Cracked Linux Boxes Used to Wield Windows Botnets

m-stone writes "Online auction house eBay recently did a threat assessment to better understand the forces ranging against them. The company is keeping the fine details under wraps, but the biggest source of danger for the company is apparently botnets. You're never going to guess who was running them. '[Dave Cullinane, eBay's chief information and security officer] noticed an unusual trend when taking down phishing sites. 'The vast majority of the threats we saw were rootkitted Linux boxes, which was rather startling. We expected Microsoft boxes,' he said. Rootkit software covers the tracks of the attackers and can be extremely difficult to detect. According to Cullinane, none of the Linux operators whose machines had been compromised were even aware they'd been infected. Because Linux is highly reliable and a great platform for running server software, Linux machines are desired by phishers, who set up fake websites, hoping to lure victims into disclosing their passwords."

Confirmed

[mccalli]

I've noticed a large increase in attempts to crack my co-lo Linux servers recently, and it must be said that two got through (shared site, some customers running old content management apps and the kits hit). When we watched the behaviour of the cracked box, it was connecting back to...I think undernet.org or similar?...and sending controls via IRC. Plus doing a spot of spamming of its own bat.

Our set-up is that we have a host OS install doing nothing but running VMware Server and then any real stuff gets done in a VM, so this was easy for us to recover from quickly via VM snapshotting. But still, it's a trend that's noticeably on the increase.

Cheers,
Ian

Re:Confirmed

[mdeslaur]

Even phishers like Linux better than Windows!

Re:Confirmed

[Barlo_Mung_42]

I'm confused. Are we sure that's funny?

OT: What happened

[camperdave]

I was going to post a comment earlier, but the bar with the big "Reply" button is missing. In fact, it seems to have disappeared from all the stories. How do you start a new thread on a story?

Re:

[camperdave]

... and now it's back.

Maybe ....

[Chrisq]

Maybe the slashdot host had to pause to update a botnet;-)

Happens to sites that hosts others too...

[Shivetya]

Nothing like getting a stupidly high bandwidth bill to find out your hosting server has been hacked. Its even better when you have to fight them to prove its their fault for being hacked and not yours for being cohosted by them!

and yes they are running Linux... they apparently didn't cover all their bases and were caught by more than one known exploit and some default settings.

Just because its Linux does not make it secure, you actually have to use it correctly.

Brute Force Attacks

[superbrose]

I'm sure pretty much everybody who is running a Linux server (or any server as a matter of fact), especially with services like SSH enabled, is currently subject to brute force attacks.

When I looked at my auth log I noticed a huge amount of brute force attacks for all my servers, so I installed denyhosts [sourceforge.net], which seems to work fine.

I guess the problem is also that in many distributions SSH servers are configured to allow root logins, and if nobody looks at the log files these go totally unnoticed.

Re:Brute Force Attacks

[Russell Coker]

Run your sshd on a port other than 22. Most attackers only scan the well-known ports. Running your sshd on a different port removes a lot of the noise from your logs and allows you to concentrate on the real issues.

The "Host" sections in the /etc/ssh/ssh_config file allows you to specify which port to use for each host you connect to (so you don't need to type "-p 1234" every time you connect).

Re:Brute Force Attacks

[Anonymous Coward]

That's what I do. But everytime I ever mention it, some idiot goes "WAAAH! Security through obscurity!" They can't seem to wrap their brains around the fact that less automated attack attempts is a good thing.

It's so annoying when people latch on to a stupid mantra like that without understanding it. Just like how nowadays you can't mention rape without someone reminding you that "Rape is about power, not sex." People just love catchphrases, I think.

Re:Brute Force Attacks

[jwo7777777]

Guns don't kill people, catchphrases kill people.

Re:

[networkBoy]

While it is security through obscurity, that is not a bad thing. What people often don't understand is that obscurity is a valid security measure, just not one that you can rely on as an end-all.
Example:
SSH on 22 with no authentication -> bad
ssh on 2200 with no authentication -> just as bad
ssh on 22 with strong authentication -> good and not burdensome
ssh on 2200 with strong auth -> better and not burdensome.

As Bruce says it is all about layers of security and understanding the deficits of each

Re:Brute Force Attacks

[walruz]

Run your sshd on a port other than 22.

Or instead of that, just disable password authentication and allow only RSA/DSA keys auth. OTOH, moving the service to another port may save bandwith from the constant login attempts, but in certain scenarios (behind a router or provider with strict policies, like only allowing port 22, 25 & 80 forwardings) this may not be an option, in which case, disabling passwords is the best option IMHO.

