Message-Id: <20C0F766-3261-4AAE-B2D8-05528BE50A4C@planetkips.nl>
Date: Fri, 8 Nov 2013 19:21:38 +0100
From: Jasper Kips <jasper@...netkips.nl>
To: Alex <fd@...oo.de>
Cc: "<Full-Disclosure@...ts.grok.org.uk>" <Full-Disclosure@...ts.grok.org.uk>
Subject: Re: I'm new here, and I already have something to share

Alex,

Not allowing anonymous SSH doesn't mean you need a password for SSH.
Actually, certificates are way more secure than passwords.

Just a damned security guy

Jasper Kips,
Always waiting for the ricochet

> On 8 Nov. 2013 at 18:47, Alex <fd@...oo.de> wrote:
>
> I don't care about this worm. Having password on ssh is not user friendly. Damn you security guys.
>
>
> On 7 November 2013 07:02:23, Jack Johnson <jack@...l.umbrellix.tk> wrote:
>> It is a user friendly report about a new worm/rootkit (only goes into worm mode when UUCP is active) that is able to, but has not yet, wreaked havoc on any system that it infects.
>>
>> This report does drop dox, since it mentions the handle of an EFNet user. However, all it is
>> is a description of a currently-active rootkit.
>>
>> Xplatform.JPreskit rootkit
>>
>> User friendly report written by Jack Johnson
>> 'j4jackj' on EFNet
>>
>> DESCRIPTION
>> This newest infection is a rootkit spread by weak passwords and duff links.
>> It was made by an EFNetter called JPres. He originally developed it on the BeOS
>> but it is able to strike every operating system that has actual use in the world.
>>
>> THREAT LEVEL
>> This threat is terminal, for once a computer is infected, if you isolate it,
>> the failsafe mode kicks in. The JPresKit failsafe is to nuke the hard disk on which /
>> resides.
>>
>> It is able to infect Windows ia32 and amd64 architectures, Debian and RHEL 32 and 64,
>> and the BeOS, PowerPC and Intel.
>>
>> Threat activation is manual, by an unsuspecting user or by the master using a weak
>> password via SSH and RSH.
>>
>> PAYLOAD DELIVERY
>> Payload delivery once the rootkit is on the computer is by Pastebin.com.
>> Payloads are encrypted and base64 encoded. It is unknown which encryption method
>> from those available in a default (insert form of UNIX here) install is used.
>>
>> The format for payload titles is @tagYYYYMMDDSS where YYYYMMDDSS is a
>> serial number determining the time of execution, and tag is the
>> tag of the rooted machine.
>>
>> BEHAVIOUR
>> On UNIX systems, when UUCP is enabled, this rootkit is also a worm.
>> This rootkit/worm is able to morph by the master issuing commands to the
>> worm.
>>
>> RECOMMENDED ACTION
>> You must back up and reinstall. This rootkit may still be present after a reinstall,
>> if you moved your files to the new installation.
>>
>> PREVENTION
>> In the future, do not allow anonymous SSH into your computer, unless for things like UUCP.
>> This will prevent future reinfection.
>>
>> Thank you for reading this report as a matter of urgency.
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
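Jasper's point that sshd can refuse anonymous and password logins while still accepting key-based access, as an added example that is not part of this thread: a POSIX sh audit of two constructed sshd_config files. It assumes OpenSSH's documented defaults for keywords that are absent (PasswordAuthentication yes, PermitEmptyPasswords no, PubkeyAuthentication yes, KbdInteractiveAuthentication yes) and does not evaluate Match blocks.

```shell
# Constructed sample sshd_config files (not from the thread): one that still
# accepts password and even empty-password logins, one hardened to keys only.
weak_cfg=$(mktemp)
cat > "$weak_cfg" <<'EOF'
PasswordAuthentication yes
PermitEmptyPasswords yes
EOF
hardened_cfg=$(mktemp)
cat > "$hardened_cfg" <<'EOF'
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitEmptyPasswords no
EOF

# sshd_option FILE KEYWORD: effective value of KEYWORD. sshd honours the first
# occurrence of a keyword, so the first match wins; an absent keyword falls back
# to the OpenSSH default assumed here. Match blocks are not handled.
sshd_option() {
  _val=$(awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1")
  [ -n "$_val" ] && { printf '%s\n' "$_val"; return 0; }
  case "$2" in
    PasswordAuthentication|PubkeyAuthentication|KbdInteractiveAuthentication) echo yes ;;
    PermitEmptyPasswords) echo no ;;
    *) echo unknown ;;
  esac
}

# audit_sshd_config FILE: print every setting that still lets a client log in
# with a (weak or empty) password; returns 0 only when the file is keys-only.
audit_sshd_config() {
  _rc=0
  [ "$(sshd_option "$1" PermitEmptyPasswords)" = no ] ||
    { echo "FAIL: PermitEmptyPasswords yes (empty passwords accepted)"; _rc=1; }
  [ "$(sshd_option "$1" PasswordAuthentication)" = no ] ||
    { echo "FAIL: PasswordAuthentication yes (password logins accepted)"; _rc=1; }
  [ "$(sshd_option "$1" KbdInteractiveAuthentication)" = no ] ||
    { echo "FAIL: KbdInteractiveAuthentication yes (PAM can still prompt for a password)"; _rc=1; }
  [ "$(sshd_option "$1" PubkeyAuthentication)" = yes ] ||
    { echo "FAIL: PubkeyAuthentication no (no key-based login left)"; _rc=1; }
  return $_rc
}

echo "== weak ==";     audit_sshd_config "$weak_cfg" || echo "needs hardening"
echo "== hardened =="; audit_sshd_config "$hardened_cfg" && echo "keys only"
```

The weak file never mentions PubkeyAuthentication, so the audit reports it as enabled by default; the remaining failures are the password paths Jasper is talking about.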