Moonboots Apprentice
Joined: 02 Dec 2006 Posts: 161
Gene Poole n00b
Joined: 06 Jul 2011 Posts: 6
Posted: Fri Oct 27, 2023 6:43 pm Post subject: Re: sd-pam malware |
I read that article too, and immediately checked out all the machines I control. My home machine is Gentoo without systemd and it has no such process. Every Gentoo/Ubuntu system we have at work does have it. Best I can tell it is a legitimate process of systemd. I think either BleepingComputer got this wrong, or the actual malware hides under that process name.
I can find scant little about this malware as it applies to Linux and think maybe they even got that wrong. I'll keep searching to see what I can find out about this.
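Gene Poole's point above is that a process called sd-pam is normally legitimate, so the useful check is not whether the name exists but whether a given sd-pam process was actually spawned by systemd. The script below is an added example for that check; it is not code from this thread, from BleepingComputer or from securelist. It assumes, as a fact about systemd rather than something stated in the thread, that the genuine "(sd-pam)" process is forked directly by "systemd --user" without exec'ing anything, so its parent's name is systemd and its /proc/<pid>/exe still resolves to the systemd binary at /usr/lib/systemd/systemd or /lib/systemd/systemd. The process records in SAMPLE_PROCS are constructed for illustration.

```python
#!/usr/bin/env python3
"""Flag processes named sd-pam whose ancestry does not match the way systemd
itself creates "(sd-pam)".  Added example; not from the forum thread."""
import os
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumption: the systemd binary lives at one of these two paths (merged-usr or not).
SYSTEMD_EXE = re.compile(r"^/(usr/)?lib/systemd/systemd$")


@dataclass
class Proc:
    pid: int
    ppid: int
    comm: str            # name from /proc/<pid>/stat, "(sd-pam)" for the real helper
    exe: Optional[str]   # readlink of /proc/<pid>/exe, None if it could not be read
    cmdline: str


def looks_like_sd_pam(p: Proc) -> bool:
    """The real helper shows up as "(sd-pam)"; an imposter may drop the parens."""
    return p.comm.strip("()") == "sd-pam" or p.cmdline.strip("()") == "sd-pam"


def suspicious_sd_pam(procs: List[Proc]) -> List[Tuple[int, List[str]]]:
    """Return (pid, reasons) for every sd-pam-named process that fails a check
    a genuine systemd-spawned (sd-pam) would pass."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        if not looks_like_sd_pam(p):
            continue
        reasons = []
        parent = by_pid.get(p.ppid)
        # Genuine (sd-pam) is forked directly by "systemd --user".
        if parent is None or parent.comm != "systemd":
            reasons.append("parent is not systemd")
        # It is not a separate binary: exe must still point at systemd itself.
        if p.exe is None:
            reasons.append("exe unreadable (re-run as root to confirm)")
        elif p.exe.endswith(" (deleted)"):
            reasons.append("exe deleted from disk")
        elif not SYSTEMD_EXE.match(p.exe):
            reasons.append("exe is not the systemd binary")
        if reasons:
            findings.append((p.pid, reasons))
    return findings


def collect_from_proc() -> List[Proc]:
    """Read the live process table from /proc (Linux only)."""
    procs = []
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        pid = int(name)
        try:
            with open(f"/proc/{pid}/stat") as f:
                stat = f.read()
            # comm is parenthesised and may itself contain parens: split on the last ")".
            close = stat.rindex(")")
            comm = stat[stat.index("(") + 1:close]
            ppid = int(stat[close + 2:].split()[1])   # fields after ")": state ppid ...
            with open(f"/proc/{pid}/cmdline", "rb") as f:
                cmdline = f.read().replace(b"\0", b" ").decode(errors="replace").strip()
        except (OSError, ValueError):
            continue  # process exited between listdir() and the read
        try:
            exe = os.readlink(f"/proc/{pid}/exe")
        except OSError:
            exe = None  # not our process and not root, or a kernel thread
        procs.append(Proc(pid, ppid, comm, exe, cmdline))
    return procs


# Constructed sample: pid 1201 is what a genuine sd-pam looks like; 4321 and 4322
# are hypothetical imposters that reuse the name.
SAMPLE_PROCS = [
    Proc(1, 0, "systemd", "/usr/lib/systemd/systemd", "/sbin/init"),
    Proc(1200, 1, "systemd", "/usr/lib/systemd/systemd", "/usr/lib/systemd/systemd --user"),
    Proc(1201, 1200, "(sd-pam)", "/usr/lib/systemd/systemd", "(sd-pam)"),
    Proc(4321, 1, "sd-pam", "/tmp/.x/sd-pam", "sd-pam"),
    Proc(4322, 4321, "sd-pam", "/tmp/.x/sd-pam (deleted)", "sd-pam"),
]

if __name__ == "__main__":
    for pid, reasons in suspicious_sd_pam(collect_from_proc()):
        print(f"pid {pid}: {'; '.join(reasons)}")
```

Run it as root on a systemd host, otherwise /proc/<pid>/exe of other users' processes is unreadable and every sd-pam will be reported as unconfirmed rather than clean. On a Gentoo box without systemd it simply reports nothing, which matches what Gene Poole saw.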
Moonboots Apprentice
Joined: 02 Dec 2006 Posts: 161
Posted: Sat Oct 28, 2023 8:22 am Post subject: Re: sd-pam malware |
Gene Poole wrote: | I read that article too, and immediately checked out all the machines I control. My home machine is Gentoo without systemd and it has no such process. Every Gentoo/Ubuntu system we have at work does have it. Best I can tell it is a legitimate process of systemd. I think either BleepingComputer got this wrong, or the actual malware hides under that process name.
I can find scant little about this malware as it applies to Linux and think maybe they even got that wrong. I'll keep searching to see what I can find out about this. |
Thank you for replying. Yes, together with its sophisticated skulduggery, choosing a known process name has kept it hidden in plain sight for so long.
As yet there doesn't seem to be an easy Linux checklist for confirmation of infection, but I followed the links in the article(s) to the securelist.com site, which has a list of indicators of compromise, which I couldn't detect on any of my machines.
Hopefully malware detectors like rkhunter/ClamAV will add this exploit to their database.
Gene Poole n00b
Joined: 06 Jul 2011 Posts: 6
Posted: Mon Oct 30, 2023 1:44 am Post subject: Re: sd-pam malware |
Moonboots wrote: | Gene Poole wrote: | I read that article too, and immediately checked out all the machines I control. My home machine is Gentoo without systemd and it has no such process. Every Gentoo/Ubuntu system we have at work does have it. Best I can tell it is a legitimate process of systemd. I think either BleepingComputer got this wrong, or the actual malware hides under that process name.
I can find scant little about this malware as it applies to Linux and think maybe they even got that wrong. I'll keep searching to see what I can find out about this. |
Thank you for replying. Yes, together with its sophisticated skulduggery, choosing a known process name has kept it hidden in plain sight for so long.
As yet there doesn't seem to be an easy Linux checklist for confirmation of infection, but I followed the links in the article(s) to the securelist.com site, which has a list of indicators of compromise, which I couldn't detect on any of my machines.
Hopefully malware detectors like rkhunter/ClamAV will add this exploit to their database. |
Thanks for the ref to securelist. They seem to provide a bit more info for the Linux side of this. If I read that right, the infection can only happen on a Linux machine if it is accessed via SSH from an infected Windows machine. It is not clear to me how this could compromise the Linux machine unless some root SSH credentials are stored on the compromised Windows machine. Nonetheless, I plan to check all my Debian/Ubuntu machines at work (about 8 machines) for any indicators as mentioned in the article. My home Gentoo machine is safe as best I can tell.