Xz package contains a vulnerability

Brodie means well and is intelligent, however he mostly seems to like to create clickbait videos and blab for entirely too long about mostly nothing. Also, he doesn’t seem to know what day it is. According to Catholics, today is Holy Saturday whilst tomorrow is Easter Sunday…

so what?
WTF is that supposed to mean?

That video … nahh
just nahh

What does this mean?

ldd "$(command -v sshd)" 
        linux-vdso.so.1 ...
        libcrypt.so.2 => /usr/lib/libcrypt.so.2 ...
        libpam.so.0 => /usr/lib/libpam.so.0 ...
        libgssapi_krb5.so.2 => /usr/lib/libgssapi_krb5.so.2 ...
        libkrb5.so.3 => /usr/lib/libkrb5.so.3 ...
        libcrypto.so.3 => /usr/lib/libcrypto.so.3 ...
        libz.so.1 => /usr/lib/libz.so.1 ...
        libc.so.6 => /usr/lib/libc.so.6 ...
        libaudit.so.1 => /usr/lib/libaudit.so.1 ...
        libk5crypto.so.3 => /usr/lib/libk5crypto.so.3 ...
        libcom_err.so.2 => /usr/lib/libcom_err.so.2 (...
        libkrb5support.so.0 => /usr/lib/libkrb5support.so.0 ...
        libkeyutils.so.1 => /usr/lib/libkeyutils.so.1 ...
        libresolv.so.2 => /usr/lib/libresolv.so.2 ...
        /lib64/ld-linux-x86-64.so.2 => /usr/lib64/ld-linux-x86-64.so.2 ...
        libcap-ng.so.0 => /usr/lib/libcap-ng.so.0 ...

…=shortened

This Streamer is not only a clickbaiter but also a karen.

I saw a couple of videos from him and he never had good or useful information… it was just a waste of time.

Edit:
After I saw the Xz update in pamac yesterday (I wasn’t aware of this backdoor at that moment), I browsed in pamac and tried to find the Xz package, but I couldn’t find this package. Is it possible that most Manjaro users didn’t have it installed?

Very interesting analysis by Gynvael Coldwind regarding the bash obfuscation

in summary he writes…

Someone put a lot of effort for this to be pretty innocent looking and decently hidden. From binary test files used to store payload, to file carving, substitution ciphers, and an RC4 variant implemented in AWK all done with just standard command line tools. And all this in 3 stages of execution, and with an “extension” system to future-proof things and not have to change the binary test files again. I can’t help but wonder (as I’m sure is the rest of our security community) - if this was found by accident, how many things still remain undiscovered.

That’s because Pamac won’t let you search for only two characters. :wink:

Everyone has xz installed.

re: cyclone-github/scripts/blob/main/xz_cve-2024-3094-detect.sh

note that this script can report a (potentially) false positive since it’s only checking the version of xz and therefore doesn’t know the difference between 5.6.1-1 and the new 5.6.1-2

(i said “potentially” since there’s still a whole lot up in the air regarding this issue)
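The two checks discussed in this thread, the ldd inspection of sshd and the version-only detection script, combined into one small script. This is an added example, not the thread’s or the linked script’s code; the constructed ldd line in the comments and the `--live` flag are my own, and the distro release suffix (5.6.1-1 vs 5.6.1-2) is stripped on purpose so the version check errs toward reporting, as the post above warns it cannot distinguish them.

```shell
#!/bin/sh
# Added example: is sshd pulling in liblzma, and is the installed xz one of
# the releases affected by CVE-2024-3094 (upstream 5.6.0 and 5.6.1)?
# The distro release suffix (-1, -2) is deliberately ignored: a rebuilt
# package may be clean, but the version number alone cannot prove it.

# Read an ldd listing on stdin (e.g. from `ldd "$(command -v sshd)"`) and
# return 0 if liblzma appears anywhere in it, 1 otherwise. On Arch/Manjaro
# sshd is not linked against libsystemd, so liblzma is expected to be absent.
ldd_links_lzma() {
    grep -q 'liblzma\.so'
}

# Classify an xz version string such as "5.6.1" or "5.6.1-2".
# Returns 0 (affected) for upstream 5.6.0 and 5.6.1, 1 otherwise.
xz_version_affected() {
    v=${1%%-*}                      # drop the "-N" distro release suffix
    case "$v" in
        5.6.0|5.6.1) return 0 ;;
        *)           return 1 ;;
    esac
}

# Live check of the real system; only runs when invoked with --live.
check_sshd() {
    sshd_path=$(command -v sshd 2>/dev/null) || { echo "sshd not installed"; return 2; }
    if ldd "$sshd_path" | ldd_links_lzma; then
        echo "WARNING: $sshd_path links liblzma (directly or via libsystemd)"
    else
        echo "OK: $sshd_path does not link liblzma"
    fi
    # First line of `xz --version` is "xz (XZ Utils) X.Y.Z"; take the last field.
    xz_ver=$(xz --version 2>/dev/null | head -n 1 | awk '{print $NF}')
    if xz_version_affected "${xz_ver:-unknown}"; then
        echo "WARNING: xz $xz_ver is in the affected 5.6.0/5.6.1 range (check your package's rebuild notes)"
    else
        echo "OK: xz ${xz_ver:-unknown} is not 5.6.0/5.6.1"
    fi
}

if [ "${1:-}" = "--live" ]; then
    check_sshd
fi
```

Run it as `sh xz_check.sh --live` on the host you want to inspect; the functions above can also be sourced and fed a saved ldd listing from another machine.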

does for me :slight_smile:

Oh, it does for me, too. :laughing:

I don’t know where I came up with that, maybe it was a thing once?

I have the same output as you. :man_shrugging:

@All
I just read it’s recommended to disable SSH when it’s in use.

Check if it’s running:

systemctl status sshd

Disable sshd when it’s in use:

systemctl disable --now sshd

Make sure it stays disabled (thanks to user @cscs):

systemctl mask sshd

Where is it from?
Context …

They tell you what this does / checks for.

I guess, the question this command asks and answers is:
which programs implicitly call and use sshd

and: is xz among them …?

sudo should not be required.

And wouldn’t you rather mask it if you wanted to try to ensure it isn’t used?

do not panic
sshd is not linked to xz
or vice versa
in Arch/Manjaro

and you likely do not have sshd running anyway

situation is not pretty - but you are not at risk

I think: it was a nasty backdoor in the making, it has been caught in time

Yeah, probably no big deal for us, I just read it on this German website… maybe more interesting for Debian/Fedora or openSUSE users.

Am I a bad person for not panicking about this like a headless chicken?
Am I a bad person for thinking it was handled quickly?
Am I a bad person for not worrying? Especially since I have only one (1) port accessible from outside my network? And it not even being SSH?
Am I a bad person for not worrying about this?

The problem for “us” is not the backdoor itself, it was quickly mitigated and probably not even active on Manjaro.

However, what should leave you worrying is the circumstances that made it possible to include this in a core library which is used by all Linuxes around the world (and probably off-world on Mars?).

:point_up_2:

And worse, it is validated that the hackers can run code via ssh without any account!
This is more than a security flaw of the actual ssh service. This is a no-go and the ssh devs must close this as soon as possible. The actual ssh is doomed and it’s digital suicide to use.

Yeah, that’s fair enough. What p1553s me off something fierce is this kind of clickbait reaction:

If you use Linux, I’d expect you to have half a brain and not care about, let alone make and thrive on, things like that.

AFAIK, someone needs useful SSH in many different cases. If you are worried, simply set up a firewall zone for SSH and all network tools. SSH cannot connect to a random public domain if it is under your control.

PS: I have already done this setup of firewall + auto notification, sandbox, snapshots and backups a long time ago.

@Zesko

You’ll have to mask the service after disabling it, otherwise it’s still possible that a disabled service can be reactivated!

sudo systemctl mask sshd

I think you misunderstood me.
I mean, someone needs to enable SSH for various reasons. Permanently disabling SSH is a bad idea.