Linux nasty kicks weak, hacked gadgets when they're already down

Several thousand Linux devices have been infected with a new Linux-based trojan, Russian security software firm Doctor Web warns. The Linux-Proxy-10 Trojan infects network devices running Linux, turning them into a platform for cybercrime that allows crooks to remain anonymous online. Black hats run freeware code called the …

  1. Gene Cash

    Can we vague that up a little?

    It seems the drweb.com link is slashdotted ElReg-ed, so can someone expand on "network devices running Linux"?

    Are these desktops? IoT? Raspberry Pis? Routers running OpenWRT?

    1. This post has been deleted by its author

    2. leexgx

      Re: Can we vague that up a little?

      It's mostly routers and CCTV devices typically (as they run Linux or a China-based copy of some sort, or another router/device that has the hole in it).

      OpenWRT is unlikely to have been compromised, or if it had, it's been patched already.

      1. asdf

        Re: Can we vague that up a little?

        >OpenWRT is unlikely to have been compromised, or if it had, it's been patched already

        Haven't seen even a non-base package updated in nearly a year at least on Barrier Breaker (last update for that sieve OpenSSL) so guessing not. There are unofficial patches for Dirty COW but since BB runs most things as root anyway privilege escalation is not a huge deal.

        1. asdf

          Re: Can we vague that up a little?

          Edit: Damn it all, another open source project has forked on me with me being the last to get the memo (PC-BSD to TrueOS only (granted that one is mostly a branding change, but having two separate websites with the explanation why buried deep sucks), CyanogenMod to LineageOS and now OpenWRT to LEDE).

          1. Anonymous Coward

            Re: Can we vague that up a little?

            I missed the memo too, so when I ran across the TrueOS branding it confused the Hell out of me. First we kill all the marketing people.

        2. Anonymous Coward

          Re: Can we vague that up a little?

          You know Barrier Breaker is old and it's now Chaos Calmer, right?

          Looks like the LEDE fork will merge too.

          I'd run some updates if I were you.

          1. asdf

            Re: Can we vague that up a little?

            >You know Barrier Breaker is old and it's now Chaos Calmer, right?

            Zombie thread, but CeroWrt is still the best low-latency build by far for the WNDR3xxx so I've been nursing backports and updates.

  2. Anonymous Coward

    Not the first time evil proxy servers have appeared on network-connected devices, as noted. Won't be the last either. BTW, intelligence agencies like this trick too.

    1. asdf

      All the more reason to at the bare minimum block all traffic to and from hosts on the emerging threats list (https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt). The list isn't all that big and with ipset it hardly requires any resources on the router. Might not stop this (too lazy to research) but usually stops the most obvious and obnoxious threats at least.
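One way to do what this comment suggests on an OpenWRT-style router, as an added example that is not code from the thread: a POSIX sh script that turns the emerging-Block-IPs.txt list into an ipset and drops matching traffic with iptables. The set name et_block, the embedded sample list and the use of busybox wget are assumptions.

```shell
#!/bin/sh
# Added example, not code from the comment thread: turn a block list in the
# emerging-Block-IPs.txt format into an "ipset restore" script and hook the
# set into iptables so traffic to or from listed hosts is dropped.
# Assumptions: ipset, iptables and busybox wget exist on the router; the set
# name "et_block" and the sample list below are constructed for this example.

SET_NAME="et_block"
LIST_URL="https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt"

# Constructed sample in the list's format: '#' comments, one IPv4 address or
# CIDR per line, possibly with stray whitespace, CRLF endings or duplicates.
SAMPLE_LIST='# Emerging Threats block list (constructed sample)
# Rev 0000
192.0.2.10
198.51.100.0/24
  203.0.113.7
not-an-address
2001:db8::1
192.0.2.10
'

# Read list text on stdin, keep only IPv4 addresses/CIDRs (ipset itself rejects
# out-of-range octets or prefixes) and emit an ipset restore script that fills
# a temporary set and swaps it in, so the live set is never briefly empty.
list_to_ipset_restore() {
    setname="$1"
    printf 'create %s hash:net family inet\n' "$setname"
    printf 'create %s_tmp hash:net family inet\n' "$setname"
    printf 'flush %s_tmp\n' "$setname"
    grep -v '^[[:space:]]*#' | tr -d ' \t\r' | grep -v '^$' \
      | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' \
      | sort -u | sed "s/^/add ${setname}_tmp /"
    printf 'swap %s_tmp %s\ndestroy %s_tmp\n' "$setname" "$setname" "$setname"
}

# Fetch the live list, load it with -exist so re-runs are idempotent, and add
# DROP rules for listed sources and destinations (iptables -C avoids duplicates).
apply_block_list() {
    wget -qO- "$LIST_URL" | list_to_ipset_restore "$SET_NAME" | ipset -exist restore
    for rule in "INPUT src" "FORWARD src" "FORWARD dst" "OUTPUT dst"; do
        set -- $rule
        iptables -C "$1" -m set --match-set "$SET_NAME" "$2" -j DROP 2>/dev/null \
          || iptables -I "$1" -m set --match-set "$SET_NAME" "$2" -j DROP
    done
}

# Dry run on the constructed sample: print the restore script, apply nothing.
printf '%s' "$SAMPLE_LIST" | list_to_ipset_restore "$SET_NAME"
```

Call `apply_block_list` from a cron job or a hotplug script to refresh the set; because the rules key on the set name, the iptables rules survive each reload unchanged.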

  3. Chris King

    "Satanic Socks"

    Has someone been rifling through my laundry basket?

    1. Chemical Bob

      Re: "Satanic Socks"

      Sorry, thought it was mine.

  4. bombastic bob

    use of default passwords

    yet another reminder to change the default passwords on intarweb-connected things.

    I haven't allowed a dictionary-based sshd attack for some time. I'd expect admin:admin pi:pi pi:raspberry and a few others to be in that list.

    and, unfortunately, you can't seem to educate people fast enough before they get cracked.

    1. asdf

      Re: use of default passwords

      >yet another reminder to change the default passwords on intarweb-connected things.

      Preaching to the choir of the tech (probably not financial) 1% on here. Meanwhile Grandma who insists on Chinese bargain basement prices is fscked without realizing it.

      1. John Smith 19

        "Meanwhile Grandma... fscked"

        That I can live with.

        But in doing so she's helping build a botnet army.

        And that potentially puts whoever's running it one step closer to you and me.

        Sooner or later, ladies and gentlemen, we are going to have to do something about Granny.

        For our own good.

    2. dbannon

      Re: use of default passwords

      " I'd expect admin:admin pi:pi pi:raspberry and a few others to be in that list."

      I always remove the "pi" account when I set up a Raspberry Pi for anything longish term. No point in even giving them that hint IMHO.

    3. marioaieie

      Re: use of default passwords

      What about routers that come with a random password and not the usual admin:admin? Is it necessary to change those as well?

  5. Anonymous Coward

    Trojan targets Trojan infected devices.

    Is there really no honour amongst thieves?

    Realistically telling those already infected that they could get infected with something else is like telling a smoker with a nasty cough they should stop as they will get lung cancer.

    1. Mark 85

      So how many infections can the average (for some value of average) "gadget" get before being overloaded with crap? I'd think that unless the new infection overwrote the old one, it wouldn't be too long before the device crashed. Which is maybe the plan by the manufacturers... device crashes, user buys new one.

    2. Anonymous Coward

      It's similar to how many Windows infections work.

      You get one nasty and it then goes off and drags a whole load more down.

      1. Anonymous Coward

        >It's similar to how many Windows infections work.

        >You get one nasty and it then goes off and drags a whole load more down.

        Or you could avoid the first nasty by not installing Windows.

  6. Anonymous Coward

    Dangers of accessing a device through a browser

    "Inside lib/login_checker.php there is a login_check() function which is used to check if the user is logged in, but it's possible to bypass this function because it simply checks if $_COOKIE['username'] and $_COOKIE['isAdmin'] exist."

    Yet again demonstrating the dangers of using a browser to access your secure storage in the cloud.

  7. Norman Nescio

    LEDE and OpenWRT may have merged

    El Reg reported that the LEDE fork was quite possibly merging back:

    http://www.theregister.co.uk/2016/12/23/openwrt_lede_merge/

    There are more details in the mailing list archives in the thread "Talks between OpenWRT and LEDE":

    https://lists.openwrt.org/pipermail/openwrt-devel/2016-December/thread.html
