
Stay Ahead With Linux Security Features


Explore Latest Linux Security features


CISA Alerts on Critical CVEs 2025-49151, 49152, 49153 in MICROSENS NMP Web+

If you manage industrial networks, critical manufacturing systems, or other infrastructure that demands tight security, this one deserves your full attention. MICROSENS NMP Web+, a widely deployed network management platform, has three critical vulnerabilities, the worst of them scoring 9.3 on CVSS v4. This is not a patch-when-convenient situation.

These are not obscure bugs buried behind layers of defenses. CISA describes them as exploitable with low attack complexity, and they sit in the two places you least want them: authentication and file management. If you run MICROSENS NMP Web+ version 3.2.5 or earlier, it is time to prioritize. Here is what is at stake, how to mitigate it, and what your Linux and IT teams need to focus on today, not next week.

The Vulnerabilities: Breaking Down the Risks

Three vulnerabilities have been identified in MICROSENS NMP Web+, and they are as bad as they sound.

CVE-2025-49151: Hardcoded Security Constants (CWE-547)

The application ships with hardcoded constants that an attacker can recover from the product and use to forge JSON Web Tokens (JWTs), bypassing authentication entirely. Think about that for a second: no credentials, no access control check, just a self-minted token. CVSS v4 score 9.3, and for good reason.

CVE-2025-49152: Insufficient Session Expiration (CWE-613)

Less flashy but still dangerous: the JWTs issued by affected versions never expire. Anyone who obtains or forges a token keeps access indefinitely, a golden ticket into the system. CVSS v4 score 8.7, still high if slightly less severe than the first. Note how the two flaws compound each other: a forged token that never expires is not revoked by patching alone, only by changing the secret it was signed with.
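The two token flaws above are easiest to see side by side in code. The following is an added example written for this page, not MICROSENS code: the secret value, the claim names, the rotation timestamp and both verifiers are assumptions chosen to illustrate the CWE-547 and CWE-613 patterns and the checks a hardened verifier makes instead.

```python
"""Added illustration (not MICROSENS code) of CWE-547 plus CWE-613: a
hardcoded HS256 secret lets anyone mint a token, and a verifier that never
checks 'exp' keeps honouring it. verify_strict() shows the hardened checks.
The secret, claims and timestamps below are made up for the demo."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Hypothetical build-time constant of the kind CWE-547 describes; anyone
# who can read the shipped package can recover a value like this.
HARDCODED_SECRET = b"nmp-demo-static-signing-key"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(signing_input: str, secret: bytes) -> bytes:
    return hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()


def mint(claims: dict, secret: bytes) -> str:
    """Build an HS256 JWT. An attacker holding the recovered constant calls
    this exactly as the application would, with any claims they like."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    signing_input = f"{header}.{body}"
    return f"{signing_input}.{_b64url(_sign(signing_input, secret))}"


def verify_lenient(token: str, secret: bytes) -> Optional[dict]:
    """Weak verifier: signature only, no expiry check (the CWE-613 pattern)."""
    header, body, sig = token.split(".")
    if not hmac.compare_digest(_sign(f"{header}.{body}", secret), _b64url_decode(sig)):
        return None
    return json.loads(_b64url_decode(body))


def verify_strict(token: str, secret: bytes, key_rotated_at: int,
                  now: Optional[int] = None) -> Optional[dict]:
    """Hardened verifier: pins the algorithm, requires integer 'iat' and
    'exp', refuses tokens issued before the last key rotation and tokens
    that have expired. Any parse failure is a rejection, never an exception."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(body_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:  # bad base64, bad JSON or wrong segment count
        return None
    if header.get("alg") != "HS256":  # no 'none', no algorithm confusion
        return None
    if not hmac.compare_digest(_sign(f"{header_b64}.{body_b64}", secret), sig):
        return None
    iat, exp = claims.get("iat"), claims.get("exp")
    if not isinstance(iat, int) or not isinstance(exp, int):
        return None  # unbounded tokens are refused outright
    if iat < key_rotated_at or exp <= now:
        return None  # minted under the old secret, or simply expired
    return claims


def demo(now: int = 1_750_000_100) -> dict:
    """Forge a never-expiring admin token with the hardcoded constant and
    report which verifier accepts it. Times are fixed so results are stable."""
    forged = mint({"sub": "admin", "role": "admin"}, HARDCODED_SECRET)  # no exp
    rotated_at = 1_750_000_000
    # Assumed post-upgrade behaviour: a fresh, per-installation secret.
    fresh_secret = hashlib.sha256(b"per-install random secret").digest()
    legit = mint({"sub": "admin", "role": "admin", "iat": rotated_at + 10,
                  "exp": rotated_at + 910}, fresh_secret)
    return {
        "lenient_accepts_forged": verify_lenient(forged, HARDCODED_SECRET) is not None,
        "strict_rejects_no_exp": verify_strict(forged, HARDCODED_SECRET, rotated_at, now) is None,
        "strict_rejects_old_secret": verify_strict(forged, fresh_secret, rotated_at, now) is None,
        "strict_accepts_fresh": verify_strict(legit, fresh_secret, rotated_at, now) is not None,
        "strict_rejects_expired": verify_strict(legit, fresh_secret, rotated_at, now + 1000) is None,
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The point of the `iat < key_rotated_at` check is the operational one this article comes back to below: rotating the secret is what actually kills tokens that were forged or stolen while the hardcoded constant was in use, and the verifier has to enforce that cut-off rather than trust whatever token arrives.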
CVE-2025-49153: Path Traversal (CWE-22)

If overwriting files and executing arbitrary code sounds like your worst nightmare, pay attention to this one. A path traversal flaw lets an attacker manipulate file paths to overwrite arbitrary files and, from there, execute arbitrary code, all without authenticating first. It also scores 9.3 on CVSS v4, another critical.

For context, these issues do not just put a single system at risk. NMP Web+ is a management platform, so a compromise reaches the devices it manages, and in tightly integrated industrial control environments that can mean the whole network. The potential damage is magnified in critical infrastructure deployments (power plants, manufacturing lines, transportation systems), all favored targets lately.

Why Does This Matter Right Now?

These vulnerabilities do not just open doors, they blow holes in the walls of systems already under constant pressure from motivated attackers. The industrial and manufacturing sectors lean heavily on MICROSENS tools, and those environments run under tight uptime constraints, so patching is neither fast nor easy. These CVEs are still not the kind you let sit in the queue. The affected systems sit in operational frameworks where even a slight disruption means large downtime costs, safety implications, or worse. Attackers know this, and with the details now public there is no reason to assume they will not act on them.

What Should You Do, Immediately?

Hands-on Linux admins, IT security pros, and network engineers: this is your checklist, plain and simple.

Upgrade to MICROSENS NMP Web+ v3.3.0. MICROSENS has released the fix in version 3.3.0. Whatever your patching workflow looks like, deploying this update is the top priority; version 3.2.5 or earlier stays exposed. Download the patched version, run it through your test environment if you must, and roll it out.

Invalidate old tokens. Patching closes the forgery path, but it does not by itself revoke tokens already issued or forged under the old hardcoded constants, and those tokens never expired. After the upgrade, confirm that the signing material has actually changed (regenerated per installation, or rotated by you if the product exposes that control), force every user to re-authenticate, and treat any session that survived the upgrade as suspect.

Harden your networks. If these systems are directly exposed to the internet, you have a much bigger problem. Move quickly to put NMP Web+ servers and the devices they manage behind firewalls, segment them away from the general enterprise network, and govern cross-segment traffic with strict rules. Not doing so is practically handing attackers the keys.

Secure remote access. If remote management is required, and it often is, do not rely on default configurations. Layer in a robust, recently updated VPN, enforce multi-factor authentication (MFA), and monitor all access attempts. Basic hygiene, but effective.

Implement defense in depth. No single tool is perfect. Combine intrusion detection, endpoint protection, and well-tuned logging to catch suspicious activity quickly. A strange configuration change, an odd traffic spike, an administrator login you cannot account for, or unexpected file writes on the NMP Web+ host are all worth investigating immediately.

Educate your teams. This is not just a sysadmin problem, it is systemic. Make sure your IT and security staff understand the nature of these vulnerabilities and how they could be weaponized. A well-trained team is often the first line of defense against exploitation attempts.

Understanding the Bigger Picture

Patches are the lifeline, but they are only part of a larger puzzle. An effective response requires changes to the whole security model: reducing the attack surface, limiting trust relationships, and staying vigilant. MICROSENS' latest release closes these gaps, but exploits against software like NMP Web+ are a reminder of the ongoing challenge of managing critical infrastructure systems. The stakes are high precisely because the environments where this software runs depend on uptime, and attackers know it. That does not mean standing by helplessly: proper segmentation, tight controls, and timely patches go a long way toward keeping your systems out of harm's way.

Don't waste time on this one. Coordinate with your teams, upgrade to MICROSENS NMP Web+ v3.3.0, and build the kinds of layered defenses that blunt future threats. The risks are real, but with swift action and a sound strategy you can avoid becoming the next headline.
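The path traversal class behind CVE-2025-49153 is easiest to understand as a vulnerable path join next to its hardened form. This is an added example for this page, not MICROSENS code; the upload directory, file names, symlink and attack strings are constructed for the demo, and the symlink case is included because it is the one a plain string-prefix check misses.

```python
"""Added illustration (not MICROSENS code) of CWE-22: a file-management
handler that joins a caller-supplied name onto a base directory, next to a
version that confines the resolved path. All paths here are constructed."""
import os
import tempfile
from typing import Optional


def unsafe_target(base_dir: str, user_path: str) -> str:
    """Vulnerable pattern: '..' segments and absolute paths escape base_dir."""
    return os.path.join(base_dir, user_path)


def safe_target(base_dir: str, user_path: str) -> Optional[str]:
    """Hardened: resolve '..' and symlinks first, then insist the result is
    the base directory itself or lies beneath it. Returns None on escape."""
    root = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(root, user_path))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def inside(root: str, path: str) -> bool:
    """True when the fully resolved path is confined to root."""
    root = os.path.realpath(root)
    return os.path.commonpath([root, os.path.realpath(path)]) == root


def demo() -> dict:
    """Exercise both functions against a throwaway upload directory."""
    with tempfile.TemporaryDirectory() as tmp:
        uploads = os.path.join(tmp, "uploads")
        os.mkdir(uploads)
        # A symlink inside the upload tree pointing back out of it: the case
        # that a prefix check on the unresolved string would let through.
        os.symlink(tmp, os.path.join(uploads, "link"))
        dotdot = "../../etc/cron.d/backdoor"
        return {
            "unsafe_escapes_on_dotdot": not inside(uploads, unsafe_target(uploads, dotdot)),
            "unsafe_escapes_on_absolute": not inside(uploads, unsafe_target(uploads, "/etc/passwd")),
            "safe_blocks_dotdot": safe_target(uploads, dotdot) is None,
            "safe_blocks_absolute": safe_target(uploads, "/etc/passwd") is None,
            "safe_blocks_symlink_escape": safe_target(uploads, "link/secret.txt") is None,
            "safe_allows_normal_name": safe_target(uploads, "reports/q2.csv") is not None,
        }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

Note that `os.path.join` silently discards the base directory when the second argument is absolute, which is why the hardened version never trusts the join and always compares the resolved result against the resolved root.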

Jul 02, 2025 | Brittany Day

Squid: Critical Advisory For 9.8 Threats And DoS Attacks

Security researchers have disclosed several vulnerabilities in the popular Squid caching proxy: request and response smuggling in HTTP/1.1 and ICAP (CVE-2023-46846), denial of service in HTTP Digest Authentication (CVE-2023-46847), and denial of service in FTP (CVE-2023-46848). Let's review these vulnerabilities and how to protect the systems behind your proxy.

How Can These Vulnerabilities Affect My Linux Systems?

Request smuggling (CVE-2023-46846) exploits a disagreement between the proxy and the server behind it about where one HTTP message ends and the next begins, so bytes the proxy treats as the tail of one request are read by the origin as the start of another. That lets an attacker poison the cache or slip requests past proxy access controls. The two denial-of-service flaws let a remote client crash the proxy: CVE-2023-46847 through a buffer overflow in Digest authentication handling, CVE-2023-46848 in FTP handling. CVE-2023-46847 carries a National Vulnerability Database base score of 9.8 out of 10. Any of the three can expose sensitive data, take servers down, and damage your company's reputation.

What Should I Do to Protect My Linux Systems?

The Squid project has released fixed versions, and distributions have followed with patched packages. Apply the Mageia, Oracle, Scientific Linux, and SUSE advisories for your distro now to avoid downtime, system compromise, and data theft. Until every proxy is updated, reduce exposure: limit which clients can reach Squid, disable Digest authentication and FTP gatewaying if you do not need them, and review access logs for malformed or unusually framed requests.

Stay on top of the latest security trends and updates by registering with our open-source security projects and applications. If you are a LinuxSecurity user, subscribe to our Linux Advisory Watch newsletter and customize your advisories by distro(s); keeping current on patches is what keeps your systems from drifting into an exploitable state. Also follow @LS_Advisories on Twitter for real-time updates.

Recommended Reading: Looking to learn more about the benefits and drawbacks of Linux proxy servers and how to set up a Squid proxy server? Our recent feature article, Everything You Need to Know About Linux Proxy Servers, provides an in-depth discussion of the topic. Have additional questions about improving your security posture? Drop us a note so we can help you out!
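The smuggling bug is a framing problem, and framing is where any HTTP/1.1 intermediary has to be strict. The example below is written for this page and is not taken from Squid or its patch; it shows the generic checks that remove the ambiguity smuggling depends on: refusing Content-Length together with Transfer-Encoding, refusing duplicate or non-decimal Content-Length values, refusing anything but a clean hexadecimal chunk-size line, and refusing obsolete header line folding. The sample requests are constructed.

```python
"""Added illustration (not Squid code): strict HTTP/1.1 framing checks of
the kind that defeat request smuggling. A lenient parser that tolerates
any one of the deviations below can be desynchronised from its peer.
The sample requests are constructed for this demo."""
import re
from typing import List, Tuple

# RFC 9112: chunk-size is 1*HEXDIG, optionally followed by chunk extensions.
# No leading or trailing whitespace, no sign, no second token.
CHUNK_SIZE_LINE = re.compile(rb"[0-9A-Fa-f]{1,8}(;[^\r\n]*)?")
DECIMAL = re.compile(rb"[0-9]+")


class FramingError(ValueError):
    """Raised for any message whose length is ambiguous or malformed."""


def parse_head(raw: bytes) -> Tuple[bytes, List[Tuple[bytes, bytes]], bytes]:
    """Split a request into request-line, (name, value) headers and body."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise FramingError("no end of headers")
    lines = head.split(b"\r\n")
    headers = []
    for line in lines[1:]:
        if line[:1] in (b" ", b"\t"):
            raise FramingError("obsolete line folding refused")
        name, colon, value = line.partition(b":")
        if not colon or not name or name != name.strip():
            raise FramingError(f"malformed header line {line!r}")
        headers.append((name.lower(), value.strip()))
    return lines[0], headers, body


def decode_chunked(body: bytes) -> int:
    """Strict chunked decoder; returns the payload length or raises."""
    total = pos = 0
    while True:
        end = body.find(b"\r\n", pos)
        if end < 0:
            raise FramingError("chunk-size line not terminated by CRLF")
        line = body[pos:end]
        if not CHUNK_SIZE_LINE.fullmatch(line):
            raise FramingError(f"bad chunk-size line {line!r}")
        size = int(line.split(b";", 1)[0], 16)
        pos = end + 2
        if size == 0:
            if body[pos:] != b"\r\n":  # no trailers accepted, nothing after the end
                raise FramingError("unexpected data after last chunk")
            return total
        if body[pos + size:pos + size + 2] != b"\r\n":
            raise FramingError("chunk data not followed by CRLF")
        total += size
        pos += size + 2


def body_length(headers: List[Tuple[bytes, bytes]], body: bytes) -> int:
    """Pick exactly one framing. Anything a lenient peer might read the
    other way is rejected rather than guessed."""
    te = [v for n, v in headers if n == b"transfer-encoding"]
    cl = [v for n, v in headers if n == b"content-length"]
    if te and cl:
        raise FramingError("Transfer-Encoding and Content-Length both present")
    if te:
        if len(te) != 1 or te[0].lower() != b"chunked":
            raise FramingError(f"unsupported Transfer-Encoding {te!r}")
        return decode_chunked(body)
    if cl:
        if len(set(cl)) != 1 or not DECIMAL.fullmatch(cl[0]):
            raise FramingError(f"ambiguous Content-Length {cl!r}")
        if len(body) != int(cl[0]):
            raise FramingError("body does not match Content-Length")
        return len(body)
    if body:
        raise FramingError("body present without any framing header")
    return 0


def check(raw: bytes) -> str:
    try:
        _, headers, body = parse_head(raw)
        return f"ok ({body_length(headers, body)} body bytes)"
    except FramingError as exc:
        return f"reject: {exc}"


# Constructed sample requests: one clean, four with a framing ambiguity each.
HEAD = b"POST /upload HTTP/1.1\r\nHost: proxy.example\r\n"
CLEAN = HEAD + b"Transfer-Encoding: chunked\r\n\r\n5\r\nhello\r\n0\r\n\r\n"
CL_TE = HEAD + b"Content-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n5\r\nhello\r\n0\r\n\r\n"
SPACE_IN_SIZE = HEAD + b"Transfer-Encoding: chunked\r\n\r\n5 \r\nhello\r\n0\r\n\r\n"
OBS_FOLD = HEAD + b"Transfer-Encoding:\r\n chunked\r\n\r\n5\r\nhello\r\n0\r\n\r\n"
TWO_CL = HEAD + b"Content-Length: 5\r\nContent-Length: 6\r\n\r\nhello"

if __name__ == "__main__":
    for name, req in [("CLEAN", CLEAN), ("CL_TE", CL_TE), ("SPACE_IN_SIZE", SPACE_IN_SIZE),
                      ("OBS_FOLD", OBS_FOLD), ("TWO_CL", TWO_CL)]:
        print(f"{name:14} {check(req)}")
```

Each rejected request is one a front-end and a back-end could legitimately read two different ways; the defensive choice for a proxy is to return 400 for all of them rather than pick an interpretation and hope the next hop picks the same one.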

Nov 13, 2023 | Brittany Day

Linux Honeynet Incident Responses: Analyzing Attacks and Observations

Among other benefits, running a honeynet makes one acutely aware of "what is going on" out there. Placing a network IDS outside one's firewall might provide a similar flood of alerts, but a honeypot gives a unique perspective on what happens once a server is compromised and put to use by the intruders.

As a result of our research, many gigabytes of network traffic dumps are piling up on the hard drives, databases are filling with alerts, and the rootkit and exploit-pack collections keep growing. This paper is an attempt to informally summarize what has been happening to our exposed Linux machine connected to the Internet. The moment is all the more appropriate since we are now changing the platform of the victim machine.

Our Linux honeypot survived dozens, if not more, system compromises, including several massive outbound denial-of-service attacks (all blocked by the firewall!), heavy vulnerability scanning, and a stint as an Internet Relay Chat (IRC) server for Romanian hackers, among other excitement.

I. Battleground: services and ports

First, let us summarize the common exploits hurled at the exposed Linux machine. It won't be news to people who monitor activity outside their firewalls, but it may give others some insight into current threats. Scans, "innocuous" connection attempts and various spam (on TCP port 25 and UDP 13x) are not included.

a. RPC statd. The attack is SO ancient that one might think nobody would still hope to find a box with that flaw. After all, who in his right mind would be fielding, for example, Red Hat Linux 6.0 when half a dozen Red Hat releases have come out since? We are talking August 2000; it was indeed during the last millennium. Heavy scanning for this vulnerability went on all through 2001 and into parts of 2002. One might think that every machine with that hole has been secured by its owners or by the intruders, upgraded, or taken offline. However, lots of "hopefuls" are still trying the long-cemented "door", and the log files continue to be peppered with the classic:

Mar 4 11:51:31 victim 29> Mar 4 11:51:31 rpc.statd[493]: gethostbyname error for ^X...^X...^Z...^Z...%8x%8x%8x%8x%8x%8x%8x%8x%8x%62716x%hn%51859x%hn......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................../1..|Y.A^P.A^H...A^D.....^A.f...^B.Y^L.A^N..A^H^P.I^D.A^D^L.^A.f...^D.f...^E0..A^D.f......1..?..

and snort continues spewing forth the good old:

Jan 24 20:46:41 bastion snort: [1:1282:1] RPC EXPLOIT statdx [Classification: Attempted Administrator Privilege Gain] [Priority: 1]: {UDP} 10.0.0.10:931 -> 1.2.3.4:1024

And here is how the same attack looks to the anomaly-based Bro NIDS, recently deployed in our honeynet:

1047644757.152094 10.0.0.10/939 > 1.2.3.4/portmap: bad_RPC_program
1047644757.152094 10.0.0.10/939 > 1.2.3.4/portmap: bad_RPC

Bro detects a different stage of the same attack, the portmapper query rather than the statd payload.

b. WU-FTPD. This attack can also be categorized as "Stone Agey", but it is still very popular among amateur attackers. It is this attack that led to the impressive statistic publicized by the Honeynet Project: a default Red Hat box will be "owned" within 3 days of being connected to the Internet. An extremely popular choice, it is used in countless autorooters, exploit scanners and other "tools for beginners". Here is how the attack looks to snort:

Jan 26 20:37:16 bastion snort: [1:1378:7] FTP wu-ftp file completion attempt { [Classification: Misc Attack] [Priority: 2]: {TCP} 10.0.0.10:33761 -> 1.2.3.4:21
Jan 26 20:37:16 bastion snort: [1:1622:5] FTP RNFR ././ attempt [Classification: Misc Attack] [Priority: 2]: {TCP} 10.0.0.10:33761 -> 1.2.3.4:21

and to Bro:

1048402337.496125 FTP_ExcessiveFilename 10.0.0.10/1641 > 1.2.3.4/ftp #94 excessive filename: 00000000000000000000000000000000..[494]..

c. IIS exploits. We have observed dozens of different Unicode strings and .ida requests aimed at the Microsoft IIS web server, from the classic ones used by the worms of 2001 up to more obscure modern variants. Here is an excerpt of Bro's HTTP protocol decode:

/scripts/..%2f../winnt/system32/cmd.exe?/c+dir
/scripts/..%35c../winnt/system32/cmd.exe?/c+dir
/scripts/..%5c%5c../winnt/system32/cmd.exe?/c+dir
/scripts/..%5c../winnt/system32/cmd.exe?/c+dir
/scripts/root.exe?/c+dir
/scripts/..\xc0/../winnt/system32/cmd.exe?/c+dir
/scripts/..\xc0\xaf../winnt/system32/cmd.exe?/c+dir
/scripts/..\xc1\x1c../winnt/system32/cmd.exe?/c+dir
/scripts/..\xc1\x9c../winnt/system32/cmd.exe?/c+dir
/_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir
/msadc/..%5c../..%5c../..%5c/..\xc1\x1c../..\xc1\x1c../..\xc1\x1c../winnt/system32/cmd.exe?/c+dir
/MSADC/root.exe?/c+dir
/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir
/default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a

Obviously, these cannot affect the Linux Apache web server of the honeypot; they are included here only because of their extreme volume. It is interesting to note that some IP addresses receive much more than their share of such hits. This phenomenon is not yet explained.

d. OpenSSL. The OpenSSL flaw that yields non-root access is a very popular choice as of today. While it does not give root, it seemingly helps script kiddies learn about local exploits. Its popularity is suspected to be due in part to the readily available and reliable exploit openssl-too-open (...). Here is the trace of an OpenSSL hit in the Apache error_log:

[Mon Mar 3 06:40:48 2003] [error] mod_ssl: SSL handshake failed (server ns1.bkwconsulting.com:443, client 10.0.0.10) (OpenSSL library error follows)
[Mon Mar 3 06:40:48 2003] [error] OpenSSL: error:1406908F:lib(20):func(105):reason(143)

And here is the snort message:

Feb 2 00:45:53 bastion snort: [1:1887:1] EXPERIMENTAL WEB-MISC OpenSSL Worm traffic [Classification: Web Application Attack] [Priority: 1]: {TCP} 10.0.0.10:2328 -> 1.2.3.4:443

e. MS-SQL Slammer, while called a flash worm, is still knocking on UDP 1434. The volume has subsided as most of the affected hosts were taken offline, but old Slammer is still there, slamming away at the closed ports of the Linux honeypot. Here is what snort says upon seeing it:

Mar 10 22:01:11 bastion snort: [1:2003:2] MS-SQL Worm propagation attempt [Classification: Misc Attack] [Priority: 2]: {UDP} 10.0.0.10:1140 -> 1.2.3.4:1434

f. Other, less frequent attacks also flash by. A number of hits against vulnerable PHP were observed. The attack did not succeed and was seen only once or twice:

Mar 10 14:57:15 bastion snort: [1:1425:6] WEB-PHP content-disposition [Classification: Web Application Attack] [Priority: 1]: {TCP} 10.0.0.10:57774 -> 1.2.3.4:80
Mar 10 14:57:15 bastion snort: [1:1423:7] WEB-PHP content-disposition memchr overflow [Classification: Web Application Attack] [Priority: 1]: {TCP} 10.0.0.10:57777 -> 1.2.3.4:80

g. What is not there? Old BIND attacks (very popular in 1999) are gone, hopefully for good, and new ones (based on the recent BIND bugs) failed to materialize. SSH bugs are not actively exploited, while version surveying is observed pretty often. It is not clear why this is the case.

Here is a summary of all events and attacks:

[Figure: hits by destination port; the color indicates alarm severity. It resembles what is reported by DShield.org.]

Web attacks (80, 443) "top the charts", followed by the recent MS-SQL hits (1434) and FTP (21), the all-time favorite. Proxy scans (1080, 3128, 8080) are also very popular. Strangely, SNMP (161, 162) is also in the picture, though these appear to be just probes and not exploit attempts.

II. Artifacts: exploits, rootkits and tools

Intruders who visit our friendly neighborhood honeynet rarely come empty-handed. They bring all sorts of gifts: exploit scanners, autorooters, rootkits, DoS tools and other goodies. Most of the captured kits are very simple, use only publicly available technology and carry all the signs of having been created by unskilled people. They often corrupt the system and rely on such amazingly "stealthy" techniques as storing their files in the root directory of the system or changing the root password ("owned means owned, right?"). The exploits and automated exploitation tools, while seemingly impressive, use very old attacks (such as those described above) and do not even attempt to hide their activity. Most are designed to scan huge pools of IP addresses for one or two vulnerabilities, the ultimate "opportunity hack" of going for the low-hanging fruit. However, new and innovative tools do get washed in by the tide; the covert channeling binary and the IPv6 tunnel tool discovered by the Honeynet Project are examples.

III. Example Incidents

Here are brief descriptions of several incidents that recently occurred in our honeynet.

The classic WU-FTPD incident starts with an anonymous login to the FTP server. Then, within minutes or hours, the server is hit by the TESO "wurm" exploit, which has a recognizable signature of trying to create a directory named 7350 (TESO). Within seconds the intruder fetches his rootkit from a drop site (often a free storage site or even a Yahoo account) and deploys it. Most observed rootkits start an ssh daemon on a high port as the main backdoor. In the next session (within hours or even days) we often see him fetching scanners and trying to exploit more machines.

The more recent OpenSSL incidents are more interesting since the attacker does not have root upon breaking in (typically the user "apache"). One might think that owning a system without root is useless, but we usually see active use of the system in these cases. Here are some of the things such non-root attackers do on compromised systems:

1. "IRC till you drop". Installing an IRC bot or bouncer is a popular choice. Several IRC channels dedicated entirely to communication among the servers compromised by a particular group were observed on several occasions. Running an IRC bot requires no additional privileges.

2. "Local exploit bonanza". Throwing everything they have at the Holy Grail of root access is common as well. Often the attacker will try half a dozen different exploits to elevate his privileges from mere "apache" to "root".

3. "Evil daemon". A secure shell daemon can be launched by a non-root user on a high-numbered port, and this was observed in several cases. In some of them the intruder accepted that he would not get root and set about making his new home on the net more comfortable, adding a backdoor and other tools in "hidden" directories (".. " and other non-printable names are common) under /tmp or /var/tmp.

4. "Flood, flood, flood". While spoofed DoS is stealthier and harder to trace, many classic DoS attacks do not require root. Ping floods and UDP floods, for example, can be launched by non-root users. Intruders sometimes abuse this, knowing that even if the attack is traced, the only source found will be a compromised machine with no logs.

5. "More boxes!". Like root-owning intruders, those with non-root shells may use the compromised system for vulnerability scanning and mass exploitation. Many scanners, such as the OpenSSL autorooter we recently discovered, do not need root to operate but are still capable of discovering and exploiting massive numbers of systems (thousands and more) in a short time. Such large networks can then be used for devastating denial-of-service attacks, like the ones CERT recently warned about.

Worms and other automated entities are also common. We observed many different OpenSSL worms (for their taxonomy, see this), including some with novel components: a Windows OpenSSL exploit, DoS agents, IRC bot deployment by the worm, automated local exploitation via the ptrace bug, and various backdoors. Windows worms are also on the prowl. Code Red, MS-SQL Slammer and others are not gone; their traces surface in the logs regularly. They seem to lead lives of their own, with ups and downs and sudden bursts of activity, and never seem to go away.

Many other "fun things" also wash up on the shores of our honeynet: packets from 255.255.255.255, port 31337, various kinds of spam (email, MS RPC, web forms), and a lot of reconnaissance (mostly scans and pings). Scans for proxies (1080, 8080, 3128) are also extremely popular, as mentioned above.

Anton Chuvakin, Ph.D., GCIA, GCIH is a Senior Security Analyst with netForensics, a security information management software company that provides real-time network security management solutions. His areas of infosec expertise include intrusion detection, UNIX security, forensics and honeypots. In his spare time he maintains his security portal, Anton Chuvakin Information Security Publications.
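The per-port summary the paper refers to in section I is exactly what one would build from the Snort alert lines quoted throughout it. The following is an added example for this page, not Chuvakin's code: it parses the syslog-style Snort alerts excerpted in the paper (plus one constructed non-alert line, to show what gets skipped) and tallies them by destination port, by priority and by signature, the way the paper's chart did.

```python
"""Added illustration (not from the paper): parse syslog-style Snort alert
lines and tally them by destination port and priority, the summary the
paper's chart showed. SAMPLE reuses the alerts quoted in the paper plus
one constructed malformed line to show what the parser skips."""
import re
from collections import Counter
from typing import Dict, List, Optional

ALERT = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) snort: "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) "
    r"\[Classification: (?P<cls>[^\]]+)\] \[Priority: (?P<prio>\d+)\]: "
    r"\{(?P<proto>[A-Z]+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

SAMPLE = [
    "Jan 24 20:46:41 bastion snort: [1:1282:1] RPC EXPLOIT statdx [Classification: Attempted Administrator Privilege Gain] [Priority: 1]: {UDP} 10.0.0.10:931 -> 1.2.3.4:1024",
    "Jan 26 20:37:16 bastion snort: [1:1378:7] FTP wu-ftp file completion attempt { [Classification: Misc Attack] [Priority: 2]: {TCP} 10.0.0.10:33761 -> 1.2.3.4:21",
    "Jan 26 20:37:16 bastion snort: [1:1622:5] FTP RNFR ././ attempt [Classification: Misc Attack] [Priority: 2]: {TCP} 10.0.0.10:33761 -> 1.2.3.4:21",
    "Feb 2 00:45:53 bastion snort: [1:1887:1] EXPERIMENTAL WEB-MISC OpenSSL Worm traffic [Classification: Web Application Attack] [Priority: 1]: {TCP} 10.0.0.10:2328 -> 1.2.3.4:443",
    "Mar 10 22:01:11 bastion snort: [1:2003:2] MS-SQL Worm propagation attempt [Classification: Misc Attack] [Priority: 2]: {UDP} 10.0.0.10:1140 -> 1.2.3.4:1434",
    "Mar 10 14:57:15 bastion snort: [1:1425:6] WEB-PHP content-disposition [Classification: Web Application Attack] [Priority: 1]: {TCP} 10.0.0.10:57774 -> 1.2.3.4:80",
    "Mar 10 14:57:15 bastion snort: [1:1423:7] WEB-PHP content-disposition memchr overflow [Classification: Web Application Attack] [Priority: 1]: {TCP} 10.0.0.10:57777 -> 1.2.3.4:80",
    "Mar 10 14:58:02 bastion snort: spo_alert_full: log truncated",  # constructed non-alert line
]


def parse_alert(line: str) -> Optional[dict]:
    """Return the alert's fields as a dict, or None for anything that is not
    a complete Snort alert line (truncated lines, daemon chatter, etc.)."""
    m = ALERT.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("gid", "sid", "rev", "prio", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec


def summarize(lines: List[str]) -> Dict[str, object]:
    """Counts per destination port, per priority and per signature, plus the
    most severe (lowest-numbered) priority seen per port, which is what the
    paper's chart coloured."""
    by_port, by_prio, by_sid = Counter(), Counter(), Counter()
    worst: Dict[int, int] = {}
    skipped = 0
    for line in lines:
        rec = parse_alert(line)
        if rec is None:
            skipped += 1
            continue
        port, prio = rec["dport"], rec["prio"]
        by_port[port] += 1
        by_prio[prio] += 1
        by_sid[rec["sid"]] += 1
        worst[port] = min(prio, worst.get(port, prio))
    return {"by_port": by_port, "by_priority": by_prio, "by_sid": by_sid,
            "worst_priority_by_port": worst, "skipped": skipped}


def report(lines: List[str]) -> str:
    """Text version of the chart: one row per port, busiest first."""
    s = summarize(lines)
    rows = [f"port {port:>5}  hits={n:<3} worst_priority={s['worst_priority_by_port'][port]}"
            for port, n in s["by_port"].most_common()]
    rows.append(f"skipped {s['skipped']} non-alert line(s)")
    return "\n".join(rows)


if __name__ == "__main__":
    print(report(SAMPLE))
```

On the seven quoted alerts this reproduces the paper's ordering in miniature (web and FTP ports on top); on a real honeynet the same script fed a full alert file is how the "summary of all events" chart gets built, and the skipped-line count is the sanity check that the regex still matches the alert format after a Snort upgrade.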

Apr 22, 2003 | Brittany Day