Interesting Article. Is Vector safe from this?

[CrazyDog]

http://www.linuxbsdos.com/2013/09/03/hand-of-thief-trojan-and-your-favorite-linux-distribution/

[rbistolfi]

This one is a Trojan, meaning that the attacker needs to trick you into executing it. We can protect ourselves from this one by just not executing untrusted programs (harder than it sounds.)
That said, looks like Vector does use the safe setting for ptrace mentioned in the article. You can check with:

Code: [Select]

$ cat /proc/sys/kernel/yama/ptrace_scope
0 is the more permissive setting, and 1 is the safer one (from https://wiki.ubuntu.com/SecurityTeam/Roadmap/KernelHardening#ptrace)

[sledgehammer]

You can check with:

Code:

$ cat /proc/sys/kernel/yama/ptrace_scope

Rodrigo, I get a "command not found"

Do you know what I need to add or change in my system to enable ptrace?

[wigums]

One question I wanted to have the researcher answer for me is this: Why did SELinux not stop the trojan from functioning on Fedora 19?

things that make you say hmmmmm
(dont forget who wrote selinux)

[rbistolfi]

You can check with:

Code:

$ cat /proc/sys/kernel/yama/ptrace_scope

Rodrigo, I get a "command not found"

Do you know what I need to add or change in my system to enable ptrace?

Hi John,

Maybe you didnt remove the "$" character? Thats justva  convention that means "run the following command in a terminal". The command would be:

Code: [Select]

cat /proc/sys/kernel/yama/ptrace_scope

[MarkGrieveson]

Like John, it also doesn't show up on my computer.  

Code: [Select]

vector:/~
mark:$ cat /proc/sys/kernel/yama/ptrace_scope
cat: /proc/sys/kernel/yama/ptrace_scope: No such file or directory
vector:/~
mark:$


[CrazyDog]

Thanks for the replies everybody.  I appreciate it.  I do some financial stuff with my bank online and just wanted to make sure I was safe.  I believe that Vector is the safest choice out there. 

[rbistolfi]

Like John, it also doesn't show up on my computer.  

Code: [Select]

vector:/~
mark:$ cat /proc/sys/kernel/yama/ptrace_scope
cat: /proc/sys/kernel/yama/ptrace_scope: No such file or directory
vector:/~
mark:$


Maybe. John was getting "Command not found". Your kernel doesnt seem to have ptrace scope enabled, whats the output of "uname -r" in your system? I am in 7.1 and it is enabled here. I will check it out, we could build a new kernel for 7.0 if needed. If anyone wants to experiment with this in 7.0 please let me know.

[vincent2]

$ uname -r

3.10.10


$  cat /proc/sys/kernel/yama/ptrace_scope
1

better install kernel 3.10.10, you'll be more secure!

kernel 3.11 could be more

[retired1af]

kernel 3.11 could be more

And why should we do that when 3.10 is the stable tree? Hmmm?

[MarkGrieveson]

Code: [Select]

vector:/~
mark:$ uname -r
3.0.8


[rbistolfi]

Thanks Mark, we will have 3.10 packages to test in a couple of hours.

[sledgehammer]

I updated the kernel once and it worked, but forgot how.  I think I followed the instructions in:

http://forum.vectorlinux.com/index.php?topic=10385.msg66371#msg66371

Do they still work?  I see the new kernel in untested but I may not try it this weekend as I am pretty busy with the computer and don't want to screw it up.

[MarkGrieveson]

Those instructions look like they're for a system using lilo rather than grub.  Perhaps they would work with just skipping the lilo step.  Anyway, I think I'll wait for the announcement that a new kernel has made it to testing, as rbistolfi mentioned.

[sledgehammer]

I use lilo, but I think your suggestion to wait a good one.