On Wed, 2011-03-23 at 10:44 +0100, Roman Zilka wrote:
> Apart from that, you may once in a while get tempted to open a piece of
> spam which just happens to look so legitimate. And this item happened
> to contain a 1x1 pixel white image which abused a hole in libmng which
> you'd always ignored, because you just never view mng files.

I think you mean "libpng", not "libmng". I can't find any references to
the latter. This exploit is apparently a design error in the library
and is rated as being of low risk for Linux. You can get your Linux
desktop DoS'd, apparently, but I find no reference to a viral infection
or a wider system compromise. Reboot and carry on :-)

My hypothetical question said "Please cite specific viruses/trojans"
which can affect a Linux desktop box. There's a difference between an
exploit vulnerability which can open up a box from the inside to
intrusion, and persists across reboots, and a vulnerability via an open
port or exposed service which requires that the services be accessible
from the Internet cloud. A javascript which can lock a box into an
infinite loop, or a libpng vulnerability which can effectively DoS a box
doesn't rise to this level. Can we assume that there's no port exposure
in a box masqueraded on an RFC1918 network? I'm not sure, which is why I
posed the question.

With perhaps a very few exceptions these exploits are aimed at MS Windows
boxes. Recent Flash vulnerabilities, for instance, are listed as
affecting "Adobe Flash Player 10.1.82.76 and earlier versions for
Windows, Macintosh, Linux, and Solaris, and Adobe Flash Player
10.1.92.10 for Android" but the report goes on to say that "There are
reports that this vulnerability is being actively exploited in the wild
against Adobe Flash Player on Windows." No mention of Linux, and I can
find no references to a web or email borne exploit found in the wild
that actually generates an *infection* on a Linux box. Consider this a
challenge, if you will, since I'd love to be proved wrong on this last
point and learn something.

One of the reasons I use Linux is because real infections of any sort
via email or web are extremely rare. This isn't to say that they're
non-existent, and there's no such thing as absolute security, but
prevention of such problems is a matter of keeping up with CERT
bulletins. A quick search on US-CERT's website is pretty reassuring.
Searching for Linux turns up virtually nothing from the past several
years, although I do know that there was a nasty glibc vulnerability not
too long ago. There's a difference, however (subtle as it may be),
between getting infected by a virus and getting cracked by an intruder.

> DNSSEC is also on the table nowadays. No firewall will protect you from
> spoofed DNS replies that will lead your browser to a malicious site.

We've seen this. I'm not running DNSSEC on my DNS servers but I've
taken other measures to avoid cache poisoning on them. One of my
clients, using one of RoadRunner's DNS servers, did have this problem,
from a Windows box, and got a very fake Google front page!

> Also, you mentioned earlier that you access various VPNs. I don't know
> much about VPNs, and topologies and configurations may clearly vary
> broadly, but I suppose there can be a setting such that your PC will
> get exposed to direct traffic from the VPN peers. NAT or not NAT.

Absolutely! If a skilled cracker were to compromise one of my servers,
or one of my clients' servers to which I'm connected via VPN, then I'm a
sitting duck, assuming said cracker has the skill to figure out how to
traverse the VPN and compromise _my_ Linux security. My VPNs are wide
open, for a reason. My question is a hypothetical one, however,
regarding general security, and the issue of VPNs relates only to my
particular setup. And this involves an "exploit" of a connected box,
not a virus/trojan infection, as per my question.

One always learns far more from one's failures than from one's
successes. My Linux servers _have_ been hacked. The biggest hole on my
servers is PHP, and all the break-ins on them have been via large PHP
mega-apps (e.g. WordPress). Most recently we had a customer's WordPress
installation compromised and the attacker was trying to exploit a known
vulnerability in the local glibc. He managed only to totally DoS the
box and I had to get an on-site admin to re-boot it. I've locked down
execute perms on wget, which is what most of these black-hats use to
load in their cracking tools, and we've had zero problems since. But
this is server stuff, and OT for this forum.

--
Lindsay Haisley       | "Fighting against human creativity is like
FMP Computer Services | trying to eradicate dandelions"
512-259-1190          | (Pamela Jones)
http://www.fmp.com    |