Slashdot Mirror

← Back to Stories (view on slashdot.org)

New Multi-Purpose Backdoor Targets Linux Servers

Posted by samzenpus on from the protect-ya-neck dept.

An anonymous reader writes A new multi-purpose Linux Trojan that opens a backdoor on the target machine and can make it participate in DDoS attacks has been discovered and analyzed by Dr. Web researchers, who believe that the Chinese hacker group ChinaZ might be behind it. "First, Linux.BackDoor.Xnote.1 sends information about the infected system to the server. It then goes into standby mode and awaits further instructions. If the command involves carrying out some task, the backdoor creates a separate process that establishes its own connection to the server through which it gets all the necessary configuration data and sends the results of the executed task," the researchers explained.

8 of 98 comments (clear)

  1. i must click dem! by sneakyimp · · Score: 5, Funny

    Well those certainly look like reputable links by famous 'researchers' to me! As an IT guy, I'll definitely have to go click on them so that my workstation gets infected too.

    1. Re:i must click dem! by jellomizer · · Score: 4, Insightful

      If you are a Windows Administrator who happens to get dumped with the odd Linux server. Xnote may seem like a good option for a text editor. Not as scary sounding things like.
      vi/vim (Ok you got in... Now why can't I type!, or vi short for Virus Infestation)
      emacs (This sounds like a Macintosh emulator to me)
      nano (Disk Compression tool?)

      Windows Admins are use to Notepad being the default text editor. XNote may be a good pick to choose.

      With us living in a mostly Linux world, the idea that there are professionals that don't know much about Linux is hard to imagine, but they are there. And sometimes they will get dumped a Linux box to manage, even if they don't know much about it.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
  2. Researchers? by JoeIsuzu83 · · Score: 5, Informative

    The source was Dr. Web's own marketing page.

    This smells like a press release (which smells coincidentally like spam).

  3. Come on! by Anonymous Coward · · Score: 5, Interesting

    Come on!!!

    What vulnerability? What port? What gets attacked?

    Is there more than one vulnerability?

    I wonder -- I really, really wonder. Are Slashdot "editors" getting kickbacks?

    What a loaded pile of crappy advertising.

  4. Re:HAHA by jellomizer · · Score: 4, Insightful

    The sys-admin is actually a Windows Admin with a Linux box... He doesn't know better.

    The system was setup by the bosses kid nephew who is good with computers, gives everyone admin access because he doesn't know how to manage permissions.

    Lazy administrators tired of fixing permissions just gives everyone root access...

    Sure we can make fun of the people and say due to their neglect it is their own damn fault... But once it gets in, the damage is real.

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
  5. slow day on slashdot, by nimbius · · Score: 4, Informative

    "The malware will only be installed in a system if it has been launched with superuser (root) privileges"

    aaaand i've already gone back to my tea.

    any sysop worth her salt knows the rules:
    0. It will build without root or not at all.
    1. It will come from a repository or reputable source.
    2. It will check its md5 and check it twice.
    3. It will be compatible with standard secops tools like chroot, jails, cgroups, propolice, and selinux. this includes sandboxing.
    4. Isolate, quarantine, and deploy the secops team. any compromised machine, any network, any server without question.
    5. Slap about with a large bit of herring or trout the dev or luser in accordance with LART policies.

    --
    Good people go to bed earlier.
  6. Re:Attack vector Port is SSH (22), passwd guessing by Anonymous Coward · · Score: 5, Informative

    The linked article mistranslates the original russian.

    The vector is SSH, brute force attempts to guest the root password. The net-security article mistranslates to SSL.

  7. Remember when /. was a serious technology mag .. by lippydude · · Score: 5, Insightful

    "A new multi-purpose Linux Trojan that opens a backdoor on the target machine and can make it participate in DDoS attacks has been discovered and analyzed by Dr. Web researchers.

    How does the 'Trojan' get onto the target machines?

    "To spread the new Linux backdoor, dubbed Linux.BackDoor.Xnote.1, criminals mount a brute force attack to establish an SSL connection with a target machine .. The malware will only be installed in a system if it has been launched with superuser (root) privileges".

    For fucks-sake slashdot, remember when this was a serious technology mag, instead of providing free adverts to some AV company.