Category Archives: Linux

CYBER ARMS – Computer Security: Basic Security Testing with Kali Linux Giveaway Contest

Want a chance to get a signed copy of my latest Kali Linux book? I am giving away a total of 10 signed copies of “Basic Security Testing with Kali Linux, 3rd Edition”!

Simply follow, like and share this article, or my official Twitter or Instagram announcement, for a chance to win a signed copy of my new book!

10 lucky winners will be randomly selected on October 31st.

The Contest is for those living in the United States only. I may do another one for international readers in the future.

Liking this article & sharing the Official Contest announcements on Twitter and Instagram will increase your chances of winning. Winners will be notified on October 31st. If a winner cannot be notified or does not respond by the end of the first week of November, another winner will be picked.

Good luck!

Microsoft open-sources 60,000 patents to protect Linux

Microsoft makes 60,000 patents open-source to help the Linux Community

Microsoft has joined the Open Invention Network (“OIN”), an open-source group dedicated to protecting Linux and other open-source software programs from patent legal troubles.

The move will see the Redmond giant make its deep portfolio of over 60,000 issued patents available to other OIN members. Microsoft is presenting the move as a signal that it has no intention of using patents as a weapon against any free software, not just the free software on OIN’s specific list.

“We know Microsoft’s decision to join OIN may be viewed as surprising to some; it is no secret that there has been friction in the past between Microsoft and the open source community over the issue of patents,” Erich Andersen, Corporate Vice President and Deputy General Counsel at Microsoft wrote in a blog post on Wednesday.

“For others who have followed our evolution, we hope this announcement will be viewed as the next logical step for a company that is listening to customers and developers and is firmly committed to Linux and other open source programmes,” Andersen added.

“Now, as we join OIN, we believe Microsoft will be able to do more than ever to help protect Linux and other important open source workloads from patent assertions. We also hope that our decision to join will attract many other companies to OIN, making the license network even stronger for the benefit of the open source community,” Andersen said.

“We look forward to making our contributions to OIN and its members, and to working with the community to help open source developers and users protect the Linux ecosystem and encourage innovation with open source software.”

Andersen said that joining OIN reflects Microsoft’s patent practice evolving in lock-step with the company’s views on Linux and open source more generally.

“We began this journey over two years ago through programs like Azure IP Advantage, which extended Microsoft’s indemnification pledge to open source software powering Azure services,” he said.

“We doubled down on this new approach when we stood with Red Hat and others to apply GPL v. 3 “cure” principles to GPL v. 2 code, and when we recently joined the LOT Network, an organisation dedicated to addressing patent abuse by companies in the business of assertion,” Andersen added.

Founded in 2005, OIN’s mission has been to protect Linux developers from patent lawsuits. OIN owns more than 1,000 patents and comprises more than 2,650 companies that includes firms such as Google, IBM, Red Hat, and SUSE.

Keith Bergelt, CEO of Open Invention Network (OIN), said that Microsoft’s participation in OIN “adds to our strong community, which through its breadth and depth has reduced patent risk in core technologies, and unequivocally signals for all companies who are using OSS but have yet to join OIN that the litmus test for authentic behaviour in the OSS community includes OIN participation.”

According to Bergelt, the newly opened patents cover a vast range of open-source technologies such as Android, the Linux kernel and OpenStack; newer technologies such as LF Energy and HyperLedger; and their predecessor and successor versions.

The post Microsoft open-sources 60,000 patents to protect Linux appeared first on TechWorm.

Plex for Linux Now Available as a Snap

An anonymous reader shares a report: Today, a very popular app, Plex Media Server, gets the Snap treatment. In other words, you can install the media server program without any headaches -- right from the Snap store. "In adopting the universal Linux app packaging format, Plex will make its multimedia platform available to an ever-growing community of Linux users, including those on KDE Neon, Debian, Fedora, Manjaro, OpenSUSE, Zorin and Ubuntu. Automatic updates and rollback capabilities are staples of Snap software, meaning Plex users will always have the best and latest version running," says Canonical.

Read more of this story at Slashdot.

Mutagen Astronomy – Linux Vulnerability Hits CentOS, Debian, and Red Hat Distros

Researchers have discovered a critical vulnerability that allegedly affects multiple Linux distros. The vulnerability named Mutagen Astronomy allows an attacker

Mutagen Astronomy – Linux Vulnerability Hits CentOS, Debian, and Red Hat Distros on Latest Hacking News.

Linux Kernel Finally Nearing Support For The Apple Magic Trackpad 2, Thanks To a Google Employee

Michael Larabel, writing for Phoronix: Apple announced the Magic Trackpad 2 almost three years ago to the day while the mainline Linux kernel will finally be supporting this multi-touch device soon. The Magic Trackpad 2 is a wired/wireless touchpad with haptic feedback support and is a much larger touchpad compared to the original Magic Trackpad. There unfortunately hasn't been any mainline Linux kernel support for the Magic Trackpad 2, but some out-of-tree options. [...] However, as seen by this bug report there have been plenty of people since 2015 interested in using the Magic Trackpad 2 on Linux. Fortunately, Sean O'Brien of Google's Chrome OS team has been working on Magic Trackpad 2 support with a focus on getting it mainlined. The patch, which was also reviewed by other Google/ChromeOS developers, is now up to its third and perhaps final revision.

Read more of this story at Slashdot.

CVE-2018-17182 – Google Project Zero reports a new Linux Kernel flaw

Google Project Zero disclosed details of a high severity use-after-free vulnerability in the Linux kernel, tracked as CVE-2018-17182.

The vulnerability is a use-after-free tracked as CVE-2018-17182; it was discovered by Google Project Zero’s Jann Horn. The bug was introduced in August 2014 with the release of version 3.16 of the Linux kernel.

The issue could be exploited by an attacker to trigger a DoS condition or to execute arbitrary code with root privileges on the vulnerable system.

The expert reported the flaw to the Linux kernel development team on September 12, and they fixed it just two days later.

Horn also published a PoC exploit for the vulnerability. The researcher explained that exploitation of the issue is time-consuming, because the process triggering the vulnerability needs to run for long enough to overflow a reference counter.

“This blogpost describes a way to exploit a Linux kernel bug (CVE-2018-17182) that exists since kernel version 3.16.” reads the security advisory published by Project Zero.

“Fixes for the issue are in the upstream stable releases 4.18.9, 4.14.71, 4.9.128, 4.4.157 and 3.16.58.”

The researcher warns that threat actors may already be able to develop an exploit for the vulnerability. Another element of concern is that Linux distributions do not publish kernel updates very frequently, a circumstance that exposes users to attacks.

“However, Linux distributions often don’t publish distribution kernel updates very frequently. For example, Debian stable ships a kernel based on 4.9, but as of 2018-09-26, this kernel was last updated 2018-08-21. Similarly, Ubuntu 16.04 ships a kernel that was last updated 2018-08-27.” Horn explained. 

“Android only ships security updates once a month. Therefore, when a security-critical fix is available in an upstream stable kernel, it can still take weeks before the fix is actually available to users – especially if the security impact is not announced publicly.”

This exploit demonstrates the importance of a secure kernel configuration: specific settings such as the kernel.dmesg_restrict sysctl provide “a reasonable tradeoff when enabled”.
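As an added example (not code from the Security Affairs post or from the Project Zero advisory), the check below classifies a `uname -r` style release string against the fixed stable releases quoted above and flags vendor kernels, whose upstream version number says nothing about backported fixes, for confirmation against the distribution's own advisory. The regex heuristic for vendor builds and the sample release strings are constructed for illustration.

```python
"""Classify a kernel release string against the CVE-2018-17182 fix list.

Added example; FIXED_RELEASES and INTRODUCED are taken from the advisory
text quoted in the article, everything else is constructed here.
"""
import platform
import re
from typing import Tuple

# Upstream stable releases carrying the fix, as quoted from the advisory.
FIXED_RELEASES = ("4.18.9", "4.14.71", "4.9.128", "4.4.157", "3.16.58")
# The bug was introduced with kernel 3.16 (August 2014).
INTRODUCED = (3, 16, 0)

Version = Tuple[int, int, int]


def parse_release(release: str) -> Version:
    """Extract (major, minor, patch) from a `uname -r` style string such as
    '4.9.0-8-amd64' or '4.18.8'; any suffix after the numbers is ignored."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_distro_kernel(release: str) -> bool:
    """Heuristic (assumption): a Debian/Ubuntu ABI suffix ('-8-amd64',
    '-36-generic') or an RPM dist tag ('.el7', '.fc28') marks a vendor build.
    Its upstream version number does not reveal which fixes were backported,
    which is exactly the lag the advisory describes for Debian and Ubuntu."""
    return bool(re.search(r"-\d+-|\.el\d|\.fc\d", release))


def assess(release: str) -> Tuple[str, bool]:
    """Return (status, vendor_caveat).

    status is one of 'not_affected', 'fixed', 'vulnerable' or
    'unmaintained_branch'. vendor_caveat is True when the verdict must be
    confirmed against the distribution's advisory instead of trusting the
    version string."""
    v = parse_release(release)
    if v < INTRODUCED:
        return "not_affected", False
    fixed = [parse_release(f) for f in FIXED_RELEASES]
    same_branch = [f for f in fixed if f[:2] == v[:2]]
    if same_branch:
        status = "fixed" if v >= same_branch[0] else "vulnerable"
    elif v > max(fixed):
        # Mainline newer than every listed stable branch (4.19+) has the fix.
        status = "fixed"
    else:
        # A branch the advisory does not list (e.g. 4.17 or 4.15) was
        # end-of-life upstream and never received the stable fix.
        status = "unmaintained_branch"
    caveat = is_distro_kernel(release) and status != "fixed"
    return status, caveat


def main() -> None:
    # Constructed sample release strings covering each verdict.
    samples = ["4.18.8", "4.18.9", "4.9.0-8-amd64", "4.15.0-36-generic",
               "3.10.0-862.el7.x86_64", "4.19.0"]
    for r in samples:
        print(f"{r:24} -> {assess(r)}")
    # Also classify the kernel this script runs on (Linux only).
    if platform.system() == "Linux":
        running = platform.release()
        print(f"{running:24} -> {assess(running)}")


if __name__ == "__main__":
    main()
```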

Pierluigi Paganini

(Security Affairs – CVE-2018-17182, Linux)

The post CVE-2018-17182 – Google Project Zero reports a new Linux Kernel flaw appeared first on Security Affairs.

Google Hacker Discloses New Linux Kernel Vulnerability and PoC Exploit

A cybersecurity researcher with Google Project Zero has released the details and a proof-of-concept (PoC) exploit for a high severity vulnerability that exists in the Linux kernel from version 3.16 through 4.18.8. Discovered by white hat hacker Jann Horn, the kernel vulnerability (CVE-2018-17182) is a cache invalidation bug in the Linux memory management subsystem that leads to

Are communications service providers confident in open source networking solutions?

The Linux Foundation announced the results of an industry survey to gauge industry perceptions of open source across networking technologies. Top takeaways from the survey indicate an increasing maturity of open source technology use from operators, ongoing innovation in areas such as DevOps and CI/CD, and a glimpse into emerging technologies in areas such as cloud native and more. Conducted by Heavy Reading, the multi-client survey spanning six segments across networking technologies – DevOps, automation, … More

The post Are communications service providers confident in open source networking solutions? appeared first on Help Net Security.

Linux Now Dominates Azure

An anonymous reader shares a report: Three years ago, Mark Russinovich, CTO of Azure, Microsoft's cloud program, said, "One in four [Azure] instances are Linux." Then, in 2017, it was 40 percent Azure virtual machines (VM) were Linux. Today, Scott Guthrie, Microsoft's executive vice president of the cloud and enterprise group, said in an interview, "Slightly over half of Azure VMs are Linux. That's right. Microsoft's prize cloud, Linux, not Windows Server, is now the most popular operating system. Windows Server isn't going to be making a come back. Every month, Linux goes up," Guthrie said. And it's not just Azure users who are turning to Linux. "Native Azure services are often running on Linux," Guthrie added. "Microsoft is building more of these services. For example, Azure's Software Defined Network (SDN) is based on Linux." It's not just on Azure that Microsoft is embracing Linux. "Look at our simultaneous release of SQL Server on Linux. All of our projects now run on Linux," Guthrie said.

Read more of this story at Slashdot.

Linus Torvalds On Linux’s Code of Conduct

Linus Torvalds oversees every line of code added to the Linux kernel, but in recent years the male-dominated community has become increasingly divided, reports BBC. Rows about sexism and rudeness led to the creation of a Code of Conflict (CoC) in 2015 which was short -- simply recommending people "be excellent to each other." That has now been replaced by a more detailed Code of Conduct -- which retains the acronym, but attempts to be more inclusive and eliminate insulting and derogatory comments and behaviour. Reader sinij writes: Recently Linux Community adopted a new controversial Code of Conduct authored by Contributor Covenant also known for authoring the Post-Meritocracy Manifesto. In an exclusive email interview with the BBC, Mr Torvalds shared his thoughts on his decision to temporarily step aside, the controversy behind the CoC, and the defects of the community he set up. His thoughts on CoC: The advantage of concentrating on technology is that you can have some mostly objective measures, and some basis for agreement, and you can have a very nice and healthy community around it all. I really am motivated by the technology, but the community around Linux has been a big positive too. But there are very tangible and immediate common goals in any technical project like Linux, and while there is occasionally disagreement about how to solve some particular issue, there is a very real cohesive force in that common goal of improving the project. And even when there are disagreements, people in the end often have fairly clear and objective measures of what is better. Code that is faster, simpler, or handles more cases naturally is just objectively 'better', without people really having to argue too much about it. In contrast, the arguments about behaviour never seem to end up having a common goal. Except, in some sense, the argument itself. Have you read the Twitter feeds and other things by the people who seem to care more about the non-technical side? 
I think your 'hyped stories' is about as polite as you can put it. It's a morass of nastiness. Instead of a 'common goal', you end up with horrible fighting between different 'in-groups'. It's very polarising, and both sides love egging the other side on. It's not even a 'discussion', it's just people shouting at each other. That's actually the reason I for the longest time did not want to be involved with the whole CoC discussion in the first place. That whole subject seems to very easily just devolve and become unproductive. And I found a lot of the people who pushed for a CoC and criticised me for cursing to be hypocritical and pointless. I could easily point you to various tweet storms by people who criticise my 'white cis male' behaviour, while at the same time cursing more than I ever do. So that's my excuse for dismissing a lot of the politically correct concerns for years. I felt it wasn't worth it. Anybody who uses the words 'white cis male privilege' was simply not worth my time even talking to, I felt. And I'm still not apologising for my gender or the colour of my skin, or the fact that I happen to have the common sexual orientation. What changed? Maybe it was me, but I was also made very aware of some of the behaviour of the 'other' side in the discussion. Because I may have my reservations about excessive political correctness, but honestly, I absolutely do not want to be seen as being in the same camp as the low-life scum on the internet that think it's OK to be a white nationalist Nazi, and have some truly nasty misogynistic, homophobic or transphobic behaviour. And those people were complaining about too much political correctness too, and in the process just making my public stance look bad. And don't get me wrong, please -- I'm not making excuses for some of my own rather strong language. But I do claim that it never ever was any of that kind of nastiness. 
I got upset with bad code, and people who made excuses for it, and used some pretty strong language in the process. Not good behaviour, but not the racist/etc claptrap some people spout. So in the end, my 'I really don't want to be too PC' stance simply became untenable. Partly because you definitely can find some emails from me that were simply completely unacceptable, and I need to fix that going forward. But to a large degree also because I don't want to be associated with a lot of the people who complain about excessive political correctness.

Read more of this story at Slashdot.

Mutagen Astronomy Linux Kernel vulnerability affects Red Hat, CentOS, and Debian distros

A new integer overflow vulnerability has been found in the Linux kernel. Dubbed Mutagen Astronomy, it affects Red Hat, CentOS, and Debian distributions.

Security researchers have discovered a new integer overflow vulnerability in Linux Kernel, dubbed Mutagen Astronomy, that affects Red Hat, CentOS, and Debian Distributions.

The vulnerability could be exploited by an unprivileged user to gain superuser access to the targeted system.

The flaw was discovered by researchers at security firm Qualys, who shared technical details of the Mutagen Astronomy vulnerability, including proof-of-concept (PoC) exploits.

The flaw, tracked as CVE-2018-14634, affects the kernel versions released between July 2007 and July 2017: Linux kernel versions 2.6.x, 3.10.x and 4.14.x are vulnerable to the Mutagen Astronomy flaw.

The versions of Linux kernel as shipped with Red Hat Enterprise Linux 5 are not affected by the issue.

The Mutagen Astronomy vulnerability exists in the create_elf_tables() function in the Linux kernel that is used to manage memory tables.

“We discovered an integer overflow in the Linux kernel’s create_elf_tables() function: on a 64-bit system, a local attacker can exploit this vulnerability via a SUID-root binary and obtain full root privileges.” reads the security advisory published by Qualys.

“Only kernels with commit b6a2fea39318 (“mm: variable length argument support”, from July 19, 2007) but without commit da029c11e6b1 (“exec: Limit arg stack to at most 75% of _STK_LIM”, from July 7, 2017) are exploitable. Most Linux distributions backported commit da029c11e6b1 to their long-term-supported kernels, but Red Hat Enterprise Linux and CentOS (and Debian 8, the current “oldstable” version) have not, and are therefore vulnerable and exploitable.”

Like other local privilege escalation issues, exploiting this flaw requires access to the targeted system and the execution of exploit code that triggers a buffer overflow.

Once the attacker has triggered the buffer overflow, they can execute arbitrary code on the affected machine and take it over.

“An integer overflow flaw was found in the Linux kernel’s create_elf_tables() function. An unprivileged local user with access to SUID (or otherwise privileged) binary could use this flaw to escalate their privileges on the system.” reads the security advisory published by Red Hat.

“This issue does not affect 32-bit systems as they do not have a large enough address space to exploit this flaw. Systems with less than 32GB of memory are very unlikely to be affected by this issue due to memory demands during exploitation.

This issue does not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 5. This issue affects the version of the kernel packages as shipped with Red Hat Enterprise Linux 6, 7 and Red Hat Enterprise MRG 2. Future kernel updates for Red Hat Enterprise Linux 6, 7 and Red Hat Enterprise MRG 2 will address this issue.”


At the time of writing, Red Hat Enterprise Linux, CentOS, and Debian 8 Jessie have not yet addressed the flaw.

Below is the timeline for the flaw:

  • 2018-08-31: Contacted secalert@redhat.com.
  • 2018-09-18: Contacted linux-distros@vs.openwall.org and security@kernel.org.
  • 2018-09-25: Coordinated Release Date (Time: 5:00 PM UTC).

Pierluigi Paganini

(Security Affairs – Linux, hacking)

The post Mutagen Astronomy Linux Kernel vulnerability affects Red Hat, CentOS, and Debian distros appeared first on Security Affairs.

French cybersecurity agency open sources security hardened CLIP OS

After developing it internally for over 10 years, the National Cybersecurity Agency of France (ANSSI) has decided to open source CLIP OS, a Linux-based operating system developed “to meet the specific needs of the [French] administration,” and is asking outside coders to contribute to its development. About CLIP OS “The CLIP OS project is led and maintained by developers from the ANSSI but most of the source code resulting in the final CLIP OS system … More

The post French cybersecurity agency open sources security hardened CLIP OS appeared first on Help Net Security.

The New Yorker on Linus Torvalds

Linus Torvalds announced on Sunday that he was sorry for how he treated the community over the years. Torvalds, 48, said he planned to make some changes to how he conducted himself, and on that part, he said he would be taking some time off from Linux kernel development work. The New Yorker has published a story on Torvalds today in which it notes that it reached out to Torvalds days before he made the big announcement. From the story, which may be paywalled for some readers: Torvalds's decision to step aside came after The New Yorker asked him a series of questions about his conduct for a story on complaints about his abusive behavior discouraging women from working as Linux-kernel programmers. In a response to The New Yorker, Torvalds said, "I am very proud of the Linux code that I invented and the impact it has had on the world. I am not, however, always proud of my inability to communicate well with others -- this is a lifelong struggle for me. To anyone whose feelings I have hurt, I am deeply sorry." Torvalds's response was conveyed by the Linux Foundation, which supports Linux and other open-source programming projects and paid Torvalds $1.6 million in annual compensation as of 2016. The foundation said that it supported his decision and has encouraged women to participate but that it has little control over how Torvalds runs the coding process. "We are able to have varying degrees of impact on these outcomes in newer projects," the statement said. "Older more established efforts like the Linux kernel are much more challenging to influence." Linux's elite developers, who are overwhelmingly male, tend to share their leader's aggressive self-confidence. There are very few women among the most prolific contributors, though the foundation and researchers estimate that roughly ten per cent of all Linux coders are women. 
"Everyone in tech knows about it, but Linus gets a pass," Megan Squire, a computer-science professor at Elon University, told me, referring to Torvalds's abusive behavior. "He's built up this cult of personality, this cult of importance."

Read more of this story at Slashdot.

Naked Security – Sophos: Intel releases firmware update for ME flaw

It’s only September and yet 2018 is well on its way to being remembered as the year of fixing flaws we didn’t realise were possible in hardware we’d never heard of.

Linux & Windows hit with disk wiper, ransomware & cryptomining Xbash malware

By Waqas

Xbash is an “all in one” malware. Palo Alto Networks’ Unit 42 researchers have come to the conclusion that the notorious Xbash malware that has been attacking Linux and Windows servers is being operated by the Iron Group which is an infamous hacker collective previously involved in a number of cyber crimes involving the use […]

This is a post from HackRead.com Read the original post: Linux & Windows hit with disk wiper, ransomware & cryptomining Xbash malware

Linux Community To Adopt New Code of Conduct

Following Linus Torvalds' public apology for his behavior over the years, the Linux Community said it will be adopting a new "Code of Conduct", which pledges to make "participation in our project and our community a harassment-free experience for everyone, regardless of age, body size, disability, ethnicity, sex characteristics, gender identity and expression, level of experience, education, socio-economic status, nationality, personal appearance, race, religion, or sexual identity and orientation."

Read more of this story at Slashdot.

Linus Torvalds Apologizes For His Rude Behavior—Takes Time Off

What just happened will definitely surprise you. Linus Torvalds—father of the Linux open-source operating system—finally admitted that his behavior towards other developers in the Linux community was hurting people and Linux. In a surprising move this weekend, Torvalds apologized for insulting and abusing other developers for almost three decades and took a break from the open-source

Windows and Linux Are Being Targeted by Malicious Kodi Add-ons

The Kodi Open-Source Media player has been modified with a malicious script that downloads crypto mining software on Windows and

Windows and Linux Are Being Targeted by Malicious Kodi Add-ons on Latest Hacking News.

Cybersecurity as catalyst for greater adoption of agile development

Agile development increases the output of software development projects by using a faster, more iterative engineering process. This pace also allows rapid course correction, which is great for meeting customer

The post Cybersecurity as catalyst for greater adoption of agile development appeared first on The Cyber Security Place.

Rootkit Umbreon / Umreon – x86, ARM samples

Pokémon-themed Umbreon Linux Rootkit Hits x86, ARM Systems
Research: Trend Micro

There are two packages: one is the full package 'found in the wild', the other is the set of samples matching the hashes from Trend Micro (all but one file are already in the full package).
File information

Part one (full package)


part 2 (those listed in the Trend Micro article)

Howto setup a Debian 9 with Proxmox and containers using as few IPv4 and IPv6 addresses as possible

My current Linux Root-Server needs to be replaced with a newer Linux version and should also be much cheaper than the current one. So first I looked at what I don’t like about the current one:

  • It is expensive at about 70 Euros / month. The following is responsible for that
    • My own HPE hardware with 16GB RAM and a software RAID (hardware RAID would be even more expensive) – iLO (or something like it) is a must for me 🙂
    • 16 additional IPv4 addresses for the virtualized containers and servers
    • Large enough backup space to go back some days.
  • A base OS which makes it hard to run newer Linux versions in the containers (sure, old ones like CentOS 6 still get updates, but that will change)
    • It’s time to move to newer Linux versions in the containers
  • OpenVZ based containers, which are not mainstream anymore

Then I looked at what surrounding conditions had changed since I set up my current server.

  • I’ve IPv6 at home and 70% of my traffic is IPv6 (thanks to Google (especially YouTube) and Cloudflare)
  • IPv4 addresses got even more expensive for Root-Servers
  • I’m now using Cloudflare for most of the websites I host.
  • Cloudflare is reachable via IPv4 and IPv6 and can connect back to my servers with either IPv4 or IPv6
  • With unprivileged containers the need to use KVM for security lessens
  • Hosting providers now offer KVM servers for really cheap, with dedicated reserved CPUs.
  • KVM servers can host containers without a problem

This led to the decision to try the following setup:

  • A KVM-based server for less than 10 Euro / month at Netcup to try the concept
  • No additional IPv4 addresses; everything should work with only 1 IPv4 address and a /64 IPv6 subnet
  • The base OS should be Debian 9 ("Stretch")
  • For ease of configuration of the containers I will use the current Proxmox with LXC
  • Don't use my own HTTP reverse proxy, but use Cloudflare exclusively for all websites to translate from IPv4 to IPv6

After that decision was reached I searched for howtos which would allow me to just set it up without doing much research. Sadly that didn't work out. Sure, there are multiple howtos which explain how to set up Debian and Proxmox, but when you get into the nifty parts, e.g. using only minimal IP addresses, working around MAC address filters at the hosting providers (which is quite an important security function, BTW) and IPv6, they will tell you: you need more IP addresses, get a really complicated setup, or just ignore the point altogether.

As you are reading this blog post you know that I found a way, so expect complete documentation on how to set up such a server. I'll concentrate on the relevant parts to allow you to set up a similar server. Of course I also did some security hardening, like a secure SSH setup with only public keys, the right ciphers, etc., which I won't cover here.

Setting up the OS

I used the Debian 9 minimal install which Netcup provides, changed the password and the hostname, changed the language to English (to be exact, to C) and moved the SSH port to a non-standard port. The last one I did not so much for security but because of the constant scans on port 22, which flood the logs.

passwd
vim /etc/hosts
vim /etc/hostname
dpkg-reconfigure locales
vim /etc/ssh/sshd_config
/etc/init.d/ssh restart

I followed that by making sure no firewall was active and installed net-tools so I got netstat and ifconfig.

apt install net-tools

Finally I checked whether any packages needed an update.

apt update
apt upgrade

Installing Proxmox

First I checked that the IP address resolves to the correct hostname, as otherwise the install fails and you need to start from scratch.

hostname --ip-address

Adding the Proxmox Repos to the system and installing the software:

echo "deb http://download.proxmox.com/debian/pve stretch pve-no-subscription" > /etc/apt/sources.list.d/pve-install-repo.list
wget http://download.proxmox.com/debian/proxmox-ve-release-5.x.gpg -O /etc/apt/trusted.gpg.d/proxmox-ve-release-5.x.gpg
apt update && apt dist-upgrade
apt install proxmox-ve postfix open-iscsi

After that I rebooted into the Proxmox kernel and removed some packages I didn't need anymore:

apt remove os-prober linux-image-amd64 linux-image-4.9.0-3-amd64

Now I did my first login to the admin GUI at https://<hostname>:8006/ and enabled the Proxmox firewall.

Then I set the firewall rules for protecting the host (I did that at the datacenter level even though I only have one server at the moment). Ping, the web GUI and SSH are allowed.

I made sure with

iptables -L -xvn

that the firewall was running.

BTW, if you don't like the nagging window at every login telling you that you need a license, and if this is only a testing machine as mine currently is, type the following:

sed -i.bak 's/NotFound/Active/g' /usr/share/perl5/PVE/API2/Subscription.pm && systemctl restart pveproxy.service

Now we need to configure the network (vmbr0) for our virtual systems, and this is the point where my howto goes in a different direction. Normally you're told to configure vmbr0 and put the physical interface into the bridge. This bridging mode is normally the easiest, but it won't work here.

Routing instead of bridging

Normally you are told that if you use public IPv4 and IPv6 addresses in containers you should bridge them. Yes, that's true, but there is one problem. LXC containers have their own MAC addresses. So if they send traffic via the bridge to the datacenter switch, the switch sees the virtual MAC address. In an internal company network on a physical host that is normally not a problem. In a datacenter where different people rent their servers that's not good security practice. Most hosting providers will filter the MAC addresses on the switch (sometimes additional IPv4 addresses come with the right to use additional MAC addresses, but we want to save money here 🙂 ). As this server is a KVM guest OS, the filtering is most likely part of the virtual switch (for VMware ESX this is even the default).

With ebtables it is possible to configure a SNAT for the MAC addresses, but that gets really complicated really fast – trust me with networking stuff: when I say complicated, it is really complicated fast. 🙂

So, if we can't use bridging we need to use routing. Yes, the routing setup on the server is not so easy, but it is clean and easy to understand.

First we configure the physical interface in the admin GUI.

Two settings differ from normal setups. The provider most likely gave you a /23 or /24, but I use a subnet mask of /32 (255.255.255.255), as I only want to talk to the default gateway and not to the other servers of other customers. If the switch thinks the traffic is OK, it can reroute it for me. The provider switch will defend its IP address against ARP spoofing, I'm quite sure, as otherwise an incorrect configuration by one customer would break the network for all customers – the provider will make that mistake only once. For IPv6 we do basically the same with /128, but in this case we also want to reuse the /64 subnet on our second interface.

As I don't have additional IPv4 addresses, I'll use a local subnet to provide IPv4 access to the containers (via NAT); the IPv6 address gets configured a second time with the /64 subnet mask. This setup allows us to route with only one /64 – we're cheap, no extra money needed.

Now we reboot the server so that the /etc/network/interfaces config gets written. We need to add some additional settings there, so it looks like this:

The first command in the red frame is needed to make sure that traffic from the containers passes the second rule; it is some kind of LXC specialty. The second command is just a simple SNAT to your public IPv4 address. The last two make sure that the iptables rules get deleted if you stop the network.

Now we need to make sure that the container traffic gets routed, so we put the following lines into /etc/sysctl.conf:

And we should also enable the following lines:

Now we're almost done. One point remains. The switch/router which is our default gateway needs to be able to send packets to our containers. For this it does for IPv6 something similar to an ARP request. It is called neighbor discovery, and as the network of the containers is routed we need to answer the requests on the host system.

Neighbor Discovery Protocol (NDP) Proxy

We could now do this by using proxy_ndp, the IPv6 variant of proxy_arp. First enable proxy_ndp by running:

sysctl -w net.ipv6.conf.all.proxy_ndp=1

You can enable this permanently by adding the following line to /etc/sysctl.conf:

net.ipv6.conf.all.proxy_ndp = 1

Then run:

ip -6 neigh add proxy 2a03:5000:3d:1ee::100 dev ens3

This tells the host Linux system to generate Neighbor Advertisement messages in response to Neighbor Solicitation messages for 2a03:5000:3d:1ee::100 (e.g. our container with ID 100) that enter through ens3.

While proxy_arp can be used to proxy a whole subnet, this appears not to be the case with proxy_ndp. To protect the memory of upstream routers, you can only proxy defined addresses. That's not a simple solution if we need to add an entry for every container. But we're saved from that, as Debian 9 ships with a daemon that can proxy a whole subnet, ndppd. Let's install and configure it:

apt install ndppd
cp /usr/share/doc/ndppd/ndppd.conf-dist /etc/ndppd.conf

and write a config like this:

route-ttl 30000
proxy ens3 {
    router no
    timeout 500
    ttl 30000
    rule 2a03:5000:3d:1ee::/64 {
        auto
    }
}

Now enable it by default and start it:

update-rc.d ndppd defaults
/etc/init.d/ndppd start
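
To make the difference between the kernel's per-address proxy table and ndppd's "auto" rule concrete, here is a small model of both decisions. It is an added example, not code from this post or from the ndppd project; the routing table, the container IDs and the assumption that the container with VMID N gets the address prefix::N (as in the ::100 example above) are all constructed here.

```python
from ipaddress import IPv6Address, IPv6Network

# Constructed sample topology, modelled on the post: the upstream gateway
# is reached through ens3, the containers' /64 hangs off vmbr0.
PROXY_IFACE = "ens3"
PROXIED_PREFIX = IPv6Network("2a03:5000:3d:1ee::/64")
SAMPLE_ROUTES = [
    (IPv6Network("2a03:5000:3d:1ee::/64"), "vmbr0"),  # connected route to the containers
    (IPv6Network("::/0"), "ens3"),                     # default route upstream
]


def container_address(vmid, prefix=PROXIED_PREFIX):
    """Assumption taken from the post's example: VMID 100 lives at <prefix>::100,
    i.e. the decimal digits of the VMID are used as the hex host part."""
    return IPv6Address(int(prefix.network_address) + int(str(vmid), 16))


def route_interface(target, routes):
    """Longest-prefix match over a (network, interface) list, as the kernel
    forwarding lookup does. Returns None when the target is unroutable."""
    target = IPv6Address(target)
    best = None
    for net, dev in routes:
        if target in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None


def kernel_proxy_answers(target, proxy_table):
    """Kernel proxy_ndp: a Neighbor Advertisement is sent only for targets
    that were added explicitly with `ip -6 neigh add proxy <addr> dev ens3`."""
    return IPv6Address(target) in {IPv6Address(a) for a in proxy_table}


def ndppd_auto_answers(target, routes, prefix=PROXIED_PREFIX, proxy_iface=PROXY_IFACE):
    """ndppd 'auto' rule: answer for any target inside the proxied prefix that
    the routing table sends out of an interface other than the one the
    solicitation arrived on. A prefix that is on-link on the proxy interface
    itself (the bridged case) is therefore never proxied."""
    target = IPv6Address(target)
    if target not in prefix:
        return False
    dev = route_interface(target, routes)
    return dev is not None and dev != proxy_iface


def manual_proxy_commands(vmids, prefix=PROXIED_PREFIX, dev=PROXY_IFACE):
    """The per-container commands you would have to run without ndppd."""
    return [f"ip -6 neigh add proxy {container_address(v, prefix)} dev {dev}" for v in vmids]


if __name__ == "__main__":
    table = {container_address(100), container_address(101)}
    newcomer = container_address(102)  # container created after the table was filled
    print("kernel proxy_ndp answers for ::102:", kernel_proxy_answers(newcomer, table))
    print("ndppd auto answers for ::102:", ndppd_auto_answers(newcomer, SAMPLE_ROUTES))
    print("\n".join(manual_proxy_commands([100, 101, 102])))
```

The point the model makes: with the kernel table a freshly created container stays unreachable from the provider gateway until someone adds its entry, whereas the "auto" rule follows the routing table, so the connected /64 on vmbr0 is enough for every container, while targets outside the prefix, or a prefix that is on-link on ens3 itself, are never answered for.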

Now it is time to reboot the system and create your first container.

Container setup

The container setup is easy, you just need to use the Proxmox host as the default gateway.

As you see the setup is quite cool and it allows you to create containers without thinking about it. A similar setup is also possible with IPv4 addresses. As I don't need it, I'll just describe it briefly here.

Short info on doing the same for an additional IPv4 subnet

The following needs to be added to /etc/network/interfaces:

iface ens3 inet static
    pointopoint 186.143.121.1

iface vmbr0 inet static
    address 186.143.121.230 # Our host will be the gateway for all containers
    netmask 255.255.255.255
    # Add all single IPs from your /29 subnet (the dev must be the bridge configured above)
    up route add -host 186.143.34.56 dev vmbr0
    up route add -host 186.143.34.57 dev vmbr0
    up route add -host 186.143.34.58 dev vmbr0
    up route add -host 186.143.34.59 dev vmbr0
    up route add -host 186.143.34.60 dev vmbr0
    up route add -host 186.143.34.61 dev vmbr0
    up route add -host 186.143.34.62 dev vmbr0
    up route add -host 186.143.34.63 dev vmbr0
    .......

We're reusing the ens3 IP address. Normally we would add our additional IPv4 network, e.g. a /29. The problem with this straightforward setup would be that we would lose 2 IP addresses (network and broadcast). Also the pointopoint directive is important: it tells our host to send all requests to the datacenter IPv4 gateway – even if we want to talk to our neighbours later.

Then for the container setup you just need to replace the IPv4 config with the following:

auto eth0
iface eth0 inet static
    address 186.143.34.56 # Any IP of our /29 subnet
    netmask 255.255.255.255
    gateway 186.143.121.13 # Our host machine will do the job!
    pointopoint 186.143.121.1
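
As an added illustration of the /32 point-to-point routing described under "Routing instead of bridging" and of the /29 addition above (my own code, not the post's), the following script generates the host routes and the container stanza from a subnet and refuses any container address that does not lie inside the delegated block. It assumes the bridge is named vmbr0 and the physical interface ens3, and it uses the host's vmbr0 address as both gateway and point-to-point peer for the container (the post uses the provider gateway as the container's pointopoint); the address values are the post's example values.

```python
from ipaddress import IPv4Address, IPv4Network

BRIDGE = "vmbr0"     # assumption: the Proxmox bridge name used in the post
PHYS_IFACE = "ens3"  # assumption: the host's physical interface


def host_routes(subnet, bridge=BRIDGE):
    """One /32 host route per address of the extra subnet. Because every
    address is routed on its own, the first and last address of the /29 are
    usable too: 8 routes, not the 6 hosts a bridged /29 would give."""
    return [f"up route add -host {addr} dev {bridge}" for addr in IPv4Network(subnet)]


def bridged_usable_count(subnet):
    """What a conventional bridged setup would leave after losing the
    network and broadcast addresses (for comparison with host_routes)."""
    return len(list(IPv4Network(subnet).hosts()))


def is_delegated(container_ip, subnet):
    """True only if the address belongs to the block the provider routed
    to us; anything else would be filtered upstream or belongs to a
    neighbouring customer."""
    return IPv4Address(container_ip) in IPv4Network(subnet)


def host_interfaces_stanza(host_ip, provider_gw, subnet, bridge=BRIDGE, phys=PHYS_IFACE):
    """The /etc/network/interfaces fragment for the host: the physical
    interface stays point-to-point with the provider gateway, the bridge
    carries the host address as /32 plus one host route per container."""
    lines = [
        f"iface {phys} inet static",
        f"    pointopoint {provider_gw}",
        "",
        "# the host is the gateway for all containers",
        f"iface {bridge} inet static",
        f"    address {host_ip}",
        "    netmask 255.255.255.255",
    ]
    lines += [f"    {route}" for route in host_routes(subnet, bridge)]
    return "\n".join(lines)


def container_interfaces_stanza(container_ip, host_ip, subnet):
    """The container side: its /32 on eth0, with the host as default gateway
    and point-to-point peer. Rejects addresses outside the delegated block."""
    if not is_delegated(container_ip, subnet):
        raise ValueError(f"{container_ip} is not inside the delegated subnet {subnet}")
    return "\n".join([
        "auto eth0",
        "iface eth0 inet static",
        f"    address {container_ip}",
        "    netmask 255.255.255.255",
        f"    gateway {host_ip}",
        f"    pointopoint {host_ip}",
    ])


if __name__ == "__main__":
    # Values from the post's example: a /29 delegated to the host.
    SUBNET, HOST_IP, PROVIDER_GW = "186.143.34.56/29", "186.143.121.230", "186.143.121.1"
    print(host_interfaces_stanza(HOST_IP, PROVIDER_GW, SUBNET))
    print()
    print(container_interfaces_stanza("186.143.34.63", HOST_IP, SUBNET))
```

Note that 186.143.34.63 is the broadcast address of the /29 and would be unusable on a bridge; with a host route it is just another container address, which is exactly the saving the post describes.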

Hope that saved you some time setting up your own system!

Linux.Agent malware sample – data stealer



Research: SentinelOne, Tim Strazzere, "Hiding in plain sight?"
Sample credit: Tim Strazzere

List of files

SHA256
9f7ead4a7e9412225be540c30e04bf98dbd69f62b8910877f0f33057ca153b65  malware
d507119f6684c2d978129542f632346774fa2e96cf76fa77f377d130463e9c2c  malware
fddb36800fbd0a9c9bfffb22ce7eacbccecd1c26b0d3fb3560da5e9ed97ec14c  script.decompiled-pretty
ec5d4f90c91273b3794814be6b6257523d5300c28a492093e4fa1743291858dc  script.decompiled-raw
4d46893167464852455fce9829d4f9fcf3cce171c6f1a9c70ee133f225444d37  script.dumped

MD5
a3dad000efa7d14c236c8018ad110144  malware
fcbfb234b912c84e052a4a393c516c78  malware
aab8ea012eafddabcdeee115ecc0e9b5  script.decompiled-pretty
ae0ea319de60dae6d3e0e58265e0cfcc  script.decompiled-raw
b30df2e63bd4f35a32f9ea9b23a6f9e7  script.dumped

Download

Download. Email me if you need the password


Which operating system is the most secure? Four points to remember.

No, you are almost certainly wrong if you tried to guess. A recent study shows that products from Apple are actually at the top when counting vulnerabilities, and that means at the bottom security-wise. Just counting vulnerabilities is not a very scientific way to measure security, and there is a debate over how to interpret the figures. But it is a welcome eye-opener anyway that helps kill old myths.

Apple for a long time stubbornly denied security problems, and their marketing succeeded in building an image of security. Meanwhile Windows was the biggest and most malware-targeted system. Microsoft rolled up its sleeves and fought at the front line against viruses and vulnerabilities. Their reputation suffered, but Microsoft gradually improved in security and built an efficient process for patching security holes. Microsoft had what is most important in security, the right attitude. Apple didn't, and the recent vulnerability study shows the result.

Here are four points for people who want to select a secure operating system.

  • Forget reputation when thinking about security. Windows used to be bad and nobody really cared to attack Apple's computers before they became popular. The old belief that Windows is unsafe and Apple is safe is just a myth nowadays.
  • There is malware on almost all commonly used platforms. Windows Phone is the only exception with practically zero risk. Windows and Android are the most common systems and malware authors target them most. So the need for an anti-malware product is naturally bigger on these systems. But the so-called antivirus products of today are actually broad security suites. They protect against spam and harmful web sites too, just to mention some examples. So chances are that you want a security product anyway, even if your system isn't one of the main malware targets.
  • So which system is most secure? It's the one that is patched regularly. All the major systems, Windows, OS X and Linux, have sufficient security for a normal private user. But they will all become unsafe if security updates are neglected. So security is not really a selection criterion for ordinary people.
  • Mobile devices, phones and tablets, generally have a more modern system architecture and a safer software distribution process. Do you have to use a desktop or laptop, or can you switch to a tablet? Dumping the big old-school devices is a way to improve security. Could it work for you?

So all this really boils down to the fact that you can select any operating system you like and still be reasonably safe. There are some differences though, but they are more about old-school versus new-school devices, not about Apple versus Microsoft versus Linux. Also remember that your own behavior affects security more than your choice of device, and that you are never 100% safe no matter what you do.

Safe surfing,
Micke

Added February 27th. Yes, this controversial study has indeed stirred a heated debate, which isn't surprising at all. Here's an article defending Apple. It has flaws and represents a very limited view on security, but one of its important points still stands. If someone still thinks Apple is immortal and invincible, it's time to wake up. And naturally this whole debate is totally meaningless for ordinary users. Just keep patching what you have and you will be fine. 🙂 Thanks to Jussi (and others) for feedback.