On Wed, 2011-03-23 at 10:44 +0100, Roman Zilka wrote:
> Apart from that, you may once in a while get tempted to open a piece of
> spam which just happens to look so legitimate. And this item happened
> to contain a 1x1 pixel white image which abused a hole in libmng which
> you'd always ignored, because you just never view mng files.

I think you mean "libpng", not "libmng". I can't find any references to
the latter. This exploit is apparently a design error in the library
and is rated as being of low risk for Linux. You can get your Linux
desktop DoS'd, apparently, but I find no reference to a viral infection
or a wider system compromise. Reboot and carry on :-)

My hypothetical question said "Please cite specific viruses/trojans"
which can affect a Linux desktop box. There's a difference between an
exploit vulnerability which can open up a box from the inside to
intrusion, and persists across reboots, and a vulnerability via an open
port or exposed service which requires that the services be accessible
infinite loop, or a libpng vulnerability which can effectively DoS a box
doesn't rise to this level. Can we assume that there's no port exposure
in a box masqueraded on a RFC1918 network? I'm not sure, which is why I
posed the question.

With perhaps a very few exceptions these exploits are aimed at MS Windows
boxes. Recent Flash vulnerabilities, for instance, are listed as
affecting "Adobe Flash Player 10.1.82.76 and earlier versions for
Windows, Macintosh, Linux, and Solaris, and Adobe Flash Player
10.1.92.10 for Android" but the report goes on to say that "There are
reports that this vulnerability is being actively exploited in the wild
against Adobe Flash Player on Windows." No mention of Linux, and I can
find no references to a web or email borne exploit found in the wild
that actually generates an *infection* on a Linux box. Consider this a
challenge, if you will, since I'd love to be proved wrong on this last
point and learn something.

One of the reasons I use Linux is because real infections of any sort
via email or web are extremely rare. This isn't to say that they're
non-existent, and there's no such thing as absolute security, but
prevention of such problems is a matter of keeping up with CERT
bulletins. A quick search on US-CERT's website is pretty reassuring.
Searching for Linux turns up virtually nothing from the past several
years, although I do know that there was a nasty glibc vulnerability not
too long ago. There's a difference, however, (subtle as it may be)
between getting infected by a virus and getting cracked by an intruder.

> DNSSEC is also on the table nowadays. No firewall will protect you from
> spoofed DNS replies that will lead your browser to a malicious site.

We've seen this. I'm not running DNSSEC on my DNS servers but I've
taken other measures to avoid cache poisoning on them. One of my
clients, using one of RoadRunner's DNS servers, did have this problem,
from a Windows box, and got a very fake Google front page!

> Also, you mentioned earlier that you access various VPNs. I don't know
> much about VPNs, and topologies and configurations may clearly vary
> broadly, but I suppose there can be a setting such that your PC will
> get exposed to direct traffic from the VPN peers. NAT or not NAT.

Absolutely! If a skilled cracker were to compromise one of my servers,
or one of my clients' servers to which I'm connected via VPN, then I'm a
sitting duck, assuming said cracker has the skill to figure out how to
traverse the VPN and compromise _my_ Linux security. My VPNs are wide
open, for a reason. My question is a hypothetical one, however,
regarding general security, and the issue of VPNs relates only to my
particular setup. And this involves an "exploit" of a connected box,
not a virus/trojan infection, as per my question.

One always learns far more from one's failures than from one's
successes. My Linux servers _have_ been hacked. The biggest hole on my
servers is PHP, and all the break-ins on them have been via large PHP
mega-apps (e.g. WordPress). Most recently we had a customer's WordPress
installation compromised and the attacker was trying to exploit a known
vulnerability in the local glibc. He managed only to totally DoS the
box and I had to get an on-site admin to re-boot it. I've locked down
execute perms on wget, which is what most of these black-hats use to
load in their cracking tools, and we've had zero problems since. But
this is server stuff, and OT for this forum.

Lindsay Haisley | "Fighting against human creativity is like
FMP Computer Services | trying to eradicate dandelions"
512-259-1190 | (Pamela Jones)
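The mitigation mentioned near the end of the message above (removing execute permission on wget so a compromised PHP application cannot use it to fetch further tooling) is easy to apply but also easy to let drift back. The script below is an added example, not code from the thread or its author: it audits a list of download tools for the "other" execute bit and removes it, so a web-server account that is neither root nor in the admin group can no longer run them. The tool list, the scratch directory and the helper names are assumptions; in production you would also `chgrp` the binaries to an administrative group, which is omitted here because it needs root.

```shell
#!/bin/sh
# Added example (not from the original mailing-list message): audit and
# restrict the "other" execute bit on download tools that post-exploitation
# scripts commonly rely on. Tool paths below are assumptions.

# Octal permission string of a file; GNU stat first, BSD stat as fallback.
perm_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Print "world-exec" if the 'other' execute bit is set, else "restricted".
# The last octal digit is taken as a string so a leading zero cannot make
# the shell reinterpret the value.
audit_exec() {
    p=$(perm_of "$1")
    other=${p#"${p%?}"}
    case "$other" in
        1|3|5|7) echo world-exec ;;
        *)       echo restricted ;;
    esac
}

# Remove read/write/execute for 'other'. Owner (root) and group (an admin
# group, set with chgrp in a real deployment) keep their access.
restrict_exec() {
    chmod o-rwx "$1"
}

# Report the status of every tool given; missing tools are skipped.
audit_tools() {
    for t in "$@"; do
        if [ -e "$t" ]; then
            printf '%s %s\n' "$t" "$(audit_exec "$t")"
        fi
    done
}

# Demo on a scratch copy so the script is safe to run anywhere (constructed
# input: a fake wget, not the real binary).
demo() {
    d=$(mktemp -d)
    printf '#!/bin/sh\necho fake wget\n' > "$d/wget"
    chmod 755 "$d/wget"
    before=$(audit_exec "$d/wget")
    restrict_exec "$d/wget"
    after=$(audit_exec "$d/wget")
    rm -rf "$d"
    echo "$before -> $after"
}

demo
# On a real host you would instead run, as root:
#   audit_tools /usr/bin/wget /usr/bin/curl /usr/bin/fetch
# and call restrict_exec on each entry reported as world-exec.
```

Re-run `audit_tools` from cron or a configuration-management check so a package upgrade that reinstalls the binary with mode 755 is noticed rather than silently undoing the restriction.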