Skip to main content

Thread: Duqu Command & Control Servers included Hacked Linux Systems by D. Dieterle

-

some interesting information released yesterday in follow duqu analysis report kapersky labs. highlights article include:

  • the duqu c&c servers operated november 2009.
  • many different servers hacked around world, in vietnam, india, germany, singapore, switzerland, uk, netherlands, belgium, south korea name few locations. of hacked machines running centos linux. both 32-bit , 64-bit machines hacked.
  • the servers appear have been hacked bruteforcing root password. (we not believe in openssh 4.3 0-day theory – scary!)
  • the attackers have burning desire update openssh 4.3 version 5 control of hacked server.
  • a global cleanup operation took place on 20 october 2011. attackers wiped every single server used in distant past, e.g. 2009. unfortunately, interesting server, c&c proxy in india, cleaned hours before hosting company agreed make image. if image had been made earlier, it’s possible we’d know lot more inner workings of network.
  • the “real” duqu mothership c&c server remains mystery attackers’ identities.

wait minute, “most of hacked machines running centos linux“. linux gets hacked? of think linux invulnerable, may eye opener.
interesting though how did it? leads more questions. recovered sshd log server in germany caught might evidence of brute force password attack:

odd logged in, 1 of first things done update openssh (used remote access) 4.3 5, snip recovered bash shell history shows :

has led quite debate, saying hackers got in using openssh 0 day exploit, while others claiming needed updated features of 5 make command , control more uniform across board.
interesting see how many times files , manuals referenced in above capture. why powerful stuxnet attackers breached iran’s secure nuclear facilities , have created several 0-day attacks need reference files frequently?
simple solution not familiar distribution of linux. more familiar red hat linux enterprise linux centos based on.
brute force password hacking or stuxnet 0-day, duqu shows linux vulnerable hackers too. , it’s growing install base, supplanting windows desktops in many facilities, expect become more of target.

really interesting stuff. lot posting! thought kapersky blog post referred read.

https://www.securelist.com/en/blog/6...ontrol_servers


Forum The Ubuntu Forum Community Ubuntu Community Discussions The Cafe Duqu Command & Control Servers included Hacked Linux Systems by D. Dieterle


Ubuntu

Comments

Post a Comment

Popular posts from this blog

Falang and too many redirects - Joomla! Forum - community, help and support

-
hello i don't know if i'm posting in right place , i'm apologise have searched solution long time , couldn't find . my problem starts when have install component falang (translation component ). after time decided uninstall , problem starts. go extension tab meny in left column press manage button, list on right found falang component , delete it, when did website not accessible did stupidest thing install falang package file 1 more time , here problem, when trying open website message showing: "website redirected many times. try clearing cookies. err_too_many_redirects" i have cleared cookies didn't help. have used tool "header checker tool" , result "301 moved permanently " please because don't know do. thank you setka Board index Joomla! 3.x - Ask Support Questions Here Extensions for Joomla! 3.x
Read more

Infinite loop detected in JErrorInfinite loop detected in JError - Joomla! Forum - community, help and support

-
after migrating site new server see error below infinite loop detected in jerrorinfinite loop detected in jerror please can me it means there mis-configuration configuration.php file. can refer post - viewtopic.php?t=830509 https://docs.joomla.org/infinite_loop_d ... joomla_1.7 Board index Joomla! 3.x - Ask Support Questions Here General Questions/New to Joomla! 3.x
Read more

logged out from joomla! - Joomla! Forum - community, help and support

-
Image
good morning you! since joomla! version still running on 3.7.5, trying update current version 23.8.1. tried, got white page due incompatibility 1 of extension (page builder pro). decided first upgrade extension, , trying again. tried update, received error message of dublicated tables. went phpmyadmin , deleted these tables manually. same error appeared again, when tried update part. extension. in order rid of extension, tried remove extension via extension manager. hit "remove" button, got logged out. while trying log admin, got message: you not have access administrator section of site. . yes, changed _user table in phpmyadmin, , checked configuration.php, i'm still not able lock admin. however, checked , browsed internet solution, couldn't find hint, excepted, had similar issue , asked post output of "forum assistant". have no idea if narrow problem, @ least gotta try! of appreciated! thank in advance! part i: forum post assistant (v1.3.5) : 2nd november ...
Read more