and the solution is?

Story: New Linux Rootkit Emerges
Total Replies: 4

Nov 21, 2012
6:45 AM EDT
Being a clueless code dolt, I have only one question: Who has the cure?

Nov 21, 2012
7:30 AM EDT
> Who has the cure?

Only install software from trusted repositories, and check the signatures. Prefer secure rather than "user-friendly" distros for your servers.

This is just PR FUD from a wannabe "security company". It looks like someone is seeking pre-orders for their to-be-released virusware.

You would need to take heroic measures to infect your nginx proxy server: Install a specific kernel and the malware kernel module, edit the init scripts, ... Then you end up with a partially working prototype malware "infection", that may, or may not, redirect web visitors to a malware site via an embedded <iframe>.

If you have time to search out and read variations on this "story", some of the comments are quite humorous.
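Two defender-side checks for the behaviour described in this post (a kernel module that no package accounts for, and an <iframe> injected into a page served by the proxy), as an added example that is not code from the thread; the /proc/modules sample, the known-module list, the HTML and the host names are all constructed placeholders.

```shell
#!/bin/sh
# Check 1: loaded kernel modules that no installed package accounts for.
# Constructed sample in /proc/modules format (name size refcount deps state addr).
SAMPLE_PROC_MODULES='ext4 500000 1 - Live 0x0000000000000000
suspect_mod 12345 0 - Live 0x0000000000000000
e1000e 200000 0 - Live 0x0000000000000000'

# Constructed list of module names shipped by installed packages. On a real
# host this would come from the kernel package's file list (dpkg -L / rpm -ql).
KNOWN_MODULES='ext4
e1000e
xfs'

# Print every loaded module name that is absent from the known list, one per line.
unknown_modules() {
    loaded=$1; known=$2
    printf '%s\n' "$loaded" | awk '{print $1}' | while read -r name; do
        printf '%s\n' "$known" | grep -qx "$name" || printf '%s\n' "$name"
    done
}

# Check 2: <iframe> elements whose src points away from the site's own host.
# Constructed HTML: the page as the origin produced it, and as the proxy served it.
ORIGIN_HTML='<html><body><h1>Welcome</h1></body></html>'
SERVED_HTML='<html><body><h1>Welcome</h1><iframe src="http://example.invalid/x" width=1 height=1></iframe></body></html>'

# Print the src of every iframe in $1 whose host is not $2 (the allowed host).
# Prints nothing when the page carries no off-site iframe.
injected_iframes() {
    served=$1; allowed_host=$2
    printf '%s\n' "$served" | grep -o '<iframe[^>]*src="[^"]*"' \
      | sed 's/.*src="\([^"]*\)".*/\1/' \
      | grep -v "^https\{0,1\}://$allowed_host/" || true
}

# Stand-alone run over the constructed samples.
echo "Modules not owned by any package:"; unknown_modules "$SAMPLE_PROC_MODULES" "$KNOWN_MODULES"
echo "Off-site iframes in served page:"; injected_iframes "$SERVED_HTML" "example.com"
```

On a live host, replace the constructed strings with `cat /proc/modules`, the kernel package's module list, and a page fetched through the proxy and directly from the origin.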


Nov 21, 2012
11:38 AM EDT
I read both the article and the linked article and agree with Vagabondo. There also appears to be no mention of what the exact attack vector was. It appears that it's not a true rootkit, in the traditional sense of the term (the typical assumption that the program itself can gain the escalated privileges), but a Trojan with some limited rootkit properties (doesn't even hide its tracks about its network-related activity, apparently). People just need to insist on having the source available (if you are capable of understanding source code and comparing it to the binary), and/or only install from trusted sources, when you install something. In short it looks like a slap-shot attempt at setting up a watering hole infection vector for other machines. "Nothing to see here... move along,... move along..."

Nov 22, 2012
5:47 PM EDT
Well, from what it is saying, the cyber-criminal utilizes an iframe to infect the target system. Though it is unclear how it is able to actually infect a *nix system without elevated privileges.

The one thing that I can think the average user could do to protect themselves is just as vagabondo suggested with installing from a reliable source, i.e., the Distro Repo.

However another precaution would be to use the extension "NoScript" on both Firefox and Google Chrome/Chromium. In the preferences, the user is able to disable iframes amongst many other things. From there you can allow parts of the website or webpage to load and block anything that may be a potential threat.


Nov 23, 2012
10:22 AM EDT
gara3987 wrote:
> another precaution would be to use the extension "NoScript"

Boy howdy! NoScript takes care of so many evils. I run it on SeaMonkey along with disabling cookies. You'd be amazed at how many websites operate jes fine with all that crap blocked. This one, for example, which seems to have only 2 scripts blocked, yet performs jes fine.

I did check my NoScript and noticed iframes is NOT blocked by default, so if you are already running NoScript, you need to go into options, then embeddings and enable "Forbid <IFRAME>".

Thanks for the heads up, gara.
