Just reread the question. If you're on an install without SSH or your SSH server is not available online (eg it is blocked by a NAT router, et al), you have nothing to fear from this news. The whole attack requires SSH.
Additionally, if you're not running a webserver (and by extension you're not on an awesome internet connection), it seems unlikely —though, and importantly, not impossible— that Windigo is going to bother you, even if you do have an exposed SSH server.
That's not to say you're free from any risk. There is other malware and there will be even more as time goes on and Ubuntu gains users. It's also stupidly easy to manipulate people. I had a little rant a few years ago: Linux isn't invulnerable. Don't say it is.
Anyway, if you're still reading, I'm going to assume you're running a SSH server on the internet.
The ESET post and PDF writeup on "Operation Windigo" should tell you everything you need in order to tell if you're at risk or are currently infected. They have sample code that can be copied out and run to test your system.
The whole thing is certainly worth a read but this isn't the security apocalypse some might suggest. The primary route by which these servers became infected was human idiocy:
No vulnerabilities were exploited on the Linux servers; only stolen credentials were leveraged. We conclude that password-authentication on servers should be a thing of the past
So for all the fanfare, this is a very basic infection technique. They're either cracking passwords (dictionary-attacks most likely) or they're stealing SSH keys off client computers, backups, etc. I'd like to think it's the first.
There is nothing clever or new about this. Everybody running a SSH server faces those risks and they're really easy to protect against. Just practise basic SSH security and you'll be fine: use password protected keys and not passwords, run `sshd` on a high port, fail2ban, no root user. If you ignore these basics and run a SSH server where you're allowing root logins with a password, you'll get hacked.
And just because this wasn't an exploit-based infection doesn't mean the next one won't be. Staying up to date with security-release packages is vital. Make it automatic. Making sure your PHP (et al) scripts are updated is vital, subscribe to your authors' RSS feeds.
The significance of Windigo is the sophistication and portability of the rootkit that gets installed on the servers. There is network resilience through dynamic DNS, not static IPs, multiple httpd configurations to maximise success rates, the lack of dependencies in this whole stack that makes it almost certain to run in all scenarios (even on ARM)... and by all accounts the payloads (the spam, and infection kits for client computers) are very effective. 1% success is epic when you're talking about 500K a day.
The "this is happening on Linux so Linux is insecure" inference I can see in some quarters is nonsense. This could happen on any platform and frankly, it already does. What is special here is that this has been pulled together by competent developers. Thankfully the ingress point is pretty much as simple as a burglar finding the spare key under the doormat.
The Too Long; Didn't Read version...
It seems the hacked servers were run by idiots with weak security but don't be complacent. Check to see if your servers are infected and check to see you're not making the same stupid mistakes as the people who are currently infected.
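A small audit script for three of the basics the answer above lists (keys instead of passwords, no root login, sshd on a high port). This is an added example, not code from the answer or from ESET's writeup; it assumes OpenSSH's `sshd_config` rules that keywords are case-insensitive and that the first occurrence of a keyword wins, and it ignores `Match` blocks. The two config files it checks are constructed samples, not copied from any real host. fail2ban is a separate service and is not something a config-file check can verify.

```sh
#!/bin/sh
# Added example: audit an sshd_config for the basics listed above.
# Assumes OpenSSH semantics: keywords are case-insensitive and the first
# occurrence of a keyword wins. Match blocks are not handled.

# Print the lower-cased value of the first occurrence of keyword $2 in file $1.
sshd_option() {
    grep -i "^[[:space:]]*$2[[:space:]]" "$1" | head -n 1 | awk '{print tolower($2)}'
}

# Print one line per weak setting found in the sshd_config file $1.
audit_sshd_config() {
    cfg="$1"

    # Keys, not passwords. OpenSSH defaults PasswordAuthentication to yes,
    # so an absent line is just as weak as an explicit "yes".
    pw=$(sshd_option "$cfg" PasswordAuthentication)
    [ "${pw:-yes}" = "no" ] || printf 'PasswordAuthentication is "%s"; set it to "no"\n' "${pw:-yes (default)}"

    # No root logins over SSH at all, whatever the version's default is.
    root=$(sshd_option "$cfg" PermitRootLogin)
    [ "${root:-unset}" = "no" ] || printf 'PermitRootLogin is "%s"; set it to "no"\n' "${root:-unset}"

    # A high port does not stop a targeted attacker, but it cuts the noise
    # from scanners that only try 22.
    port=$(sshd_option "$cfg" Port)
    [ "${port:-22}" != "22" ] || printf 'Port is 22; move sshd to a high port\n'
}

# Constructed sample configs (not from a real server).
WEAK_CFG=$(mktemp)
HARDENED_CFG=$(mktemp)
trap 'rm -f "$WEAK_CFG" "$HARDENED_CFG"' EXIT

cat > "$WEAK_CFG" <<'EOF'
# Stock-looking config with root logins explicitly allowed
Port 22
PermitRootLogin yes
PasswordAuthentication yes
EOF

cat > "$HARDENED_CFG" <<'EOF'
Port 22022
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
EOF

echo "== weak config =="
audit_sshd_config "$WEAK_CFG"
echo "== hardened config =="
audit_sshd_config "$HARDENED_CFG"
```

Run it against `/etc/ssh/sshd_config` with `audit_sshd_config /etc/ssh/sshd_config`; no output means the three settings are in place. Remember that editing the file does nothing until `sshd` is reloaded, and that a `Match` block can override any of these for particular users or addresses.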
Best Answer
Key point is that pentesters/white-hats/ethical hackers as well as black-hats target `/etc/passwd` as proof of concept, as a test of possibility of gaining access to a system.

Technically `/etc/passwd` isn't that scary. In the past it used to store private data, passwords obviously, but as of nowadays you'd need to be more worried about `/etc/shadow` - most Linux systems nowadays use the `shadow` suite of utilities to keep a hashed and salted password in `/etc/shadow`, which unlike `/etc/passwd` isn't world-readable (unless you use the `pwunconv` command, which actually moves the hashed passwords back into `/etc/passwd`). The only more or less sensitive piece of info is the usernames. If you have `sshd` or `telnet` on the server and a username with a weak password, there is a potential for a brute force attack.

By the way, your very same question has been asked before. Here I merely restated some of the concepts mentioned there already.

Small addition: this is a little far-fetched, but I've noticed that you have `bash` as root shell. Now, suppose you have a user on the system that has `bash` as their shell, even worse - that user is a sudoer. Now, if your bash is outdated or unpatched, an attacker could try to exploit the Shellshock vulnerability to steal data or execute a fork-bomb to bring your system down temporarily. So yes, technically `/etc/passwd` isn't a big deal, but it does give an attacker an idea of some of the information on what to attempt.

Additional edit, 11/18/2016

Having used an Ubuntu server on Digital Ocean for a while, it came to my attention that most brute force attacks against my server were carried out for the `root` user - 99% of the entries for failed password in `/var/log/auth.log` were for `root`. `/etc/passwd`, as I mentioned before, gives an attacker a look at the list of users, and not just system users, but human users as well, which means more potential avenues for attack. Let's remember that not all users are security conscious and don't always create strong passwords, so an attacker's bet on human error or overconfidence has quite a high probability of being a jackpot.
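To make the two halves of that answer concrete: what an attacker actually gets out of a world-readable `/etc/passwd`, and what the resulting password guessing looks like in `/var/log/auth.log`. This is an added example, not code from the answer; the `/etc/passwd` entries, the `pwunconv`-style entry with a hash in the password field, and the `auth.log` lines are all constructed samples, and the "human user means UID >= 1000" cut-off is the Debian/Ubuntu convention, assumed here.

```python
"""Added example (not from the answer): what /etc/passwd gives an attacker and
how the matching brute-force attempts show up in auth.log.
All inputs below are constructed samples, not real system files."""
import re
from collections import Counter

# Constructed /etc/passwd: system accounts plus two human users and one
# service account with a login disabled via /bin/false.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sshd:x:109:65534::/run/sshd:/usr/sbin/nologin
alice:x:1000:1000:Alice,,,:/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/bin/zsh
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
svc:x:1002:1002::/srv/svc:/bin/false
"""

# Constructed: the same file after pwunconv put a (made-up) hash back into field 2.
PWUNCONV_SAMPLE = SAMPLE_PASSWD + "carol:$6$Qz8o1vW3$7xK2mN4pL9rT:1003:1003::/home/carol:/bin/bash\n"

NO_LOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}
SHADOW_MARKERS = {"x", "*", "!", "!!"}


def _entries(passwd_text):
    for line in passwd_text.splitlines():
        if line and not line.startswith("#"):
            yield line.split(":", 6)


def login_accounts(passwd_text, min_uid=1000):
    """(name, uid, shell) for every account worth guessing a password for:
    root plus any human user (uid >= min_uid, assumed Debian/Ubuntu convention)
    whose shell actually lets them log in."""
    found = []
    for name, _pw, uid, _gid, _gecos, _home, shell in _entries(passwd_text):
        uid = int(uid)
        if shell in NO_LOGIN_SHELLS:
            continue
        if uid == 0 or uid >= min_uid:
            found.append((name, uid, shell))
    return found


def accounts_not_using_shadow(passwd_text):
    """Names whose password field is not a shadow marker: either a hash that is
    now world-readable (pwunconv) or an empty field, i.e. no password at all."""
    return [e[0] for e in _entries(passwd_text) if e[1] not in SHADOW_MARKERS]


# Constructed auth.log: six guesses at root, one at a username that does not
# exist, one at alice, and one successful key login that is not a failure.
def _failed(user, ip, port, invalid=False):
    who = f"invalid user {user}" if invalid else user
    return f"Nov 18 03:14:07 srv sshd[2214]: Failed password for {who} from {ip} port {port} ssh2"

SAMPLE_AUTH_LOG = "\n".join(
    [_failed("root", f"203.0.113.{i}", 51000 + i) for i in range(1, 7)]
    + [_failed("admin", "203.0.113.9", 51099, invalid=True),
       _failed("alice", "198.51.100.7", 40211),
       "Nov 18 03:15:00 srv sshd[2230]: Accepted publickey for alice from 192.0.2.10 port 50002 ssh2"]
)

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")


def failed_logins_by_user(auth_log_text):
    """Count 'Failed password' lines per target username; 'invalid user'
    attempts are guesses that missed an account entirely."""
    counts = Counter()
    for line in auth_log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def root_share(counts):
    """Fraction of all failed attempts aimed at root."""
    total = sum(counts.values())
    return counts["root"] / total if total else 0.0


def attacked_login_accounts(passwd_text, auth_log_text):
    """Accounts from /etc/passwd that can log in AND have been guessed at."""
    counts = failed_logins_by_user(auth_log_text)
    return {name: counts[name] for name, _uid, _shell in login_accounts(passwd_text) if counts[name]}


if __name__ == "__main__":
    print("login accounts:", login_accounts(SAMPLE_PASSWD))
    print("hash in passwd:", accounts_not_using_shadow(PWUNCONV_SAMPLE))
    print("failed by user:", dict(failed_logins_by_user(SAMPLE_AUTH_LOG)))
    print("root share:", root_share(failed_logins_by_user(SAMPLE_AUTH_LOG)))
    print("attacked:", attacked_login_accounts(SAMPLE_PASSWD, SAMPLE_AUTH_LOG))
```

On a real box, feed it `open("/etc/passwd").read()` and `open("/var/log/auth.log").read()` (the latter needs root or the `adm` group). `login_accounts` is the list an attacker would build from the leaked file; `accounts_not_using_shadow` is the check for the `pwunconv` situation the answer mentions, and anything it returns is a hash (or an empty password) that every local user can read.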