Stay Ahead With Linux Security Features

Explore Latest Linux Security features

Advanced Anti-Debugging Techniques: Detecting Breakpoints in Linux

In the previous part of our Hacker's Corner series, we covered anti-debugging using trivial self-modifying code. Here, instead of blocking debugging completely, we will detect various debugger-induced activities.

Breakpoints

A breakpoint is an intentional "pause" in the normal execution of a program, generally used to inspect the internals of the process in more detail. This is the most used feature of any debugger. On x86 CPUs, there are two types of breakpoints: hardware breakpoints and software breakpoints. While they overlap to a certain degree, they are not exactly the same.

In most debugging cases you will be using software breakpoints, which do not need any special hardware support. These are implemented using the same interrupt mechanism that is used by pretty much everything else: on x86, interrupt 3 is used to implement a breakpoint. When you set a breakpoint, your debugger overwrites the target address (where you want to put the breakpoint) with INT 3 (0xCC in hex). When this instruction gets executed, the debugger gets control back from the target process and can inspect its state (registers, memory, etc.). To resume execution, the debugger silently removes the breakpoint, executes the original instruction, and sets the breakpoint again before letting the process continue (until it terminates or breaks again). Features like step over and step out are also implemented using "transparent" software breakpoints, which are set and removed automatically by the debugger. Generally, you can set any number of software breakpoints; however, they cannot be set on non-code addresses (i.e. they can break the program only when the content at the target address is executed, not when the address is read from or written to).

Hardware breakpoints, on the other hand, are much more powerful and flexible than software breakpoints. They can be set to break not only on execution, but also on memory access (both read and write), I/O port access, etc. These breakpoints are set by writing into special "debug registers", which are largely platform specific (and not all platforms support hardware breakpoints). On x86, registers DR0-3 and DR6-7 are used to set these breakpoints (DR4-5 are reserved as of now). If you have ever used "watchpoints", which let you break when a certain memory address is accessed, you have used hardware breakpoints.

You can try looking at this inside a debugger, and you might conclude that this is not how software breakpoints work:

    (gdb) break main
    Breakpoint 1 at 0x116d
    (gdb) disassemble main
    Dump of assembler code for function main:
       0x0000000000001169 <+0>:     push   rbp
       0x000000000000116a <+1>:     mov    rbp,rsp
       0x000000000000116d <+4>:     lea    rsi,[rip+0xe91]        # 0x2005
       0x0000000000001174 <+11>:    lea    rdi,[rip+0x2f05]       # 0x4080
       0x000000000000117b <+18>:    call   0x1040
       0x0000000000001180 <+23>:    mov    rdx,rax
       0x0000000000001183 <+26>:    mov    rax,QWORD PTR [rip+0x2e46]        # 0x3fd0
       0x000000000000118a <+33>:    mov    rsi,rax
       0x000000000000118d <+36>:    mov    rdi,rdx
       0x0000000000001190 <+39>:    call   0x1050
       0x0000000000001195 <+44>:    mov    eax,0x0
       0x000000000000119a <+49>:    pop    rbp
       0x000000000000119b <+50>:    ret
    End of assembler dump.
    (gdb)

Here we cannot see any interrupt instruction; not because there is none, but because our debugger is lying. It shows the disassembly as it looked before any breakpoints were set, so that it matches what the compiler generated from the source.

Detecting Software Breakpoints

Since we know that software breakpoints are set by overwriting the first byte of an instruction with 0xCC, we can easily check for such breakpoints in our own code:

- Find where our target function (or any chunk of code) is located in memory
- Read 1 byte from that address
- If the byte is 0xCC, a breakpoint has been set

A trivial implementation looks something like this:

    #include <iostream>

    // Returns true if the first byte of the instruction at func has been
    // replaced by INT 3 (0xCC), i.e. a software breakpoint is set on it.
    bool isBreakpointPresent(unsigned char *func)
    {
        bool result = *func == 0xCC;
        return result;
    }

    void secret()
    {
        for (int i = 0; i < 10; ++i) {
            std::cout

Jul 18, 2022, by Brittany Day

Advanced Anti-Debugging Techniques Using Self-Modifying Code

In our previous Hacker's Corner article, we covered some simple anti-debugging. Here, we will see some better techniques.