Re:

[Russell Coker]

You are correct that there are some situations such as routers that block ports. In those cases ports such as 53 or 443 can be used (depending on what your router blocks and what other legitimate traffic you have going through your network).

Using a different port saves network bandwidth and also human bandwidth when reading the log summaries. This means that more time can be devoted to analysing log data that is not a result of simple bot-based attacks.

Disabling password based login is a really good idea!

Re:Confirmed

[Bert64]

This is nothing new, crackers have always preferred unix machines for a number of reasons. A few years ago many crackers wouldn't even bother trying to own windows machines.
You never see many people who compromise a windows machine and manually set up anything on it, windows machines are typically mass hacked and used as throwaway systems, for spamming or dossing (once a large flood of dos or spam comes from a system, it very quickly gets noticed and the system usually gets shut down). The hassle of using windows remotely (half assed command line interface etc), lack of default tools and typical low uptimes/stability discourage them being used interactively or for any kind of non-throwaway uses.

Conversely, unix machines are typically more stable, and have a far more flexible interface that's more geared up to remote cli usage. Installing something like an IRC server to collect malware is often much easier, and there's usually package management which can be used to easily install any external libraries or additional tools that might be required. There are also typically standard server apps installed and ready to use (ftpd, apache, rcp, tftp etc) which can be used to host malware, for easy download to other compromised machines (most systems have ftp/rcp/tftp clients by default, even windows).

Crackers will often turn a compromised unix machine into their "home", and keep a set of tools/exploits in a hidden directory, and use the machine for manual probing, testing of new tools and launching of other attacks, but they will rarely use windows systems for anything other than dossing/spamming or defacing a website if it hosts one.

Re:

[garett_spencley]

"Conversely, unix machines are typically more stable, and have a far more flexible interface that's more geared up to remote cli usage. Installing something like an IRC server to collect malware is often much easier, and there's usually package management which can be used to easily install any external libraries or additional tools that might be required. There are also typically standard server apps installed and ready to use (ftpd, apache, rcp, tftp etc) which can be used to host malware, for easy downlo

Re:

[Bert64]

Well, the advantage of IRC, while you still need a TCP connection, if you have enough hacked boxes it's virtually impossible to differentiate your connection from the drones...

The disadvantage of an IRC based control bot, is the lack of flexibility. You can only use the functions offered by the bot, and if you need new functions you need to update your bots. Sure you could make the bot provide an interface to the underlying command line, but then your back to the original point of the windows cli sucking.

Yo

Re:

[zootread]

In the old days attackers would often make a machine their home as you describe, do you have any evidence that the serious criminals (the ones that the article is about) do this now? I suspect that only hobbyist criminals do such things nowadays.

If you use a CLI session then you either have a TCP connection leading back to where you are (a bad idea if you don't want to be caught) or you bounce the connection between multiple machines (giving serious problems of lag). An IRC (or similar server based) control

Re:Confirmed

[Library Spoff]

Although i don't run a Linux server my main use at home use of the internet is on Ubuntu.
It's patched when Ubuntu tells me. The same as my XP install.

My knowledge of Windows security is greater than that of Linux - I wouldn't really know where to start looking on my Ubuntu install. So is my XP or Ubuntu install more secure?

In theory it's the Ubuntu install, but until I spend the time to learn more about it who knows.

Re:

[NeverVotedBush]

Hard for me to say. But if you want to clean up the simple things, turn off every service you aren't actually using. If using sshd, edit /etc/ssh/sshd_config to disallow root logins, only allow protocol 2, and set allow users to just whoever needs access. The post above about using a different port for ssh is also a good idea. Security through obscurity is still security for some attacks.

Use strong passwords. Make sure all other users use strong passwords. With some exploits just needing a user account,

Re:Confirmed

[AlXtreme]

I have noticed this as well.

Linux, Apache and all the server-side scripting languages normally aren't the problem. Many hosts I have audited have old installations of (mostly) PHP-based software, and these automated attacks tend to target them leading to (sometimes multiple) botnet infections.

Many administrators didn't even know what was running on their servers. It only takes a couple of minutes to install packages like *coughthesecurityholecalled* phpBB, however if you are doing this independently from your package management system you will lose track of the installs. Even worse, the installs won't be automatically upgraded, which is a major reason for sticking with stock Debian/RHEL/SuSE package repositories.

