        "You fail English."

        You fail clarity. Which comment were you commenting on?

    4. CAPS LOCK Silver badge

      Re: How is this a Linux issue?

      Thirteen thumbs down - that'll lern me...

  5. Dabooka

    'ignoring all the dam warnings'

    Yes, it really opens up the floodgates ignoring those

    1. Anonymous Coward
      Anonymous Coward

      Re: 'ignoring all the dam warnings'

      Yes, it really opens up the floodgates ignoring those

      It's especially the bouncing bomb errors you need to worry about ..

      :)

      1. Chika

        Re: 'ignoring all the dam warnings'

        Water shocking idea!

    2. Anonymous Coward
      Happy

      Re: 'ignoring all the dam warnings'

      Good point. That said, at least I know how to use the reply button.

  6. Anonymous Coward
    Anonymous Coward

    Nice to see there is a temporary fix for this (jumps straight onto penguista machine)

  7. Alistair Silver badge
    Windows

    yeesh.

    I've been linux advocate for almost 25 years. I've been an *enterprise* linux admin for 15. I have background in... Mainframe (MVS/zOS/IMS/CICS/mq, VAX, networking, hardware support (Printers/Tapedrives/SNx controllers), HPUX, Solaris. I've built hundreds of PCs over the years for family and close friends (for new kids in the it biz DO NOT do that).

    Simply put, if you *investigate* and *work* at it any application can be installed in it's own user account on any OS, there tends to be a ch**ton of work *prior* to the install and there has to be relevantly appropriate comprehension on the part of the installer at run time, but it *can* be done in almost *all* cases. In some *very* few cases special permissions (both *nix and *dows) may be needed on specific binaries to keep things operational.

    Major issue: most admins/app owners have insufficient TIME.

    Time to INVESTIGATE

    Time to LEARN

    Time to work on DOING IT RIGHT.

    I've had almost 30 years in IT getting various portions of my anatomy singed off in various ways. I now have sufficient karma to tell folks to go to hell while I figure out how to do it well. If not *right*.

    If you install and run as (root/Administrator) any application, the first time someone finds a hole in that application, your entire *environment* is immediately at risk in any case.

    <Yes, I'm seriously a grumpy old fart this morning. Send me to fix a raid 5 array with one dead disk and one failing on write commit errors. BACKUPS!>

    1. sabroni Silver badge
      Happy

      Re: ch**ton of work

      A chorlton of work? A chip ton of work?

      It's ok to swear on here you know! Might help you vent a little (more)....

      1. a pressbutton Silver badge

        Re: ch**ton of work

        I think a ch**ton is mentioned in one of Lovecraft's short stories.

        It might be something to do with the time it takes your soul to decay.

        (apologies for changing the subject back to Window server admin)

  8. Kurt Meyer

    Dr. Web

    "The problem is instead between the ears of those who run Redis without requiring a password for connections."

    That surely isn't a linux problem.

    "Dr. Web reckons its own anti-virus for Linux will squash Linux.Lady.1 flat in no time."

    I don't have any experience with Dr. Web, and I've never felt the need to seek out an AV for my linux installations. Do any of the commentards here have any info re: Dr. Web that they'd care to share?

    1. Doctor Syntax Silver badge

      Re: Dr. Web

      "That surely isn't a Linux problem."

      Yup. Here we have some application set up to run insecurely by default and suddenly it becomes a vehicle for selling some nostrum for the OS on which it runs, despite said OS having a reputation for not needing such nostrums. I think I detect a salesman at work and adjust my cynicism levels accordingly.

  9. This post has been deleted by its author

  10. Aodhhan

    How good of an admin are you?

    Instead of staying on topic, almost everyone jumps into the ridiculous argument of UNIX vs Windows.

    Really guys? If you're distracted by such idiocy, just how good can you be at administrating an operating system? I would hope you'd be more professional and not let some post agitate you.

    You'd serve yourself better by taking these articles and using them as "lessons learned" to ensure your systems are secure. Just because you believe your systems are securely configured doesn't make it so.

    1. D 13

      Re: How good of an admin are you?

      "everyone jumps into the ridiculous argument of UNIX vs Windows."

      I feel like we're really close to a final answer on that debate that we can all agree upon. I think if I stay up all night typing posts about all linux users being involuntary virgins that will help move things along to a final conclusive answer by tomorrow.

  11. Anonymous Coward
    Anonymous Coward

    I think it is really cool. Good for them. Mining coins off shitty configured servers is awesome.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020