Tony0945 (Watchman)
Joined: 25 Jul 2006 Posts: 5127 Location: Illinois, USA
Posted: Sun Mar 26, 2017 1:33 am
Hu wrote:
> I could split out the philosophical posts, but some parts of the thread have posts that weave between philosophy and the original topic, so splitting could make the conversation harder to follow. If the philosophy debaters want to continue, I'll try to carve up the thread and leave appropriate cross-links. Otherwise, I'll leave the posts all in one thread.

Thank you, Hu. The discussion is interesting but getting away from the OP's problems.
jonathan183 (Guru)
Joined: 13 Dec 2011 Posts: 318
Posted: Sun Mar 26, 2017 2:18 am
Hu wrote:
> I could split out the philosophical posts, but some parts of the thread have posts that weave between philosophy and the original topic, so splitting could make the conversation harder to follow. If the philosophy debaters want to continue, I'll try to carve up the thread and leave appropriate cross-links. Otherwise, I'll leave the posts all in one thread.

For me:
1. Establishing the method of system compromise is interesting and of use to the community more generally, as is escape from a VM.
2. Use of root, and why that is a bad idea for things like surfing the net, may be of use; what mitigation software should provide, and whether it should, is probably a separate topic.
3. Forensic investigation may be of use but is probably already better covered elsewhere; a simple "don't trust anything on the system" certainly applies in this case.
4. Recovery is again probably already covered elsewhere; a fresh install is the only way to be sure.
I am particularly interested in 1 above, so 3 is also relevant to help establish how. I think the OP is already aware of 2 and appreciates 4, even though they may be painful.
eccerr0r (Watchman)
Joined: 01 Jul 2004 Posts: 9679 Location: almost Mile High in the USA
Posted: Sun Mar 26, 2017 4:24 am
I'm only claiming that I have my doubts that root-run Firefox is the entry method, and I don't want the OP to give up, assuming this is the root cause because some people think "it's a bad idea, so it must be the entry method." This is the whole reason why this philosophical problem exists.
Things we now understand:
1. Rotating backups are good, and a reinstall is the only way to safely get rid of contamination.
2. Running Firefox / Adobe Flash as root is a very bad idea
2a. ...but is NOT a guarantee of getting infected by malware.
3. Likely this is a privilege escalation (or "VM" escape) of some sort versus explicitly running a trojan horse.
4. Crowdsourcing forensic investigation is hard.
5. We still have no definitive entry method.
_________________
Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD
What am I supposed watching?
eohrnberger (Apprentice)
Joined: 09 Dec 2004 Posts: 240
Posted: Thu Mar 30, 2017 1:15 am
Just reporting in.
So far so good. Systems seem to be functioning as expected. MRTG is not noticing any spikes in outgoing traffic. All looks normal.
radg (n00b)
Joined: 14 Aug 2004 Posts: 33 Location: Edinburgh, UK
Posted: Fri Mar 31, 2017 1:45 pm
It's possible the malware is based on this proof of concept, as there is a similar /etc/motd message:
https://github.com/jdsecurity/CryptoTrooper
In which case, there are decryption tools provided.
destroyedlolo (l33t)
Joined: 17 Jun 2011 Posts: 846 Location: Close to Annecy (France)
Posted: Mon May 29, 2017 3:27 pm
Hello,
In order to detect intrusion, and specifically system changes, do you think using inotifywatch to monitor the system's critical parts is a good idea?
Laurent
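inotify reports a change at the moment it happens, but it says nothing about what the file looked like before, and it is useless for the situation earlier in this thread, where the question is "what did the intruder change on a box I already distrust". The complementary check is a stored baseline of the critical tree that is diffed against the live system. The following is an added example written for this page, not code from the thread or from any of the posters; the directory list in CRITICAL_PATHS and the simulated tampering in demo() are my own choices. It assumes the baseline is kept somewhere the host cannot rewrite (removable media, another machine) and that the checker runs from a trusted copy, since anything with root on the box can alter both the files and the tool that inspects them.

```python
"""Baseline-and-diff integrity check for critical system directories.

Added example (not from the forum thread).  Assumptions: the baseline
manifest is written somewhere the possibly-compromised host cannot rewrite
and the checker itself runs from a trusted copy; a root-level intruder can
otherwise alter both the files and this tool.
"""
import hashlib
import json
import os
import stat
import tempfile

# Directories a root-level intruder typically touches: binaries, libraries,
# service configuration, startup scripts.  Chosen for this example; adjust
# for the host in question.
CRITICAL_PATHS = ["/etc", "/bin", "/sbin", "/usr/bin", "/usr/sbin",
                  "/lib", "/lib64", "/usr/lib", "/boot"]


def file_record(path):
    """Describe one filesystem entry without following symlinks.

    mtime is deliberately left out: it is trivially forged with touch(1).
    Content hash, link target, mode and ownership are what an attacker
    would have to reproduce exactly.
    """
    st = os.lstat(path)
    rec = {"mode": st.st_mode, "uid": st.st_uid, "gid": st.st_gid}
    if stat.S_ISLNK(st.st_mode):
        rec["target"] = os.readlink(path)
    elif stat.S_ISREG(st.st_mode):
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 16), b""):
                h.update(chunk)
        rec["sha256"] = h.hexdigest()
        rec["size"] = st.st_size
    return rec


def build_manifest(roots):
    """Walk each root and record every entry (directories, files, symlinks)."""
    manifest = {}
    for root in roots:
        if not os.path.lexists(root):
            continue
        manifest[root] = file_record(root)
        for dirpath, dirnames, filenames in os.walk(root):
            for name in dirnames + filenames:
                p = os.path.join(dirpath, name)
                try:
                    manifest[p] = file_record(p)
                except OSError as e:
                    manifest[p] = {"error": e.strerror}
    return manifest


def diff_manifests(old, new):
    """Classify entries as added, removed or changed between two manifests."""
    old_keys, new_keys = set(old), set(new)
    return {
        "added": sorted(new_keys - old_keys),
        "removed": sorted(old_keys - new_keys),
        "changed": sorted(p for p in old_keys & new_keys if old[p] != new[p]),
    }


def save_manifest(manifest, path):
    with open(path, "w") as f:
        json.dump(manifest, f, sort_keys=True)


def load_manifest(path):
    with open(path) as f:
        return json.load(f)


def demo():
    """Run on a constructed tree (a fake /etc), then simulate an intruder
    adding a cron job, rewriting motd, deleting a file and retargeting a
    symlink.  Returns the diff with the temporary prefix stripped."""
    with tempfile.TemporaryDirectory() as tmp:
        etc = os.path.join(tmp, "etc")
        os.makedirs(os.path.join(etc, "cron.d"))
        with open(os.path.join(etc, "crontab"), "w") as f:
            f.write("0 3 * * * root /usr/bin/logrotate\n")
        with open(os.path.join(etc, "motd"), "w") as f:
            f.write("Welcome\n")
        os.symlink("sudoers.real", os.path.join(etc, "sudoers"))

        baseline_file = os.path.join(tmp, "baseline.json")
        save_manifest(build_manifest([etc]), baseline_file)

        # Constructed tampering, all inside the temporary tree.
        with open(os.path.join(etc, "cron.d", "update"), "w") as f:
            f.write("* * * * * root /tmp/.x\n")                    # new file
        with open(os.path.join(etc, "motd"), "w") as f:
            f.write("YOUR FILES ARE ENCRYPTED\n")                   # content change
        os.remove(os.path.join(etc, "crontab"))                     # deletion
        os.remove(os.path.join(etc, "sudoers"))
        os.symlink("/tmp/sudoers.evil", os.path.join(etc, "sudoers"))  # retargeted link

        report = diff_manifests(load_manifest(baseline_file), build_manifest([etc]))
        return {k: [p[len(tmp):] for p in v] for k, v in report.items()}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Real usage is `save_manifest(build_manifest(CRITICAL_PATHS), "/mnt/usb/baseline.json")` right after a clean install, and `diff_manifests(load_manifest(...), build_manifest(CRITICAL_PATHS))` from a live CD later; an inotify watch on the same directories (inotifywait -m -r -e create,modify,attrib,move,delete) fills the gap between runs, provided its log goes off-box too.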
Maitreya (Guru)
Joined: 11 Jan 2006 Posts: 441
Posted: Sat Oct 21, 2017 4:37 pm
This post made it to HN...
bunder (Bodhisattva)
Joined: 10 Apr 2004 Posts: 5934
Posted: Sat Oct 21, 2017 11:44 pm
It was there 7 months ago too.