Re Trisquel infrastructure: I sure hope not. I'm loving Trisquel 8 so far.

I definitely got a rootkit though, so I am reformatting my whole system. And it really lit a fire under my fanny to figure out much more about how to protect myself. The internet is one scary monster these days. I don't know where it came from.

Just reinstalled Trisquel 8 and ran all the tests listed in my opening and seem clean. I had already reinstalled once, but I decided to do a complete reformat of a multiboot system. Honestly, I don't know if that will be enough. I had Tails on a stick, but now my PC doesn't seem to want to acknowledge the possibility of booting to a USB device. Maybe firmware was altered. I'd hate to think it but...

I installed NoScript right away because I've read that JavaScript presents one vulnerability to the DNS redirect. And I learned that NoScript's ABE functionality is no joke. It has the intention of stopping malware from learning about your LAN and passing exploits to your routers etc.

re our server, there was a test I read about to try and it came out ok:

Test to see if a server is compromised with Linux/Cdorked (part of the Windigo operation family).
Command and result on an infected server:

$ curl -i http://myserver/favicon.iso | grep "Location:"
Location: http://google.com/

My Trisquel.info test:

$ curl -i https://trisquel.info/favicon.iso | grep "Location:"
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:--  0:00:01 --:--:--     0
Location: https://trisquel.info/en/favicon.iso

But if Abrowser complains about a cert, I'll be getting out of there from now on!

Maintain a huge hosts file.

Another up and coming attack vector is trusted apps. I'm not sure I want to easily trust Firefox plugins.

re hash sums:
Some hash sums and other info are at https://github.com/eset/malware-ioc/tree/master/windigo/. There is a list of MD5 hash sums of infected sshd, ssh, ssh-add and the target of the libkeyutils.so.1 symbolic link, and also httpd, nginx, lighttpd and bind. I only have ssh, ssh-add and libkeyutils.so.1.5, and my hash sums of those don't fit the Windigo profile.

Well, I'm off to adjust my about:config (just found out about about:about, kind of cool.)

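The favicon.iso redirect check from the post above, written out as an added Python example (not part of the original post or of ESET's material). The two sample responses are constructed to mirror what the post shows for an infected host and for trisquel.info; the function names and the "myserver" host name are assumptions, and the live check assumes network access.

```python
import urllib.error
import urllib.request
from urllib.parse import urlsplit

# Constructed samples in the shape `curl -i` prints: the infected case from the
# post (off-host redirect to google.com) and the harmless trisquel.info case
# (a rewrite that stays on the same host).
INFECTED_SAMPLE = ("HTTP/1.1 302 Found\r\nServer: Apache\r\n"
                   "Location: http://google.com/\r\nContent-Length: 0\r\n\r\n")
TRISQUEL_SAMPLE = ("HTTP/1.1 301 Moved Permanently\r\n"
                   "Location: https://trisquel.info/en/favicon.iso\r\n\r\n")


def parse_response_head(raw):
    """Split a raw HTTP response into (status line, {lower-case header: value})."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.splitlines()
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def classify_location(request_host, location):
    """'none' (no redirect), 'same-host' (benign rewrite like Trisquel's /en/),
    or 'cdorked-like' (off-host redirect to google.com, the pattern in the post)."""
    if not location:
        return "none"
    target = (urlsplit(location).hostname or "").lower()
    if target == request_host.lower():
        return "same-host"
    if target == "google.com" or target.endswith(".google.com"):
        return "cdorked-like"
    return "off-host"  # redirected elsewhere: worth a look, but not the documented pattern


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # never follow: we only want the Location header itself


def check_favicon_iso(base_url, timeout=10):
    """Live check (needs network): fetch /favicon.iso without following redirects."""
    host = urlsplit(base_url).hostname or ""
    req = urllib.request.Request(base_url.rstrip("/") + "/favicon.iso")
    try:
        resp = urllib.request.build_opener(_NoRedirect).open(req, timeout=timeout)
        location = resp.headers.get("Location")
    except urllib.error.HTTPError as err:  # 3xx surfaces here once redirects are refused
        location = err.headers.get("Location")
    return classify_location(host, location)
```

`check_favicon_iso("https://trisquel.info")` reproduces the post's manual test; the classification helpers run offline on the constructed samples.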