Just reread the question. If you're on an install without SSH or your SSH server is not available online (e.g. it is blocked by a NAT router, et al), you have nothing to fear from this news. The whole attack requires SSH.
Additionally, if you're not running a webserver (and by extension you're not on an awesome internet connection), it seems unlikely —though, and importantly, not impossible— that Windigo is going to bother you, even if you do have an exposed SSH server.
That's not to say you're free from any risk. There is other malware and there will be even more as time goes on and Ubuntu gains users. It's also stupidly easy to manipulate people. I had a little rant a few years ago: Linux isn't invulnerable. Don't say it is.
Anyway, if you're still reading, I'm going to assume you're running an SSH server on the internet.
The ESET post and PDF writeup on "Operation Windigo" should tell you everything you need in order to tell if you're at risk or are currently infected. They have sample code that can be copied out and run to test your system.
The whole thing is certainly worth a read but this isn't the security apocalypse some might suggest. The primary route by which these servers became infected was human idiocy:
No vulnerabilities were exploited on the Linux servers; only stolen credentials were leveraged. We conclude that password-authentication on servers should be a thing of the past
So for all the fanfare, this is a very basic infection technique. They're either cracking passwords (dictionary attacks most likely) or they're stealing SSH keys off client computers, backups, etc. I'd like to think it's the first.
There is nothing clever or new about this. Everybody running an SSH server faces those risks and they're really easy to protect against. Just practise basic SSH security and you'll be fine: use password protected keys and not passwords, run sshd on a high port, fail2ban, no root user. If you ignore these basics and run an SSH server where you're allowing root logins with a password, you'll get hacked.
And just because this wasn't an exploit-based infection doesn't mean the next one won't be. Staying up to date with security-release packages is vital. Make it automatic. Making sure your PHP (et al) scripts are updated is vital; subscribe to your authors' RSS feeds.
The significance of Windigo is the sophistication and portability of the rootkit that gets installed on the servers. There is network resilience through dynamic DNS, not static IPs, multiple httpd configurations to maximise success rates, the lack of dependencies in this whole stack that makes it almost certain to run in all scenarios (even on ARM)... and by all accounts the payloads (the spam, and infection kits for client computers) are very effective. 1% success is epic when you're talking about 500K a day.
The "this is happening on Linux so Linux is insecure" inference I can see in some quarters is nonsense. This could happen on any platform and frankly, it already does. What is special here is that this has been pulled together by competent developers. Thankfully the ingress point is pretty much as simple as a burglar finding the spare key under the doormat.
The Too Long; Didn't Read version...
It seems the hacked servers were run by idiots with weak security but don't be complacent. Check to see if your servers are infected and check to see you're not making the same stupid mistakes as the people who are currently infected.
Best Answer
That file seems to belong to package libruby1.9.1, which should be installed when you installed Ruby. If that package comes from the default repositories I guess that warning should be nothing for you to worry about. If it comes from a PPA then you should take a closer look.
To see where the package comes from you can use apt-cache. From my system:

Also consider checking that file in an online scanner like VirusTotal. If only clamav marks it as a potential threat, it is probably a false positive.
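One way to carry out the two checks this answer suggests, as an added shell example that is not part of the original answers: parse `apt-cache policy` output to see whether the installed libruby1.9.1 comes from the Ubuntu archive or a PPA, and compare the package's files with the md5sums dpkg recorded at install time. The policy output, version strings and PPA URL are constructed sample data; the md5sums location is the usual dpkg one.

```shell
#!/bin/sh
# Added example, not from the original answers: (1) classify where the installed
# version of the owning package comes from by parsing `apt-cache policy <pkg>`
# output; (2) compare the package's files with the md5sums dpkg recorded at
# install time (normally /var/lib/dpkg/info/<package>.md5sums; debsums automates
# this). Version strings and repository URLs below are constructed sample data.
set -eu

# Reads `apt-cache policy` output on stdin; prints ubuntu-archive, ppa or other
# based on the repository URLs listed under the installed (***) version.
classify_origin() {
    urls=$(awk '
        /^ \*\*\* /  { inside = 1; next }        # installed version entry
        /^     [^ ]/ { inside = 0 }              # next (5-space) version entry
        inside && $2 ~ /^https?:/ { print $2 }   # repository URL of a source line
    ')
    case "$urls" in
        *ppa.launchpad.net*)                        echo ppa ;;
        *archive.ubuntu.com*|*security.ubuntu.com*) echo ubuntu-archive ;;
        *)                                          echo other ;;
    esac
}

# Checks the files listed in a dpkg md5sums file ($2) against the tree under $1.
# Status 0 means every file matches; any mismatch or missing file is the cue to
# take the closer look the answer recommends.
verify_pkg_files() {
    ( cd "$1" && md5sum -c "$2" >/dev/null 2>&1 )
}

# Constructed samples of `apt-cache policy libruby1.9.1` output.
POLICY_ARCHIVE=$(cat <<'EOF'
libruby1.9.1:
  Installed: 1.9.3.0-example1
  Version table:
 *** 1.9.3.0-example1 0
        500 http://archive.ubuntu.com/ubuntu/ precise/main amd64 Packages
        100 /var/lib/dpkg/status
EOF
)
POLICY_PPA=$(cat <<'EOF'
libruby1.9.1:
  Installed: 1.9.3.0-example2~ppa1
  Version table:
 *** 1.9.3.0-example2~ppa1 0
        500 http://ppa.launchpad.net/example/ruby/ubuntu precise/main amd64 Packages
        100 /var/lib/dpkg/status
EOF
)
printf 'archive sample: %s\nppa sample: %s\n' \
    "$(printf '%s\n' "$POLICY_ARCHIVE" | classify_origin)" "$(printf '%s\n' "$POLICY_PPA" | classify_origin)"
```

On a real system, feed it `apt-cache policy libruby1.9.1` and the package's md5sums file from /var/lib/dpkg/info/ with `/` as the root.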