Alas, my website's likely to be down for a bit while I explain to them that "the compiler that got used to build an exploit" and "the exploit" can share strings because gnu is incompetent and leaks the path where things got built into the resulting binaries, but that does not mean that the compiler the strings came from in the first place is actually infected.
I mean, here's an article from 2018: https://www.bleepingcomputer.com/news/security/mirai-iot-malware-uses-aboriginal-linux-to-target-multiple-platforms/

Rob

(I'd point to old blog entries where I went "huh, my compilers got used to build random russian malware" ten years ago, but my blog was on my site so you wouldn't see it unless I fish it out of archive.org...)

-------- Forwarded Message --------
Subject: DreamHost Security Alert - Malware on landley.net
Date: Wed, 24 Apr 2024 09:53:09 -0700 (PDT)
From: DreamHost Abuse Team <[email protected]>
To: [email protected]

Hello Rob Landley,

We have received a report of malware at the following location:

hXXps://landley.net/aboriginal/downloads/old/binaries/1.2.6/cross-compiler-armv7l.tar.bz2

This means that your site has likely been compromised. We have taken the site offline by renaming its directory (appended _DISABLED_BY_DREAMHOST). Please do not re-enable it until you can address the problem.

In general, the three most common entry points for a compromised website are:

1. Vulnerable, typically out-of-date software (such as blogs, forums, CMS, associated themes and plugins, etc.)
2. A cracked/brute-forced admin login for a web application like WordPress, Joomla, Drupal etc.
3. A compromised FTP/SFTP/SSH user password.

1. All software you have installed under your domain should always be kept up-to-date with the most recent version available from the vendors' website, as these often contain security patches for known issues. Older versions of well-known and popular web software (including Wordpress, Drupal, Joomla, etc.) are known to have vulnerabilities that can allow injection and execution of arbitrary code.

2. If you utilize a web application with a script-based administrative backend (like WordPress, Joomla, or Drupal), make sure that you're not using a generic username like "admin" or "webmaster" for the user with administrative privileges. Hackers will slowly brute-force common usernames in order to get access to a script's backend and whatever tools exist there that allow file uploads, alterations, or execution of code.

3. FTP/SFTP/SSH passwords can be compromised and used to modify files. The most important part of securing your account in this case is to change your FTP user's password via the (USERS > MANAGE USERS) -> "Edit" area of the control panel. Passwords should not contain dictionary words and should be a string of at least 8 mixed-case alpha characters, numbers, and symbols. It is also recommended to always use Secure FTP (SFTP) or SSH rather than regular FTP, which sends passwords over the internet in plaintext. You can disable FTP for your user(s) within the DreamHost panel (USERS > MANAGE USERS) section.

At this point, we recommend logging into your DreamHost server and removing the content we listed. (Note: You may first need to reset the permissions). You should also look for any other files/directories you did not upload yourself and update all your website components where applicable.

As for determining which entry point is the cause of this incident, for 1 and 2, you can review the Apache logs for suspicious activity and requests to suspicious files. Keep in mind that we typically only keep around 5 days worth of Apache logs. For 3, you can refer to this article to find recent logins to your user:
https://help.dreamhost.com/hc/en-us/articles/214915728-Determining-how-your-site-was-hacked

For further help on this topic, you can refer to our Knowledge Base:
https://help.dreamhost.com/hc/en-us/articles/215604737-Hacked-sites-overview
https://help.dreamhost.com/hc/en-us/sections/203242117-Logs

Lastly, we have scheduled an automated malware scan and if anything is found, we will send you a separate email with those results.

If you need further assistance, please respond directly to this email.

Thank you for your cooperation!

-DreamHost Abuse Team

_______________________________________________
Toybox mailing list
[email protected]
http://lists.landley.net/listinfo.cgi/toybox-landley.net
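As an added example (not Rob's code, and not part of the Aboriginal Linux or toybox projects), the following Python script shows the triage check a defender could run when a scanner flags a toolchain tarball because a malware sample shares strings with it: it extracts the printable strings from two binaries and sorts their overlap into build-directory paths and GCC version banners, which the compiler leaves in everything it builds, versus everything else. The two byte strings are constructed stand-ins for an object shipped in the cross-compiler tarball and a suspect binary built with that compiler; the build path in them is made up.

```python
import re

# Runs of 6+ printable ASCII bytes, the same heuristic the `strings` tool uses.
PRINTABLE = re.compile(rb"[\x20-\x7e]{6,}")
# Absolute Unix path with at least two components, the shape of a DW_AT_comp_dir
# or __FILE__ value that the compiler bakes into debug info and assert messages.
PATH_LIKE = re.compile(r"/[\w.+-]+(?:/[\w.+-]+)+")
# GCC writes its version banner into every object's .comment section.
TOOLCHAIN_TAG = re.compile(r"GCC: \(.*\) \d+(?:\.\d+)*")


def extract_strings(data: bytes) -> set:
    """Return the set of printable strings found in a binary blob."""
    return {m.group().decode("ascii") for m in PRINTABLE.finditer(data)}


def classify_overlap(a: bytes, b: bytes) -> dict:
    """Split the strings two binaries share into toolchain residue and the rest.

    Shared build paths and compiler banners are expected whenever two binaries
    came out of the same compiler; only the 'other' bucket says anything about
    the two binaries sharing code.
    """
    shared = extract_strings(a) & extract_strings(b)
    paths = {s for s in shared if PATH_LIKE.fullmatch(s)}
    tags = {s for s in shared if TOOLCHAIN_TAG.fullmatch(s)}
    return {
        "build_paths": sorted(paths),
        "toolchain_tags": sorted(tags),
        "other": sorted(shared - paths - tags),
    }


# Constructed stand-ins (not real files): a libgcc object from the cross-compiler
# tarball, and a suspect binary built with that compiler. The path is invented.
BUILD_PATH = b"/home/build/aboriginal/build/temp-armv7l/gcc-core/libgcc2.c"
COMPILER_OBJECT = b"\x7fELF\x01\x01\x00GCC: (GNU) 4.2.1\x00" + BUILD_PATH + b"\x00__divdi3\x00"
SUSPECT_BINARY = (b"\x7fELF\x01\x01\x00GCC: (GNU) 4.2.1\x00" + BUILD_PATH
                  + b"\x00usage: %s [options]\x00__divdi3\x00connect: %s\x00")

if __name__ == "__main__":
    for bucket, strings in classify_overlap(COMPILER_OBJECT, SUSPECT_BINARY).items():
        print(f"{bucket}: {strings}")
```

On the constructed samples the only non-residue overlap is the libgcc helper symbol `__divdi3`, which is exactly what two unrelated programs built by the same compiler would be expected to share.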
