Rich Freeman via plug on 23 Jun 2020 07:35:03 -0700

Re: [PLUG] Python-backdoor


On Tue, Jun 23, 2020 at 10:03 AM jeff via plug
<plug@lists.phillylinux.org> wrote:
>
> not to worry, developed by the good guys for cybersec learning
>
> https://www.hackermilk.info/2020/06/python-backdoor-fully-undetectable-and.html

This doesn't really seem like an exploit so much as a rootkit.  It is
just a program that runs and logs keys/etc.  It would be an obvious
payload for an exploit, but such things are hardly new.  I guess it is
novel in that antivirus programs aren't detecting it yet.  You could
probably create such a program for Linux/X11 fairly easily - I'm sure
many already exist.

>
> vtop – A Linux Process and Memory Activity Monitoring Tool
>
> https://www.tecmint.com/vtop-monitor-linux-process-usage/
>

Looks interesting, though I'm not sure if there aren't already 47
alternatives that don't involve node.js.  The text console graph is
nice though - that isn't something I've seen before I think.

I personally prefer atop because it can show IO use and it detects
short-lived processes through accounting (useful when compilers are
running or you have something spawning lots of short-lived processes).

If you're concerned about grouping related processes I'd suggest
looking at systemd-cgtop which is good for monitoring services.  Note
that to get full capability out of it you might need to enable
accounting in the units of interest or globally in system.conf.

> Firmware Flaw Allows Attackers to Evade Security on Some Home Routers
>
> https://www.darkreading.com/vulnerabilities---threats/firmware-flaw-allows-attackers-to-evade-security-on-some-home-routers/d/d-id/1338150

It is unclear exactly what is being exploited.

They say that they're downgrading firmware from the web admin
interface, but if you can get into that then the router is already
compromised.  I think most Buffalo routers let the owner flash their
own firmware (such as OpenWRT), so if you can log into the admin
interface then obviously you can take full control over it.  Locking
it down to only run signed firmware would obviously fix that, but then
you're unable to run OpenWRT.  I guess they could at least have some
way to toggle running unsigned firmware so that the average buyer who
never changes the default password is safe.

Maybe the article is just poorly written and there is an actual
exploit that lets them reflash the firmware without having the admin
password.  That would clearly be a problem.

-- 
Rich
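The per-unit and global accounting settings mentioned above, as an added shell example that is not code from the post or the list: it installs a drop-in enabling the systemd accounting options systemd-cgtop reads, and prints the equivalent [Manager] lines for system.conf. The drop-in file name 10-accounting.conf and the SYSTEMD_ROOT override are this example's own choices.

```shell
#!/bin/sh
# Added example, not code from the original post: enable cgroup resource
# accounting for a unit (or globally) so systemd-cgtop can report its
# CPU, memory, IO and task usage. Option names are systemd's; the drop-in
# file name and the SYSTEMD_ROOT override are this example's own choices.
set -eu

# Directory the drop-in is written under. Override (e.g. to a temp dir)
# for a dry run; the default is the real administrator config tree.
SYSTEMD_ROOT="${SYSTEMD_ROOT:-/etc/systemd/system}"

# accounting_dropin SECTION: print a drop-in body for SECTION
# ([Service] or [Slice]) that turns on every per-unit accounting knob.
accounting_dropin() {
    printf '[%s]\n' "$1"
    cat <<'EOF'
CPUAccounting=yes
MemoryAccounting=yes
IOAccounting=yes
TasksAccounting=yes
EOF
}

# write_accounting_dropin UNIT: install the drop-in for UNIT under
# SYSTEMD_ROOT/UNIT.d/ and print the path written. Only .service and
# .slice units are handled, since their section headers differ.
write_accounting_dropin() {
    unit="$1"
    case "$unit" in
        *.service) section=Service ;;
        *.slice)   section=Slice ;;
        *) echo "unsupported unit name: $unit" >&2; return 1 ;;
    esac
    dir="$SYSTEMD_ROOT/$unit.d"
    mkdir -p "$dir"
    accounting_dropin "$section" > "$dir/10-accounting.conf"
    echo "$dir/10-accounting.conf"
}

# global_accounting_settings: print the [Manager] lines that switch
# accounting on for every unit when placed in /etc/systemd/system.conf.
global_accounting_settings() {
    cat <<'EOF'
[Manager]
DefaultCPUAccounting=yes
DefaultMemoryAccounting=yes
DefaultIOAccounting=yes
DefaultTasksAccounting=yes
EOF
}
```

After writing a drop-in, run `systemctl daemon-reload` and restart the unit, then `systemd-cgtop` shows the new columns; the system.conf settings take effect on the next daemon-reexec or reboot.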
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug