Mirai malware infects Linux with Busybox
Just a point of note. If you run Debian you can install debsums
apt-get update
apt-get install debsums
and then validate all installed programs and/or configuration files (includes an option to automatically reinstall changed programs if that takes your fancy) ... see https://blog.sleeplessbeastie.eu/2015/0 ... -packages/
I personally try to run a pristine system - apply changes/updates and save immediately after booting ... otherwise not saving. But have more recently switched over to not using sfs's (but instead have all files fully extracted into the save space and an empty main sfs). That's just so I can boot either frugally (changes not saved, unless I run a script to save things), or boot like a full install (all changes immediately stored i.e. that I use to apply certain Debian updates that otherwise won't install under a frugal boot). Running debsums periodically helps ensure that the system still has its integrity. debsums runs to completion pretty quickly, haven't actually timed it but of the order of less than 5 minutes.
If a virus/malware changed busybox then debsums would most likely spot that change as it uses MD5 validation.
Mike7 wrote: I piggy-back on a non-encrypted strong local wi-fi signal.
I would probably not worry about the risk from Mirai as much as I would worry about the risks from using unencrypted wifi.
Mike7 wrote: I am talking just about the present case, Mirai. My query was purely practical: could my computer be infected with this malware, and what should I do about it, if anything.
I could be wrong but my guess is - yes a puppy PC could be infected especially if it was online quite a bit, and also if it used a savefile that would retain the cnc interface code across boots. What should you do about it? - there is probably nothing you can do at present.
Mike7 wrote: So, if I understand you, my computer doesn't have to be infected in order for my data to be hacked; it can be got at through the wi-fi router. Is that right?
Yes. In fact Mirai doesn't seem to go looking for the data on your machine - it seems to hijack a machine just to piggyback off its internet connection and cause havoc to someone else via a DDoS attack. The risks to your data can occur anywhere along the data path between you and the bank. In my opinion an insecure wifi connection would be by far the weakest part of that chain.
Mike7 wrote: I am not running a router. As I said before, I am using a wi-fi signal.
But that wifi signal is still running through a router - even though it is not your router it is still a router. The fact that its brand, model, and ownership is unknown to you does put your data at risk.
Mike7 wrote: Yes, what I am doing is very dangerous (using an unknown wi-fi signal coming from an unknown router). But life is fraught with danger where I am (Buenos Aires, Argentina), so trusting to an unknown wi-fi and router is just a drop in the bucket (albeit a particularly scary one).
To be honest I really feel that none of us really have as much security as we believe. I know people who maintain the Southern Cross internet data cable that runs from New Zealand to the U.S. via Hawaii and based on their comments I am sure every data packet is transparent to a number of individuals and agencies along the way.
Mike7 wrote: I know I should have my own internet connection and not use strange wi-fi signals, but even the local ISPs here are untrustworthy.
I suppose the best advice comes back to regular changing of banking passwords in that case. At least any data that gets trapped on one day can be made irrelevant the next.
Mike7 wrote: Where in this forum can I get that [puppy root password change] information?
I will post back if I can find it but it can be hard to find information sometimes. Have to get the keywords right.
Mike7 wrote: I have Carolite set up so that there is never a "save" until shutdown, and then only as an option. I realize that using savefiles is risky, but the alternatives are simply too complicated for me. As to mounted drives, my only one is the bootable USB pendrive that Carolite is on. I don't even mount my computer's HDD.
That's handy having the save option then. That lets you shutdown without saving. If you wanted greater safety you could always temporarily hide the savefile and run without it, or even make another new one that you could use only for banking sessions (ie only containing the minimal changes required to get online quickly).
Mike7 wrote: there is some safety in using Puppy-on-a-stick, working in RAM, and not using the HDD.
Agreed.
Mike7 wrote: Actually, most of the time the only changes I make are to bookmarks, and the whole browser could be kept separately from the puppy files.
Maybe you could look at using "portable" versions of your preferred browser. That way you could even have two setups - one browser used solely for banking sessions (with tighter security settings, minimal bookmarks and no browser history or cookies) and another browser setup for general internet surfing and bookmark/cookie retention.
Mike7 wrote: Anyway, to get back to the subject, I haven't noticed any strange activity on my computer, so I am assuming it has not been infected by Mirai.
I doubt you would notice it unless you were comparing router statistics between infected and non-infected sessions. And of course you don't have access to the router anyway. If your Puppy was infected with Mirai all you might see is more network icon activity.
Mike7 wrote: if you happen to run across a way to detect this malware, I'd appreciate a heads up.
Sure, I will post back if I see anything. I quite like the Sophos "Naked Security" website for that sort of info:
https://nakedsecurity.sophos.com/2016/1 ... ck-on-dyn/
I have not reviewed these threads properly but here are some links regarding the option of changing the root/root uname/password defaults in Puppy Linux:
http://www.murga-linux.com/puppy/viewto ... 3f789d0a19
http://www.murga-linux.com/puppy/viewto ... 60840a8eae
http://www.murga-linux.com/puppy/viewtopic.php?p=228821
http://www.murga-linux.com/puppy/viewto ... 8dabb6b89d
http://murga-linux.com/puppy/viewtopic.php?t=97769
EDIT : This post by Galbi appears to offer the method by which the root password can be changed:
http://www.murga-linux.com/puppy/viewto ... 300#790300
How much that actually increases security I cannot say....
EDIT : Anyone who likes the idea of a Puppy that does not have root access may be interested in this post from the beloved and well missed "nooby":
http://puppylinux.info/topic/making-a-f ... an-be-root
Quote from one of the contributors:
"Nothing is more disgusting than not being able to kill the Xorg server by C+A+BS"
It's an emotive discussion.
Hi, rufwoof.
rufwoof wrote: If you run Debian you can install debsums . . . and then validate all installed programs
Coupla questions here:
- What do you mean by "If you run Debian"? Is Carolite (and Puppy in general) related to Debian?
- Can debsums be made to validate just a specific file or program or environment like Busybox, so that it doesn't have to check the whole system?
Mike7
Carolite-1.2 w/FF38 on bootable 16G flash drive; Asus eeePC 1000HA, Atom CPU, 2G RAM, 160G HDD.
greengeek-
greengeek wrote: I would probably not worry about the risk from Mirai as much as I would worry about the risks from using unencrypted wifi
It worries me, believe me. But I've been using the signal for five years and so far nothing too bad has happened, just some browser redirections and Youtube hijacks (knock wood).
greengeek wrote: my guess is - yes a puppy PC could be infected especially if it was online quite a bit, and also if it used a savefile that would retain the cnc interface code across boots.
What is a cnc interface code and how is it stored?
greengeek wrote: there is probably nothing you can do at present.
Figures.
greengeek wrote: Mirai doesn't seem to go looking for the data on your machine - it seems to hijack a machine just to piggyback off its internet connection and cause havoc to someone else via a DDoS attack.
Yes, hijacking IoT devices is a nasty trick. But it was bound to happen.
greengeek wrote: In my opinion an insecure wifi connection would be by far the weakest part of that chain.
The solutions for me are not good and all are expensive. Plus, like I said, the usual Internet connections here are just as bad as the unencrypted wifi signal, maybe worse in some ways (like banner and popup ads from the ISP, and even worse abuse). Satellite is the best solution here, and a friend in my building has it. But it costs a fortune.
greengeek wrote: But that wifi signal is still running through a router - even though it is not your router it is still a router. The fact that its brand, model, and ownership is unknown to you does put your data at risk.
True. It's certainly nowhere near as secure as my Verizon fiber optic+router in New York. Not secure at all, really. Highly dangerous, even. But life is dangerous. However, I don't think any of my financial institutions would accept a large transaction from the website. Heck, I even have trouble using my debit cards <grin>. And just the fact that my computer, and this unencrypted wifi signal, are in Argentina is some sort of security, because no one trusts anything coming from this country.
greengeek wrote: I know people who maintain the Southern Cross internet data cable that runs from New Zealand to the U.S. via Hawaii and based on their comments I am sure every data packet is transparent to a number of individuals and agencies along the way.
A rather frightening thought, for sure. And with the U.S. Gov hacking the whole world through ISPs (PRISM, etc.), there's no way to be secure. I mean, do you trust all the employees of the NSA who have access to everything not to use the data to steal?
greengeek wrote: I will post back if I can find it but it can be hard to find information sometimes. Have to get the keywords right.
Thanks. I wouldn't know how to look.
greengeek wrote: If you wanted greater safety you could always temporarily hide the savefile and run without it, or even make another new one that you could use only for banking sessions (ie only containing the minimal changes required to get online quickly).
Yes, there are a number of options. I was in the middle of working through them not long ago, when there was some tragedy and I got sidetracked. I seem to recall that the best idea appeared to be to password-protect the pendrive partition where the changesfile is kept. And really the only changes I am making now are to bookmarks as I have Carolite pretty well configured the way I want it. Some times I just copy the new bookmarks to a text file and do a no-save at shutdown. That's probably the safest procedure of all. But I'm going to password-protect the 2nd, vfat partition on the pendrive and maybe keep the whole .mozilla folder there.
greengeek wrote: Maybe you could look at using "portable" versions of your preferred browser.
Yes, I am looking into shinobar's portables.
greengeek wrote: you could even have two setups - one browser used solely for banking sessions (with tighter security settings, minimal bookmarks and no browser history or cookies) and another browser setup for general internet surfing and bookmark/cookie retention.
I presently do not save any browser history, cookies, or cache when I exit Firefox, which I do frequently during the day to renew the IP address. And only bookmarks are saved when I shut down the computer. But, as you say, a separate browser for sensitive transactions would be best. Maybe even a separate pendrive with a virgin Carolite and a more secure browser than Firefox, which has become too bulky and complicated to be made secure.
greengeek wrote: you don't have access to the router anyway. If your Puppy was infected with Mirai all you might see is more network icon activity.
Sad but true. That unencrypted wifi signal is a grave danger. I have no way of even knowing if I'm being hacked. Terrible.
greengeek wrote: I quite like the Sophos "Naked Security" website for that sort of info:
Thanks for that URL.
Cheers.
Mike7
Carolite-1.2 w/FF38 on bootable 16G flash drive; Asus eeePC 1000HA, Atom CPU, 2G RAM, 160G HDD.
Mike,
Have a look at Palemoon I use in older puppies I use - is faster than FF.
Also 8Geee has a very secure of FF27 he has configured he uses in his updated slacko 570
https://archive.org/details/firefox2701
Devuan Linux, Stardust 013 (4.31) updated https://archive.org/details/Stardustpup013glibc2.10
s57(2018)barebone https://sourceforge.net/projects/puppy-linux-minimal-builds/files/s57%282018%29barebones.iso/download
greengeek-
Thanks for the links to changing of the root pswd. I will review all this, although from a first look it seems that only the command for changing the user's password is given (code: passwd) and not a command for changing the name of a user. I guess that as things stand that cannot be done (which I suppose is what all the nooby discussion was about, although I didn't really understand it all).
As an aside, before settling on Puppy and Carolite I tried out Slitaz (among other distros). Slitaz is not set up so that the user is root, and you have to sudo everything. It really is a pain in the butt and is what turned me off to Slitaz, which in other respects is a very fine OpSys. The fact is that doing sudo all the time isn't so terrible. It's the implied insult (that one is too incompetent to be root) that is so annoying. After all, if one is installing Linux it must be assumed that one has some brains and a little knowledge, no? And forcing the use of sudo is no protection from screwing things up.
greengeek wrote: Quote from one of the contributors: "Nothing is more disgusting than not being able to kill the Xorg server by C+A+BS" It's an emotive discussion.
Nothing wrong with a little emotion <grin>.
M7
Carolite-1.2 w/FF38 on bootable 16G flash drive; Asus eeePC 1000HA, Atom CPU, 2G RAM, 160G HDD.
Hi guys.
FWIW, if there seems to be fishy behavior on your Internet line, your
connection icon in the tray of all Puppies has a "disconnect" option (see
attached picture) that you can click.
As well, there is also the manual solution of physically disconnecting the
ethernet cable or turning off the router. You can turn off the machine, of
course, but it's not absolutely necessary for this purpose. To state the
obvious, a non-connected computer cannot connect to anything, thus a
non-connected computer cannot infect anything.
Besides if you want to conduct some forensic work, you may want to
keep the machine on. If you turn the machine off, the virus might
disappear from RAM with the electrical current.
When the Mirai description says it's "using busybox" to propagate that
virus, that's pretty vague, because busybox is a compact rewrite of
about one hundred GNU utilities. It would be not only interesting but
essential to know which one of those is the actual culprit.
AFAIK there are two "busyboxes": a minimal one included in the initrd
used during the kernel boot process and the one used once the "shift
root" (chroot) has occurred.
If we know which of the busybox sub-utilities is to blame, it should be
simple enough to substitute it with the real and complete gnu utility it's
intended to replace. PuppyLinux, BTW, already does that for a number
of them.
Finally, there is no mention of the Mirai infection on the Busybox site
https://busybox.net/news.html. If it was as dramatic as it sounds, the
developers there would have already provided a corrective, or working
on it, no?
In the meantime, rufwoof's debsums solution seems like a good idea to
tone down the paranoia!
In short, let's keep our heads and we'll see this through.
BFN.
- Attachments
-
- disconnect_option_2016-10-30(1).jpg
- (4.52 KiB) Downloaded 316 times
musher0
~~~~~~~~~~
"You want it darker? We kill the flame." (L. Cohen)
Robert123-
Robert123 wrote: Have a look at Palemoon I use in older puppies I use - is faster than FF.
Thanks for reminding me about Palemoon. Actually, I have a list of alternative browsers that I have been intending to try. It's just a matter of finding the time (grrr).
Questions: Is Palemoon as secure as an updated and reconfigured Firefox? Can it resolve these new-thing websites that are written for mobile devices? Will ublock work with it?
Robert123 wrote: Also 8Geee has a very secure of FF27 he has configured he uses in his updated slacko 570
Interesting. My Carolite came with FF26, but it automatically updated to FF38 when I clicked on Help>AboutFirefox to check on the exact version number. Now I have spent maybe 100 hours reconfiguring FF38, and the thought of changing versions yet again, either updating or returning to an earlier one, makes me shrivel up inside and think about going to live with the Inuit in Greenland.
Question: Do you think 8Geee's reconfigured firefox2701 would work in Carolite-1.2?
M7
Carolite-1.2 w/FF38 on bootable 16G flash drive; Asus eeePC 1000HA, Atom CPU, 2G RAM, 160G HDD.
Hello again guys.
If you read the last part of the article mentioned by green geek, you'll
find that Mirai uses:
telnet
ssh and
busybox tftp
To play it safe you could install the inetutils from the GNU foundation.
https://lists.gnu.org/archive/html/info ... 00004.html
(5th paragraph on that page), to replace the busybox tftp and telnet.
As to ssh, Puppy is offering the full ssh, not the busybox one.
As well the article says that Mirai can leave traces detectable by lsof,
the source of which is available here:
https://people.freebsd.org/~abe/.
There is already an older version of lsof available on this forum:
search for "lsof" as the first search parameter and "musher0" as the
second search parameter. Here:
http://murga-linux.com/puppy/viewtopic. ... 682#844819
For your convenience, the latest version of lsof (lsof-4.89) is attached.
Please install the libtirpc-1.0.1 first, then the lsof-4.89 utility.
This complete lsof will replace the existing busybox lsof symlink that may
exist on some newer Puppies. (Older Puppies do not have lsof at all.)
To see all running connections on your Puppy, open a terminal and type
Code: Select all
lsof -i
So, sorry to go against the paranoid instinct, but instead of panicking one
could try to see if lsof shows traces of Mirai residues on your machine.
BFN.
- Attachments
-
- lsof_with_-i_parameter_2016-10-30.jpg
- What you should normally see through lsof with an active ethernet connection: only the cups port plus the browser port are open.
- (7.81 KiB) Downloaded 281 times
-
- libtirpc-1.0.1.pet
- needed by lsof-4.89
- (144.21 KiB) Downloaded 137 times
-
- lsof-4.89.pet
- The "LiSt Open Files" utility for a given running application or process.
- (109.21 KiB) Downloaded 130 times
Last edited by musher0 on Sun 30 Oct 2016, 20:53, edited 3 times in total.
musher0
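The lsof -i check in the post above, taken one step further as an added shell example (not code from musher0's post or from the lsof project): a small auditor that reads lsof output and reports only a process listening on the telnet (23), ssh (22) or tftp (69) ports the post associates with Mirai, or any socket owned by a command you did not expect, which on the machine in the screenshot would be anything other than cups and the browser. The function names audit_lsof, audit_sample and audit_live are mine, and the lsof lines in SAMPLE_LSOF are constructed, not captured from a real machine; lsof's -n and -P switches (no host and port name lookups) are real options and keep the port column numeric so the port test is not fooled by service names.

```shell
#!/bin/sh
# Added example, not from the thread: an auditor for "lsof -nPi" output that
# flags (a) a listener on the telnet/ssh/tftp ports the thread associates
# with Mirai and (b) any socket owned by a command outside your allowlist.
# The sample output further down is constructed, not captured.

# audit_lsof ALLOWLIST  (reads lsof -nPi output on stdin)
#   ALLOWLIST is a comma-separated list of COMMAND names you expect to own
#   sockets. Prints "REASON COMMAND PID NAME" for each suspicious line and
#   nothing when everything looks normal.
audit_lsof() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, ","); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NR == 1 { next }                          # column header line
        {
            # Columns: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME [STATE]
            name = $9; state = $10
            split(name, ends, "->")               # local endpoint is before "->"
            port = ends[1]; sub(/.*:/, "", port)  # port is the text after the last ":"
            if (state == "(LISTEN)" && (port == "22" || port == "23" || port == "69"))
                print "listening-on-" port, $1, $2, name
            else if (!($1 in ok))
                print "unexpected-command", $1, $2, name
        }'
}

# Constructed sample in lsof -nPi layout: a normal cups listener, a browser
# connection, a busybox applet bound to the telnet port, and an unknown
# process holding an outbound connection. Addresses are documentation ranges.
SAMPLE_LSOF='COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
cupsd      412 root    6u  IPv4  11000      0t0  TCP 127.0.0.1:631 (LISTEN)
firefox   2310 root   55u  IPv4  22000      0t0  TCP 192.168.1.20:48213->203.0.113.5:443 (ESTABLISHED)
busybox   3177 root    3u  IPv4  33000      0t0  TCP *:23 (LISTEN)
strangebin 3180 root   4u  IPv4  44000      0t0  TCP 192.168.1.20:51234->198.51.100.7:1234 (ESTABLISHED)'

# audit_sample: run the auditor over the constructed sample with cupsd and
# firefox allowed; the report should name the telnet listener and strangebin.
audit_sample() {
    printf '%s\n' "$SAMPLE_LSOF" | audit_lsof "cupsd,firefox"
}

# audit_live ALLOWLIST: the same check against this machine, if the full
# lsof is installed (the busybox lsof applet does not support -i).
audit_live() {
    command -v lsof >/dev/null 2>&1 || { echo "lsof not installed" >&2; return 2; }
    lsof -nPi | audit_lsof "$1"
}

audit_sample
```

An empty report is the normal case; each line it does print is a socket to look at with lsof -p PID or by checking the owning binary against your baseline checksums, not proof of infection by itself.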
~~~~~~~~~~
"You want it darker? We kill the flame." (L. Cohen)
musher0-
musher0 wrote: if there seems to be fishy behavior on your Internet line, your connection icon in the tray of all Puppies has a "disconnect" option (see attached picture) that you can click.
Right you are. And I have had occasion to do that (although on my Frisbee tray icon it's "disable" and "enable").
I wonder where you found the jpg image for the icon popup.
musher0 wrote: there is also the manual solution of physically disconnecting the ethernet cable or turning off the router.
Not for me, unfortunately, as I am wireless to someone else's router.
musher0 wrote: You can turn off the machine, of course, but it's not absolutely necessary for this purpose.
Yes, and it's slower than disconnecting from the wireless network.
musher0 wrote: Besides if you want to conduct some forensic work, you may want to keep the machine on. If you turn the machine off, the virus might disappear from RAM with the electrical current.
A good thought. I never liked shutting down when a computer I was using became infected. It leaves you in the dark. You never know what's going to happen when you boot back up (some malware only corrupts system files when booting). Better to disconnect from the Internet and track down the malware.
musher0 wrote: When the Mirai description says it's "using busybox" to propagate that virus, that's pretty vague, because busybox is a compact rewrite of about one hundred GNU utilities. It would be not only interesting but essential to know which one of those is the actual culprit.
Yes.
musher0 wrote: If we know which of the busybox sub-utilities is to blame, it should be simple enough to substitute it with the real and complete gnu utility it's intended to replace.
This occurred to me, but greengeek says that there is as yet no exact information on how Mirai uses busybox.
musher0 wrote: there is no mention of the Mirai infection on the Busybox site
I find that very strange, to say the least.
musher0 wrote: If it was as dramatic as it sounds, the developers there would have already provided a corrective, or working on it, no?
There's something fishy about all this, that's for sure. Could it be that the busybox people are so flummoxed that they won't say anything, or simply too embarrassed that a massive DoS went through their program?
musher0 wrote: In the meantime, rufwoof's debsums solution seems like a good idea to tone down the paranoia!
I'm waiting for an answer to whether a Debian utility like debsums will work in Carolite. And frankly I don't know how to install it. It's not listed in Carolite's package manager.
musher0 wrote: In short, let's keep our heads and we'll see this through.
As greengeek says, there's precious little we can do about it anyway. It's too bad that the hackers chose a Linux program for their dirty work, but that was inevitable. The features of Linux that make it right for IoT are just what the hackers were looking for. And what could be better, within Linux, than exploiting busybox? These hackers are fiendishly clever.
M7
Carolite-1.2 w/FF38 on bootable 16G flash drive; Asus eeePC 1000HA, Atom CPU, 2G RAM, 160G HDD.
Hi Mike7.
My reasoning is as follows:
Assuming that these sons-of-a-gun are specifically using busybox as their
vector, if we provide the real inet utilities instead, they're cooked.
If their code is, for example
Code: Select all
busybox -telnet
and that command does not exist, only
Code: Select all
telnet
they'd be getting nowhere.
That still needs to be proven, of course -- they could as well use the
"name" of the utility, regardless if it's busybox or not, but you can't go
wrong installing the real lsof for starters.
The real lsof is a very rich application for all sorts of uses. Type
Code: Select all
lsof -h | more
and you'll see!
Maybe rufwoof can provide us with more info about debsum.
~~~~~~~~~~~
(Thinking out loud here!)
In the meantime, if it's only to check if checksums of the executables
have changed, we could probably come up with a script saving the results
using cksum or md5sum and then use the diff compare utility on two
columns.
The first run would create a first column for reference on Puppy install.
Subsequent runs would appear in the second column say a few hours
later or the next day, or whenever you like.
The parameter is not fresh in my memory, but you can ask diff to show
only the differences between two texts or tables. So if you had
differences, you'd know your system integrity has been compromised.
And even with what little we know about the Mirai parasite, we know it
targets certain executables, so we could do a speed check on those. It
certainly wouldn't take five minutes, if we target, only maybe 20 seconds.
That list, coupled with results from lsof, would give a pretty good idea of
the integrity of the Puppy at any given time during our computing session.
BFN.
Last edited by musher0 on Sun 30 Oct 2016, 13:27, edited 2 times in total.
musher0
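The checksum-and-diff scheme sketched in the post above, and the principle behind rufwoof's debsums suggestion earlier in the thread (debsums compares installed files against the md5sums dpkg records for each package, and `debsums busybox` restricts the check to that one package's files), as an added shell example that is not code from either poster, from debsums or from Puppy: take a baseline of md5sums over a directory of executables, then re-hash later and report what changed, appeared or disappeared. The function names make_baseline, check_baseline and demo are mine, and the files and directory in the demo are constructed in a scratch directory; on a real system you would baseline /bin, /sbin and /usr/bin right after install and keep the baseline where the running system cannot rewrite it, such as the read-only main sfs or a second pendrive. The comparison is done in awk rather than with a two-column diff, so that a modified file is reported once as "changed" instead of as one removed and one added line.

```shell
#!/bin/sh
# Added example, not code from the thread: baseline-then-compare integrity
# check built from md5sum, the scheme musher0 sketches above and the idea
# behind debsums. All paths below are constructed in a scratch directory.

# make_baseline DIR OUT: write one "md5  path" line per regular file under DIR,
# sorted so two runs over an unchanged tree produce identical baseline files.
make_baseline() {
    find "$1" -type f | LC_ALL=C sort | while read -r f; do
        md5sum "$f"
    done > "$2"
}

# check_baseline DIR BASELINE: re-hash DIR and print "changed PATH",
# "added PATH" or "removed PATH" for every difference. Prints nothing when
# the tree still matches, so callers can test for empty output.
check_baseline() {
    tmp=$(mktemp) || return 2
    make_baseline "$1" "$tmp"
    # The first file (baseline) fills base[path]=md5; the second (current run)
    # is compared against it. FILENAME rather than NR==FNR, so an empty
    # current file still reports every baseline entry as removed.
    awk 'FILENAME == ARGV[1] { base[$2] = $1; next }
         {
             cur[$2] = 1
             if (!($2 in base))       print "added", $2
             else if (base[$2] != $1) print "changed", $2
         }
         END { for (p in base) if (!(p in cur)) print "removed", p }' "$2" "$tmp"
    rm -f "$tmp"
}

# demo: baseline a fake bin directory, then alter it the way a dropped
# binary would show up (one executable rewritten, one new file, one deleted)
# and print the report.
demo() {
    work=$(mktemp -d) || return 2
    mkdir "$work/bin"
    printf 'constructed stand-in for busybox\n' > "$work/bin/busybox"
    printf 'constructed stand-in for telnet\n'  > "$work/bin/telnet"
    printf 'constructed stand-in for tftp\n'    > "$work/bin/tftp"
    make_baseline "$work/bin" "$work/baseline.md5"
    echo "intact run: [$(check_baseline "$work/bin" "$work/baseline.md5")]"
    printf 'constructed stand-in for busybox, modified\n' > "$work/bin/busybox"
    printf 'constructed unexpected file\n' > "$work/bin/dropped"
    rm "$work/bin/tftp"
    echo "after tampering:"
    check_baseline "$work/bin" "$work/baseline.md5"
    rm -rf "$work"
}

demo
```

Hashing only the handful of executables the thread worries about (busybox, telnet, tftp, lsof and the sshd binary) keeps a run to seconds, as musher0 estimates; the baseline is only as trustworthy as its storage, which is why it belongs on media the running system cannot write.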
~~~~~~~~~~
"You want it darker? We kill the flame." (L. Cohen)
musher0-
musher0 wrote: If you read the last part of the article mentioned by green geek, you'll find that Mirai uses: telnet, ssh and busybox tftp
Sorry, but what article is that? (I couldn't find anything about busybox in the Sophos article.)
musher0 wrote: To play it safe you could install the inetutils from the GNU foundation . . . to replace the busybox tftp and telnet.
Will that run on Carolite (Carolina), do you think?
musher0 wrote: As to ssh, Puppy is offering the full ssh, not the busybox one.
I'm a little confused. Are you suggesting disabling the busybox ssh somehow and installing an ssh pet from a repository?
musher0 wrote: For your convenience, the latest version of lsof (lsof-4.89) is attached. Please install the libtirpc-1.0.1 first, then the lsof-4.89 utility.
Will these both run in Carolite-1.2 (Carolina)?
musher0 wrote: This complete lsof will replace the existing busybox lsof symlink you probably have on your Puppy.
My Carolite-1.2's busybox doesn't contain lsof. In any case, why would there be a symlink?
musher0 wrote: instead of panicking one could try to see if lsof shows traces of Mirai residues on your machine.
Good idea.
M7
Carolite-1.2 w/FF38 on bootable 16G flash drive; Asus eeePC 1000HA, Atom CPU, 2G RAM, 160G HDD.
Hello again, Mike7.
Well, I have a lsof on this Puduan-6 Puppy, but it's a symlink to some
busybox code. Back in the day, no Puppies at all had lsof. So this is sort
of an improvement!
Busybox works like that: it recognizes the symlink and executes the
corresponding part in its code. It's sort of like when you add parameters
to a script. Busybox is a meta-application with various parts: only the
lsof-specific part of busybox is used (to keep the lsof example).
For more examples, open your /bin directory, hover the cursor over the
symlinked files, and you'll see lots of names of utilities that are symlinked
to busybox.
About the article, I mean this one:
http://securityaffairs.co/wordpress/509 ... i-elf.html
BFN.
musher0
~~~~~~~~~~
"You want it darker? We kill the flame." (L. Cohen)
Mike7 wrote:
Hi, rufwoof.
Coupla questions here:
rufwoof wrote:
If you run Debian you can install debsums. . .and then validate all installed programs
- What do you mean by "If you run Debian"? Is Carolite (and Puppy in general) related to Debian?
- Can debsums be made to validate just a specific file or program or environment like Busybox, so that it doesn't have to check the whole system?
With Debian Stable the idea is that there's a central repository that you solely use, where all programs/packages are individually stable and work well with the other packages. That means you run older versions of programs, but ones that work ok and (maybe) have had patches applied. If that central repository is sound, then any system using some/part of that (selected programs) is also sound. It also means that every package has its md5 checksum stored in a central repository, so you can validate that what you actually have installed compares to what should be installed.
DebianDog puppy and/or any other pup that installs using the Debian repository can use debsums, as all it's basically doing is checking that a package's md5 matches. debsums can check individual packages, or the complete system including configuration files; however, my guess is that complete system checks wouldn't work for systems that used some packages/programs from here and there (elsewhere), like typical puppies do.
Like for scanning for rootkits, I tend to just boot frugally, install debsums or the rootkit scanner, run/scan and then reboot without saving afterwards. I do that pretty infrequently and as a comfort thing whenever the fancy takes. Personally I try and take the opposite view to most and consider all systems to be weak/breached, for instance as though my home desktop pc was a local public library pc. Most of the stuff I do I couldn't care less if anyone else saw/had access to that; for things that I want to keep secure such as online banking connections/passwords I boot/use a more secure setup. But obviously whilst blasé about general use I'm not totally casual and wouldn't want, for instance, something like Mirai to be installed/running.
Typically there are two busyboxes, one inside initrd that you need to uncompress and run through cpio to see the content of, and the main busybox (some pups might use the same busybox for both). Running the 'busybox' command alone will show all of the commands that have been compiled into that busybox. Your /bin files may be symlinks to the busybox version, or might be separate stand-alone programs. Even if there is no symlink for a program to busybox you can still run a busybox program ... for instance my system doesn't have lzop installed (a compression/decompression program similar to gzip) as a separate program, nor does it have a symlink to it within busybox, but it is in busybox, so I can run busybox lzop .... to run that. One way to validate the integrity of the busybox would be to check its md5sum against the original version, i.e. if the local version had been hacked/breached then that md5sum would differ from the original.
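The post above describes three things a practitioner wants to know about every command name on a Puppy: is it a standalone binary, a symlink (or hardlink) to busybox, or only reachable as "busybox NAME", and does the busybox binary itself still match a recorded checksum. The script below is an added example for this page, not code posted in the thread; it assumes "busybox --list" (busybox 1.19 and later; older builds print the applet table when run with no arguments), that the commands under test live in a PATH-style directory list, and, for the initrd helper, GNU cpio and a member named bin/busybox, as in a typical Puppy initrd.gz. The names checked at the bottom (telnet, tftp, ssh, lsof, lzop) are the ones discussed in this thread.

```shell
#!/bin/sh
# Added example for this page (not code from the thread): report how each
# command name is provided on a Puppy-style system, and check the busybox
# binary against a recorded md5sum. Assumes "busybox --list" works (busybox
# 1.19 and later; older builds print the applet list when run with no args).

# busybox_applets BUSYBOX : one applet name per line, as compiled into BUSYBOX.
busybox_applets() {
    "$1" --list 2>/dev/null
}

# classify_cmd NAME DIRS BUSYBOX   (DIRS is colon-separated, like PATH)
#   standalone  - a real file in DIRS that is not the busybox binary
#   busybox     - an entry in DIRS that is busybox itself (symlink or hardlink)
#   applet-only - not in DIRS at all, but "busybox NAME" would still run it
#   absent      - not in DIRS and not compiled into busybox either
classify_cmd() {
    name=$1 dirs=$2 bb=$3
    old_ifs=$IFS
    IFS=:
    set -- $dirs          # split DIRS on ":" into the positional parameters
    IFS=$old_ifs
    for d; do
        f=$d/$name
        [ -e "$f" ] || continue
        # -ef is true when both names resolve to the same inode, so it covers
        # symlinks (test follows them) and hardlinked busybox installs alike
        if [ "$f" -ef "$bb" ]; then echo busybox; else echo standalone; fi
        return 0
    done
    if busybox_applets "$bb" | grep -qx "$name"; then
        echo applet-only
    else
        echo absent
    fi
}

# verify_busybox BUSYBOX EXPECTED_MD5 : 0 if the binary still has that md5sum.
# Record EXPECTED_MD5 right after install (or take it from the pristine .sfs),
# the same idea as debsums checking against the md5sum stored in the package.
verify_busybox() {
    have=$(md5sum "$1" | awk '{ print $1 }')
    [ "$have" = "$2" ]
}

# initrd_busybox_md5 INITRD_GZ : md5sum of the busybox inside a gzip-compressed
# cpio initrd, without unpacking it to disk (assumption: GNU cpio for
# --to-stdout, and the member is named bin/busybox).
initrd_busybox_md5() {
    zcat "$1" | cpio -i --to-stdout bin/busybox 2>/dev/null | md5sum | awk '{ print $1 }'
}

# report NAMES... : one line per name, using $PATH and $BUSYBOX (default /bin/busybox).
report() {
    bb=${BUSYBOX:-/bin/busybox}
    for n in "$@"; do
        printf '%-8s %s\n' "$n" "$(classify_cmd "$n" "$PATH" "$bb")"
    done
}

# The commands named in this thread as Mirai's vector plus the two examples above.
report busybox telnet tftp ssh lsof lzop
```

A "busybox" result for telnet or tftp means the busybox applet answers to that name and replacing the symlink with the GNU inetutils binary changes what an attacker invoking "telnet" by name actually gets; "applet-only" means it is still runnable as "busybox telnet" even after the symlink is gone. On a pup built from the Debian repository, "debsums busybox" performs the same md5 comparison for that package from the stored package checksums, and "debsums -s" over the whole system prints only the files that differ.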
Edit, Nov. 2, 2016.
Kept for archival purposes. Please use the new version in this post.
Thanks.
~~~~~~~~~~~~~~~
Hello again.
Feel free to test this script:
Thanks in advance.
#!/bin/sh
# /usr/local/bin/md5sums-diff.sh
# To check sums of executables and compare them if different.
# (c) musher0, 2016/10/30. GPL3.
# Feel free to improve on this script.
#
## Usage: make a first run with
# < md5sums-diff.sh prep > on a pristine Puppy you have just installed.
# After that first run, you'll use the syntax
# < md5sums-diff.sh check > to find out if your executables are intact.
##
####
OriG="/root/my-applications/md5sums.lst.orig"   # reference table, written by "prep"
ChK="/root/my-applications/md5sums.lst.chk"     # current table, written by "check"

BuildTablE () {
# Writes the md5sum of every file in the usual executable directories to $LisT.
# md5sum follows symlinks, so a /bin/lsof -> busybox link hashes busybox itself.
mkdir -p "`dirname "$LisT"`"
: > "$LisT"
for i in /bin /sbin /usr/bin /usr/sbin /usr/local/bin
do echo "$i" >> "$LisT"
   md5sum "$i"/* 2> /dev/null >> "$LisT"
   echo . >> "$LisT"
done
}

case "$1" in
prep) LisT="$OriG"
      BuildTablE
      ;;
check) if [ ! -f "$OriG" ]; then
         echo "No reference table found: run < $0 prep > first." >&2
         exit 1
       fi
       LisT="$ChK"
       BuildTablE
       aA="`md5sum "$OriG" | awk '{ print $1 }'`"
       bB="`md5sum "$LisT" | awk '{ print $1 }'`"
       if [ "$aA" != "$bB" ];then
         # This will show the files that have a different md5sum.
         # (-y needs GNU diff; the busybox diff applet has no side-by-side mode.)
         diff -y --suppress-common-lines "$OriG" "$LisT"
         exit 1
       else
         echo "
The binary files have NOT been tampered with.
Your Puppy OS is ok.
"
         # Otherwise no files are shown, you simply get an all-clear message.
       fi
       ;;
*) echo "Usage: $0 prep | check" >&2
   exit 2
   ;;
esac
It's an application of the concept I was talking about earlier, here.
Finally, there's nothing to worry about concerning the "changed" example
in the picture: I simply edited the script above a little to see if the script
would detect the change. I then restored the script to its pristine state.
BFN.
Attachment: md5sum-diff_2016-10-30.jpg - You get an all-clear message (top of picture) if no files have changed. If some executables have changed, you get a listing (bottom of picture).
Last edited by musher0 on Wed 02 Nov 2016, 04:54, edited 2 times in total.
musher0
~~~~~~~~~~
"You want it darker? We kill the flame." (L. Cohen)
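A fuller version of the record-then-compare idea from musher0's posts above (the md5sum/cksum plus diff concept, and md5sums-diff.sh), written as an added example for this page rather than code from the thread. It assumes sha256sum, readlink, awk, cmp and diff (all in GNU coreutils/diffutils and in busybox) and uses /root/exec.manifest as a placeholder manifest path of my choosing. It goes beyond the thread's script in two ways: each manifest line also records whether the entry is a symlink and where it points, so swapping a "telnet -> busybox" link for a standalone binary is reported even when the hashed bytes are identical, and it adds the targeted quick check of a few names (the "20 seconds" variant) that musher0 suggested.

```shell
#!/bin/sh
# Executable integrity manifest: record once, compare later.
# Added example (not the thread's md5sums-diff.sh); assumes sha256sum, readlink,
# awk, cmp and diff, which GNU coreutils/diffutils and busybox both provide.

# One manifest line per entry: "<sha256>  <kind>  <path>"
# kind is "file" for a regular file, or "link:<target>" for a symlink, so a
# symlink to busybox being swapped for a standalone binary (or the reverse)
# is reported even when the bytes that get hashed did not change.
manifest_line() {
    f=$1
    if [ -L "$f" ]; then
        kind="link:$(readlink "$f")"
    else
        kind=file
    fi
    # sha256sum follows symlinks, so a link to busybox hashes busybox itself.
    sum=$(sha256sum "$f" | awk '{ print $1 }')
    printf '%s  %s  %s\n' "$sum" "$kind" "$f"
}

# record_manifest OUT DIR... : hash every regular file (or link to one) in DIRs.
record_manifest() {
    out=$1; shift
    : > "$out"
    for d in "$@"; do
        [ -d "$d" ] || continue
        for f in "$d"/*; do
            [ -f "$f" ] || continue   # skips directories, dangling links, sockets
            manifest_line "$f" >> "$out"
        done
    done
}

# check_manifest REF DIR... : rebuild the table and print the lines that differ
# ("<" is the recorded state, ">" the current one).
# Returns 0 when nothing changed, 1 when any line was added, removed or altered.
check_manifest() {
    ref=$1; shift
    cur=$(mktemp)
    record_manifest "$cur" "$@"
    if cmp -s "$ref" "$cur"; then
        rm -f "$cur"
        return 0
    fi
    diff "$ref" "$cur" | grep '^[<>]'
    rm -f "$cur"
    return 1
}

# quick_check REF NAME... : re-hash only the named commands, looking up their
# recorded lines by basename. A name missing from REF counts as a failure.
quick_check() {
    ref=$1; shift
    rc=0
    for name in "$@"; do
        paths=$(awk -v n="$name" '{ p=$3; sub(".*/", "", p); if (p == n) print $3 }' "$ref")
        if [ -z "$paths" ]; then
            echo "$name: not in manifest"; rc=1; continue
        fi
        for path in $paths; do
            want=$(awk -v p="$path" '$3 == p' "$ref")
            if [ -f "$path" ]; then have=$(manifest_line "$path"); else have="(missing)  $path"; fi
            if [ "$want" != "$have" ]; then
                echo "CHANGED $path"; echo "  was: $want"; echo "  now: $have"; rc=1
            fi
        done
    done
    return $rc
}

# Command-line use. DIRS is deliberately unquoted so it splits into arguments.
DIRS="/bin /sbin /usr/bin /usr/sbin /usr/local/bin"
case "$1" in
    prep)  record_manifest "${2:-/root/exec.manifest}" $DIRS ;;
    check) check_manifest  "${2:-/root/exec.manifest}" $DIRS ;;
    quick) quick_check     "${2:-/root/exec.manifest}" busybox telnet tftp ssh lsof ;;
    *)     echo "usage: $0 prep|check|quick [manifest]" >&2 ;;
esac
```

Two caveats the thread touches on only indirectly. First, a manifest kept on the same writable save layer as the binaries can be rewritten by whatever rewrote busybox; keep a copy off the machine or on read-only media, which is exactly what the frugal "boot, check, don't save" routine described earlier gives you for free. Second, md5 is fine for spotting an accidental or careless change, but sha256 costs nothing extra here and removes the collision argument entirely.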