If you choose to install software outside your distribution's package management system, subscribe to the announcement-lists of the software used. Document on which servers you installed what software. And if you leave the company, make sure your replacement can hop right in and will know what you know.

Common sense, but far too often forgotten or ignored.

Re:

[Henry V .009]

Seen the same thing here. Lots of attacks on our Linux servers. We've had individual user accounts compromised through captured .ssh keys (from a compromised off-site machine), unupdated php websites, and badly coded cgi scripts. Nothing that has gotten root, but still a pain to deal with. Shared hosting of university web sites is lots of fun, ain't it?

9 out of 10 phishers agree

[queenb**ch]

Linux is a superior operating system.

2 cents,

QueenB.

Re:Confirmed

[mccalli]

How are they trying? My logs show lots of attempts at phpbb, etc. vulnerabilities.

phpbb, Drupal and PHPNuke attempts mostly. Plus old sshd vulnerabilities, though we're up to date there and nothing got through.

Cheers,
Ian
(oh yeah, and first post! Only took a mere eight years or so...)

Re:Confirmed

[jackharrer]

I've seen the same. Actually my server has been offline for last few days as it became compromised and I don't have time to sort it out.
I got like thousands of bruteforce attacks on ftp plus some on phpBB.
I also noticed few weeks ago that when they couldn't break in they just DDosed it.

It looks like it's getting serious, especially if you're server is registered with some DNS name, not just IP.

Re:

[Bert64]

I've not been dossed per se, but some of the ssh/ftp brute force attempts and scans for common website vulns are incredibly aggressive.
My biggest problems stem from foolish users, i host a lot of customers who have the ability to run PHP apps and choose their own passwords. Fortunately, each user has their own account, so i can easily check which user owns any malicious processes or files that appear on the system.

Re:Confirmed

[mccalli]

Fortunately, each user has their own account, so i can easily check which user owns any malicious processes or files that appear on the system.

May want to be careful about that assumption. A lot of these things go out under the apache user and the mails via the www-data@somehost.invalid account.

Look for tell-tale things like apache processes running when you're an apache2-only site (they're disguised processes that are really something else, obviously). Do an ls -al in all the home directories, look for directories whose name is just a space character, check /tmp isn't mounted executable...that kind of thing.

Cheers,
Ian

Re:

[Bert64]

All of the Apache processes show up as /usr/sbin/apache2
A process just called "apache" or "./apache" would stick out like a sore thumb...
Apache doesn't run as a single user either, each site runs under it's own userid.
There is also trusted path execution enabled on the server, so the web users can only execute programs which are owned by root, and located inside a directory owned by root, so they can't upload and execute arbitrary binaries, all they could really leave running is a php script.

Re:

[Qzukk]

all they could really leave running is a php script

Of course, PHP these days has all of the network goodies needed to make "just a php script" still a serious problem. A good idea is to make sure that anything the webserver can serve can't be written from the webserver's user, i.e. uploaded data goes outside the docroot. Of course then we'll get tears about how hard it is for everyone to install forum software and their blog since they can't just unzip/untar their code and mark it all writable.

Re:Your sig [OT]

[808140]

In this case, it should be "If I was able to see further." Use of the subjunctive mood in English (If I were) indicates that the statement is contrary to hypothesis. For example, "If I were a dog, I would lick myself" implies that I am not, in fact, a dog, and am only speaking hypothetically. Whereas: "If I was a dog, it was only because I was selfish at heart" implies that you were a dog (in this case, the meaning is figurative, obviously).

Here, your sig does not introduce any information that is contra

Re:

[goombah99]

check /tmp isn't mounted executable...that kind of thing.

What does that mean? why would /tmp be a mount. And if it's a directory it has to be executable right?

Re:

[AndroSyn]

Well one could mount /tmp on its own filesystem or perhaps using tmpfs so that it ends up effectively using swap space for /tmp. Then you mount it with the noexec flag which in simple terms tells the operating system not to run executables from here. However this does not stop people from being able to run shell or perl scripts from here as they could simply do /bin/sh /tmp/somescript.sh or /usr/bin/perl /tmp/someperlscript.pl or so.

Re:

[petermgreen]

or run the dynamic linker directly and pass it your elf executable on the command line.

Re:

[geminidomino]

I assume he meant mounted with the noexec flag.

