Raw sockets backdoor gives attackers complete control of some Linux servers

by Dan Goodin, from Ars Technica - All content
[Image: backdoor.jpg] (credit: Jeremy Brooks)

A stealthy backdoor undetected by antimalware providers is giving unknown attackers complete control over at least 100 Linux servers that appear to be used in business production environments, warn researchers.

In a blog post published Wednesday, Montreal-based GoSecure claimed that a piece of malware dubbed "Chaos" is infecting poorly secured systems by guessing weak passwords protecting the secure shell application that administrators use to remotely control Unix-based computers. The secure shell, or SSH, accounts being compromised run as root, and this is how the backdoor is able to get such access as well. Normally, firewalls in front of servers block such backdoors from communicating with the outside Internet. Once installed, Chaos bypasses those protections by using what's known as a "raw socket" to covertly monitor all data sent over the network.

"With Chaos using a raw socket, the backdoor can be triggered on ports running an existing legitimate service," Sebastian Feldmann, a master's degree student intern working for GoSecure, wrote. "As an example, a Webserver that would only expose SSH (22), HTTP (80), and HTTPS (443) would not be reachable via a traditional backdoor due to the fact that those services are in use, but with Chaos it becomes possible."
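A backdoor that listens through a raw socket does not show up as a listening port, but the raw socket itself is still visible in /proc/net/raw (IPv4 SOCK_RAW) and /proc/net/packet (AF_PACKET), and its inode can be traced back to the owning process. The audit below is an added example, not code from the article or from GoSecure's analysis; it assumes the standard Linux /proc layout, and the sample table lines it ships with are constructed, not captured from an infected host.

```python
import os
from pathlib import Path

# Constructed sample lines in the layout of /proc/net/raw and /proc/net/packet (not from a real
# infection): an IPv4 SOCK_RAW socket for protocol 6 (TCP) and an AF_PACKET socket for ETH_P_ALL.
SAMPLE_RAW = """  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
   6: 00000000:0006 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 48213 2 0000000000000000 0
"""
SAMPLE_PACKET = """sk       RefCnt Type Proto  Iface R Rmem   User   Inode
ffff9a1c3e2b0000 3      3    0003   2     1 0       0      48220
"""

def parse_proc_net_raw(text):
    """[(inode, uid, ip_protocol)] per IPv4 raw socket. For SOCK_RAW the 'port' half of
    local_address is the IP protocol number (6 = TCP) whose packets the socket receives."""
    rows = [ln.split() for ln in text.splitlines()[1:]]          # [1:] skips the header
    return [(int(f[9]), int(f[7]), int(f[1].split(":")[1], 16)) for f in rows if len(f) >= 10]

def parse_proc_net_packet(text):
    """[(inode, uid, sock_type, proto)] per AF_PACKET socket; type 3 = SOCK_RAW, proto 3 = ETH_P_ALL."""
    rows = [ln.split() for ln in text.splitlines()[1:]]
    return [(int(f[8]), int(f[7]), int(f[2]), int(f[3], 16)) for f in rows if len(f) >= 9]

def socket_owners(inodes, proc_root="/proc"):
    """Map socket inode -> [(pid, comm)] by resolving /proc/<pid>/fd/* symlinks, which read
    'socket:[INODE]'. Run as root; other users' fd tables are not readable otherwise."""
    wanted = {"socket:[%d]" % i: i for i in inodes}
    owners = {}
    for pid in (p.name for p in Path(proc_root).iterdir() if p.name.isdigit()):
        try:
            links = [os.readlink(fd) for fd in Path(proc_root, pid, "fd").iterdir()]
            comm = Path(proc_root, pid, "comm").read_text().strip()
        except OSError:                  # process exited, or not ours to inspect
            continue
        for link in links:
            if link in wanted:
                owners.setdefault(wanted[link], []).append((int(pid), comm))
    return owners

def audit(proc_root="/proc"):
    """Read the live tables and return [(description, owners)] for every raw socket present."""
    raw = parse_proc_net_raw(Path(proc_root, "net", "raw").read_text())
    pkt = parse_proc_net_packet(Path(proc_root, "net", "packet").read_text())
    own = socket_owners([s[0] for s in raw + pkt], proc_root)
    return ([("IPv4 raw proto=%d uid=%d" % (p, u), own.get(i, [])) for i, u, p in raw] +
            [("AF_PACKET type=%d proto=0x%04x uid=%d" % (t, p, u), own.get(i, [])) for i, u, t, p in pkt])

if __name__ == "__main__":
    for desc, who in audit():
        print(desc, who or "(owner not visible)")
```

On a typical server only a handful of known processes (a DHCP client, a packet-capture tool, monitoring agents) should hold such sockets, so any owner outside that list deserves a closer look.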

Source: Ars Technica - All content (RSS/Atom feed: http://feeds.arstechnica.com/arstechnica/index; site: https://arstechnica.com/)