back to article One Bitcoin or lose your data, hacked Linux sysadmins told

Linux sysadmins are being specifically targeted by hackers demanding one Bitcoin to gain access to their own data. Usually, it's Windows systems that get hit by ransomware, but a new strain targets Linux systems to extort cash. "Judging from the directories in which the Trojan encrypts files, one can draw a conclusion that …

  1. hplasm
    Linux

    3-2-1...

    And fixed.

    Sod Off HaxxOrs- because backups.

    1. TeeCee Gold badge

      Re: 3-2-1...

      Yup, one thing they are definitely not targeting here is "sysadmins".

      Sysadmins have backups, by definition.

      1. g e

        Re: 3-2-1...

        Yup, a month of offline daily backups on a separate system here.

        Maybe if I fall victim (not that I use Magento), I should restore a backup and say "Your code is crap. 500 bitcoin to not release the decrypt exploit"

  2. brain_flakes
    Linux

    We'll be safe

    > Usually, it's Windows systems that get hit by ransomware, but a new strain targets Linux systems to extort cash.

    But of course, unlike home Windows users, all Linux sysadmins will keep regularly scheduled backups of their server's data and so won't be affected. Right? Right?? :)

    1. gollux
      Mushroom

      Re: We'll be safe

      DIY Magento tends to be unmaintained VPS with cargo cult configurations and unpatched Magento 1.3/1.4 codebase. About right.

      Afterall, it's Linux, it's gotta be safe (true comment)

      Virus on AWS? I can't believe it! Even with so much care and I'm attacked, I'm changing hosting (true comment)

    2. jinx3y

      Re: We'll be safe

      comparing apples and oranges: "home users" vs. "sysadmins"...sarcasm fail...

  3. Anonymous Coward
    Anonymous Coward

    Snark snark

    Oh, a critical vunrability in a PHP based CMS that isn't WordPress. That's mildly surprising.

  4. Anonymous Coward
    Anonymous Coward

    Well,

    ... first thing I want to know is HOW these systems get infected.

    Second, I haven't a clue about bitcoins, nor how to make them. So how would I pay (as if!)?

    1. Deryk Barker

      Re: Well,

      When the story broke yesterday the line was that the the infection vector was unknown but thought to be via ssh.

      Now the claim is that it is the Magento CMS.

      What I'd like to see is some way of detecting it that doesn't involve subscribing to Dr.Web's antivirus.

      1. Anonymous Coward
        Anonymous Coward

        Re: Well,

        This whole article smells a bit 'none-story': some slack linux server admin, running a particular toolset, who hasn't updated for a while .... Serve 'em right, you gotta keep up to date. Ohh look, Dr Web sells linux 'AV' though, so I can go back to taking it easy, no worry ;)

    2. Anonymous Coward
      Anonymous Coward

      Re: Well,

      via CMS Magento as per the article.

      You can pay with monopoly money and red houses as the green ones suck ass or you could search the internet about bitcoin software then transfer the money to your bitcoin account then to the nefarious criminals.

      However I would strongly recommending not becoming a mark and doing what we all do and that is to keep your systems up to date, be that apt/dpkg/pkg_add/zypper/yum/Windows 10 update.

      1. Michael Habel

        Re: Well,

        <backqoute>be that apt/dpkg/pkg_add/zypper/yum/Windows 10 update</backqoute>

        That sounds like an even larger headache/virus vector/ privacy invasion then its worth. But, thanks for offering to keep our options open. Such a shame that my computing "future" does NOT include any more MicroSoft products though. But, I'll be sure to tell my Nan about it though....

        NOT!

        1. Chika
          Trollface

          Re: Well,

          That sounds like an even larger headache/virus vector/ privacy invasion then its worth. But, thanks for offering to keep our options open. Such a shame that my computing "future" does NOT include any more MicroSoft products though. But, I'll be sure to tell my Nan about it though....

          sob...sob... Microsoft invading a Linux thread.... </sarcasm>

    3. gollux
      Mushroom

      Re: Well,

      Magento shoplift bug (it's embarrassing) Patch was out in February, Magento finally got around to breathless wittering that a patch was available in May, unpatched sites have been having admin user accounts direct injected ever since.

