From: Polytropon
To: freebsd-questions@freebsd.org
Date: Mon, 4 May 2015 00:31:22 +0200
Subject: Re: Unnoticed for years, malware turned Linux and BSD servers into spamming machines
Message-Id: <20150504003122.c8eb54ee.freebsd@edvax.de>
In-Reply-To: <20150503123824.3faeca9e@seibercom.net>

Nothing new, not even OS-specific. This is what happens when stupidity
gets access to Internet-facing computers.

On Sun, 3 May 2015 12:38:24 -0400, Jerry wrote:
> Has anyone else seen this:
> 
> Unnoticed for years, malware turned Linux and BSD servers into spamming machines
> 
> http://www.net-security.org/malware_news.php?id=3030

Because it's common practice to install "pirated copies" of software
on BSD and Linux servers. :-)

Still strange:

ESET researchers say the malware is made up of two different
components. Exploiting vulnerabilities in Joomla and Wordpress, the
first component is a generic backdoor that requests commands from its
Command and Control server. The second component is a full-featured
spammer daemon that is launched via a command received by the backdoor.
Mumblehard is also distributed via 'pirated' copies of a Linux and BSD
program known as DirectMailer, software sold on the Yellsoft website
for $240.

"Our investigation showed strong links with a software company called
Yellsoft," explained Léveillé. "Among other discoveries, we found that
IP addresses hard-coded in the malware are closely tied to those of
Yellsoft," explained Léveillé.

Source: http://www.eset.com/int/about/press/articles/malware/article/linux-and-bsd-web-servers-at-risk-of-sophisticated-mumblehard-infection-says-eset/

Further reading keywords: mumblehard, joomla, wordpress. That, in
combination with knowledge about the "noexec" mount option, should be
interesting. :-)

You can easily conclude that it requires a skilled admin to operate an
Internet-facing server system. The "out of the box experience",
combined with "I don't need to know how this works", plus "I don't
care" (today's common "Windows" mindset) will lead to problems.
Especially an open operating system like Linux or BSD provides you
with tools to do your work properly. You can examine everything. If
you refuse to do it - it's entirely your problem (or that of your
trustful customers).

Don't get me started about installing PHP bloatware... :-)

When "wget http://app.example.com/install.sh | sudo bash" and running
arbitrary binary software "stolen" somewhere from the Internet is being
performed by a "responsible" person, it's probably the best time to
fire that person.

"The trojan is often included in the installation packages of programs
downloaded from untrustworthy sources."

No big deal. In this case, it seems (if I understood the little
information presented correctly) that a cracked installer installs both
the "DirectMailer" and the backdoor (to be run in userspace). But it's
also possible that weak passwords, open FTP access or other "problems"
could lead to an infection.

And 3000 out of 300 million servers worldwide... well, I think this is
_no_ relation to spamming botnets built with "Windows".

Also see § 5.1 here:

http://www.welivesecurity.com/wp-content/uploads/2015/04/mumblehard.pdf

Don't die while laughing. :-)

-- 
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
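The "noexec" hint in the message above is about a defensive layer against exactly this kind of dropped backdoor: a binary written into a temporary or web-writable directory that is mounted with noexec (and nosuid) cannot simply be launched from where it landed. The POSIX sh script below is an added example, not code from the post, from ESET or from the FreeBSD project; it parses a constructed fstab in FreeBSD layout (device names, mountpoints and options are made up for the example) and reports which of the given mountpoints lack those two options. On a live host you would feed it the contents of /etc/fstab instead of the sample text.

```shell
#!/bin/sh
# Added example, not code from the mailing-list post: report mountpoints
# whose fstab options lack "noexec" and/or "nosuid".

# Constructed sample fstab in FreeBSD layout (devices and options are made up).
SAMPLE_FSTAB='# Device        Mountpoint      FStype  Options                 Dump    Pass#
/dev/ada0p2     /               ufs     rw                      1       1
/dev/ada0p3     /tmp            ufs     rw                      2       2
/dev/ada0p4     /var            ufs     rw,nosuid               2       2
/dev/ada0p5     /usr/local/www  ufs     rw,noexec,nosuid        2       2
proc            /proc           procfs  rw                      0       0'

# has_option OPTIONS NAME: succeed if NAME appears in the comma-separated OPTIONS.
has_option() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# report_weak_mounts FSTAB_TEXT MOUNTPOINT...
# For each listed mountpoint found in FSTAB_TEXT, print
#   "<mountpoint> missing:<comma-separated options>"
# when noexec or nosuid is absent; mountpoints carrying both print nothing.
report_weak_mounts() {
    fstab=$1
    shift
    printf '%s\n' "$fstab" | while read -r dev mnt fstype opts dump pass; do
        # skip blank lines and comment lines
        case "$dev" in ''|'#'*) continue ;; esac
        for want in "$@"; do
            [ "$mnt" = "$want" ] || continue
            missing=
            has_option "$opts" noexec || missing="${missing}noexec,"
            has_option "$opts" nosuid || missing="${missing}nosuid,"
            if [ -n "$missing" ]; then
                printf '%s missing:%s\n' "$mnt" "${missing%,}"
            fi
        done
    done
}

# Check the directories a dropped payload is most likely to land in.
# On a real host: report_weak_mounts "$(cat /etc/fstab)" /tmp /var /usr/local/www
report_weak_mounts "$SAMPLE_FSTAB" /tmp /var /usr/local/www
```

With the sample fstab the script reports /tmp as missing both options and /var as missing noexec, while /usr/local/www passes. Treat the result as one layer, not a complete answer: noexec stops a file from being executed directly, but an interpreter that is already present can still be handed a script by path, so it belongs alongside the patching and credential hygiene the post is really arguing for.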