Re:Confirmed

[TheRaven64]

Having a different filesystem makes sense for /tmp, because you do not care particularly about integrity. You can mount it async and disable journalling, because you don't expect data there to persist beyond a reboot. Having it as a separate mount (which can be achieved via remount) also allows you to disable support for setuid binaries on it, or even just disable execution. That's why it's always been fairly standard practice for it to be a separate slice. The same applies to /var, which typically wants to be write-optimised, while /usr wants to be read-optimised.

Re:

[lazy_playboy]

A server should really have /tmp located on a seperate partition that is only mounted read/write and not executable.
At least, I think that's generally thought to be a good thing to do.

Re:

[MindKata]

"The truth is that us bots prefer Linux because of the GPL"

Being able to see the source code, isn't a bad thing, as you imply. If there's a hole in the code, I would sooner someone find it fast and then it gets fixed, rather than have closed code, which may have a hole in it, which no one knows about. Because given time, someone will find that hole, even if its close sourced (which is no long term protection). What open source gives is effectively better debugging of the code, as it allows people to dig o

Re:Speaking as a Bot...

[rtb61]

More likely the prefer Linux, because after going to all the time and effort of creating a botnet you don't want some other cracking asshat hijacking your botnet.

With windows of course those poor hard working crackers and continually having to rebuild their botnet as other crackers pilfer their bots as readily as they orginally gained, 24/7 no rest for the wicked.

So winbots while easy to gain are nearly impossible to keep because of course they are just so slutty, they are anybodies ;).

Re:

[NeverVotedBush]

Fortunately, each user has their own account, so i can easily check which user owns any malicious processes or files that appear on the system.

For anyone running 64-bit, there is a recently-publicized exploit that allows users to grab root. If you haven't been keeping your kernel patched, you could be vulnerable. If someone gets root then you won't be able to spot intrusions by user-owned processes.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:Confirmed

[B2382F29]

Use fail2ban [fail2ban.org], and regarding banning all of China, I didn't see getting more than average attacks from there, a lot of attacks are also from US IPs, this seems to be a worldwide issue.

Re:

[spxero]

Thanks for that link- I've been looking for a program to do that, as ever other day it's a new IP, same brute force. I've got permissions set right so they can't get in, but this would make my life a whole lot easier. Thanks!

Re:

[jank1887]

"Noone will crack this baby"
give them time...

Re:

[betterunixthanunix]

I see lots of attempts on PERL and PHP scripts, many of which I cannot identify, in the logs for my personal web server. lbc.php, prx.php, awstats.pl, to name a few. Just another reason to keep SELinux in enforcing mode.

Re:

[somersault]

While I think it's true that Linux boxes really are 'more' secure, that very fact makes a lot of users (myself certainly) less security aware when using non Windows systems (Mac OS/Linux). That just means that I don't tend to worry that I'm going to get any spyware or viruses no matter what website I visit. When it comes to someone actually attacking a machine directly rather than relying on passive methods then I admit am pretty clueless, with regards to both Windows and Linux... perhaps some people here c

That's the problem - "Its Linux, so its secure!"

[Anonymous Coward]

So many people have that mentality or were converted by hearing sayings like that.

They don't realize, like any other operating system, if you want it secure, you have to work to make it secure. Everything from using good passwords, to not running unecessary services, to getting behind a firewall or two.

And, as usually, the biggest security hole is between the keyboard and the chair.

true

[Anonymous Coward]

I work in security and this is consistent with my experience.

A fair amount of it, I'm sorry to say, is due to the perception that Linux boxes are much more secure than Windows and therefore don't need (a) up-to-date patches (b) proper security reviews of any app code (which these days usually means web apps) (c) defence in depth (block outbound connections from your web server, except for a hole poked in tcp|udp/53 to/from your DNS server if needed (d) proper security monitoring. Review your firewall logs! Run an external syslogNG box! use netflow, nagios, ntop etc -- can you account for all the packet flows from the machine? If you have time to spare, look into Snort.

This is not an accident.....

[HexaByte]

This is really a nefarious attempt by Linux sysops to tarnish the fine reputation of Windows by making it look bad! Plan of action:

1) Get the enemy to do horrible things at your direction.

2) Hope no one notices that you are really calling the shots.

3) Make them look unreliable

4) Profit!

Re:

[DraconPern]

It's not just a perception, pro-linux people have been selling Linux by telling everyone it has better security. Just look at any 'top 10 list' or "Linux is better" lists and security is right up there.

Re:

[Metaphorically]

Don't cut the kittens!

