Gentoo Forums :: Networking & Security
sd-pam malware
Moonboots (Apprentice; Joined: 02 Dec 2006; Posts: 161)
Posted: Fri Oct 27, 2023 4:14 am    Post subject: sd-pam malware

Hello

I've just read this article: https://www.bleepingcomputer.com/news/security/stripedfly-malware-framework-infects-1-million-windows-linux-hosts/
On looking at my machine I have a user process running (sd-pam), and a quick search seemed to indicate it's a normal systemd service dealing with PAM; RedHat has a page answering about it.
But now I'm not so sure. Have I been infected? :(
Does anyone else have this service running, or any info? Many thanks
Gene Poole (n00b; Joined: 06 Jul 2011; Posts: 6)
Posted: Fri Oct 27, 2023 6:43 pm    Post subject: Re: sd-pam malware

Moonboots wrote:
Hello

I've just read this article: https://www.bleepingcomputer.com/news/security/stripedfly-malware-framework-infects-1-million-windows-linux-hosts/
On looking at my machine I have a user process running (sd-pam), and a quick search seemed to indicate it's a normal systemd service dealing with PAM; RedHat has a page answering about it.
But now I'm not so sure. Have I been infected? :(
Does anyone else have this service running, or any info? Many thanks


I read that article too, and immediately checked out all the machines I control. My home machine is Gentoo without systemd and it has no such process. Every Gentoo/Ubuntu system we have at work does have it. Best I can tell it is a legitimate process of systemd. I think either BleepingComputer got this wrong, or the actual malware hides under that process name.

I can find scant little about this malware as it applies to Linux and think maybe they even got that wrong. I'll keep searching to see what I can find out about this.
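Gene Poole's point that a legitimate process and an impostor can share a name is exactly why the name alone settles nothing either way. The shell function below is an added example, not code from this thread or from systemd: it walks /proc, finds every process whose comm is "(sd-pam)" or "sd-pam", and reports which executable it is running from and what its parent is called. The real sd-pam is a child that systemd --user forks and renames to "(sd-pam)", so its /proc/PID/exe still points at the systemd binary and its parent's comm is systemd; anything else using that name is flagged SUSPECT for manual inspection. The optional proc-root argument and the build_fake_proc helper are assumptions added only so the check can be run offline against a constructed fake tree with invented paths.

```shell
#!/bin/sh
# Added example (not from the thread or from systemd): audit every process
# named sd-pam by reading /proc. The optional first argument is the proc
# root, an assumption added only so the check can run against the
# constructed fake tree built by build_fake_proc below.

# Print one line per process whose comm is "(sd-pam)" or "sd-pam":
#   PID STATUS EXE PARENT_COMM
# STATUS is "ok" when the executable is the systemd binary and the parent
# is systemd (how the genuine sd-pam helper is created), otherwise "SUSPECT".
audit_sd_pam() {
    proc_root="${1:-/proc}"
    found=0
    for dir in "$proc_root"/[0-9]*; do
        [ -r "$dir/comm" ] || continue
        comm=$(cat "$dir/comm" 2>/dev/null)
        case "$comm" in
            "(sd-pam)"|sd-pam) ;;
            *) continue ;;
        esac
        found=1
        pid=${dir##*/}
        # Reading /proc/PID/exe of another user's process needs root.
        exe=$(readlink "$dir/exe" 2>/dev/null || echo unreadable)
        # A binary replaced by a package upgrade shows " (deleted)"; benign,
        # so strip the suffix before matching.
        exe=${exe%" (deleted)"}
        ppid=$(awk '/^PPid:/ {print $2}' "$dir/status" 2>/dev/null)
        pcomm=$(cat "$proc_root/$ppid/comm" 2>/dev/null || echo '?')
        status=SUSPECT
        case "$exe" in
            */systemd)
                if [ "$pcomm" = systemd ]; then status=ok; fi ;;
        esac
        printf '%s %s %s %s\n' "$pid" "$status" "$exe" "$pcomm"
    done
    [ "$found" -eq 1 ] || echo "no sd-pam process found"
}

# Constructed sample data: a fake proc tree under $1 with one legitimate-
# looking "(sd-pam)" child of systemd and one impostor named "sd-pam".
# Every path and PID here is invented for the demo.
build_fake_proc() {
    root="$1"
    mkdir -p "$root/1" "$root/999" "$root/1000" "$root/2000"
    printf 'init\n'       > "$root/1/comm"
    printf 'systemd\n'    > "$root/999/comm"
    printf '(sd-pam)\n'   > "$root/1000/comm"
    printf 'PPid:\t999\n' > "$root/1000/status"
    ln -sf /usr/lib/systemd/systemd "$root/1000/exe"
    printf 'sd-pam\n'     > "$root/2000/comm"
    printf 'PPid:\t1\n'   > "$root/2000/status"
    ln -sf /tmp/.hidden/sd-pam "$root/2000/exe"
}

# Usage on a live system:  audit_sd_pam
# Offline demo:  d=$(mktemp -d); build_fake_proc "$d"; audit_sd_pam "$d"; rm -rf "$d"
```

Run audit_sd_pam with no argument on a live machine, as root so every /proc/PID/exe is readable. A SUSPECT line is a prompt to look further at that PID (its cmdline, maps and open files), not proof of compromise; a process that passes the check is simply behaving the way systemd's own sd-pam helper does.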
Moonboots (Apprentice; Joined: 02 Dec 2006; Posts: 161)
Posted: Sat Oct 28, 2023 8:22 am    Post subject: Re: sd-pam malware

Gene Poole wrote:
I read that article too, and immediately checked out all the machines I control. My home machine is Gentoo without systemd and it has no such process. Every Gentoo/Ubuntu system we have at work does have it. Best I can tell it is a legitimate process of systemd. I think either BleepingComputer got this wrong, or the actual malware hides under that process name.

I can find scant little about this malware as it applies to Linux and think maybe they even got that wrong. I'll keep searching to see what I can find out about this.


Thank you for replying. Yes, together with its sophisticated skulduggery, choosing a known process name has kept it hidden in plain sight for so long.
As yet there doesn't seem to be an easy Linux checklist for confirmation of infection, but I followed the links in the article(s) to the securelist.com site, who have a list of indicators of compromise, which I couldn't detect on any of my machines.
Hopefully malware detectors like rkhunter/ClamAV will add this exploit to their database.
Gene Poole (n00b; Joined: 06 Jul 2011; Posts: 6)
Posted: Mon Oct 30, 2023 1:44 am    Post subject: Re: sd-pam malware

Moonboots wrote:
Gene Poole wrote:
I read that article too, and immediately checked out all the machines I control. My home machine is Gentoo without systemd and it has no such process. Every Gentoo/Ubuntu system we have at work does have it. Best I can tell it is a legitimate process of systemd. I think either BleepingComputer got this wrong, or the actual malware hides under that process name.

I can find scant little about this malware as it applies to Linux and think maybe they even got that wrong. I'll keep searching to see what I can find out about this.


Thank you for replying. Yes, together with its sophisticated skulduggery, choosing a known process name has kept it hidden in plain sight for so long.
As yet there doesn't seem to be an easy Linux checklist for confirmation of infection, but I followed the links in the article(s) to the securelist.com site, who have a list of indicators of compromise, which I couldn't detect on any of my machines.
Hopefully malware detectors like rkhunter/ClamAV will add this exploit to their database.


Thanks for the ref to securelist. They seem to provide a bit more info for the Linux side of this. If I read that right, the infection can only happen on a Linux machine if it is accessed via ssh from an infected Windows machine. It is not clear to me how this could compromise the Linux machine unless some root ssh credentials are stored on the compromised Windows machine. Nonetheless, I plan to check all my Debian/Ubuntu machines at work (about 8 machines) for any indicators as mentioned in the article. My home Gentoo machine is safe as best I can tell.