Free Republic
Linux webserver botnet pushes malware
The Register (UK Tech) | 2009-09-12 | Dan Goodin

Posted on 09/13/2009 9:24:24 AM PDT by dayglored

A security researcher has discovered a cluster of infected Linux servers that have been corralled into a special ops botnet of sorts and used to distribute malware to unwitting people browsing the web.

Each of the infected machines examined so far is a dedicated or virtual dedicated server running a legitimate website, Denis Sinegubko, an independent researcher based in Magnitogorsk, Russia, told The Register. But in addition to running an Apache webserver to dish up benign content, they've also been hacked to run a second webserver known as nginx, which serves malware.

"What we see here is a long awaited botnet of zombie web servers! A group of interconnected infected web servers with [a] common control center involved in malware distribution," Sinegubko wrote here. "To make things more complex, this botnet of web servers is connected with the botnet of infected home computer(s)."

...

It's unclear exactly how the servers have become infected. Sinegubko speculates they belong to careless administrators who allowed their root passwords to be sniffed. Indeed, the part of the multi-staged attack that plants malicious iframes into legitimate webpages uses FTP passwords that have been stolen using password sniffers. It's likely the zombie servers were compromised in the same fashion, he explained.

With about 100 nodes, the network is relatively small, making it unclear exactly what the attackers' intentions are. All of the boxes examined so far have run the Apache webserver on various distributions of Linux, he said.

"Probably it's some sort of proof-of-concept thing for hackers," he wrote. "Or maybe they have many more other compromised servers waiting for their turn."

(Excerpt) Read more at theregister.co.uk ...


TOPICS: Business/Economy; News/Current Events; Technical
KEYWORDS: apache; botnet; linux; malware; nginx; trojan; webserver
So, we have "Linux" and "malware" in the same headline.

But there's not suddenly some "Linux malware" -- e.g. a virus that attacks Linux -- rather, Linux/Apache admin passwords were obtained illegally and Windows malware distribution software was installed on the Linux/Apache webservers.

In other words, there are 100 Linux webservers running Apache, where "careless administrators" either used weak passwords or allowed them to leak to bad guys. Not surprising, given how many Linux/Apache webservers are on the interwebs today.

Linux Administrator: "Gee, you mean if I let bad guys have my admin passwords, they'll do something bad? Wow, who knew???"

But it's interesting nonetheless. Just not as earth-shattering as it seems from the headline.

1 posted on 09/13/2009 9:24:25 AM PDT by dayglored

To: dayglored; ShadowAce

Tech ping?


2 posted on 09/13/2009 9:24:47 AM PDT by dayglored (Listen, strange women lying in ponds distributing swords is no basis for a system of government!)

To: dayglored

You mean ‘root123’ isn’t safe?


3 posted on 09/13/2009 9:26:28 AM PDT by proxy_user

To: proxy_user
> You mean ‘root123’ isn’t safe?

That's right. You should always "Leet-speak" your passwords.

Use "r00t123" instead. ;-)

4 posted on 09/13/2009 9:28:58 AM PDT by dayglored (Listen, strange women lying in ponds distributing swords is no basis for a system of government!)

To: dayglored

It’s always an ‘inside job’ with real OSes.

There were a bunch of Linux distros recently that had root kits pre-installed.

If you are going online with your installation, always get your distro from known sources and make sure you set up the security right. Plenty of books to help you out with that.


5 posted on 09/13/2009 9:29:00 AM PDT by Tarpon (The Joker's plan -- Slavery by debt so large it can never be repaid...)

To: proxy_user

‘admin’ is the safest.


6 posted on 09/13/2009 9:29:40 AM PDT by Jeff Chandler ("People are idiots." -Thomas A. Caswell)

To: Jeff Chandler; proxy_user
> ‘admin’ is the safest.

Probably ought to Leet-speak that one too: "adm1n"

It's the only way to be sure.

7 posted on 09/13/2009 10:01:21 AM PDT by dayglored (Listen, strange women lying in ponds distributing swords is no basis for a system of government!)

To: dayglored
There is another aspect.

Sometimes people run scripts (in Apache, or any other webserver) that are insecure.

The result is once you figure out how to manipulate it, the webserver running the flawed script becomes one big back door.

This is something that will affect any OS.

Example: Open Bulletin Board "root_path" Parameter Handling File Inclusion Vulnerability
8 posted on 09/13/2009 10:19:44 AM PDT by Fichori ('Wee-Weed Up' pitchfork wielding neolithic caveman villager with lit torch. Any questions?)

To: Fichori
> There is another aspect. Sometimes people run scripts (in Apache, or any other webserver) that are insecure...

Yep, good point.

The basic underlying OS can be as secure as possible (e.g. Unix) and administrators can still compromise the server by adding insecure software to it.

And calling something "Open" doesn't guarantee security -- it only means it's possible for folks to look into it and see what might not be kosher. The vulnerabilities still have to be found and fixed.

9 posted on 09/13/2009 10:32:41 AM PDT by dayglored (Listen, strange women lying in ponds distributing swords is no basis for a system of government!)

To: dayglored
Put Ubuntu on my laptop last week. My first Linux machine ever. The most satisfying part of installation was the question, "Use the whole disk? (this will erase your copy of Windows and all partitions)."

Yes. No turning back now.

10 posted on 09/13/2009 10:51:20 AM PDT by Sender (It's never too late to be who you could have been.)

To: Sender
> Put Ubuntu on my laptop last week. My first Linux machine ever. The most satisfying part of installation was the question, "Use the whole disk? (this will erase your copy of Windows and all partitions)." Yes. No turning back now.

I understand that satisfaction! (Although to be fair, I BootCamped a partition on one of my Mac Minis to install the RC of Win7...)

And if you do find yourself in need of Windows (e.g. a Windows-only app), you can go to VMware's site (www.vmware.com) and download FREE tools that allow you to make and run VMs (Virtual Machines) where you can install Windows in a captive environment.

The VM is a folder with a half-dozen files that are the "memory", "disk", and other parts of the Windows installation. Bootable backup consists of a copy of the folder. Crashes or disk corruption or viruses? Revert to a backed-up copy of the folder.

I understand your resolve ("No turning back") but it's also useful to know that there are options that are in many ways better than having Windows installed "on the metal".

I tired of Windows as my primary OS at home and switched to Fedora Linux about five years ago; lasted about three years and then switched to Mac OS-X because of better VM support. Good luck!

[Disclosure: I'm not associated with VMware in any way, except as a satisfied customer the past four years. I run Mac-OS-X, Windows, Linux, BSD-Unix, and others every day, and don't engage in OS wars. I even run the VMware host software on OS-X, Linux, and Windows as need may be.]

11 posted on 09/13/2009 11:27:52 AM PDT by dayglored (Listen, strange women lying in ponds distributing swords is no basis for a system of government!)

To: Tarpon
> It’s always an ‘inside job’ with real OSes.

Poor security practices will get you in trouble with any OS.

FTP sends passwords in the clear. If you don't use a secured connection, it becomes a vector for compromise -- especially if the FTP password is the same as the login password for the same account.

Personally, I refuse to use FTP. I only transfer files via secure HTTPS or secure SSH. And my SSH server doesn't even accept a regular password tunneled over the secure connection: it requires a private key that is the equivalent of 256 characters. I could give you the root password and you still couldn't login.

12 posted on 09/13/2009 6:01:09 PM PDT by justlurking (The only remedy for a bad guy with a gun is a good guy with a gun.)

To: rdb3; Calvinist_Dark_Lord; GodGunsandGuts; CyberCowboy777; Salo; Bobsat; JosephW; ...

13 posted on 09/14/2009 5:29:34 AM PDT by ShadowAce (Linux -- The Ultimate Windows Service Pack)

To: justlurking

yep, that’s why I recommend if you are setting up an online system, read and follow the security books.


14 posted on 09/14/2009 5:52:12 AM PDT by Tarpon (The Joker's plan -- Slavery by debt so large it can never be repaid...)

To: justlurking
> Personally, I refuse to use FTP. I only transfer files via secure HTTPS or secure SSH. And my SSH server doesn't even accept a regular password tunneled over the secure connection: it requires a private key that is the equivalent of 256 characters.

Yep, that's the way to go.

We disabled PasswordAuthentication and PermitRootLogin a while back. It was initially inconvenient for some people to switch over to only using SSH/RSA keys, but there really isn't any better way to stop the password attacks.

OTOH, since individuals can set their own SSH/RSA key passphrases to whatever they want, including null, there's the problem of them losing their private key (stolen/lost laptop, etc.). We have a policy that requires any lost or stolen item with a private key to be reported immediately so that I can disable the associated public key stored on the servers...

> I could give you the root password and you still couldn't login.

True, unless you have some form of remote console such as a network KVM, or your server is a VM under a control app that gives you a virtual console. In which case the security of the KVM and virtual console app becomes your weakest link...

15 posted on 09/14/2009 7:10:05 AM PDT by dayglored (Listen, strange women lying in ponds distributing swords is no basis for a system of government!)
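The sshd hardening described in the post above, as an added example that is not from the thread or any of its posters: a small POSIX shell audit that reads an sshd_config the way sshd does (the first value for a keyword wins, and anything after a Match line is conditional) and checks that PasswordAuthentication and PermitRootLogin are both off. The config files it reads are constructed samples, and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread: audit an sshd_config for the two settings
# the post above turned off. sshd uses the FIRST value it reads for a keyword,
# so a "PasswordAuthentication no" appended below an earlier "yes" does nothing.

# Print the first effective global value of KEY in FILE, or "unset".
# Keyword match is case-insensitive; "Key value" and "Key=value" both parse;
# reading stops at the first Match block, whose settings are conditional.
sshd_setting() {
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        {
            line = $0
            gsub(/^[ \t]+|[ \t]+$/, "", line)
            n = split(line, f, "[ \t=]+")
            if (tolower(f[1]) == "match") { exit }
            if (n >= 2 && tolower(f[1]) == want) {
                print tolower(f[2]); found = 1; exit
            }
        }
        END { if (!found) print "unset" }
    ' "$1"
}

# Succeed only when password logins and root logins are both explicitly "no".
# "unset" fails too: sshd defaults to allowing password authentication.
audit_sshd() {
    [ "$(sshd_setting "$1" PasswordAuthentication)" = no ] &&
    [ "$(sshd_setting "$1" PermitRootLogin)" = no ]
}

# Constructed sample configs (not taken from any real host); prints their dir.
make_samples() {
    dir=${TMPDIR:-/tmp}/sshd-audit.$$
    mkdir -p "$dir"
    cat > "$dir/weak" <<'EOF'
PasswordAuthentication yes
PermitRootLogin=yes
# hardening appended later: ignored, because the first value above wins
PasswordAuthentication no
EOF
    cat > "$dir/hardened" <<'EOF'
PasswordAuthentication no
PermitRootLogin no
Match User backup
    PasswordAuthentication yes
EOF
    printf '%s\n' "$dir"
}
# Usage: d=$(make_samples); audit_sshd "$d/weak" fails, audit_sshd "$d/hardened" succeeds.
```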

To: Sender
HEAR, HEAR!

Before you get too entrenched with Ubuntu, give Linux Mint a shot.

Don't get me wrong -- Ubuntu's great, I use it on a couple of machines, and it shares a lot of its guts with Mint -- but Mint's interface is more like Windows', plus it comes with the cool Compiz desktop effects pre-installed.

16 posted on 09/14/2009 7:11:04 AM PDT by martin_fierro (< |:)~)

To: dayglored
One of the really cool things about using vmware server/workstation in a corporate environment, is it allows one to have multiple OSes available that may not be needed all the time, yet you don't need additional hardware or have to reboot a box just to access that OS.

For instance, I occasionally need to use an IIS server to produce documentation (screenshots and such) for folks I support. I can fire up a vmware instance, do what I need to do, then either shut it down, or just leave it running if I think I may need it again in the next few days. I'm constantly amazed at otherwise technical folks who don't see the utility of this. This is really useful if you need to generate an SSL certificate for a webserver. Rather than going to the production box, they could just use a VM to generate the CSR, install the cert, then export it for use on the production machine. To me, having this kind of tool handy is a no-brainer.

Unfortunately, that doesn't seem to be universal here.

VMWare completely rocks IMO. I've tried some of the other VM solutions, and they just aren't at the level of functionality or stability of VMWare yet.

17 posted on 09/14/2009 7:52:10 AM PDT by zeugma (Will it be nukes or aliens? Time will tell.)

To: dayglored

“Research has shown that E%3hl5(*n!9**B is cryptographically the most secure password that can be used. Please change all of your accounts to use this password in order to ensure better security.”

I saw something like that on the internet way back when. I wonder how many people bought it.


18 posted on 09/14/2009 7:52:27 AM PDT by antiRepublicrat

To: martin_fierro
The distro I installed is EEEbuntu, for the EEEpc, and it has the full Compiz package in it. It also has all the EEE drivers and widgets.

Everything works after installation, with OpenOffice, VLC media player, Skype etc. And no Microsoft products at all! Is that legal?

19 posted on 09/14/2009 1:53:59 PM PDT by Sender (It's never too late to be who you could have been.)