Seriously though, accounting for every packet takes more than just being a good user, it'd be a monumental task if you've got a desktop Linux distro. I'd like to think that I know all the things that are going out on the Internet from my home network but there are limits, especially when processes are disguising their traffic.

I mean if I find some odd packets going out then discover the name of the host their going appears to be an update server for some application I use then my i

Thus proving Linux is not as secure as touted.

[Anonymous Coward]

Get the facts. [microsoft.com]

Anyone else find it funny...

[Loosifur]

...that phishers prefer Linux to Windows because of its greater stability? That's like a car thief walking through a parking lot of early 90's Fords to get to a Honda. (With apologies to Ford afficionados)

Re:

[faloi]

Don't apologize to Ford fans, give them a lift! That way you can show you care!

Seriously, though... It really does make perfect sense. It's a revenue stream for them, it's not really that different from a business setting up Linux servers for all their Windows desktops to connect to. The really important systems you want on something that's stable. I'd like to believe the availability of unsecured Linux systems is some sort of indication that more new people are starting to use it, but that be a bit o

Remote ease-of-use

[SnowZero]

This really doesn't suprise me. With tools like ssh and shells installed by default, Linux is just plain easier to use remotely. Linux machines would also tend to stay up and online, whereas (predominantly Windows) desktops are often shut off when not in use. So, Linux makes the best "control console" for a botnet. The "army" should still be made up of Windows desktop machines, due to their large numbers.

Good News & Bad News

[eldavojohn]

It's the double edged sword of software popularity.

Linux is becoming so respected and desired as an operating system for servers that phishers & hackers are slowly turning their attention towards it being profitable.

I think this will be the true test for Linux to prove that it can beat Windows in all departments.

I actually see this as good news although I must confess that when I get home I'm going to check & double check the configurations on the ports on my router and all my Linux boxes. When toying with app servers & apache, I have noticed tons of port scanners probing my Linux boxes. I paid them no mind although now ... perhaps I should.

Re:Good News & Bad News

[morgan_greywolf]

Yes. You should Here's what I do. (I guess you could say these are some security tips for those running Linux boxes at home and leaving them up on the Net):

• Run a hardware NAT firewall/router. Any ol' Linksys, Dlink or Netgear thang will do. Just remember it's not the be all and end all to security problems.
• Open as few ports as absolutely possible. I have nothing open on my router except port 22 and BitTorrent, and I don't leave BitTorrent running all the time
• Check your logs at least once a day. Look for any suspicious signs -- missing log entries, ssh connects you weren't expecting, services running that you don't normally have running, NICs going into promiscuous mode unexpectedly, excessive mail being pumped through any MTAs, etc.
• When running OpenSSH, I disallow password authentication. This prevents problems with users due to the use of stupid passwords. My sshd only accepts a valid RSA key exchange as acceptable authorization.
• Regularly update and run rootkit checkers. These are not be all end all, but they help spot obvious rootkits
• Make cron jobs that regularly scan your system for unusual permissions -- world writeable, binaries that are setuid, etc. and for suspicious files. There are programs and scripts that will do this for you. STFW or check with your distro.
• Perform MD5 checking on your files and executables, espcially.
• Regularly check your /etc/passwd and /etc/group files for new or unusual entries.
• Don't run NIS -- it's inherently insecure. You should be using OpenLDAP if you need directory authorization on your network.

Re:

[alexhs]

Many points you make are done automatically on a default FreeBSD install :

Suspicious network activities (bad logins, reverse DNS issues...) are printed on the console and e-mailed to you each day.

Every root logins also printed on the console.

System modifications (user accounts, system files permissions, disk usage, start scripts modifications) are alse mailed to you (some maybe only once a week)

I only check regularly the console, and once a month or so I check the e-mails. (It's my home server BTW, don't ne

Re:

[_Sprocket_]

It's the double edged sword of software popularity.

Linux is becoming so respected and desired as an operating system for servers that phishers & hackers are slowly turning their attention towards it being profitable.

Yes and no. What this represents is simply fluctuation - nothing novel. Linux has been targeted plenty in the past. Nobody should be surprised they're being targeted now.

