Gentoo Forums
Oh oh - seems my Gentoo's been ransomwared!! Oh No!
Tony0945 (Watchman; joined 25 Jul 2006; 5127 posts; Illinois, USA)
Posted: Sun Mar 26, 2017 1:33 am

Hu wrote:
I could split out the philosophical posts, but some parts of the thread have posts that weave between philosophy and the original topic, so splitting could make the conversation harder to follow. If the philosophy debaters want to continue, I'll try to carve up the thread and leave appropriate cross-links. Otherwise, I'll leave the posts all in one thread.
Thank you, Hu. The discussion is interesting but getting away from the OP's problems.
jonathan183 (Guru; joined 13 Dec 2011; 318 posts)
Posted: Sun Mar 26, 2017 2:18 am

Hu wrote:
I could split out the philosophical posts, but some parts of the thread have posts that weave between philosophy and the original topic, so splitting could make the conversation harder to follow. If the philosophy debaters want to continue, I'll try to carve up the thread and leave appropriate cross-links. Otherwise, I'll leave the posts all in one thread.

For me:
1. Establishing the method of system compromise is interesting and of use to the community more generally, as is escape from the VM.
2. Use of root: why that is a bad idea for things like surfing the net may be of use; what and whether software should provide mitigation is probably a separate topic.
3. Forensic investigation may be of use but is probably already better covered elsewhere - a simple don't trust anything on the system certainly applies in this case.
4. Recovery - again probably already covered elsewhere - a fresh install is the only way to be sure.

I am particularly interested in 1 above, so 3 is also relevant to help establish how. I think OP is already aware of 2 and appreciates 4 even though they may be painful.
eccerr0r (Watchman; joined 01 Jul 2004; 9679 posts; almost Mile High in the USA)
Posted: Sun Mar 26, 2017 4:24 am

I'm only claiming that I have my doubts that root-run firefox is the entry method, and I don't want the OP to give up assuming this is the root cause because some people think "it's a bad idea, so, it must be the entry method." This is the whole reason why this philosophical problem exists.

Things we now understand:

1. Rotating backups are good and reinstall is the only way to safely get rid of contamination.
2. Running firefox / adobe flash as root is a very bad idea
2a. ...but is NOT a guarantee to get infected by malware.
3. Likely this is a privilege escalation (or "VM" escape) of some sort versus explicitly running a trojan horse.
4. Crowdsourcing forensic investigation is hard.
5. We still have no definitive entry method.
_________________
Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD
What am I supposed watching?
eohrnberger (Apprentice; joined 09 Dec 2004; 240 posts)
Posted: Thu Mar 30, 2017 1:15 am

Just reporting in.

So far so good. Systems seem to be functioning as expected. MRTG is not noticing any spikes in outgoing traffic. All looks normal.
radg (n00b; joined 14 Aug 2004; 33 posts; Edinburgh, UK)
Posted: Fri Mar 31, 2017 1:45 pm

It's possible the malware is based on this proof of concept, as there is a similar /etc/motd message:

https://github.com/jdsecurity/CryptoTrooper

In which case, there are decryption tools provided.
destroyedlolo (l33t; joined 17 Jun 2011; 846 posts; close to Annecy, France)
Posted: Mon May 29, 2017 3:27 pm

Hello,

In order to detect intrusion, and specifically system changes, do you think using inotifywatch to monitor the system's critical parts is a good idea?

Laurent
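An inotify watcher reports changes as events while the box is running. The complementary check most people pair it with is a file-integrity baseline (the approach tools such as AIDE take): record a digest and mode for every file under the critical paths while the system is known-good, keep that manifest off the host, and diff against a fresh scan, ideally from a rescue environment, since a root-level compromise like the one in this thread can tamper with any monitor that lives on the same system. The following is an added example written for this page, not code from the poster or from any Gentoo tool; the directory layout, file contents and "tampered" changes in demo() are constructed stand-ins, and the code only walks regular files, skipping symlinks.

```python
"""Baseline file-integrity check: record SHA-256 + mode per file, then diff two scans.
Added example for this thread; the sample tree in demo() is constructed, not real."""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each regular file under root (path relative to root) to its digest and mode bits.
    Symlinks are skipped so a link pointing outside the tree cannot be hashed by mistake."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            rel = p.relative_to(root).as_posix()
            mode = oct(p.lstat().st_mode & 0o7777)
            manifest[rel] = {"sha256": sha256_file(p), "mode": mode}
    return manifest


def diff_manifests(baseline: dict, current: dict) -> dict:
    """Report files that appeared, disappeared, or whose content/mode changed since baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Constructed scenario: baseline a small fake tree, then simulate the kind of changes
    a ransomware incident leaves behind (replaced motd, altered binary, dropped file)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "sbin").mkdir()
        (root / "etc" / "motd").write_text("Welcome to Gentoo (constructed)\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "sbin" / "init").write_bytes(b"\x7fELF constructed stand-in\n")
        baseline = build_manifest(root)  # taken while the tree is known-good

        # Simulated tampering (constructed): one file rewritten, one binary changed, one added.
        (root / "etc" / "motd").write_text("CONSTRUCTED ransom note text\n")
        (root / "sbin" / "init").write_bytes(b"\x7fELF constructed stand-in, altered\n")
        (root / "etc" / "dropped.conf").write_text("constructed new file\n")
        return diff_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In practice the baseline manifest is written to removable or remote storage at install time and the comparison run is booted from trusted media, so the check itself is not one of the things the attacker could have modified; an inotify-based watcher then covers the window between scans.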
Maitreya (Guru; joined 11 Jan 2006; 441 posts)
Posted: Sat Oct 21, 2017 4:37 pm

This post made it to HN...
bunder (Bodhisattva; joined 10 Apr 2004; 5934 posts)
Posted: Sat Oct 21, 2017 11:44 pm

It was there 7 months ago too. :roll:
Page 5 of 5