From: Brandon J. Wandersee <brandon.wandersee@gmail.com>
To: Matthias Apitz
Cc: freebsd-questions@freebsd.org
Subject: Re: ransomware virus on Linux
In-reply-to: <20151119064434.GB1925@c720-r276659.oa.oclc.org>
Date: Thu, 19 Nov 2015 16:20:28 -0600
Message-ID: <86y4dtiqc3.fsf@WorkBox.Home>

Matthias Apitz writes:

> Any comments?

From what I've been able to glean, this seems a little bit overblown. I don't doubt the effects are significant for the people experiencing them, but it seems extremely limited.

The program is said to "take advantage of" an outdated, running instance of the Magento e-commerce software, so I have to think that it can only be executed via Magento. It also encrypts only directories that would absolutely require root privileges to modify--e.g., it specifically encrypts /home, not individual user directories, so even if you deliberately executed it as a regular user it would have no effect.

So it only affects improperly configured servers that run outdated versions of one specific piece of software. It's not something most of us will have to ever worry about, and the onus really falls first on Magento to prevent this sort of remote execution (which it apparently did before the malware even made it into the wild), and then on sysadmins to update to the newer, secure version.

-- 
=================================================================
:: Brandon Wandersee ::
:: brandon.wandersee@gmail.com ::
==================================================================
'A common mistake that people make when trying to design something
completely foolproof is to underestimate the ingenuity of complete
fools.'
- Douglas Adams
==================================================================
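The point made in the reply above is that the malware can only damage directories a web application's service account cannot write to unless the application runs as root. The following is an added example, not code from the post or from any FreeBSD or Magento project: a small least-privilege audit that evaluates POSIX write permission for a given identity, first against constructed stat fields (the paths, modes, and the uid/gid 33 for www-data are assumptions, following the Debian convention) and then, when run directly, against the live filesystem for the current user.

```python
"""Least-privilege audit: which directories could a service account modify?

Added example. Evaluates POSIX discretionary write permission from stat
fields so that the check can be reasoned about (and tested) without
needing root or a particular machine layout.
"""
import os
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class Identity:
    uid: int
    gids: frozenset  # primary plus supplementary group ids


def can_write(st_mode: int, st_uid: int, st_gid: int, who: Identity) -> bool:
    """Pure evaluation of the DAC write bit that applies to `who`.

    Mirrors the kernel's owner/group/other ordering; uid 0 bypasses DAC
    entirely, which is exactly why a root-run web app is the dangerous case.
    """
    if who.uid == 0:
        return True
    if st_uid == who.uid:
        return bool(st_mode & stat.S_IWUSR)
    if st_gid in who.gids:
        return bool(st_mode & stat.S_IWGRP)
    return bool(st_mode & stat.S_IWOTH)


# Constructed sample: (mode, owner uid, owner gid) as typically seen on a
# web server. gid 33 is assumed to be the web server's group (www-data).
SAMPLE_DIRS = {
    "/home": (0o755, 0, 0),
    "/root": (0o700, 0, 0),
    "/var/www/html": (0o775, 0, 33),  # document root, group-writable
    "/tmp": (0o1777, 0, 0),           # sticky, world-writable
}


def audit_sample(who: Identity) -> dict:
    """Return {path: writable} for the constructed sample directories."""
    return {
        path: can_write(stat.S_IFDIR | mode, uid, gid, who)
        for path, (mode, uid, gid) in SAMPLE_DIRS.items()
    }


def audit_live(paths, who: Identity) -> dict:
    """Same check against real stat() results; missing paths are skipped."""
    result = {}
    for path in paths:
        try:
            st = os.stat(path)
        except FileNotFoundError:
            continue
        result[path] = can_write(st.st_mode, st.st_uid, st.st_gid, who)
    return result


def current_identity() -> Identity:
    """Identity of the process running this script."""
    return Identity(os.geteuid(), frozenset(os.getgroups()) | {os.getegid()})


if __name__ == "__main__":
    me = current_identity()
    print(f"uid={me.uid} gids={sorted(me.gids)}")
    for path, writable in audit_live(SAMPLE_DIRS, me).items():
        flag = "WRITABLE" if writable else "read-only"
        print(f"{path:20s} {flag}")
```

Run it as the account the web server uses (for example via su to that user) and any line reported WRITABLE outside the document root is a directory that a compromised application could alter; if every line comes back WRITABLE, the account is root and the server is in the misconfigured state the reply describes.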