      Current barn door is Zend SOAP XML API hole fails under UTF-8 (it's embarrassing)

    4. Anthony Hegedus Silver badge

      Re: Well,

      Bitcoins are the most fiendishly complex way of paying for anything the world has ever witnessed. You may as well have 8 Ningis to one Pu, where a Pu is a triangular rubber coin 6800 miles across.

      I don't understand why this currency has any value whatsoever: it seems to be mainly used for scamming.

  5. This post has been deleted by its author

    1. sisk

      Re: ZFS is looking more and more attractive...

      SELinux isn't much protection against an attacker with root access!

      Neither is FreeBSD. Root access=game over, regardless of the OS.

    2. jonfr

      Re: ZFS is looking more and more attractive...

      If you want secure BSD you go with OpenBSD or NetBSD. FreeBSD is fine, while secure than any linux out there it is less secure than OpenBSD or NetBSD.

    3. Lars Silver badge
      Happy

      Re: ZFS is looking more and more attractive...

      No, nothing "much protection against an attacker with root access!". You can, of course, prevent that, allowing root access only locally. Have I bothered about that, no, have all Linux users done that, probably not, who knows. And damn it, if you get root locally, why not take the who damned machine, or at least the drives with you. Although I know Linux is more secure than some other solutions I am still pissed off with people who think it's all about the OS. Give me a bank, any bank, if I speak the "language", I would claim I would need less time fooling people than fucking around with bits and bytes regardless of the OS or any security ever invented. Should we not also discuss more about the "human factor" among all other security risks. Damn it, better stop here.

      1. sisk

        Re: ZFS is looking more and more attractive...

        Give me a bank, any bank, if I speak the "language", I would claim I would need less time fooling people than fucking around with bits and bytes regardless of the OS or any security ever invented.

        What's the easiest way to get someone's password? You ask them for it. There's a reason social engineering is considered the most effective form of attack.

    4. jelabarre59

      Re: ZFS is looking more and more attractive...

      > SELinux isn't much protection against an attacker with root access!

      That's presuming SELinux was in use at all. 17 **YEARS** after it was first introduced, there are *STILL* major packages that require you to entirely disable SELinux for them to run. And a large number of them are made by the "geniuses" at IBM.

    5. tom dial Silver badge

      Re: ZFS is looking more and more attractive...

      My understanding is that SELinux actually can protect against root access, although it probably is not something most admins would really like to do.

    6. Anonymous Coward
      Anonymous Coward

      Re: ZFS is looking more and more attractive...

      "SELinux isn't much protection against an attacker with root access!"

      Incorrect - this is exactly what SELinux (mandatory access control) protects against. It describes which programs can access which files, even when they are running as root. It also tracks "how you you got here", so it can enforce things like "user logged on with physically attached keyboard and ran sudo bash to become root and so can disable SELinux".

    7. fajensen

      Re: ZFS is looking more and more attractive...

      It's just that FreeBSD Jails (while neat and well implemented) are just horrible, almost too Horrible, to use!

      The FreeBSD developers never bothered much with providing tools for all the good stuff in FreeBSD, In My Opiniun. The learning curve for FreeBSD jails is more like a brick wall.

      PS:

      SELinux does protect against 'root' access. The 'root' account can't just go off and do anything at all like it can with 'normal' Linux.

      PSPS:

      It seems odd that malware will cripple itself by requiring 'root' access. There are *plenty* of Money-Making opportunities just running as a normal user account - which is hardly secured from itself and from flash/java.stupidity at all since this is inconvenient and (to the sysop) it's *just* a user account not the sacred 'root'.

    8. alain williams Silver badge

      Re: ZFS is looking more and more attractive...

      SELinux isn't much protection against an attacker with root access!

      Although running SELinux would help prevent someone who has exploited the Magento vulnerability from going on to gain root access. That is part of the point.

  6. Anonymous Coward
    Anonymous Coward

    Knowing nothing about bitcoins and the fact that all these demands seem to use them.

    I started to wonder if it was possible to add a payload to a bitcoin that would either a) call home or b) do something nasty to receiving system.

    Payback?

    1. sisk

      I started to wonder if it was possible to add a payload to a bitcoin

      You can stop wondering. It isn't. You might just as well try to add a payload to a dollar being transfered via wire transfer for all the good it'd do you.

      That said, bitcoin is very traceable, far less anonymous than cash. The fact that people think it's anonymous is proof that people don't really understand how it works. There are ways to anonymize it, but realistically I wouldn't trust any of them.

