On 21/02/2016 21:13, pl wrote:
The Linux Mint distribution's website was compromised and distributed a malicious ISO on 20 February 2016.
=> http://www.theregister.co.uk/2016/02/21/linux_mint_hacked_malwareinfected_is...
If you downloaded a Linux Mint that day => delete the ISO file; if you installed a machine with it, reinstall it with a new ISO.
Hi,
it does look like the hole came from *WordPress* (I know, some will say that's obvious...); in the comments of the official blog (URL:http://blog.linuxmint.com/?p=2994 ) there are a few recommendations, what do you think of them?
Veed says: February 21st, 2016 at 5:17 am http://blog.linuxmint.com/?p=2994#comment-124912
“Edit by Clem: Yes, the breach was made via wordpress. From there they got a www-data shell.”
“Edit by Clem: Another thing which is going to help is to buy more servers and separate services even more. That way, if somebody hacks say wordpress, there’s only wordpress on that server and nothing else.”
Speculating:
(cr)acker exploits and gains a shell as the webserver user (which is www-data as reported), looks at wp-config.php, uses the username and password in the file to gain a mysql shell (which is fine since mysql is bound to localhost usually; the cracker is the www-data user). Probably a search made for the post wanted (download links), edited from there..
The only things I can suggest are:
– Ensure the webserver user’s shell is /bin/false or /bin/nologin (and not /bin/sh or /bin/bash)
– Spend some quality time on planning separation of privilege for software. The webserver user should have write access to as little as possible (just wp-content in wordpress)
– Ensure incremental, automated backups are made that are not accessible to the webserver user
– Usage of chroot jails to really separate stuff.
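As an added example (not from this thread or from Linux Mint), here is a small POSIX sh audit for the first two of Veed's suggestions: that the webserver user has a non-interactive login shell, and that it can write to as little as possible outside wp-content. The passwd file path, WordPress root, user and group are passed in as parameters, so the demo runs against a constructed passwd file and a temporary tree rather than a real host.

```shell
#!/bin/sh
# Added example: audit helpers for two WordPress hardening points.

# webuser_shell_ok PASSWD_FILE USER
# Returns 0 when USER's login shell in PASSWD_FILE is a non-interactive one.
webuser_shell_ok() {
  shell=$(awk -F: -v u="$2" '$1 == u { print $7 }' "$1")
  case "$shell" in
    /bin/false|/usr/bin/false|/sbin/nologin|/usr/sbin/nologin) return 0 ;;
    *) return 1 ;;   # interactive shell, or user not found
  esac
}

# webuser_writable_outside_content ROOT USER GROUP
# Prints every path under the WordPress tree ROOT that USER can write:
# owned by USER with u+w, group GROUP with g+w, or world-writable.
# wp-content is pruned because uploads and caches legitimately live there.
webuser_writable_outside_content() {
  root=${1%/}
  find "$root" -path "$root/wp-content" -prune -o \
    \( \( -user "$2" -perm -200 \) -o \( -group "$3" -perm -020 \) -o -perm -002 \) \
    -print | sort
}

# Demo on constructed data (sample passwd lines and a temp tree, not a real server).
demo() {
  tmp=$(mktemp -d)
  printf '%s\n' 'www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin' \
                'wwwbad:x:34:34::/var/www:/bin/bash' > "$tmp/passwd"
  for u in www-data wwwbad; do
    if webuser_shell_ok "$tmp/passwd" "$u"; then
      echo "$u: shell ok"
    else
      echo "$u: interactive shell, change it to /bin/false or nologin"
    fi
  done
  mkdir -p "$tmp/wp/wp-content/uploads"
  echo '<?php' > "$tmp/wp/index.php";     chmod 644 "$tmp/wp/index.php"
  echo '<?php' > "$tmp/wp/wp-config.php"; chmod 440 "$tmp/wp/wp-config.php"
  echo "writable outside wp-content (run as the webserver user/group on a real host):"
  webuser_writable_outside_content "$tmp/wp" "$(id -un)" "$(id -gn)"
  rm -rf "$tmp"
}

demo
```

On a real host, call the second function with the actual webserver user and group (e.g. www-data) and expect nothing but wp-content to show up; the root directory itself being listed means the user could create new files there.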