Mirai malware infects Linux with Busybox

For discussions about security.
musher0
Posts: 14629
Joined: Mon 05 Jan 2009, 00:54
Location: Gatineau (Qc), Canada

#81 Post by musher0 »

Hello, Mike7.

I must confess I have no Carolina Pup installed on any of my 3 boxes...

I have an old Community Edition Pup (by wanderer) on one of them,
which has glibc 2.10, IIRC. So I could compile lsof for you it on that Pup.

Also, I need a bit of time: I'm trying to solve a very strange "permission
denied" bug I've recently encountered on my Puduan-6 Pup when I try to
edit some of my scripts. (Should be in the list of new threads.)

Plus another bug I didn't post about, on the same Pup, which is opera
12.16 not doing copy-and-paste a couple of hours into my session. So I
can't post any helpful URL at the moment.

Both bugs are slowing me down. Granted, I can use a recent browser, it's
less of an issue; but the "permission denied" bug is getting my goat.

A case of the "Cobbler's Son", I suppose???!!! :roll:

BFN.
musher0
~~~~~~~~~~
"You want it darker? We kill the flame." (L. Cohen)

Mike7
Posts: 400
Joined: Tue 19 Feb 2013, 00:31

#82 Post by Mike7 »

musher0-
musher0 wrote: I must confess I have no Carolina Pup installed on any of my 3 boxes
That does make it tricky.
musher0 wrote: I have an old Community Edition Pup (by wanderer) on one of them, which has glibc 2.10, IIRC. So I could compile lsof for you on that Pup.
Sure, if you think that would be the same as using Carolite's glibc 2.10.1.
musher0 wrote: Also, I need a bit of time
No hurry. I'll just continue without lsof for now, as I've been doing, and hope that neither Mirai nor anything else creeps into my machine or server in the meantime.
musher0 wrote: case of the "Cobbler's Son", I suppose?
Uhhh. . . That's a new one on me. Must be a Quebec fairy tale. :)

M.
Carolite-1.2 w/FF38 on bootable 16G flash drive; Asus eeePC 1000HA, Atom CPU, 2G RAM, 160G HDD.

musher0
Posts: 14629
Joined: Mon 05 Jan 2009, 00:54
Location: Gatineau (Qc), Canada

#83 Post by musher0 »

@Mike7:

I just checked the glibc on wanderer's Puppy CE-3, and unfortunately, its
version number is 2.11, not 2.10, as I initially thought. Compiling lsof on it
wouldn't make it compatible for your Carolina.

Puppy CE-3 is the Puppy with the lowest glibc I have.

Have you ever thought of upgrading to a recent Puppy? ;)

BFN.
musher0
~~~~~~~~~~
"You want it darker? We kill the flame." (L. Cohen)

musher0
Posts: 14629
Joined: Mon 05 Jan 2009, 00:54
Location: Gatineau (Qc), Canada

#84 Post by musher0 »

(Edited Sat., Jan. 07, 2016)
~~~~~~~~~~~~~~~~~~~~
Hello all.

I just thought of this very simple security enhancement:

In view of the mirai attack and perhaps copycats, it can't hurt to un-tick
the "world execute" bit on busybox, in your /bin directory.

It's very easy to do:
-- open the /bin directory with ROX-Filer;
-- right click on the desired executable. A sub-menu shows up.
-- in this sub-menu, click "Properties". A panel will be displayed as in the
attached picture;
-- if a tick is present in the little square at the "World / Execute" intersect,
click inside this little box. The box will become blank, the result being that
the "world execute" bit is deactivated.
-- close the panel. That's it!

If for whatever reason you need this "world execute" bit back on, just do
the above process in reverse and re-tick this little square.

Explanation:
User "root" (meaning: you) and group "root" (meaning: your group) will
still be able to access and execute the busybox executable absolutely
normally, and any script depending on it, but it will be out of reach for
any other group or user.

A seasoned "kiddo" can probably find ways around this. Nevertheless,
IMO we've just complicated his hacking a little.

IHTH. BFN.
Last edited by musher0 on Sun 08 Jan 2017, 03:36, edited 1 time in total.
musher0
~~~~~~~~~~
"You want it darker? We kill the flame." (L. Cohen)

Mike7
Posts: 400
Joined: Tue 19 Feb 2013, 00:31

#85 Post by Mike7 »

musher0-:
musher0 wrote: I just checked the glibc on wanderer's Puppy CE-3, and unfortunately, its
version number is 2.11, not 2.10, as I initially thought. Compiling lsof on it
wouldn't make it compatible for your Carolina.
That's more bad luck, for me. Couldn't you just download the Carolite-1.2 iso, install it onto a pendrive, and compile lsof off that?
musher0 wrote: Have you ever thought of upgrading to a recent Puppy?
Naturally. But the more recent puppies don't have all the bells and whistles for the EeePC (e.g. the Fn>F1 save-to-RAM/sleep functionality; the ASUS acpi tools for monitoring fan speed and CPU temp.; email print-to-pdf; etc.) that Carolite has, because it was designed for my EeePC. Carolite (Carolina) is simply a highly superior, sophisticated version of Puppy, which I suppose is why there are people keeping the Carolina repo updated with a profusion of pets (at smokey01).

Unfortunately they stopped supporting Carolite a while back. So no newer version with a more recent glibc. :)

Happy New Year!

Mike7
Carolite-1.2 w/FF38 on bootable 16G flash drive; Asus eeePC 1000HA, Atom CPU, 2G RAM, 160G HDD.

musher0
Posts: 14629
Joined: Mon 05 Jan 2009, 00:54
Location: Gatineau (Qc), Canada

#86 Post by musher0 »

You could compile it yourself, you know, if you have the devx file for Carolina.

It's almost as simple as pie! If you're interested, I could provide you with the
instructions.

Happy New Year to you too!
musher0
~~~~~~~~~~
"You want it darker? We kill the flame." (L. Cohen)

Geoffrey
Posts: 2355
Joined: Sun 30 May 2010, 08:42
Location: Queensland

#87 Post by Geoffrey »

Mike7 wrote:Unfortunately they stopped supporting Carolite a while back. So no newer version with a more recent glibc.
You could try Carolina: Vanguard Edition with Glibc2.20, it should be slim if you remove the adrive
Carolina: Recent Repository Additions (http://smokey01.com/carolina/pages/recent-repo.html)

Mike7
Posts: 400
Joined: Tue 19 Feb 2013, 00:31

#88 Post by Mike7 »

musher0-

(after lengthy holiday recess)
musher0 wrote: You could compile it yourself
I don't think you quite realize what you're saying. I've never compiled anything. I don't even know what compiling is.
musher0 wrote: I could provide you with the instructions.
I sincerely appreciate your generous offer of help, but I don't think I should get into this. I will get lost and suffering will ensue.

M.
Carolite-1.2 w/FF38 on bootable 16G flash drive; Asus eeePC 1000HA, Atom CPU, 2G RAM, 160G HDD.

Mike7
Posts: 400
Joined: Tue 19 Feb 2013, 00:31

#89 Post by Mike7 »

Hi, Geoffrey.
Geoffrey wrote: You could try Carolina: Vanguard Edition with Glibc2.20,
I seriously considered making the switch-over some time ago, and for some reasons I can no longer fully recall decided against it. I think one of the things was that Carolina is heavier than Carolite (duh). Another was on purely religious grounds: IF IT AIN'T BROKE, DON'T FIX IT. Plus, all the pretty pictures at that link scared me.

And now, just to have a newer Glibc? I dunno. . .
Geoffrey wrote: it should be slim if you remove the adrive
I'd like to know how the heck to get rid of the adrive in Carolite first. :(

M.
Carolite-1.2 w/FF38 on bootable 16G flash drive; Asus eeePC 1000HA, Atom CPU, 2G RAM, 160G HDD.

musher0
Posts: 14629
Joined: Mon 05 Jan 2009, 00:54
Location: Gatineau (Qc), Canada

#90 Post by musher0 »

Compiling an executable for Puppy is as easy as learning to swim: you dive
in and you do the dog paddle! ;)
musher0
~~~~~~~~~~
"You want it darker? We kill the flame." (L. Cohen)

belham2
Posts: 1715
Joined: Mon 15 Aug 2016, 22:47

#91 Post by belham2 »

Mike7 wrote: I don't think you quite realize what you're saying. I've never compiled anything. I don't even know what compiling is.

Mike,

If a bungling dunderhead old fart like me can have a few compiling successes, then you can too! Seriously, it is intimidating at first, but then once you start banging on the keyboard telling it to "MAKE" and stuff like that, you start to think "hey, I can do this!" Seriously, it is not hard to give it a go and doesn't take that much time. You spend more time typing out replies here than you would if you'd give compiling a go (but, hey, maybe that is all of ours' secret intent---to connect with others across this blue orb of ours). Anyhooot, when compiling, the only question is not only whether it (the compiling) succeeds, but more importantly if your creation works how it is supposed to lol! :lol: And you'll know that lickety-split once you load it in and see. That's the fun, and when it does work, my Lord, the beer tastes that much sweeter that night 8)

musher0 wrote: Compiling an executable for Puppy is as easy as learning to swim: you dive in and you do the dog paddle! ;)
....and don't worry, Musher (and Geoffrey & others) say this to everyone. They throw us in the big darn compiling ocean and then see if we sink or swim. They haven't let many of us drown...at least not yet :wink:

musher0
Posts: 14629
Joined: Mon 05 Jan 2009, 00:54
Location: Gatineau (Qc), Canada

#92 Post by musher0 »

You missed the pun between compiling on Puppy and doing the dog paddle? :lol:
Anyway, it's not the Big Blue, probably more like the local frog pond!
musher0
~~~~~~~~~~
"You want it darker? We kill the flame." (L. Cohen)

belham2
Posts: 1715
Joined: Mon 15 Aug 2016, 22:47

#93 Post by belham2 »

musher0 wrote:You missed the pun between compiling on Puppy and doing the dog paddle? :lol:
Anyway, it's not the Big Blue, probably more like the local frog pond!
Musher,

As a side note to this thread (plz excuse me, original author, Mike7, but the topic did come up concerning compiling), are there any plans for a, say, brand spanking-new compiled Puduan 7.0 or such....maybe with your security busybox script (and any others) included by default.....helping protect us poor, wretched puppy souls from mirai malware :lol: :wink:

Mike7
Posts: 400
Joined: Tue 19 Feb 2013, 00:31

#94 Post by Mike7 »

musher0-
musher0 wrote: Compiling an executable for Puppy is as easy as learning to swim: you dive in and you do the dog paddle!
My air-conditioning is on the blink and it's 98 F. in Buenos Aires today. I don't think it's the right moment for experiments.

For now, I have disabled "World" in the bash and busybox permissions as you suggested.

M.
Carolite-1.2 w/FF38 on bootable 16G flash drive; Asus eeePC 1000HA, Atom CPU, 2G RAM, 160G HDD.

Mike7
Posts: 400
Joined: Tue 19 Feb 2013, 00:31

#95 Post by Mike7 »

musher0-

I jumped the gun and spoke too soon. Carolite has Thunar, not ROX-filer, and the Permissions tab in Properties gives only these four choices for each group: Read Only, Write Only, Read & Write, and None. There is no Execute choice for each group. At the bottom of the tab there's a tick box that says "Allow this file to run as a program". That's all there is on the Permissions tab.

So, how do I disable "World - Execute" while leaving "Owner - Execute" enabled? Can it be done with the terminal?

M.
Carolite-1.2 w/FF38 on bootable 16G flash drive; Asus eeePC 1000HA, Atom CPU, 2G RAM, 160G HDD.

musher0
Posts: 14629
Joined: Mon 05 Jan 2009, 00:54
Location: Gatineau (Qc), Canada

#96 Post by musher0 »

Mike7 wrote:(...)how do I disable "World - Execute" while leaving "Owner - Execute" enabled? Can it be done with the terminal?

M.
Hello Mike7.

Sorry for the lateness in replying.

Open a terminal and type

Code:

    cd /bin
    chmod 774 busybox

(Permission "774" means "read-write-execute" for "user" and "group", but
"read only" for "world".)

The above I tested many times, by shutting down and rebooting after
attributing that new permission to busybox, and the Puppy boots and runs
like it always has.

However, please hold off doing it on the bash interpreter until I have
conducted more tests. Thanks. (I'll edit my previous post as well.)

Besides, busybox has the ash interpreter, so it's unlikely "kiddo" would
need both the ash and bash interpreters to do his mischief.

I'm playing it safe here. It's just that in my Puduan Pup, I have a
permission problem with geany and editors generally since I changed
some permissions on various directories. I have done some back-tracking
on the Puduan, but I haven't found the source of my bug yet.

On the other hand, I've changed only the busybox permission to 774
on the Slacko Slim 6 that I use now, so I am sure that the busybox
permission can be changed to 774 without problem.


IHTH. BFN.
musher0
~~~~~~~~~~
"You want it darker? We kill the flame." (L. Cohen)

Mike7
Posts: 400
Joined: Tue 19 Feb 2013, 00:31

#97 Post by Mike7 »

musher0-
musher0 wrote: Open a terminal and type

Code:

    cd /bin
    chmod 774 busybox

(Permission "774" means "read-write-execute" for "user" and "group", but
"read only" for "world".)
Okay, will do. What's the chmod code number for putting the permissions back to their previous state (just in case there's a problem)?
musher0 wrote: please hold off doing it on the bash interpreter until I have
conducted more tests.
Okay.

M.
Carolite-1.2 w/FF38 on bootable 16G flash drive; Asus eeePC 1000HA, Atom CPU, 2G RAM, 160G HDD.

Mike7
Posts: 400
Joined: Tue 19 Feb 2013, 00:31

#98 Post by Mike7 »

Hi, belham2.
belham2 wrote: once you start banging on the keyboard telling it to "MAKE" and stuff like that, you start to think "hey, I can do this!"
I'm usually wrong.
belham2 wrote: They haven't let many of us drown
I'd like to see the statistics and a few comments from those who drowned. But they probably didn't leave their memoirs.

M.
Carolite-1.2 w/FF38 on bootable 16G flash drive; Asus eeePC 1000HA, Atom CPU, 2G RAM, 160G HDD.

musher0
Posts: 14629
Joined: Mon 05 Jan 2009, 00:54
Location: Gatineau (Qc), Canada

#99 Post by musher0 »

Mike7 wrote:(...) What's the chmod code number for putting the permissions back to their previous state (just in case there's a problem)?
(...)
M.
775
musher0
~~~~~~~~~~
"You want it darker? We kill the flame." (L. Cohen)

drunkjedi
Posts: 882
Joined: Mon 25 May 2015, 02:50

#100 Post by drunkjedi »

Mike7 wrote:What's the chmod code number for putting the permissions back to their previous state (just in case there's a problem)?
First... To know what permissions a file has, do

Code:

    stat -c "%a %n" yourfile

Note the number in the output.
Use it with chmod if you want to revert back to it.
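The terminal steps scattered over the last few posts (read the mode with stat, drop the world-execute bit as in musher0's chmod 774, and put the old mode back as drunkjedi suggests), collected into one runnable script. This is an added example, not code from the thread or from Puppy; it exercises the steps on a constructed temporary file rather than on the real /bin/busybox, and the function names and the "<file>.mode.bak" sidecar file are assumptions of the example. It goes a little beyond the thread: it clears only the world-execute bit with a symbolic mode (chmod o-x), which turns 775 into 774 exactly as chmod 774 does but also leaves a file that started at 755 or 4755 with its user, group and setuid bits intact, and it records the original mode so the revert does not have to assume the answer was 775.

```shell
#!/bin/sh
# Added example: the stat / chmod steps from the thread, wrapped as shell functions.
# Runs against a throwaway temporary file (constructed in demo), never /bin/busybox.
# mode_of, world_can_execute, drop_world_execute, restore_mode and the
# "<file>.mode.bak" sidecar are assumptions of this example, not Puppy tooling.

# Octal mode of a file, e.g. 775 (the same stat call drunkjedi gives, minus %n).
mode_of() {
    stat -c '%a' "$1"
}

# Exit 0 when the "world"/other class has the execute bit set.
# The last octal digit is the other class; its low bit (value 1) is execute.
world_can_execute() {
    other=$(( $(stat -c '%a' "$1") % 10 ))
    [ $(( other & 1 )) -eq 1 ]
}

# Record the current mode in a sidecar file, then clear only o-x.
# From 775 this yields 774, matching "chmod 774 busybox" in the thread, but a
# file that started at 755 becomes 754 rather than being forced to 774.
# Prints the mode that was saved.
drop_world_execute() {
    saved=$(stat -c '%a' "$1")
    printf '%s\n' "$saved" > "$1.mode.bak"
    chmod o-x "$1"
    printf '%s\n' "$saved"
}

# Put the recorded mode back (for busybox the thread's answer is 775;
# this reads whatever was actually there) and remove the sidecar.
restore_mode() {
    chmod "$(cat "$1.mode.bak")" "$1" && rm -f "$1.mode.bak"
}

# Walk through the steps on a constructed stand-in for busybox.
demo() {
    f=$(mktemp) || return 1
    chmod 775 "$f"                          # the busybox mode the thread reports
    echo "before:   $(mode_of "$f")"        # 775
    drop_world_execute "$f" >/dev/null
    echo "after:    $(mode_of "$f")"        # 774
    if world_can_execute "$f"; then
        echo "world can still execute"
    else
        echo "world execute cleared"        # this branch
    fi
    restore_mode "$f"
    echo "reverted: $(mode_of "$f")"        # 775
    rm -f "$f"
}

demo
```

To apply it to the real file, call `drop_world_execute /bin/busybox` as root and keep the generated /bin/busybox.mode.bak until you have rebooted and confirmed the system still comes up, then `restore_mode /bin/busybox` if anything misbehaves.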
