VectorLinux
Author Topic: Interesting Article. Is Vector safe from this?  (Read 7007 times)
CrazyDog
Member
*
Posts: 85



« on: September 05, 2013, 12:12:49 am »

http://www.linuxbsdos.com/2013/09/03/hand-of-thief-trojan-and-your-favorite-linux-distribution/
rbistolfi
Packager
Vectorian
****
Posts: 2288


« Reply #1 on: September 05, 2013, 03:56:49 am »

This one is a Trojan, meaning that the attacker needs to trick you into executing it. We can protect ourselves from this one by just not executing untrusted programs (harder than it sounds.)
That said, looks like Vector does use the safe setting for ptrace mentioned in the article. You can check with:

Code:
$ cat /proc/sys/kernel/yama/ptrace_scope

0 is the more permissive setting, and 1 is the safer one (from https://wiki.ubuntu.com/SecurityTeam/Roadmap/KernelHardening#ptrace)

"There is a concept which corrupts and upsets all others. I refer not to Evil, whose limited realm is that of ethics; I refer to the infinite."
Jorge Luis Borges, Avatars of the Tortoise.

--
Jumalauta!!
sledgehammer
Vectorian
****
Posts: 1425



« Reply #2 on: September 05, 2013, 07:07:50 am »

Quote
You can check with:

Code:
$ cat /proc/sys/kernel/yama/ptrace_scope

Rodrigo, I get a "command not found"

Do you know what I need to add or change in my system to enable ptrace?

VL7.0 xfce4 Samsung RF511
wigums
Packager
Packager
Vectorite
****
Posts: 124



« Reply #3 on: September 05, 2013, 07:57:46 am »

Quote
One question I wanted to have the researcher answer for me is this: Why did SELinux not stop the trojan from functioning on Fedora 19?

things that make you say hmmmmm
(don't forget who wrote SELinux)

When the people fear their government, there is tyranny; when the government fears the people, there is liberty.
rbistolfi
Packager
Vectorian
****
Posts: 2288


« Reply #4 on: September 05, 2013, 08:52:07 am »

Quote
You can check with:

Code:
$ cat /proc/sys/kernel/yama/ptrace_scope

Rodrigo, I get a "command not found"

Do you know what I need to add or change in my system to enable ptrace?

Hi John,

Maybe you didn't remove the "$" character? That's just a convention that means "run the following command in a terminal". The command would be:

Code:
cat /proc/sys/kernel/yama/ptrace_scope

"There is a concept which corrupts and upsets all others. I refer not to Evil, whose limited realm is that of ethics; I refer to the infinite."
Jorge Luis Borges, Avatars of the Tortoise.

--
Jumalauta!!
MarkGrieveson
Vectorian
****
Posts: 531


« Reply #5 on: September 05, 2013, 05:19:22 pm »

Like John, it also doesn't show up on my computer.  

Code:
vector:/~
mark:$ cat /proc/sys/kernel/yama/ptrace_scope
cat: /proc/sys/kernel/yama/ptrace_scope: No such file or directory
vector:/~
mark:$
« Last Edit: September 05, 2013, 05:22:42 pm by MarkGrieveson »

I am using VL7.0 standard with XFCE
CrazyDog
Member
*
Posts: 85



« Reply #6 on: September 05, 2013, 06:14:41 pm »

Thanks for the replies everybody. I appreciate it. I do some financial stuff with my bank online and just wanted to make sure I was safe. I believe that Vector is the safest choice out there.
rbistolfi
Packager
Vectorian
****
Posts: 2288


« Reply #7 on: September 06, 2013, 03:04:34 am »

Quote
Like John, it also doesn't show up on my computer.

Code:
vector:/~
mark:$ cat /proc/sys/kernel/yama/ptrace_scope
cat: /proc/sys/kernel/yama/ptrace_scope: No such file or directory
vector:/~
mark:$

Maybe. John was getting "Command not found". Your kernel doesn't seem to have ptrace scope enabled, what's the output of "uname -r" in your system? I am in 7.1 and it is enabled here. I will check it out, we could build a new kernel for 7.0 if needed. If anyone wants to experiment with this in 7.0 please let me know.

"There is a concept which corrupts and upsets all others. I refer not to Evil, whose limited realm is that of ethics; I refer to the infinite."
Jorge Luis Borges, Avatars of the Tortoise.

--
Jumalauta!!
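The check rbistolfi describes in Reply #1 (read /proc/sys/kernel/yama/ptrace_scope; 0 is permissive, 1 is the safer setting) and the failure mode that turns up in Reply #7 (the file does not exist at all on Mark's 3.0.8 kernel, so the setting cannot be "on" or "off", it is simply not there) can be folded into one small script. The script below is an added example and is not code from this thread or from VectorLinux; the helper names (ptrace_scope_status, ptrace_scope_label, ptrace_scope_report) are my own. It treats a missing file as "Yama is not built into this kernel", which is what the "No such file or directory" error means, and distinguishes that from a permissive value of 0. Values 2 and 3 are the two further settings defined by the kernel's Yama documentation; the thread itself only discusses 0 and 1.

```shell
#!/bin/sh
# Added example (not from the forum thread): report the Yama ptrace_scope
# setting and handle the case where the file is absent because the running
# kernel was built without the Yama LSM.

PTRACE_SCOPE_FILE=/proc/sys/kernel/yama/ptrace_scope

# Map a raw ptrace_scope value to a one-line explanation.
# 0 and 1 are the values discussed in the thread; 2 and 3 are the remaining
# values defined in the kernel's Yama documentation.
ptrace_scope_label() {
    case "$1" in
        0) echo "0 (classic: any process may ptrace another process of the same uid)" ;;
        1) echo "1 (restricted: a process may only ptrace its own descendants)" ;;
        2) echo "2 (admin-only: attaching requires CAP_SYS_PTRACE)" ;;
        3) echo "3 (no attach: ptrace attach is disabled entirely)" ;;
        *) echo "unknown value '$1'" ;;
    esac
}

# Print a one-word status for the ptrace_scope file given as $1 (default: the
# real sysctl path). "missing" means the kernel has no Yama LSM, which is what
# the "No such file or directory" error seen in this thread indicates.
ptrace_scope_status() {
    file="${1:-$PTRACE_SCOPE_FILE}"
    if [ ! -r "$file" ]; then
        echo "missing"
        return 0
    fi
    # read returns non-zero if the file lacks a trailing newline; the value is
    # still assigned, so fall back to an empty string only on a real failure.
    read -r value < "$file" || value="${value:-}"
    case "$value" in
        0) echo "classic" ;;
        1) echo "restricted" ;;
        2) echo "admin-only" ;;
        3) echo "no-attach" ;;
        *) echo "unknown" ;;
    esac
}

# Human-readable report for the running system: kernel version first, because
# in the thread the missing file correlated with an older kernel (3.0.8).
ptrace_scope_report() {
    echo "kernel: $(uname -r)"
    status=$(ptrace_scope_status "$PTRACE_SCOPE_FILE")
    if [ "$status" = "missing" ]; then
        echo "ptrace_scope: $PTRACE_SCOPE_FILE not found; this kernel has no Yama LSM"
        echo "  (a kernel built with CONFIG_SECURITY_YAMA, or a newer kernel package, provides it)"
    else
        value=$(head -n 1 "$PTRACE_SCOPE_FILE")
        echo "ptrace_scope: $(ptrace_scope_label "$value")"
    fi
}

ptrace_scope_report
```

Run it as an ordinary user; the sysctl file is world-readable where it exists. Note that "missing" and "classic" are different findings: a value of 0 can be raised to 1 at runtime (with root, via sysctl), whereas a missing file means the protection is not available until the kernel itself changes, which is the situation the 7.0 users in this thread were in.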
vincent2
Vectorite
***
Posts: 407


« Reply #8 on: September 06, 2013, 03:39:08 am »

Quote
$ uname -r
3.10.10

$ cat /proc/sys/kernel/yama/ptrace_scope
1

better install kernel 3.10.10, you'll be more secure!

kernel 3.11 could be more
retired1af
Packager
Vectorian
****
Posts: 1264



« Reply #9 on: September 06, 2013, 05:44:20 am »

Quote
kernel 3.11 could be more

And why should we do that when 3.10 is the stable tree? Hmmm?

ASUS K73 Intel i3 Dual Core 2.3GHz
MarkGrieveson
Vectorian
****
Posts: 531


« Reply #10 on: September 06, 2013, 07:34:06 am »

Code:
vector:/~
mark:$ uname -r
3.0.8


I am using VL7.0 standard with XFCE
rbistolfi
Packager
Vectorian
****
Posts: 2288


« Reply #11 on: September 06, 2013, 07:47:51 am »

Thanks Mark, we will have 3.10 packages to test in a couple of hours.

"There is a concept which corrupts and upsets all others. I refer not to Evil, whose limited realm is that of ethics; I refer to the infinite."
Jorge Luis Borges, Avatars of the Tortoise.

--
Jumalauta!!
sledgehammer
Vectorian
****
Posts: 1425



« Reply #12 on: September 06, 2013, 09:59:40 pm »

I updated the kernel once and it worked, but forgot how.  I think I followed the instructions in:

http://forum.vectorlinux.com/index.php?topic=10385.msg66371#msg66371

Do they still work?  I see the new kernel in untested but I may not try it this weekend as I am pretty busy with the computer and don't want to screw it up.


VL7.0 xfce4 Samsung RF511
MarkGrieveson
Vectorian
****
Posts: 531


« Reply #13 on: September 07, 2013, 10:30:50 am »

Those instructions look like they're for a system using lilo rather than grub.  Perhaps they would work with just skipping the lilo step.  Anyway, I think I'll wait for the announcement that a new kernel has made it to testing, as rbistolfi mentioned.

I am using VL7.0 standard with XFCE
sledgehammer
Vectorian
****
Posts: 1425



« Reply #14 on: September 07, 2013, 11:37:32 am »

I use lilo, but I think your suggestion to wait is a good one.

VL7.0 xfce4 Samsung RF511