On 21/02/2016 21:13, pl wrote:
The website of the Linux Mint distribution was compromised and
distributed a
malicious ISO on 20 February 2016.
=>
http://www.theregister.co.uk/2016/02/21/linux_mint_hacked_malwareinfected_i…
If you downloaded a Linux Mint that day => delete the ISO
file; if you installed a machine with it, reinstall it with
a new ISO.
Hi,
it does look like the vulnerability came from *WordPress* (I know, some
will say that's obvious...); in the comments of the official blog
(<URL:http://blog.linuxmint.com/?p=2994>), there are some
recommendations, what do you think of them?
1. Veed says:
February 21st, 2016 at 5:17 am
<http://blog.linuxmint.com/?p=2994#comment-124912>
“Edit by Clem: Yes, the breach was made via wordpress. From there
they got a www-data shell.”
“Edit by Clem: Another thing which is going to help is to buy more
servers and separate services even more. That way, if somebody
hacks say wordpress, there’s only wordpress on that server and
nothing else.”
—
Speculating:
(cr)acker exploits and gains a shell as the webserver user (which is
www-data as reported)
looks at wp-config.php, uses the username and password in the file
to gain a mysql shell (which is fine since mysql is usually bound to
localhost and the cracker is the www-data user)
Probably a search was made for the post wanted (download links) and it
was edited from there..
The only things I can suggest are:
– Ensure the webserver user’s shell is /bin/false or /bin/nologin
(and not /bin/sh or /bin/bash)
– Spend some quality time on planning separation of privilege for
software. The webserver user should have write access to as little as
possible (just wp-content in wordpress)
– Ensure incremental, automated backups are made that are not
accessible to the webserver user
– Usage of chroot jails to really separate stuff.
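As an added illustration (not from the thread, the blog comment or Linux Mint), the first three of those recommendations can be turned into an audit script for a WordPress host. The function names, the optional passwd-file parameter and the fixture paths are my own assumptions; every path and account is passed in so it can be run against a staging copy rather than the live server.

```shell
#!/bin/sh
# Hypothetical audit helper (added example, not the thread's own code).
# Each check takes its inputs as arguments instead of touching the live
# host implicitly, so it can be pointed at a copy or a test fixture.

# 1. The web server account must have /bin/false or nologin as its shell.
#    $1 = account name, $2 = passwd-format file (defaults to /etc/passwd).
#    An unknown account fails closed (no shell found is treated as a fail).
shell_is_nologin() {
    _sh=$(awk -F: -v u="$1" '$1 == u { print $7 }' "${2:-/etc/passwd}")
    case "$_sh" in
        */nologin|*/false) return 0 ;;
        *)                 return 1 ;;
    esac
}

# 2. Under the docroot, nothing outside wp-content should be writable by
#    the web server user. Prints offending paths and returns 1 if any.
#    Ownership is only tested when the account exists on this host; the
#    group/other write bits are always tested.  $1 = docroot, $2 = account.
writable_outside_wp_content() {
    _root="${1%/}"
    if id "$2" >/dev/null 2>&1; then _own="-user $2 -o"; else _own=""; fi
    _hits=$(find "$_root" -path "$_root/wp-content" -prune -o \
        \( -type f -o -type d \) \( $_own -perm -020 -o -perm -002 \) -print)
    [ -z "$_hits" ] || { printf '%s\n' "$_hits"; return 1; }
}

# 3. The backup directory must grant nothing to group/other and must not be
#    owned by the web server account.  $1 = backup dir, $2 = account.
backups_private() {
    if id "$2" >/dev/null 2>&1 && [ -n "$(find "$1" -maxdepth 0 -user "$2")" ]; then
        return 1
    fi
    # chars 5-10 of "ls -ld" output are the group and other permission bits
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Run all three checks; the exit status is the number of failed checks.
# $1 = docroot, $2 = backup dir, $3 = web server account, $4 = passwd file.
audit_wp_host() {
    _fail=0
    shell_is_nologin "$3" "$4"            || { echo "FAIL: $3 has a login shell"; _fail=$((_fail + 1)); }
    writable_outside_wp_content "$1" "$3" || { echo "FAIL: writable paths outside wp-content"; _fail=$((_fail + 1)); }
    backups_private "$2" "$3"             || { echo "FAIL: backups reachable by $3"; _fail=$((_fail + 1)); }
    return $_fail
}
```

Run it as `audit_wp_host /var/www/html /var/backups/wp www-data` on a copy of the host; a non-zero exit status tells you how many of the three recommendations are not met.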