Hackers uncork experimental Linux-targeting malware

Hackers have unleashed a new malware strain that targets Linux-based systems. The Linux/Shishiga malware uses four different protocols (SSH, Telnet, HTTP and BitTorrent) and Lua scripts for modularity, according to an analysis of the nasty by security researchers at ESET. Shishiga relies on the use of weak, default …

  1. Anonymous Coward

    This would never happen if you were using BSD

    1. Anonymous Coward

      Never on BSD ?

      Whenever cheap embedded IOT crap is driven by OS of choice, or is installed by users who don't know they are setting a popular password, OS of choice becomes botware. Yesterday Microsoft, today Linux, tomorrow who knows ? It's not the OS so much as it's the attitude and security nous of the embedder, vendor, repackager or installer.

      1. Anonymous Coward

        Re: Never on BSD ?

        This was sarcasm.

      2. cream wobbly

        Re: Never on BSD ?

        Yesterday Microsoft, today Linux, tomorrow Linux-on-Windows-as-delivered-by-Microsoft.

    2. Anonymous Coward

      SSH, Telnet, HTTP, BitTorrent, and Lua all work fine on the BSDs. So there's a decent chance this malware could work without much modification, depending on how many Linux-isms it relies on. :(

      1. Anonymous Coward

        Linuxisms ...

        Hard dependency on SystemD?

    3. Chemical Bob

      "This would never happen if you were using BSD"

      Or CP/M

    4. Mark Simon

      Did you even read the article?

      The issue isn’t with the OS. The malware is looking for weak credentials.

      1. bombastic bob Silver badge
        Devil

        Re: Did you even read the article?

        yes, but the default sshd.conf for FreeBSD disallows root logins. OK I think most Linux distros do that too, nowadays...

        also another plus for FreeBSD is that a non-wheel user cannot su to root. You have to su to a wheel-group user (GID 0) and THEN you can su to root. One more layer to frustrate system-crackers that want to pwn you.

        /me typically allows only specific cryptically named "guest level" users with very strong passwords to ssh in from "teh intarwebs" and 'fail2ban' is always on for the dictionary attackers.

        1. CrazyOldCatMan Silver badge

          Re: Did you even read the article?

          also another plus for FreeBSD is that a non-wheel user cannot su to root.

          Not necessarily true - especially if you have sudo installed..

          1. Jamie Jones Silver badge

            Re: Did you even read the article?

            That's like if someone says :

            "To use root, you need to have the correct password"

            replying:

            "That's not true - especially if you have a suid-root shell accessible from your account."

            Once you consider third party software, all bets are off!

    5. boatsman

      indeed. nobody

      is using it.

    6. This post has been deleted by its author

  2. cbars

    Anywhere near the internet:

    You should not use Telnet

    You should not use SSH credentials (use keys)

    Anywhere:

    You should be mitigating brute force (take a look at fail2ban)

    Absolutely Anything Ever:

    Change the default password!!!!!!!!!1111111Jesus

    1. Anonymous Coward
      Joke

      password!!!!!!!!!1111111Jesus

      How did you know mine? Is it in the list of passwords?

      1. Jamie Jones Silver badge

        How did you know mine? Is it in the list of passwords?

        That reminds me of a true story. Some years back, I worked for a large company, and it was decided to run password cracking tools against all 20,000 or so users accounts.

        Any user who had been compromised was sent a warning email explaining the situation, and that their accounts would be locked in X days if not remedied.

        As you can imagine, we had many email responses and call logged. The one that stands out read:

        "How do you know my password is "6inches"? - Have you, or any of your staff, ever slept with me?"

        (It turned out he had moved department and site a few years prior, and his old account was still active, using the actual guessed weak password and email forwarding.)

        1. This post has been deleted by its author

      2. 's water music Silver badge

        >>password!!!!!!!!!1111111Jesus

        How did you know mine? Is it in the list of passwords?

        Ha Ha. I'm safe then, mine's password!!!!!!!!!1111111J3bus

  3. Captain Obvious
    Joke

    Someone had to say it....

    "Eset advises that "to prevent your devices from being infected by Shishiga and similar worms, you should not use default Telnet and SSH credentials." ®

    Well no SSHit!!!!!!!

    1. Alistair Silver badge
      Holmes

      Re: Someone had to say it....

      Actually Captain, I think you wanted *THIS* icon. I don't consider that a joke.

      1. Hans 1 Silver badge
        Boffin

        Re: Someone had to say it....

        @Alistair, don't think you get the j0ke ... their advice is simply stup1d, why credentials ? Why telnet????????????????????????????

        Eset advises that to prevent your devices from being infected by Shishiga and similar worms, you should not use default Telnet and SSH credentials. ®

        Now you know that you can ignore any and all advice from Eset ...

        Hans1 advises that to prevent your devices from being infected by Shishiga and similar worms, you should use certificate authentication, implement solutions such as fail2ban, slow queues, and/or knocking harder. Don't use insecure services such as telnet, ever!

        http://bsdly.blogspot.fr/2017/04/forcing-password-gropers-through.html

        These solutions are better than fail2ban, imho, could be used in combination with fail2ban if you really wanna use that as well ...

        The main blog discusses using slow queues for miscreants, with OpenBSD examples ... then you have a comment on there from Pete for knocking harder, Linux implementation ... interesting read, I think ...

  4. Anonymous Coward

    Keys good passwords bad

    "you should not use default Telnet and SSH credentials." Lol well nooo duh. I agree with many other comments, SSH without RSA keys is unsafe. SSH should be configured to not accept connections without keys and a connection attempt limit imposed either with fail2ban or firewall rules

    1. Ian Michael Gumby Silver badge

      @AC Re: Keys good passwords bad

      The one thing you failed to mention...

      1) Disallow root to ssh.

      2) Only allow a limited set of users to ssh and make sure none of them are system accounts.

      3) Increase the fail2ban jail time by a factor of 10 or 100

      Even with fail2ban running, I see a lot of attack attempts. The next step is to start banning net blocks from countries where you know you're not going to have traffic to or from.

      1. oneguycoding

        Re: @AC Keys good passwords bad

        4) move sshd off its default port (port knocking?)

        That said, port 22 is pretty low on my list of commonly attacked ports (80, 8080, 8088, ...)

      2. Kiwi Silver badge

        Re: @AC Keys good passwords bad

        Even with fail2ban running, I see a lot of attack attempts.

        I briefly saw that the message below yours references this (after I'd clicked reply before the post page loaded).

        I used to get up to hundreds of attacks an hour on SSH. I moved it away from the default port. Now I am lucky to see 5 attacks a day on SSH.

        I see a number of tries on other services. No services there, or fail2ban/denyhosts take care of those. IIRC 5 hour ban time for fail2ban (instead of the default few minutes), and only 3 attempts.

        But going away from the standard port actually makes a huge difference.
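The counting behind the fail2ban settings Kiwi and Ian Michael Gumby mention (only 3 attempts, then a long ban), as an added example that is not from the thread and not fail2ban's own code. It runs over constructed auth.log lines with addresses from the RFC 5737 documentation ranges, so it works offline; a real jail additionally limits the count to a findtime window and bans for bantime, which this snippet leaves out.

```shell
#!/bin/sh
# Added example, not from the thread: the per-source counting that a fail2ban
# sshd jail does, run over constructed auth.log lines. maxretry=3 mirrors the
# setting mentioned above.

# Constructed log sample; addresses are from the RFC 5737 documentation ranges.
SAMPLE_AUTH_LOG='Apr 25 10:00:01 gw sshd[4101]: Failed password for root from 198.51.100.7 port 50122 ssh2
Apr 25 10:00:03 gw sshd[4102]: Failed password for invalid user admin from 198.51.100.7 port 50124 ssh2
Apr 25 10:00:05 gw sshd[4103]: Failed password for invalid user pi from 198.51.100.7 port 50130 ssh2
Apr 25 10:00:09 gw sshd[4104]: Failed password for invalid user admin from 203.0.113.9 port 41000 ssh2
Apr 25 10:00:12 gw sshd[4105]: Accepted publickey for ops-alice from 192.0.2.5 port 53000 ssh2: ED25519 SHA256:constructedfingerprint
Apr 25 10:00:20 gw sshd[4106]: Failed password for invalid user admin from 203.0.113.9 port 41002 ssh2
Apr 25 10:00:21 gw sshd[4107]: Failed password for root from 203.0.113.9 port 41004 ssh2
Apr 25 10:00:25 gw sshd[4108]: Failed password for invalid user test from 203.0.113.9 port 41006 ssh2
Apr 25 10:00:30 gw sshd[4109]: Failed password for ops-bob from 192.0.2.5 port 53010 ssh2'

# Read sshd log lines on stdin; print "count ip" for each source address whose
# failed-password count reaches MAXRETRY, highest count first.
find_bruteforcers() {  # usage: find_bruteforcers MAXRETRY < logfile
    awk -v maxretry="$1" '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { fails[$(i + 1)]++; break }
        }
        END { for (ip in fails) if (fails[ip] >= maxretry) print fails[ip], ip }
    ' | sort -rn
}

# Read sshd log lines on stdin; print the distinct usernames that were tried, so
# you can confirm none of them is a real (especially a system) account.
tried_usernames() {
    awk '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { print $(i - 1); break }
        }
    ' | LC_ALL=C sort -u
}

echo "sources at or over maxretry=3:"
printf '%s\n' "$SAMPLE_AUTH_LOG" | find_bruteforcers 3
echo "usernames tried:"
printf '%s\n' "$SAMPLE_AUTH_LOG" | tried_usernames
```

On a live host the same functions read the real log (`find_bruteforcers 3 < /var/log/auth.log`); the successful publickey login is deliberately in the sample to show that only failed password attempts are counted.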

        1. Jamie Jones Silver badge

          Re: @AC Keys good passwords bad

          Ah yes, moving to a non-default port makes a hell of a difference.

          And before anyone makes the comment, it's not security-by-obscurity, as all the other protections are still in place - but it means the attack attempt logs are a lot smaller. (which in itself could be considered a security benefit)

          Just make sure that you are running sshd on a privileged port (either a port < 1024, or, on systems that allow it, a port specifically marked privileged by configured policy)
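The sshd settings recommended across this sub-thread (cbars: keys instead of passwords; Ian Michael Gumby: no root login, an explicit user list; Jamie Jones: a privileged port), as an added example that is not from the thread and not OpenSSH's own code. It audits an sshd_config file for those four points. The keyword names are real OpenSSH keywords; the two sample configuration files it writes are constructed, and a weak one is kept alongside the hardened one so the findings are visible.

```shell
#!/bin/sh
# Added example, not from the thread: audit an sshd_config against the advice
# above. PermitRootLogin, PasswordAuthentication, AllowUsers and Port are real
# OpenSSH keywords; the two sample config files below are constructed.

# Print the value of KEYWORD from an sshd_config-style file. Like sshd, take the
# first occurrence (later duplicates are ignored) and match case-insensitively.
sshd_value() {  # usage: sshd_value FILE KEYWORD
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v key="$key" '
        /^[[:space:]]*#/ || NF < 2 { next }
        tolower($1) == key { print $2; exit }
    ' "$1"
}

# Print one finding per line and return the number of findings (0 = clean).
audit_sshd_config() {  # usage: audit_sshd_config FILE
    f=$1; n=0
    v=$(sshd_value "$f" PermitRootLogin)
    [ "$v" = "no" ] || { echo "PermitRootLogin is '${v:-unset}' (want: no)"; n=$((n + 1)); }
    v=$(sshd_value "$f" PasswordAuthentication)
    [ "$v" = "no" ] || { echo "PasswordAuthentication is '${v:-unset}' (want: no, keys only)"; n=$((n + 1)); }
    v=$(sshd_value "$f" AllowUsers)
    [ -n "$v" ] || { echo "AllowUsers is unset (want: an explicit list of non-system users)"; n=$((n + 1)); }
    v=$(sshd_value "$f" Port)
    [ "${v:-22}" -lt 1024 ] || { echo "Port $v is not privileged (want: a port below 1024)"; n=$((n + 1)); }
    return "$n"
}

# Constructed sample 1: the sort of file an appliance image might ship with.
write_weak_config() {  # prints the path of a temp file
    f=$(mktemp)
    cat > "$f" <<'EOF'
# shipped defaults (constructed sample)
Port 2222
PermitRootLogin yes
PasswordAuthentication yes
EOF
    echo "$f"
}

# Constructed sample 2: the same host after applying the advice in the thread
# (non-default but still privileged port, no root, keys only, named users).
write_hardened_config() {  # prints the path of a temp file
    f=$(mktemp)
    cat > "$f" <<'EOF'
Port 922
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers ops-alice ops-bob
MaxAuthTries 3
EOF
    echo "$f"
}

for cfg in "$(write_weak_config)" "$(write_hardened_config)"; do
    echo "== $cfg"
    audit_sshd_config "$cfg" && echo "no findings"
    rm -f "$cfg"
done
```

To audit the configuration a running server actually uses (after Match blocks and defaults are applied), feed it `sshd -T` output instead of the file, since that prints the effective settings in the same keyword/value layout.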

      3. CrazyOldCatMan Silver badge

        Re: @AC Keys good passwords bad

        Even with fail2ban running, I see a lot of attack attempts. The next step is to start banning net blocks from countries

        Indeed - I have one gateway server that allows ssh (and, as you say, disallows user login if not using a cert), doesn't allow root, uses fail2ban, still gets hundreds and hundreds of probes.

        I blocked Russia, China & various other far-East countries at the firewall and the number of attacks dropped by 60%. If only I could block the US, I'd be able to block another 30%..

  5. noddybollock
    FAIL

    ac / pw list files .......

    I thought the default password on a ras-pi was "raspberry" - they list the "pi" as an account but forgot the password in the lists!

    can I claim a bug bounty please ?

  6. Trigonoceps occipitalis

    A built-in password list

    Serious Question:

    Is there a site that lists the common/complete set of "Built in Passwords"?

    I studiously avoid "password", "12345678" etc. however my carefully crafted but memorable passwords may not be as obscure as I think they are. Where can I check?

    Please don't ask me to send them to you so that you can check them for me, no matter how many dollars are awaiting me in Nigeria.

    1. NP-Hardass

      Re: A built-in password list

      https://github.com/danielmiessler/SecLists/tree/master/Passwords

      1. Anonymous Coward

        Re: A built-in password list

        Thanks! I'm gonna change my password to 'starstar' since it's the last password on the top10000 list and therefore the most secure. I recommend everybody else do the same to protect us from the hackers.

    2. Vic

      Re: A built-in password list

      memorable passwords may not be as obscure as I think they are. Where can I check?

      John is your friend...

      Vic.

  7. DougS Silver badge

    This should read as "embedded Linux targeting" malware

    Since there are no Linux distros that ship with default credentials. It is intended to hit stuff like wireless routers, CCTV cameras, and various IoT junk that often comes from the OEM with a simple default like 'admin/admin' or whatever. This malware will not affect a PC you installed Linux on.

    Such an attack would work equally well no matter what OS it was running, if all it needs is an open telnet/SSH/HTTP with a known default login/password pair. Once it logs in it still needs to use some sort of exploit to do something bad, but since few upgrade the firmware on these embedded devices, the list only grows longer as the firmware gets more out of date...

    1. Doctor Syntax Silver badge

      Re: This should read as "embedded Linux targeting" malware

      "Since there are no Linux distros that ship with default credentials."

      Embedded distros (including those for the Raspberry Pi) often do. The nature of these devices is that the device ships with a pre-built image rather than as an installation disk that requires a password to be entered at install time. In this situation, best practice should be to require the user to enter a password at first boot and again after a factory reset.

  8. Tomato42 Silver badge
    Facepalm

    Default passwords

    > Shishiga relies on the use of weak, default credentials in its attempts to plant itself on insecure systems through a bruteforcing attack

    It's truly pathetic that this is still a problem.

  9. alain williams Silver badge

    Run nmap occasionally ...

    just in case you forgot to close that port that you opened for a 5 minute test last month:

    nmap -A -T4 my.host.name
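The same idea turned into a check that fails when something unexpected is open, as an added example that is not from the thread and not nmap's own code. It assumes you add nmap's greppable output option to the command above (`nmap -A -T4 -oG - my.host.name`) and pipe the result in; the layout of the "Ports:" field is real nmap, but the scan result embedded here is constructed, not a real scan.

```shell
#!/bin/sh
# Added example, not from the thread: compare what nmap reports open against the
# ports you meant to expose. Assumes greppable output (nmap ... -oG -), whose
# "Ports:" field is "port/state/proto/owner/service/rpcinfo/version/"; the scan
# below is constructed. Fields in -oG output are tab-separated, hence printf.
SAMPLE_SCAN=$(printf 'Host: 192.0.2.10 (my.host.name)\tStatus: Up\nHost: 192.0.2.10 (my.host.name)\tPorts: 22/open/tcp//ssh//OpenSSH 7.4/, 23/filtered/tcp//telnet///, 80/open/tcp//http//nginx/, 443/open/tcp//http//nginx/, 8080/open/tcp//http-proxy///\tIgnored State: closed (995)\n')

# Baseline: the ports we intend to expose, one per line.
EXPECTED_PORTS='22/tcp
80/tcp
443/tcp'

# Read greppable output on stdin; print "port/proto" for every port in state open.
open_ports() {
    awk -F '\t' '
        /^Host:/ {
            for (i = 1; i <= NF; i++) if (sub(/^Ports: /, "", $i)) {
                n = split($i, entry, /, /)
                for (j = 1; j <= n; j++) {
                    split(entry[j], f, "/")   # f[1]=port f[2]=state f[3]=proto
                    if (f[2] == "open") print f[1] "/" f[3]
                }
            }
        }
    ' | LC_ALL=C sort -u
}

# Read greppable output on stdin; print open ports missing from the baseline and
# return 1 if there are any, so a cron job can alert on the exit status.
unexpected_ports() {  # usage: unexpected_ports "$EXPECTED_PORTS" < scan.gnmap
    expected=$(mktemp)
    printf '%s\n' "$1" | LC_ALL=C sort -u > "$expected"
    extra=$(open_ports | LC_ALL=C comm -23 - "$expected")
    rm -f "$expected"
    [ -z "$extra" ] && return 0
    printf '%s\n' "$extra"
    return 1
}

printf '%s\n' "$SAMPLE_SCAN" | unexpected_ports "$EXPECTED_PORTS" \
    && echo "only expected ports are open" \
    || echo "^ open but not in the baseline: close it, or add it deliberately"
```

The filtered telnet port in the sample is ignored on purpose: the check only cares about what is reachable, and the baseline is the list you have to edit by hand when you open something, which is exactly the step that gets forgotten after a five-minute test.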

  10. boatsman

    these people are not hackers

    they are criminals.

    1. Sir Runcible Spoon Silver badge
      Joke

      Re: these people are not hackers

      hackers are people criminals too!

  11. WibbleMe

    SSH root@mypublicwebserver.com -p 22 ... and hacked

    1. Sir Runcible Spoon Silver badge
      Paris Hilton

      default port

      why would you need '-p 22' ?

      1. Jamie Jones Silver badge

        Re: default port

        Default port can be set in ssh_config to something other than 22.

    2. tom dial Silver badge

      And how would the hack succeed if the SA used proper key-based identification and authentication?

  12. rbf

    China and Romania Colleges

    Long time ago but it was easy to collect "popular" passwords by checking ssh logs.

    You had to have a cert that I handed out on a USB key.


Biting the hand that feeds IT © 1998–2019