      1. Steven Roper

        "That said, bitcoin is very traceable, far less anonymous than cash."

        If that's the case then why are there no stories about people hunting these ransomware scammers down for the purpose of peeling their fingernails off one by one?

        1. Boris the Cockroach Silver badge
          Big Brother

          because GCHQ et al

          far prefer listening to everyone's chat so they can blackmail various politicians into increasing their budget/workforce under the guise of saving us from peadoterrorists instead of doing the job they'd be better at such as hunting down these crooks and giving them a good kicking/locking them away.

          1. FrankAlphaXII

            Re: because GCHQ et al

            Since when is Law Enforcement an intelligence agency's job?

            1. Anonymous Coward
              Anonymous Coward

              Re: because GCHQ et al

              Since the local plods are thoroughly outgunned when it comes to people that eat this technology literally with their morning pizza. There are quite a few talented ones capable of the work but being understaffed already... it just goes by the wayside. They're used elsewhere.

              Now the intelligence agencies are deeply reliant on the same technologies as the "hackers, crackers, ..." crowd and have nice depth of talent. Still nowhere as good as some of the better enterprises but not do to lack of funds. Black budgets mean black contracts if you can't do it in-house. And we saw where that turned around and bit them in the balls with the consultancy that Mr. Snowden worked at. Heck, even before he left direct employment by the government (Air Force?), he was getting schooled on penetrations and other offensive operations.

              Do remember, that "Black Ops" doesn't have to be entirely cyber. It can include bringing a gun to a byte fight, not a unwieldy club which is about where most people operate.+

            2. hplasm
              Meh

              Re: because GCHQ et al

              "Since when is Law Enforcement an intelligence agency's job?"

              If not that then what?

              Oh, of course- keeping themselves in a job.

        2. sisk

          Police aren't going to go after them once they figure out the scammers are outside of their jurisdiction and without the ability to subpoena an online store for their shipping records the task becomes more difficult. It's still doable, but law enforcement isn't going to do it for you. A lot of us here could probably do it, but it would have to be some damned valuable data for it to be worth hunting someone down and pulling off fingernails for a key.

    2. Anonymous Coward
      Anonymous Coward

      As far as I understand it you wouldn't be able to attach anything to the bitcoin transfer. However, if you could figure out how the decryption keys were passed from infected machines to the C&C servers run by the scumbags, I'd guess it might be possible to pass a little surprise to them that way.

  7. bailey86

    Is this PHP FPM only?

    Am I right in thinking this is for PHP-FPM only?

    http://legalhackers.com/advisories/zend-framework-XXE-vuln.txt

    'I. VULNERABILITY

    -------------------------

    Zend Framework <= 2.4.2 XML eXternal Entity Injection (XXE) on PHP FPM

    Zend Framework <= 1.12.13

    ...

    - PHP FPM

    http://php.net/manual/en/install.fpm.php

    "FPM (FastCGI Process Manager) is an alternative PHP FastCGI implementation with

    some additional features (mostly) useful for heavy-loaded sites."

    Starting from release 5.3.3 in early 2010, PHP merged the php-fpm fastCGI

    process manager into its codebase. However PHP-FPM was available earlier as a

    separate project (http://php-fpm.org/).'

    So does this mean that standard Apache/PHP installs are OK? And on Debian unless php5-fpm is installed we should be OK?

    1. Anonymous Coward
      Anonymous Coward

      Re: Is this PHP FPM only?

      Depends on how they're exploiting it, and not using php-fpm might only prevent it from doing the privilege escalation. If you're running Magento I'd get the patches installed as soon as you can just to be safe

  8. Seajay#
    Trollface

    Maybe this will be the year

    .. of Windows on the server

    1. Michael Habel

      Re: Maybe this will be the year

      You won One free Internet!

  9. Anonymous Coward
    Anonymous Coward

    DDoS

    I've seen hackers threatening DDoS unless a multiple-BTC ransom is paid.

    1. Prst. V.Jeltz Silver badge

      Re: DDoS

      Seems like an emtpy threat coming from a scammer with no actual ability to DDOS , or even work out where his spam ended up in order to ddos it

  10. Richard 22

    Poor quality ransomware

    It appears that for this attempt at least, the files are decryptable without paying the ransom;

    https://lwn.net/Articles/663955/rss

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like