Story 2014-03-20 3GE Operation Windigo - Linux ssh exploit and bot net

Operation Windigo - Linux ssh exploit and bot net

by
in security on (#3GE)
Here's an unpleasant start to your morning: confirmation of a long-running OpenSSH exploit [PDF] that has led to an extensive botnet pumping out spam, viruses, malware, and of course links to redirect farms. Symantec provides some analysis here. "Operation Windigo", as it's called, has been alive since 2011, stealing SSH credentials on Windows, Linux, and BSD systems, and it has hit a couple of well-known companies, including cPanel and the Linux Foundation.

Check your system in the time it takes for your morning coffee to cool, with this command to see if you've been affected:
ssh -G 2>&1 | grep -e illegal -e unknown >/dev/null && echo "System clean" || echo "System infected"
Uninfected systems return an "illegal option" or "unknown option" error for the -G flag, plus the usage message, whereas infected systems will return only the usage message.

If your system doesn't come up clean, you are probably one of an estimated 25,000 compromised servers currently sending out over 35 million pieces of spam.
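The one-liner above is handy at a prompt but awkward to script: it conflates "ssh is missing" with "infected", and its result is an unchecked string. The POSIX sh below is an added example, not code from the article or from ESET's report; it separates the classification of the `ssh -G` output from the act of running ssh, returns a distinct exit status for each outcome, and is fed constructed sample outputs (the `illegal option` line is the format OpenSSH's option parser prints, the usage line is a made-up stand-in). One caveat the original test cannot know about: OpenSSH 6.8 and later accept -G as a legitimate flag (it prints the effective configuration), so on a current system a "suspect" verdict from this test only means the binary deserves a checksum comparison against the vendor package, not that it is backdoored.

```shell
#!/bin/sh
# Added example (not from the article or ESET): a scriptable version of the
# Windigo "ssh -G" test with separate results for clean / suspect / no ssh.

# Classify the combined stdout+stderr of `ssh -G` run with no host argument.
# Prints "clean" and returns 0 when the parser complains about -G (the
# behaviour of an unmodified pre-6.8 OpenSSH); prints "suspect" and returns 1
# when only usage text came back, which is what the backdoored binary does.
classify_ssh_g_output() {
    out="$1"
    if printf '%s\n' "$out" | grep -q -e 'illegal option' -e 'unknown option'; then
        echo clean
        return 0
    fi
    echo suspect
    return 1
}

# Run the test against a real ssh binary (default: the first ssh on PATH).
# Returns 2 when no binary is found so that callers do not mistake a missing
# client for an infected one.
windigo_ssh_check() {
    ssh_bin="${1:-ssh}"
    if ! command -v "$ssh_bin" >/dev/null 2>&1; then
        echo "no ssh binary found"
        return 2
    fi
    # OpenSSH 6.8+ accepts -G, so "suspect" on a modern host is a prompt to
    # verify the package checksum (e.g. rpm -V / debsums), not proof by itself.
    out=$("$ssh_bin" -G 2>&1)
    classify_ssh_g_output "$out"
}

# Constructed sample outputs used for a self-check when run directly.
SAMPLE_CLEAN='ssh: illegal option -- G
usage: ssh [-1246AaCfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]'
SAMPLE_SUSPECT='usage: ssh [-1246AaCfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]'

if [ "${1:-}" = "--self-check" ]; then
    classify_ssh_g_output "$SAMPLE_CLEAN"     # clean
    classify_ssh_g_output "$SAMPLE_SUSPECT" || true   # suspect
fi
```

Run it as `sh windigo_check.sh --self-check` to see the two verdicts on the constructed samples, or source the file and call `windigo_ssh_check` (optionally with a path such as `/usr/bin/ssh`) to test the installed client; the exit status (0, 1, or 2) is what a cron job or configuration-management run should branch on.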

openssh exploit??? (Score: 2, Interesting)

by odm@pipedot.org on 2014-03-20 09:32 (#PV)

This is a very sophisticated bit of kit, but from glancing through the PDF yesterday I was under the impression that initial access was gained by other means and then OpenSSH was later patched with a backdoor. Someone correct me if I'm wrong, but I don't think there's anything to panic about if your system comes up clean (assuming they haven't remotely updated their exploit kit to cover the test - which is certainly possible).

Csh syntax (Score: 2, Informative)

by dnied@pipedot.org on 2014-03-20 10:39 (#PX)

To not leave all the fun to [ba]sh users, here's the same test in [t]csh:
(ssh -G |& grep -e illegal -e unknown >/dev/null)&&echo "System clean"||echo "System infected"

Re: Csh syntax (Score: 1)

by vanderhoth@pipedot.org on 2014-03-20 11:38 (#PY)

I meant to ask yesterday on Soylent, but if a system is infected is there a known solution? I haven't tested my machines at home yet and I can't really see how they might be infected, but other than just formatting them, which I might do anyway because I enjoy it, is there a way to clean infections off?

I suppose I could just Google it, but fostering discussion and all that.

Re: Csh syntax (Score: 1)

by odm@pipedot.org on 2014-03-20 11:49 (#PZ)

The linked PDF has an appendix on cleaning, but basically, no, you need a complete wipe and reboot - as you would for any attack that's gained root access. By the way, unless your home machines are internet-facing servers, they're not going to be affected.

Re: Csh syntax (Score: 2, Interesting)

by zafiro17@pipedot.org on 2014-03-20 12:41 (#Q3)

Thanks for that - much appreciated. I just ran it and due to various typos copying that line, had a nice ride on the emotional roller coaster before confirming my system is clean.

I'll be happy when we have the legislation in place that allows us to feed these scumbags into wood chippers when convicted.