Linux devices are under attack by a never-before-seen worm (arstechnica.com)

submitted 5 months ago by SJSmith@lemmy.world to c/technology@lemmy.world

42 comments fedilink hide all child comments

top 42 comments

sorted by: hot top controversial new old

[-] mlfh@lemmy.ml 141 points 5 months ago

This is just an attack that attempts common username/password combinations on ssh, and the article even states that the worm is dime-a-dozen. Unless you have both password auth enabled and an available account with an easily guessable password (and if you have either you should change that), this is nothing to worry about, even with sshd available to the internet.

Sensationalist title.

[-] ichbinjasokreativ@lemmy.world 39 points 5 months ago

Thank you, spared me from giving attention to an unworthy article

[-] SharkAttak@kbin.social 4 points 5 months ago

savedusaclick

[-] Dasnap@lemmy.world 17 points 5 months ago

Hell, even having a lax fail2ban stops these attacks.

[-] knobbysideup@sh.itjust.works 9 points 5 months ago

Prevention, as always, is much easier than a cure.

[-] CyberSeeker@discuss.tchncs.de 23 points 5 months ago* (last edited 5 months ago)

Linux device attacks preventable by standard security precautions

[-] Lifecoach5000@lemmy.world 22 points 5 months ago* (last edited 5 months ago)

So as a new Linux guy that just has Ubuntu installed on a laptop running media server, sounds like I shouldn’t be worried since it is NAT’d behind my router and this worm compromises telnet and SSH connections. Am I getting the gist right? Totally newb here again.

[-] flyos@jlai.lu 33 points 5 months ago

Not particularly security savvy, but :

The infected devices then attempt to crack the telnet password by guessing default and commonly used credential pairs.

My understanding is that the worm is targetting connected devices with supidly simple credentials, which is why "Internet-of-Things" is mentioned?

[-] SlopppyEngineer@lemmy.world 16 points 5 months ago

Looking at sites like insecam.org, the amount of devices still sett to admin/admin is frighteningly high

[-] thisisawayoflife@lemmy.world 5 points 5 months ago

Systems with exposed SSHd, but also properly configured, are also not at risk.

[-] Jackinopolis@sh.itjust.works 5 points 5 months ago

Conventional Linux use should be fine. It's targeting SSH connections to other things over the net; connecting to a server, remote camera, etc. So it reverse engineers the connection by brute-forcing(?) Weak ssh passwords to install the malware.

I'm not an IT professional but this is my layman interpretation.

[-] Kethal@lemmy.world 4 points 5 months ago* (last edited 5 months ago)

People are giving some advice but it doesn't seem appropriate for an absolute newbie. Here's what I'd say. Absolutely do not run telnet. Because it's so insecure and everyone knows that, it's usually not on by default, and you would have had to start it yourself somehow. It's unlikely that you did that, but you can check to see.

If you're new, you very likely don't need an SSH server running. Unless you're logging into that computer remotely, you don't need it. It's probably not running, but it's conceivable that it could run by default. Check to see and disable it if you don't need remote login.

If you do need remote login, use SSH and use a very good password. Ideally, you'd need to leave newbie territory and use public-private keys instead of a password. It's also not a bad idea to use a nonstandard port, instead of 22. That doesn't beef security much, but many scanners are going to look for 22 and nothing else.

[-] Lifecoach5000@lemmy.world 2 points 5 months ago

Thank you for the well thought out response! I, myself do know my way around networking a bit. Linux in general is what I am just now dipping my toes in. Loving it and learning a lot.

[-] dgriffith@aussie.zone 1 points 5 months ago

To add to this, install fail2ban (most distros have it in their package system) and activate it for the various things that use username/passwords in your system.

Basically it monitors access logs and blocks the IPs that repeatedly fail logins.l for a certain amount of time.

This drastically reduces the effectiveness of brute force attempts - as long as your password isn't, "password" and guessable in one go.

[-] QuadratureSurfer@lemmy.world 3 points 5 months ago

Hard to tell at a glance.

The telnet vulnerability allows it to infect some older IoT devices (such as CCTV cameras) or if you are using an older router where telnet is enabled (or may be enabled by default). Most modern devices don't use that method anymore due to security concerns.

The SSH vulnerability can affect a lot more devices. So if you have a Raspberry Pi on your network with a default account/password or a weak password then it can infect that and spread to other devices on your local network. Or maybe a cheap IoT device that has weak security... same problem.

A concern for you is if you have some other device on your network that was vulnerable, because then that device can serve as a point for the worm to jump to your other devices (if they also use default passwords or weak passwords).

Another big question to ask is whether you have UPnP enabled on your router.

Either way I would make sure that you have strong passwords, change the default username, etc, on all of your devices.

[-] foggy@lemmy.world 1 points 5 months ago

Can you connect to your server when not on your network?

If no, you're definitely ok.

[-] uint32@discuss.tchncs.de 1 points 5 months ago

There will always be new malware. Just update regularly and use your head. Don't worry about it too much

[-] linearchaos@lemmy.world 17 points 5 months ago

A million attacks a day have done this for the past 20 years. ssh + bad password is so old it can drink in the US.

ssh-keygen is your friend, pretty much no reason not to use it.

