I read that article too, and immediately checked out all the machines I control. My home machines is gentoo without systemd and it has no such process. Every gentoo/ubuntu system we have at work do have it. Best I can tell it is a legitimate process of systemd. I think either BleepingComputer got this wrong, or the actual malware hides under that process name.Moonboots wrote:Hello
I've just read this article https://www.bleepingcomputer.com/news/s ... nux-hosts/
On looking at my machine i have a user process running (sd-pam) and a quick search seemed indicate to it's a normal systemd service dealing with pam, RedHat has a page answering about it.
But now i'm not so sure. Have i been infected ?
Does anyone else have this service running or info ? Many thanks
Thank you for replying. Yes together with it's sophisticated skulduggery, choosing a known process name has kept it hidden in plain sight for so long.Gene Poole wrote: I read that article too, and immediately checked out all the machines I control. My home machines is gentoo without systemd and it has no such process. Every gentoo/ubuntu system we have at work do have it. Best I can tell it is a legitimate process of systemd. I think either BleepingComputer got this wrong, or the actual malware hides under that process name.
I can find scant little about this malware as it applies to linux and think maybe they even got that wrong. I'll keep searching to see what I can find out about this.
Thanks for the ref to securelist. They seem to provide a bit more info for the linux side of this. If I read that right, the infection can only happen on a linux machine if it is accessed via ssh from an infected windows machine. It is not clear to me on how this could compromise the linux machine unless some root ssh credentials are stored on the compromised windows machine. Nonetheless, I plan to check all my debian/ubuntu machines at work (about 8 machines) for any indicators as mentioned in the article. My home gentoo machine is safe as best I can tell.Moonboots wrote:Thank you for replying. Yes together with it's sophisticated skulduggery, choosing a known process name has kept it hidden in plain sight for so long.Gene Poole wrote: I read that article too, and immediately checked out all the machines I control. My home machines is gentoo without systemd and it has no such process. Every gentoo/ubuntu system we have at work do have it. Best I can tell it is a legitimate process of systemd. I think either BleepingComputer got this wrong, or the actual malware hides under that process name.
I can find scant little about this malware as it applies to linux and think maybe they even got that wrong. I'll keep searching to see what I can find out about this.
As yet there doesn't seem to be a easy Linux checklist for confirmation of infection, but i followed the links in the articles(s) to the securelist.com site, who have a list of
indicators of compromise, which i couldn't detect on any of my machines.
Hopefully malware detectors like rkhunter/ClamAv will add this exploit to their database..
