ESET identifies 21 malicious packages that replace OpenSSH


ESET recently published a report (a 53-page PDF) presenting the results of analysing a set of Trojanized packages that attackers install after compromising Linux hosts.

The aim is to leave a backdoor behind, or to capture users' credentials when they connect from the compromised host to other machines.

Every Trojan variant examined replaced the OpenSSH client or server components.

About the detected packages

Eighteen of the identified variants included functions to intercept passwords and encryption keys, and 17 provided a backdoor mode that lets the attacker gain covert access to the compromised host with a predefined password.

The researchers also found that the SSH backdoor used by the DarkLeech operators is the same one used by Carbanak a few years later, and that the threat actors' backdoor implementations span a wide range of sophistication, from publicly available malicious code to custom network protocols and bespoke samples.

How was this possible?

The malicious components were deployed after a successful compromise; as a rule, the attackers got in by guessing weak passwords or by exploiting unpatched vulnerabilities in web applications or server software, after which they used exploits against out-of-date systems to escalate their privileges.

The detection history of these malicious programs deserves attention.

While analysing the Windigo botnet, the researchers paid attention to the code of the Ebury backdoor, which replaces ssh and which, before activating, checked whether other OpenSSH backdoors were already installed.

To identify competing Trojans, a list of 40 checksums was used.

Going through these signatures, ESET's researchers found that many of them did not match any previously known backdoor, and they began hunting for the missing samples, including by deploying a network of vulnerable honeypot servers.

As a result, 21 Trojan variants were identified that replace SSH components and that have remained in active use in recent years.


What do ESET's staff say on the matter?

ESET's researchers acknowledge that they did not discover these infections themselves. That honour goes to the creators of another piece of Linux malware called Windigo (aka Ebury).

ESET says that while analysing the Windigo botnet and its central Ebury backdoor, they found that Ebury had an internal mechanism that looked for other locally installed OpenSSH backdoors.

The way the Windigo team did this, ESET says, was with a Perl script that scanned for 40 file signatures (hashes).

"When we examined these signatures, we quickly realised that we had no samples matching most of the backdoors described in the script," said Marc-Etienne M. Léveillé, malware researcher at ESET.

He added: "In fact, the perpetrators of this malicious activity had more knowledge of in-the-wild SSH backdoors than we did."

The report does not go into detail about how the botnet operators plant these OpenSSH variants on infected hosts.

But if we have learned anything from previous reports on Linux malware operations, it is that attackers usually rely on the same old techniques to gain a foothold on Linux systems:

Brute-force or dictionary attacks that try to guess SSH passwords. Using strong, unique passwords, or IP filtering for SSH logins, should prevent this kind of attack.

Exploiting vulnerabilities in applications running on the Linux server (for example web applications, CMSs and so on).

If the application or service has been misconfigured to run with root privileges, or if the attacker exploits a privilege escalation flaw, a common outdated WordPress plugin vulnerability can easily be escalated to the underlying operating system.

Keeping everything up to date, both the operating system and the applications running on it, should prevent this kind of attack.
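The first of those techniques, password guessing against SSH, only works while sshd still accepts passwords. The script below is an added example, not code from the article or from ESET: it parses an sshd_config and reports the directives that leave password-based login open, applying sshd's own rules that the first occurrence of a directive wins and that anything under a Match block is conditional. The set of directives and the values it accepts is a policy assumed for this example, and it does not follow Include directives; the sample config it audits when run without arguments is constructed, not taken from any real host.

```shell
# Added example; not code from the article or from ESET's report.
# Audits an sshd_config for the directives that keep password guessing viable.
# Parsing follows sshd's rules: the first occurrence of a directive wins, and
# anything under a "Match" block is conditional, so reading stops there.
# Include directives are not followed (assumption: a single file is audited).
# The directive/value policy below is this example's own, not the article's.

# audit_sshd_config FILE: print one "WEAK ..." line per finding; return 1 if any
audit_sshd_config() {
    cfg=$1
    seen=""          # accepted "key=value" pairs, lower-cased, first occurrence wins
    findings=0
    while IFS= read -r line || [ -n "$line" ]; do
        # normalise "Key = value" / "Key    value" to "Key value"
        line=$(printf '%s' "$line" | sed 's/^[[:space:]]*//; s/=/ /; s/[[:space:]][[:space:]]*/ /g')
        case $line in ''|'#'*) continue ;; esac
        key=$(printf '%s' "${line%% *}" | tr '[:upper:]' '[:lower:]')
        rest=${line#* }
        [ "$rest" = "$line" ] && rest=""            # directive with no value
        val=$(printf '%s' "${rest%% *}" | tr '[:upper:]' '[:lower:]')
        [ "$key" = match ] && break                  # conditional settings follow
        case " $seen " in *" $key="*) continue ;; esac
        seen="$seen $key=$val"
    done < "$cfg"
    # directive, sshd's default when unset, acceptable values (assumed policy)
    for rule in \
        "passwordauthentication yes no" \
        "kbdinteractiveauthentication yes no" \
        "permitemptypasswords no no" \
        "permitrootlogin prohibit-password no|prohibit-password|without-password"
    do
        set -- $rule
        key=$1; val=$2; ok=$3
        for kv in $seen; do
            [ "${kv%%=*}" = "$key" ] && val=${kv#*=}
        done
        case "|$ok|" in
            *"|$val|"*) ;;
            *) echo "WEAK $key=$val (accepted: $ok)"; findings=$((findings + 1)) ;;
        esac
    done
    [ "$findings" -eq 0 ]
}

# write_sample_weak_config FILE: constructed sample (not from any real host),
# a stock-looking config that still lets sshd prompt for passwords
write_sample_weak_config() {
    cat > "$1" <<'EOF'
# constructed sample sshd_config
Port 22
PermitRootLogin yes
PasswordAuthentication yes
UsePAM yes
Match User backup
    PasswordAuthentication no
EOF
}

# Stand-alone run: audit the file given as $1, or the constructed sample if none
if [ -n "${1:-}" ]; then
    audit_sshd_config "$1" || echo "$1: weak settings found"
else
    sample=$(mktemp)
    write_sample_weak_config "$sample"
    audit_sshd_config "$sample" || echo "sample config: weak settings found, as expected"
    rm -f "$sample"
fi
```

Run it against /etc/ssh/sshd_config and against each drop-in under /etc/ssh/sshd_config.d/ separately: newer OpenSSH reads the drop-ins via an Include line at the top of the main file, so a directive in a drop-in beats the same directive later in the main file. KbdInteractiveAuthentication is on the list because, with UsePAM, keyboard-interactive can still prompt for a password even when PasswordAuthentication is off. On a live host, `sshd -T` prints the effective values and is the authoritative check.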

ESET has prepared detection scripts and antivirus rules, along with a table describing the characteristics of each SSH Trojan family.

Linux-related files

A list of the additional files created on the system, and of the passwords used for backdoor access, has also been compiled to help identify replaced OpenSSH components.

For example, in some cases files such as the following were used to record captured passwords:

  • "/usr/include/sn.h"
  • "/usr/lib/mozilla/extensions/mozzlia.ini"
  • "/usr/local/share/man/man1/Openssh.1"
  • "/etc/ssh/ssh_known_hosts2"
  • "/usr/share/boot.sync"
  • "/usr/lib/libpanel.so.a.3"
  • "/usr/lib/libcurl.a.2.1"
  • "/var/log/utmp"
  • "/usr/share/man/man5/ttyl.5.gz"
  • "/usr/share/man/man0/.cache"
  • "/var/tmp/.pipe.sock"
  • "/etc/ssh/.sshd_auth"
  • "/usr/include/X11/sessmgr/coredump.in"
  • "/etc/gshadow-"
  • "/etc/X11/.pr"
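As an added example (not from the article or from ESET's report), the script below turns the list above into a quick host check and pairs it with a SHA-256 manifest comparison for the OpenSSH binaries, since the point of the article is that the client or server binaries themselves were replaced. The ROOT argument (so a mounted disk image can be scanned instead of the live system), the `sha256  /path` manifest format that sha256sum emits, and the sample tree it builds when run without arguments are this example's own conventions and constructed data.

```shell
# Added example; not code from the article or from ESET's report.
# Scans a filesystem root for the artefact paths listed above and checks the
# OpenSSH binaries against a known-good SHA-256 manifest. ROOT may be "/" or a
# mounted image. Manifest lines are "sha256  /path", as sha256sum prints them.

IOC_PATHS="
/usr/include/sn.h
/usr/lib/mozilla/extensions/mozzlia.ini
/usr/local/share/man/man1/Openssh.1
/etc/ssh/ssh_known_hosts2
/usr/share/boot.sync
/usr/lib/libpanel.so.a.3
/usr/lib/libcurl.a.2.1
/var/log/utmp
/usr/share/man/man5/ttyl.5.gz
/usr/share/man/man0/.cache
/var/tmp/.pipe.sock
/etc/ssh/.sshd_auth
/usr/include/X11/sessmgr/coredump.in
/etc/gshadow-
/etc/X11/.pr
"

# scan_ioc_paths ROOT: print each artefact present under ROOT; return 1 if any
scan_ioc_paths() {
    root=${1%/}; hits=0
    for p in $IOC_PATHS; do
        if [ -e "$root$p" ]; then
            echo "FOUND $root$p"
            hits=$((hits + 1))
        fi
    done
    [ "$hits" -eq 0 ]
}

# verify_manifest MANIFEST ROOT: recompute the SHA-256 of each listed file under
# ROOT and report files that are missing or differ; return 1 if any
verify_manifest() {
    manifest=$1; root=${2%/}; bad=0
    while read -r want path || [ -n "$want" ]; do
        [ -z "$want" ] && continue
        file="$root$path"
        if [ ! -f "$file" ]; then
            echo "MISSING $file"; bad=$((bad + 1)); continue
        fi
        got=$(sha256sum "$file" | cut -d' ' -f1)
        [ "$got" = "$want" ] || { echo "MODIFIED $file"; bad=$((bad + 1)); }
    done < "$manifest"
    [ "$bad" -eq 0 ]
}

# make_sample_tree DIR: constructed test data (not a real host): a fake sshd
# with a matching manifest, plus one planted artefact from the list above
make_sample_tree() {
    dir=$1
    mkdir -p "$dir/usr/sbin" "$dir/var/tmp"
    printf 'pretend this is sshd\n' > "$dir/usr/sbin/sshd"
    sha256sum "$dir/usr/sbin/sshd" | sed "s|  $dir|  |" > "$dir/manifest"
    : > "$dir/var/tmp/.pipe.sock"
}

# Stand-alone run: scan the root given as $1, or the constructed sample tree if none
if [ -n "${1:-}" ]; then
    scan_ioc_paths "$1" || echo "artefacts found under $1: inspect them"
else
    sample=$(mktemp -d)
    make_sample_tree "$sample"
    verify_manifest "$sample/manifest" "$sample" && echo "manifest OK (before tampering)"
    scan_ioc_paths "$sample" || echo "artefacts found in the sample tree, as planted"
    rm -rf "$sample"
fi
```

A known-good manifest can be produced with `sha256sum /usr/sbin/sshd /usr/bin/ssh /usr/bin/ssh-keygen` on a clean install of the same package version; alternatively, skip the manifest and use the package manager's own verification (`dpkg -V openssh-server openssh-client` on Debian/Ubuntu, `rpm -V openssh-server openssh-clients` on RHEL/Fedora). Two caveats: a backdoor running as root can also tamper with the package database or with sha256sum itself, so run the check from a trusted boot medium when the result matters; and /etc/gshadow- (one trailing dash) is also the ordinary backup file that shadow-utils writes whenever groups are modified, so its presence alone proves nothing, as the reader comments below illustrate.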


  1. wasun89:

     Interesting article. I checked the directories one by one and found one, "/etc/gshadow--". What happens if I delete it?

  2. Jorge:

     That "gshadow" file also showed up for me, and it asks for root permission to inspect it...