Self-Modifying Code

Last time we tried to attach to our own process, and used that as a detection/prevention mechanism against debugging by someone else. Here, we will improve on it by making it much harder to run the code under a debugger. This technique relies on using incorrect code and patching it dynamically to make it correct. The patching is done by the same ptrace mechanism. We have to ensure that our incorrect code does not kill the process; instead, we must be able to intercept the error and then patch the code on the fly before re-attempting execution. There are many ways to achieve this:

1. Raising a signal like SIGCONT
2. Forcibly triggering a CPU fault (like an illegal-instruction fault)
3. A segmentation fault
4. and many more...

For the sake of example, we will use an illegal syscall (one that does not even exist) as our incorrect code. To ensure that we get a signal right before that code is called, we will raise SIGCONT and capture it. The scheme goes something like this:

Parent process
1. Fork
2. Run the protected function in the child process
3. Wait for the child process to change its status
4. Continue the process until it hits a syscall
5. Check whether the syscall number matches the illegal syscall number we use
6. Change the syscall to the correct one
7. Let the process run, and go back to step 3

Child process
1. Attach to self
2. Raise SIGCONT
3. Run the code which uses the illegal syscall

The syscall we are going to use is syscall number 10000, which is a slightly modified version of the **write** syscall:

Original syscall
- Syscall number: 1
- RAX: 1
- RDI: File descriptor
- RSI: Pointer to buffer
- RDX: Number of bytes

Our syscall
- Syscall number: 10000
- RAX: 10000
- RDI: Pointer to buffer
- RSI: File descriptor
- RDX: Number of bytes

This means that patching the code is as simple as:

1. Put 1 in RAX
2. Swap RDI and RSI

The complete code for this will look something like this:

    // Header names were lost from the excerpt; these are reconstructed from the
    // calls used below and from the parent-side scheme described above (waitpid).
    #include <sys/ptrace.h>
    #include <sys/syscall.h>
    #include <sys/wait.h>
    #include <unistd.h>
    #include <signal.h>
    #include <cstring>
    #include <iostream>

    // Non-existent syscall number; the tracing parent rewrites it to write(2).
    #define SYS_CUSTOM_write 10000

    // Note the argument order: buffer first, file descriptor second
    // (swapped relative to the real write syscall).
    void print_custom(char *str)
    {
        syscall(SYS_CUSTOM_write, str, 1, strlen(str));
    }

    void tracee()
    {
        ptrace(PTRACE_TRACEME, 0, 0, 0);  // step 1: attach to self
        raise(SIGCONT);                    // step 2: signal the parent
        std::cout

Jul 13, 2022, by Brittany Day

Remembering Dan Kaminsky: DNS Security Pioneer and Cybersecurity Influencer

On Saturday, April 24th, 2021, the computer security world was shaken by the news of the sudden death of Dan Kaminsky, a renowned hacker best known for his contributions in the realm of DNS security. Kaminsky was 42 years old.

A regular speaker at prestigious cybersecurity conferences including DEFCON and Black Hat, both of which have expressed their condolences on Twitter, Kaminsky is best known for his groundbreaking DNS cache-poisoning research, which prompted an industry-wide movement to address a major Internet security weakness. Kaminsky is also credited with raising awareness of the severity of the 2005 Sony rootkit infections. In 2010, the Internet Corporation for Assigned Names and Numbers (ICANN) named Kaminsky as one of the Trusted Community Representatives for the DNSSEC root. A graduate of Santa Clara University with a Bachelor's degree in Operations and Management of Information Services, Kaminsky most recently served as co-founder and chief scientist at Human Security (formerly known as White Ops), an anti-fraud startup. There is now a move to see Kaminsky inducted into the Internet Hall of Fame, an accolade we feel he thoroughly deserves.

On behalf of the cybersecurity community, we take this time to reflect on and celebrate Dan Kaminsky's accomplishments and contributions in the field of computer security. He will be greatly missed, but his legacy will undoubtedly live on.

Apr 26, 2021, by Brittany Day