| 1 |
On Wed, 2011-03-23 at 10:44 +0100, Roman Zilka wrote: |
| 2 |
> Apart from that, you may once in a while get tempted to open a piece of |
| 3 |
> spam which just happens to look so legitimate. And this item happened |
| 4 |
> to contain a 1x1 pixel white image which abused a hole in libmng which |
| 5 |
> you'd always ignored, because you just never view mng files. |
| 6 |
|
| 7 |
I think you mean "libpng", not "libmng". I can't find any references to |
| 8 |
the latter. This exploit is apparently a design error in the library |
| 9 |
and is rated as being of low risk for Linux. You can get your Linux |
| 10 |
desktop DoS'd, apparently, but I find no reference to a viral infection |
| 11 |
or a wider system compromise. Reboot and carry on :-) |
| 12 |
|
| 13 |
My hypothetical question said "Please cite specific viruses/trojans" |
| 14 |
which can affect a Linux desktop box. There's a difference between an |
| 15 |
exploit vulnerability which can open up a box from the inside to |
| 16 |
intrusion, and persists across reboots, and a vulnerability via an open |
| 17 |
port or exposed service which requires that the services be accessible |
| 18 |
from the Internet cloud. A javascript which can lock a box into an |
| 19 |
infinite loop, or a libpng vulnerability which can effectively DoS a box |
| 20 |
doesn't rise to this level. Can we assume that there's no port exposure |
| 21 |
in a box masqueraded on a RFC1918 network? I'm not sure, which is why I |
| 22 |
posed the question. |
| 23 |
|
| 24 |
With perhaps a very few exception these exploits are aimed at MS Windows |
| 25 |
boxes. Recent Flash vulnerabilities, for instance, are listed as |
| 26 |
affecting "Adobe Flash Player 10.1.82.76 and earlier versions for |
| 27 |
Windows, Macintosh, Linux, and Solaris, and Adobe Flash Player |
| 28 |
10.1.92.10 for Android" but the report goes on to say that "There are |
| 29 |
reports that this vulnerability is being actively exploited in the wild |
| 30 |
against Adobe Flash Player on Windows." No mention of Linux, and I can |
| 31 |
find no references to a web or email borne exploit found in the wild |
| 32 |
that actually generates an *infection* on a Linux box. Consider this a |
| 33 |
challenge, if you will, since I'd love to be proved wrong on this last |
| 34 |
point and learn something. |
| 35 |
|
| 36 |
One of the reasons I use Linux is because real infections of any sort |
| 37 |
via email or web are extremely rare. This isn't to say that they're |
| 38 |
non-existent, and there's no such thing as absolute security, but |
| 39 |
prevention of such problems is a matter of keeping up with CERT |
| 40 |
bulletins. A quick search on US-CERT's website is pretty reassuring. |
| 41 |
Searching for Linux turns up virtually nothing from the past several |
| 42 |
years, although I do know that there was a nasty glibc vulnerability not |
| 43 |
too long ago. There's a difference, however, (subtle as it may be) |
| 44 |
between getting infected by a virus and getting cracked by an intruder. |
| 45 |
|
| 46 |
> DNSSEC is also on the table nowadays. No firewall will protect you from |
| 47 |
> spoofed DNS replies that will lead your browser to a malicious site. |
| 48 |
|
| 49 |
We've seen this. I'm not running DNSSEC on my DNS servers but I've |
| 50 |
taken other measures to avoid cache poisoning on them. One of my |
| 51 |
clients, using one of RoadRunner's DNS servers, did have this problem, |
| 52 |
from a Windows box, and got a very fake Google front page! |
| 53 |
|
| 54 |
> Also, you mentioned earlier that you access various VPNs. I don't know |
| 55 |
> much about VPNs, and topologies and configurations may clearly vary |
| 56 |
> broadly, but I suppose there can be a setting such that your PC will |
| 57 |
> get exposed to direct traffic from the VPN peers. NAT or not NAT. |
| 58 |
|
| 59 |
Absolutely! If a skilled cracker were to compromise one of my servers, |
| 60 |
or one of my clients' servers to which I'm connected via VPN, then I'm a |
| 61 |
sitting duck, assuming said cracker has the skill to figure out how to |
| 62 |
traverse the VPN and compromise _my_ Linux security. My VPN's are wide |
| 63 |
open, for a reason. My question is a hypothetical one, however, |
| 64 |
regarding general security, and the issue of VPNs relates only to my |
| 65 |
particular setup. And this involves an "exploit" of a connected box, |
| 66 |
not a virus/trojan infection, as per my question. |
| 67 |
|
| 68 |
One always learns far more from one's failures than from one's |
| 69 |
successes. My Linux servers _have_ been hacked. The biggest hole on my |
| 70 |
servers is PHP, and all the break-ins on them have been via large PHP |
| 71 |
mega-apps (e.g. WordPress). Most recently we had a customer's WordPress |
| 72 |
installation compromised and the attacker was trying exploit a known |
| 73 |
vulnerability in the local glibc. He managed only to totally DoS the |
| 74 |
box and I had to get an on-site admin to re-boot it. I've locked down |
| 75 |
execute perms on wget, which is what most of these black-hats use to |
| 76 |
load in their cracking tools, and we've had zero problems since. But |
| 77 |
this is server stuff, and OT for this forum. |
| 78 |
|
| 79 |
-- |
| 80 |
Lindsay Haisley | "Fighting against human creativity is like |
| 81 |
FMP Computer Services | trying to eradicate dandelions" |
| 82 |
512-259-1190 | (Pamela Jones) |
| 83 |
http://www.fmp.com | |
Archives