[sf-lug] South African Linux sites experiencing Ransomware attacks

Rick Moen rick at linuxmafia.com
Thu Sep 12 21:04:47 PDT 2019 

Quoting aaronco36 (aaronco36 at SDF.ORG):

> Bobbie Sellers <bliss-sf4ever at dslextreme.com> wrote at [1]:
> >So this isn't some kind of dire emergency situation that
> >ordinary Linux desktop users need to worry about. It may
> >possible affect your email service provider's server
> >however, unless their sysadmins are keeping up with the
> >latest security notices and patching their servers
> >accordingly as they should be doing.
> 
> Thanks for your brief warning and qualification on this, Bobbie!
> 
> The FOSSBYTES webpage 'Thousands Of Linux Servers Infected By Lilu
> (Lilocked) Ransomware'[2] confirms the above advice when it writes
> "You might evade this attack by keeping strong passwords and
> updating the apps as and when security patches arrive."
> That would likely include updating or perhaps replacing the "defunct
> Exim software".

1.  Phil Hazel's Exim4 MTA is anything but defunct.  But certainly
continuing to fail to apply recommended security patches on
public-facing network daemons _unless_ you have made sure the attacked
features are disabled/unavailable in your installation will eventually
catch up with you.

So, for example, my server runs an old version of the Exim4 MTA for
complicated reasons.  (I am _not_ saying this is a good idea.)  But long
ago, I made sure there is no TLS functionality, among other optional
features I specifically made sure are switched off in the software
configuration, on a theory that code you don't specifically need should
be selectively switched off to make the attack profile just that much
smaller.

2.  TLS in *ix open source has historically been a bit of a tragic
train-wreck, partly because the standard set of TLS libraries, OpenSSL,
is dreadful spaghetti code that really ought to be taken out and shot.
Worse, the aspiring competitor for the GNU Project, GnuTLS, ended up
being even more ghastly.  So, if you end up relying on TLS/SSL
functionality for your Linux or BSD Web server or SMTP server or LDAP
server, you're stuck playing bug-of-the-week.  (I noted in passing that,
however, the cited CVE for Exim concerned a ghastly bug in Exim's code
that calls the optional TLS encryption, not in the crypto libs.)

3.  I repeat, while acknowledging Bobbie's flattering and gracious
comment that I'm presumptively right in my critique, that I don't want
to die on that hill of claiming that gaining remote _root_ through this
Exim4 bug in its code that calls TLS is just impossible.  My
_understanding_ is that Exim4, just like Sendmail and BIND9, starts with
root authority for the master process primarily so it can bind to a
low-numbered port (24/tcp being the main SMTP port), and then
immediately drops authority (to, in the case of the Debian package, user
Debian-Exim) before actually accepting public traffic.  My information
could be incorrect.  I'd be interested in the comments of an expert in
Exim4 software architecture, in which category I don't qualify.

> Note that Lilock ransomware does not affect system files but files
> with extensions including HTML, SHTML, JS, CSS, PHP, INI, and other
> image formats. Since system files are not affected, Linux systems
> are running normally.

Discussing what code-you-should-never run does and doesn't do if you're
dumb enough to run it with root authority or in a way that it can
trivially escalate to root authority is futile.

If anything compromises root privilege on your machine, it's
_compromised_.  It is done.  Assume nothing on it can be trusted,
period.  Check your backups.  Study what happened, try to make sure it
won't happen again, shut down the system, blow it away completely, and
rebuild from scratch with restoring of your data files (only) from
off-system backup.



4.  Seriously, folks, beware of the security snake-oil continually being
emitted by security/antivirus companies.  Remember what their business
model is:  Hint:  It's _not_ ensuring that you correctly understand
security.  In fact, the more you do understand it, the less you need
them and the less money they make.

http://linuxmafia.com/faq/Essays/security-snake-oil.html

More information about the sf-lug mailing list