
Why your Linux PC isn't vulnerable to the devastating XOR DDoS mal


securitybreach


Basically, if you're not running ssh you have nothing to worry about, and if you are running ssh, simply configure it like you normally would...

 

No, your Linux desktop isn’t vulnerable

 

The XOR DDoS malware was first identified in September of last year. Some websites are reporting that this takes advantage of a security vulnerability on Linux systems to infect them. It doesn’t. Instead, it finds Linux systems with SSH servers accessible to the Internet and attempts to brute-force their passwords, guessing over and over until it’s allowed in.

 

Secure shell (SSH) is a server that gives access to a remote shell on a computer, allowing anyone who logs in to run any commands they like. Typical Linux desktop systems just don’t have an SSH server enabled and configured by default, so they’re just not vulnerable to this attack. That’s the end of the story — you only need to worry about the XOR DDoS malware if you’ve enabled an SSH server and made it accessible to the Internet.

 

Poorly configured Linux servers are vulnerable

 

You’re under fire if you’ve installed an SSH server on a Linux system and made it available to the Internet. XOR DDoS scans the Internet for these systems and attempts to guess passwords until it’s allowed in. It then installs the XOR DDoS malware on the computer, which uses rootkit-like techniques to disguise itself.

 

 


 

This is just taking advantage of poorly configured SSH servers. A properly configured SSH server should be running on another port so it’s harder to find, require a private key rather than just a password, and should automatically block login attempts after a few failed ones. This would prevent the attack. Restricting access to the SSH server to specific IP addresses that need it would also help.

 

XOR DDoS is just one malicious actor trying to crack poorly configured SSH servers. Anyone running a public SSH server will see frequent attempts to attack it in their server logs....

 

http://www.pcworld.c...os-malware.html

  • Like 2
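
The four measures named in the quoted article (non-default port, key-only logins, a cap on failed attempts, source restrictions) can be checked against an `sshd_config`. The script below is an added example, not part of the original post or the PCWorld article; the sample configs are constructed, the threshold of 3 attempts is an assumption, and restrictions enforced by a firewall are not visible to it.

```python
# Upstream OpenSSH defaults for the keywords read below (distro packages may differ).
DEFAULTS = {"port": "22", "passwordauthentication": "yes",
            "pubkeyauthentication": "yes", "maxauthtries": "6"}
MAX_TRIES = 3  # assumed meaning of "a few failed ones"

# Constructed sample configs, not taken from the page.
WEAK = "Port 22\nPasswordAuthentication yes\n"
HARDENED = """\
Port 2222
PasswordAuthentication no
MaxAuthTries 3
AllowUsers admin@203.0.113.10
Match Address 10.0.0.0/8
    PasswordAuthentication yes
"""

def global_settings(text):
    """Collect global keywords; Include files and Match blocks are not evaluated."""
    seen = {}
    for raw in text.splitlines():
        parts = raw.strip().replace("=", " ", 1).split(None, 1)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        key = parts[0].lower()  # keywords are case-insensitive
        if key == "match":
            break  # everything after the first Match is conditional
        seen.setdefault(key, []).append(parts[1].strip())
    return seen

def audit(text):
    """Return findings for the four measures named in the post."""
    cfg = global_settings(text)
    # sshd keeps the first value it reads for a single-valued keyword.
    first = lambda k: cfg.get(k, [DEFAULTS[k]])[0].lower()
    findings = []
    if "22" in cfg.get("port", [DEFAULTS["port"]]):
        findings.append("port: sshd listens on the default port 22")
    if first("passwordauthentication") != "no" or first("pubkeyauthentication") != "yes":
        findings.append("auth: password logins accepted or key logins disabled")
    # MaxAuthTries caps attempts per connection only; blocking a source across
    # connections needs a separate tool (for example fail2ban or firewall rules).
    if int(first("maxauthtries")) > MAX_TRIES:
        findings.append("retries: more than %d attempts per connection" % MAX_TRIES)
    users = " ".join(cfg.get("allowusers", [])).split()
    if not users or any("@" not in u for u in users):
        findings.append("source: logins not limited to specific hosts via AllowUsers user@host")
    return findings

if __name__ == "__main__":
    for name, sample in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(sample) or "no findings")
```
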