[-] 21Cabbage@lemmynsfw.com 11 points 5 months ago

One would assume it wouldn't have been seen before, be weird if a patch got pushed and all of a sudden an old virus came back out of the archives like that permafrost thing people are paranoid about.

[-] cmnybo@discuss.tchncs.de 10 points 5 months ago

This is why you don't allow password login for SSH, especially not on systems that are accessible from the internet.

[-] cyberpunk007@lemmy.world 2 points 5 months ago

This might as well be an article about windows systems exposing RDP to the internet.

[-] terminhell@lemmy.world 6 points 5 months ago

I'm guessing, per the article, that as long as you're not exposing telnet/ssh directly, you should be ok? If you're doing that already, why? I could see having some iot device that isn't properly segmented from the rest of your lan already problematic, and something like this would be a concern.

[+] Squizzy@lemmy.world -28 points 5 months ago

I shouldn't be on Linux, I don't know anything about computers. This is why Windows is the safer bet.

[-] TheOSINTguy@sh.itjust.works 24 points 5 months ago

Whenever linux has a big sercurity issue, its a big deal. whenever windows has a big security issue, its just another tuesday.

That should tell you that windows systems are targeted much more.

[-] Squizzy@lemmy.world 3 points 5 months ago

The security threat isn't the issue, my skillset is.

[-] naticus@lemmy.world 1 points 5 months ago

Not all distros are that hard to get into. I personally don't care one way or another as long as you're comfortable with your OS, but it'd be worth giving Linux a try at some point. Mint Linux or PopOS! are both good options for entry level Linux (but not limited to just entry level).

[-] Squizzy@lemmy.world 1 points 5 months ago

I'm switch to Linux soon just this type of thing turns me away because I have no idea what mounting a drive means much less how to do it and things like gnu, kernel and running on like directly typed instructions are alien to me.

[-] themurphy@lemmy.world 2 points 5 months ago

I think it's because the general public would expect a big company to come and fix it, like Microsoft. They feel safe because it's a well known OS that everyone uses. So it can't be unsafe, right? Right?

With Linux you're fucked if you have no computer knowledge, like most people. That's the general thinking.

[-] TheOSINTguy@sh.itjust.works 1 points 5 months ago

I dont think a non-tech savvy person would be fucked, I think it would deffenatly be harder to use but UX in linux has been getting steadily better.

[-] c0mbatbag3l@lemmy.world 1 points 5 months ago

True, but that's the point.

Linux isn't safer because it's more secure, it's safer because no one writing malware is going to target only 4% of the market when they could write malware for 60% of the market.

[-] Sanguine@lemmy.world 6 points 5 months ago

Maybe 4% desktop market share. You are not including Linux market share of servers; this would be a more worthwhile target.

[-] Evil_incarnate@lemm.ee 2 points 5 months ago

But a much harder target, as servers will usually have someone at least semi-competent keeping them updated. Until rising costs and you know, the economy, force the ceo to choose between an IT department and a new boat.

[-] c0mbatbag3l@lemmy.world 1 points 5 months ago

Those servers are also sitting in and/or behind DMZs specifically configured with network based intrusion prevention systems to protect them.

So while more valuable, they're also better protected because network security is a thing.

[-] Sanguine@lemmy.world 1 points 5 months ago

Yeah fair enough. I'd have to assume folks who spend time making malware want a return on their investment, whether financial or status / fame. Not a big ROI on hacking my gaming desktop or a thinkpad I use to stream movies.

[-] c0mbatbag3l@lemmy.world 1 points 5 months ago

That's true for all OSs though, you might be a target of convenience but the money is in enterprise networks.

[-] CluckN@lemmy.world 1 points 5 months ago

By Jehovah you can’t say that on Lemmy!

[-] JimmyBigSausage@lemm.ee 4 points 5 months ago

NOT the boreworm!!

[-] paraphrand@lemmy.world 3 points 5 months ago

Flash, ahhhhh!

[-] excitingburp@lemmy.world 2 points 5 months ago

/ laughs in immutable Linux

[-] cyberpunk007@lemmy.world 1 points 5 months ago

What use is an immutable system, if it doesn't already have the data on it that an attacker can steal?

[-] excitingburp@lemmy.world 1 points 5 months ago* (last edited 5 months ago)

Worms are near impossible to install on an immutable system. You can't just write to /usr/share/bin or some other truck to hide your binary. It doesn't help at all with exfiltration

[-] cyberpunk007@lemmy.world 1 points 5 months ago

Your last sentence is exactly my point.

this post was submitted on 10 Jan 2024

99 points (70.9% liked)

Technology

55606 readers

2356 users here now

This is a most excellent place for technology news and articles.

Our Rules

Follow the lemmy.world rules.
Only tech related content.
Be excellent to each another!
Mod approved content bots can post up to 10 articles per day.
Threads asking for personal tech support may be deleted.
Politics threads may be removed.
No memes allowed as posts, OK to post as comments.
Only approved bots from the list below, to ask if your bot can be added please contact us.
Check for duplicates before posting, duplicates may be removed

Approved Bots

founded 1 year ago

MODERATORS