Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie
Hi there,
There is an issue with role permissions that is being worked on at the moment.
If you are having trouble with access or permissions on regional forums please post here to get access: https://www.boards.ie/discussion/2058365403/you-do-not-have-permission-for-that#latest

widespread attack campaign that has infected more than 25,000 Linux and UNIX servers

  • 19-03-2014 8:32pm
    #1
    Registered Users, Registered Users 2 Posts: 6,393 ✭✭✭


    Security researchers from ESET have uncovered a widespread attack campaign that has infected more than 25,000 Linux and UNIX servers around the world. The servers are being hijacked by a backdoor Trojan as part of a campaign the researchers are calling 'Operation Windigo.' Once infected, victimized systems are leveraged to steal credentials, redirected web traffic to malicious sites and send as many as 35 million spam messages a day. 'Windigo has been gathering strength, largely unnoticed by the security community, for more than two and a half years and currently has 10,000 servers under its control,' said Pierre-Marc Bureau, security intelligence program manager at ESET, in a statement.

    via slashdot, securityweek,


Comments

  • Registered Users, Registered Users 2 Posts: 37,485 ✭✭✭✭Khannie


    Run this to see if you're infected or not:
    ssh -G 2>&1 | grep -e illegal -e unknown > /dev/null && echo “System clean” || echo “System infected”
    


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    Khannie wrote: »
    Run this to see if you're infected or not:
    ssh -G 2>&1 | grep -e illegal -e unknown > /dev/null && echo “System clean” || echo “System infected”
    

    I don't know what that command is meant to do but it doesnt do anything on my system.

    Looking up the man page for ssh and searching for -G returns nothing.

    Looking at the logic of the command also doesnt make any sense. Whatever ssh -G is meant to do it then sends output to STDERR (2>&1) and the output is piped to grep which looks for the words illegal or unknown but then sends that output to /dev/null and if the command is successful it prints "system is clean" or "system infected".

    It seems to me this is a complicated looking command which does nothing and will always return "System clean".

    What happens when you execute this on your system:
    echo "This sytem is infected with an illegal and unknown malware" 2>&1 | grep -e unknown -e illegal > /dev/null && echo "System clean" || "System infected"
    


  • Registered Users, Registered Users 2 Posts: 37,485 ✭✭✭✭Khannie


    I wondered that myself so I did a little digging. It wont always return "system clean". It's checking the return value rather than the output so the redirect to dev null isn't relevant. ssh -G doesn't exist on a normal system. If it exists on yours then your system is infected.

    edit: I didn't see your edit until after I'd posted. I ran something similar to your edit during my testing and got "system infected".


  • Technology & Internet Moderators Posts: 28,830 Mod ✭✭✭✭oscarBravo


    As Khannie says, it's a check for whether "ssh -G" returns a usage message, which it should on an uninfected system. The existence of a -G option to ssh is the indicator of infection.


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    Khannie wrote: »
    I wondered that myself so I did a little digging. It wont always return "system clean". It's checking the return value rather than the output so the redirect to dev null isn't relevant. ssh -G doesn't exist on a normal system. If it exists on yours then your system is infected.

    Well don't I feel like an idiot.

    Nice explanation of the command here


  • Advertisement
  • Registered Users, Registered Users 2 Posts: 37,485 ✭✭✭✭Khannie


    syklops wrote: »
    Well don't I feel like an idiot.

    Not at all. It's nuanced.


Advertisement