Mirai malware infects Linux with Busybox

musher0
Posts: 14629
Joined: Mon 05 Jan 2009, 00:54
Location: Gatineau (Qc), Canada

#76 Post by musher0 »

Hehe. Gotta be on my tippy toes with you!

I might have "upx'd" it.
(upx is a compression tool a dev can use on executables.
It doesn't change anything, just compresses.)

Ok. Ho-ho, ho-ho, back to workshop I go!

For double-checking.

Edit after double-checking: Docs are included in the lsof-4.89C *.pet,
among them the file lsof-FAQ, 307 Kb. No docs in the other one.


~~~~~~~
Considering, current glibc is at version 2.24...
https://sourceware.org/glibc/wiki/Glibc%20Timeline
I'll see what I can do.

TWYL.
Last edited by musher0 on Wed 21 Dec 2016, 21:54, edited 1 time in total.
musher0
~~~~~~~~~~
"You want it darker? We kill the flame." (L. Cohen)

belham2
Posts: 1715
Joined: Mon 15 Aug 2016, 22:47

#77 Post by belham2 »

musher0 wrote:I'm insulted. What do you think my script is? Difficult?

If you think unzipping a file at a certain place, making it executable and
running it is difficult, you're hopeless.

Wow.

Musher,

Yes, I am hopeless. A lost soul in the wilderness of casual users. What do I mean? Family coming into my office (home) and grabbing puppy USB sticks and disappearing for days with them. So, against all reason, yes, I wished there was an easier way to detect 'busybox' pwning, so that these family users of mine would be hit with a big popup box that says something like:

"...Hey, your computer system's busybox has been compromised, and as you read this message all chances of you going to college & having it paid for are disappearing by the second........"

:wink:

P.S. Thanks again for the script---I set it up where it now runs (after 2 mins has passed from startup) without me lifting a finger. Pop up then hits and lets me know what's up with ole' busybox. Merci-Gracias, ami-amigo :D

musher0
Posts: 14629
Joined: Mon 05 Jan 2009, 00:54
Location: Gatineau (Qc), Canada

#78 Post by musher0 »

@Mike7

"fi" closes an "if... then... else... fi" conditional statement.

musher0
Posts: 14629
Joined: Mon 05 Jan 2009, 00:54
Location: Gatineau (Qc), Canada

#79 Post by musher0 »

@belham2

Ah, I see. Sorry I took your other post the wrong way.

What you need is a "tragicomic" Id Check, I think.
Tragic for the thief, funny for you.

What I see is:

A script halts any other task after N minutes and asks the thief to identify
him/her-self.

If the wrong answer is provided, Puppy issues a fictitious threat, presents
maybe a video or series of pics of a college fund being depleted, and
finally shuts down after "vote" for a sound ("vote" because of free country
and all that!) has been selected:
-- satanic laughter :twisted:
-- dog "singing" while master playing the piano (would be more Puppyish!)
-- coins dropping
-- judge slamming wooden hammer on desk
-- other (imagination went blank just when I needed a little more of it!).

Reasoning being:
"This is a free country so you have to vote for something if only to
exercise your freedom neurones. Not voting is not a choice." :twisted:

The rightful owner would have beforehand provided the correct Identity
answer, of course, in a little text file the script reads for validation. (Could
be any combination of letters, really. Maybe a ridiculous name, to stay in
the spirit of mockery.)

Interesting problem! Sort of a password script with a twist! Some routines
from the busybox compare script above could be re-used.

BFN.

Mike7
Posts: 400
Joined: Tue 19 Feb 2013, 00:31

#80 Post by Mike7 »

musher0-
musher0 wrote:Docs are included in the lsof-4.89C *.pet, among them the file lsof-FAQ, 307 Kb. No docs in the other one.
OK, that clears it up.
musher0 wrote:Considering, current glibc is at version 2.24...
https://sourceware.org/glibc/wiki/Glibc%20Timeline
I'll see what I can do.
Thanks. I hate to give you more work, but it would be nice if things were compatible.

For that matter, I wonder if libtirpc-1.0.1 is compatible with glibc 2.10.1? (There is no libtirpc in the Carolina repo and naturally none in Carolite-1.2.)

Re fi: Of course! I should have seen that fi was the inverse of if. How unimaginative I am, and how devilishly clever (and, yes, annoying too) are these scripting languages.

M.
Carolite-1.2 w/FF38 on bootable 16G flash drive; Asus eeePC 1000HA, Atom CPU, 2G RAM, 160G HDD.

musher0
Posts: 14629
Joined: Mon 05 Jan 2009, 00:54
Location: Gatineau (Qc), Canada

#81 Post by musher0 »

Hello, Mike7.

I must confess I have no Carolina Pup installed on any of my 3 boxes...

I have an old Community Edition Pup (by wanderer) on one of them,
which has glibc 2.10, IIRC. So I could compile lsof for you on that Pup.

Also, I need a bit of time: I'm trying to solve a very strange "permission
denied" bug I've recently encountered on my Puduan-6 Pup when I try to
edit some of my scripts. (Should be in the list of new threads.)

Plus another bug I didn't post about, on the same Pup, which is opera
12.16 not doing copy-and-paste a couple of hours into my session. So I
can't post any helpful URL at the moment.

Both bugs are slowing me down. Granted, I can use a recent browser, it's
less of an issue; but the "permission denied" bug is getting my goat.

A case of the "Cobbler's Son", I suppose???!!! :roll:

BFN.

Mike7
Posts: 400
Joined: Tue 19 Feb 2013, 00:31

#82 Post by Mike7 »

musher0-
musher0 wrote:I must confess I have no Carolina Pup installed on any of my 3 boxes
That does make it tricky.
musher0 wrote:I have an old Community Edition Pup (by wanderer) on one of them, which has glibc 2.10, IIRC. So I could compile lsof for you on that Pup.
Sure, if you think that would be the same as using Carolite's glibc 2.10.1.
musher0 wrote:Also, I need a bit of time
No hurry. I'll just continue without lsof for now, as I've been doing, and hope that neither Mirai nor anything else creeps into my machine or server in the meantime.
musher0 wrote:case of the "Cobbler's Son", I suppose?
Uhhh. . . That's a new one on me. Must be a Quebec fairy tale. :)

M.

musher0
Posts: 14629
Joined: Mon 05 Jan 2009, 00:54
Location: Gatineau (Qc), Canada

#83 Post by musher0 »

@Mike7:

I just checked the glibc on wanderer's Puppy CE-3, and unfortunately, its
version number is 2.11, not 2.10, as I initially thought. Compiling lsof on it
wouldn't make it compatible for your Carolina.

Puppy CE-3 is the Puppy with the lowest glibc I have.

Have you ever thought of upgrading to a recent Puppy? ;)

BFN.

musher0
Posts: 14629
Joined: Mon 05 Jan 2009, 00:54
Location: Gatineau (Qc), Canada

#84 Post by musher0 »

(Edited Sat., Jan. 07, 2016)
~~~~~~~~~~~~~~~~~~~~
Hello all.

I just thought of this very simple security enhancement:

In view of the mirai attack and perhaps copycats, it can't hurt to un-tick
the "world execute" bit on busybox, in your /bin directory.

It's very easy to do:
-- open the /bin directory with ROX-Filer;
-- right-click on the desired executable. A sub-menu shows up;
-- in this sub-menu, click "Properties". A panel will be displayed as in the
attached picture;
-- if a tick is present in the little square at the "World / Execute" intersection,
click inside this little box. The box will become blank, the result being that
the "world execute" bit is deactivated;
-- close the panel. That's it!

If for whatever reason you need this "world execute" bit back on, just do
the above process in reverse and re-tick this little square.

Explanation:
User "root" (meaning: you) and group "root" (meaning: your group) will
still be able to access and execute the busybox executable absolutely
normally, and any script depending on it, but it will be out of reach for
any other group or user.

A seasoned "kiddo" can probably find ways around this. Nevertheless,
IMO we've just complicated his hacking a little.

IHTH. BFN.
Last edited by musher0 on Sun 08 Jan 2017, 03:36, edited 1 time in total.

Mike7
Posts: 400
Joined: Tue 19 Feb 2013, 00:31

#85 Post by Mike7 »

musher0-
musher0 wrote:I just checked the glibc on wanderer's Puppy CE-3, and unfortunately, its version number is 2.11, not 2.10, as I initially thought. Compiling lsof on it wouldn't make it compatible for your Carolina.
That's more bad luck, for me. Couldn't you just download the Carolite-1.2 iso, install it onto a pendrive, and compile lsof off that?
musher0 wrote:Have you ever thought of upgrading to a recent Puppy?
Naturally. But the more recent puppies don't have all the bells and whistles for the EeePC (e.g. the Fn>F1 save-to-RAM/sleep functionality; the ASUS acpi tools for monitoring fan speed and CPU temp.; email print-to-pdf; etc.) that Carolite has, because it was designed for my EeePC. Carolite (Carolina) is simply a highly superior, sophisticated version of Puppy, which I suppose is why there are people keeping the Carolina repo updated with a profusion of pets (at smokey01).

Unfortunately they stopped supporting Carolite a while back. So no newer version with a more recent glibc. :)

Happy New Year!

Mike7

musher0
Posts: 14629
Joined: Mon 05 Jan 2009, 00:54
Location: Gatineau (Qc), Canada

#86 Post by musher0 »

You could compile it yourself, you know, if you have the devx file for Carolina.

It's almost as simple as pie! If you're interested, I could provide you with the
instructions.

Happy New Year to you too!

Geoffrey
Posts: 2355
Joined: Sun 30 May 2010, 08:42
Location: Queensland

#87 Post by Geoffrey »

Mike7 wrote:Unfortunately they stopped supporting Carolite a while back. So no newer version with a more recent glibc.
You could try Carolina: Vanguard Edition with Glibc2.20, it should be slim if you remove the adrive
Carolina: Recent Repository Additions (http://smokey01.com/carolina/pages/recent-repo.html)

Mike7
Posts: 400
Joined: Tue 19 Feb 2013, 00:31

#88 Post by Mike7 »

musher0-

(after lengthy holiday recess)
musher0 wrote:You could compile it yourself
I don't think you quite realize what you're saying. I've never compiled anything. I don't even know what compiling is.
musher0 wrote:I could provide you with the instructions.
I sincerely appreciate your generous offer of help, but I don't think I should get into this. I will get lost and suffering will ensue.

M.

Mike7
Posts: 400
Joined: Tue 19 Feb 2013, 00:31

#89 Post by Mike7 »

Hi, Geoffrey.
Geoffrey wrote:You could try Carolina: Vanguard Edition with Glibc2.20,
I seriously considered making the switch-over some time ago, and for some reasons I can no longer fully recall decided against it. I think one of the things was that Carolina is heavier than Carolite (duh). Another was on purely religious grounds: IF IT AIN'T BROKE, DON'T FIX IT. Plus, all the pretty pictures at that link scared me.

And now, just to have a newer Glibc? I dunno. . .
Geoffrey wrote:it should be slim if you remove the adrive
I'd like to know how the heck to get rid of the adrive in Carolite first. :(

M.

musher0
Posts: 14629
Joined: Mon 05 Jan 2009, 00:54
Location: Gatineau (Qc), Canada

#90 Post by musher0 »

Compiling an executable for Puppy is as easy as learning to swim: you dive
in and you do the dog paddle! ;)

belham2
Posts: 1715
Joined: Mon 15 Aug 2016, 22:47

#91 Post by belham2 »

Mike7 wrote: I don't think you quite realize what you're saying. I've never compiled anything. I don't even know what compiling is.

Mike,

If a bungling dunderhead old fart like me can have a few compiling successes, then you can too! Seriously, it is intimidating at first, but then once you start banging on the keyboard telling it to "MAKE" and stuff like that, you start to think "hey, I can do this!" Seriously, it is not hard to give it a go and doesn't take that much time. You spend more time typing out replies here than you would if you'd give compiling a go (but, hey, maybe that is our secret intent---to connect with others across this blue orb of ours). Anyhooot, when compiling, the only question is not only whether it (the compiling) succeeds, but more importantly if your creation works how it is supposed to lol! :lol: And you'll know that lickety-split once you load it in and see. That's the fun, and when it does work, my Lord, the beer tastes that much sweeter that night 8)

musher0 wrote:Compiling an executable for Puppy is as easy as learning to swim: you dive in and you do the dog paddle! ;)
....and don't worry, Musher (and Geoffrey & others) say this to everyone. They throw us in the big darn compiling ocean and then see if we sink or swim. They haven't let many of us drown...at least not yet :wink:

musher0
Posts: 14629
Joined: Mon 05 Jan 2009, 00:54
Location: Gatineau (Qc), Canada

#92 Post by musher0 »

You missed the pun between compiling on Puppy and doing the dog paddle? :lol:
Anyway, it's not the Big Blue, probably more like the local frog pond!

belham2
Posts: 1715
Joined: Mon 15 Aug 2016, 22:47

#93 Post by belham2 »

musher0 wrote:You missed the pun between compiling on Puppy and doing the dog paddle? :lol:
Anyway, it's not the Big Blue, probably more like the local frog pond!
Musher,

As a side note to this thread (plz excuse me, original author, Mike7, but the topic did come up concerning compiling), are there any plans for a, say, brand spanking-new compiled Puduan 7.0 or such....maybe with your security busybox script (and any others) included by default.....helping protect us poor, wretched puppy souls from mirai malware :lol: :wink:

Mike7
Posts: 400
Joined: Tue 19 Feb 2013, 00:31

#94 Post by Mike7 »

musher0-
musher0 wrote:Compiling an executable for Puppy is as easy as learning to swim: you dive in and you do the dog paddle!
My air-conditioning is on the blink and it's 98 F. in Buenos Aires today. I don't think it's the right moment for experiments.

For now, I have disabled "World" in the bash and busybox permissions as you suggested.

M.

Mike7
Posts: 400
Joined: Tue 19 Feb 2013, 00:31

#95 Post by Mike7 »

musher0-

I jumped the gun and spoke too soon. Carolite has Thunar, not ROX-filer, and the Permissions tab in Properties gives only these four choices for each group: Read Only, Write Only, Read & Write, and None. There is no Execute choice for each group. At the bottom of the tab there's a tick box that says "Allow this file to run as a program". That's all there is on the Permissions tab.

So, how do I disable "World - Execute" while leaving "Owner - Execute" enabled? Can it be done with the terminal?

M.
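The terminal version of the "world execute" change from post #84, which is what Mike7 asks for here since Thunar's Properties tab offers no per-group Execute box. This is an added example, not a script from the thread or from Puppy itself: it assumes a POSIX sh with chmod and find (the busybox versions are fine), and it demonstrates on a constructed scratch file so it can be run safely before touching the real /bin/busybox or /bin/bash. As the post itself explains, only root and the root group keep execute access afterwards; since a normal Puppy session runs as root, the bit only constrains processes running as some other user.

```shell
#!/bin/sh
# Added example (not from the thread): clear the "world execute" bit on a
# binary from the terminal, verify it, and restore it if ever needed.
# Assumes POSIX sh plus chmod and find (busybox applets are sufficient).

# Return 0 if "others" hold execute permission on $1, 1 otherwise.
# find -perm -001 prints the path only when the o+x bit is set.
world_exec_set() {
    [ -n "$(find "$1" -maxdepth 0 -perm -001 2>/dev/null)" ]
}

# Clear only the world-execute bit. Owner and group bits are untouched, so
# root (the user Puppy runs as) and the root group execute the file as before.
drop_world_exec() {
    file="$1"
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }
    chmod o-x "$file" || return 1
    if world_exec_set "$file"; then
        echo "failed: $file is still world-executable" >&2
        return 1
    fi
    return 0
}

# The "reverse" step from the post: put the bit back and confirm it is set.
restore_world_exec() {
    chmod o+x "$1" && world_exec_set "$1"
}

# Demonstration on a constructed scratch file rather than /bin/busybox.
# Usage on the real thing would be:  drop_world_exec /bin/busybox
demo() {
    tmp=$(mktemp) || return 1
    chmod 755 "$tmp"            # rwxr-xr-x, like a typical /bin/busybox
    printf 'before: '; ls -l "$tmp"
    drop_world_exec "$tmp"
    printf 'after:  '; ls -l "$tmp"   # expect rwxr-xr--
    rm -f "$tmp"
}

if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

Run it as `sh script.sh --demo` to see the before/after mode strings; `ls -l /bin/busybox` afterwards should end in `r-x` for owner and group but `r--` for others. Since /bin/busybox is what most Puppy init and rc scripts call, check that your own scripts still run as root before leaving the change in place.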