Windows vs. Linux

[derian_cf]

I work for a fairly well known dedicated server provider. If I had to give a rough estimate, I'd say we're 40% Windows and 60% Linux environments. Not surprisingly, the number of boxes that get hacked (rooted entirely or not) is about equal between the two, however the purpose for which they're hacked is generally quite different. 80% of the hacked Linux boxes are used for UDP floods, things like that. Also IRC bots. Interestingly enough, in my 6 months working there, I don't believe I've ever seen a Windows box used for phishing. They're always used for FTP servers hosting movies/music/programs and/or IRC servers doing the same thing.

Linux vs. BSD

[rs79]

Can anybody comment on the ratio of cracked Linux to BSD boxes?

Useful UDP services

[canadiangoose]

I can think of a few right off the top of my head. There's SIP, RTP, OpenVPN and DNS, just to name a few. I'm sure there are more.

Interesting to note

[thegnu]

I think it's interesting to note that while we get submerged in a barrage of Windows trolls, that the hackers hack one or a few Linux boxes and use them to control the hundred or more Windows boxes they've hacked.

Still looks bad for Windows. Plus, here's betting they're servers, and not home computers behind a plain old linksys router.
-Nathan

Re:

[I'm Don Giovanni]

"that the hackers hack one or a few Linux boxes and use them to control the hundred or more Windows boxes they've hacked."

Wouldn't that be merely a function of how many Linux boxes vs Windows boxes are out there?
I know slashdotters don't like to hear that, they always argue that popularity has no bearing on how often one gets attacked and comrpomised, but using Occam's razor when pondering this new info, one would conclude that the only reason there are more Windows bots than Linux ones is that there are mo

The Money Quote

[The New Andy]

eBay recently did an in-depth analysis of its threat situation, and while the company is not releasing the results of this analysis, it did uncover a huge number of hacked, botnet computers, said Dave Cullinane, eBay's chief information and security officer, speaking at a Microsoft-sponsored security symposium at Santa Clara University.

I'm not denying that Linux boxes can be (and are) hacked, but the circumstances for this particular quote seem a little shady. It seems a little irresponsible (on the part of the submitter) to not mention the money trail. And it seems a little strange not to release the results... what are they afraid of?

Re:

[topham]

The described results are about what I would expect.

I've had a Linux box hacked years ago and the guy that did it was trying to control a group of other machines with it. Nothing gives you command and control of a lot of machines like a nice *nix environment.

The ratio of compromised machines is probably 10:1 windows to linux, but the purpose of the compromised machine and it's importance is Linux first, Windows second.

Good catch

[faloi]

I read the article and missed that last bit about the sponsor of the symposium. In light of them not releasing the results, it's all a little bit suspect. Next we'll be hearing about how consumers really like DRM based on unreleased results of an analysis at a RIAA conference.

To be fair, I don't have a hard time believing they'd really like some good, stable machines as their controller...but it's all a bit odd.

Mod parent up.

[Chrisq]

Mod parent up. This is highly relevant (I have done a survey, and I am not releasing results but it does indicate that I am definitely better than you. Try to refute that without access to the facts!)

Re:

[kebes]

And it seems a little strange not to release the results...

Not that I expect a corporation to be "nice" just for the heck of it, but it would be very useful for Internet security at large if they released a list of the "most often exploited" third-party Linux apps. TFA implies that the primary attack vector is third-party apps with known, unpatched vulnerabilities:

Although Linux has long been considered more secure than Windows, many of the programs that run on top of Linux have known security vulnerabili

Re:

[jedidiah]

We need a Unix hall of shame for applications that are most likely to be exploited.

This can help everyone avoid those apps or perhaps even get them fixed (through the pressure of public humiliation).

Re:

[I'm Don Giovanni]

Whew!!
Thank God. Now we can just dismiss this info as paid-for FUD.

Strange comments

[Russell Coker]

Iftach Amit says "Since Linux machines can be used to more easily create specially crafted networking packets, they can be used in highly sophisticated online attacks". If you root-kit a machine then regardless of OS you can create whatever packets you want. Bypassing the IP protocol stack and sending raw data on the wire can't be particularly difficult if you are trying to conceal processes from the equivalent of "ps" and avoid other methods of detecting your code.

While I agree that Linux is a reliable OS, I doubt that is a reason for attackers to target it for running phishing web servers either. A good reason for targeting an OS is that you know it well and can easily write code for it. Given that many insecure machines can be obtained running any OS you please it makes sense that attackers will target their attack on machines that they know well. Maybe the criminals in question just enjoy Linux programming!

http://survey.netcraft.com/Reports/200708/ [netcraft.com]

Then there's the issue of where servers are located, if you want reliable servers on the net then often the location of the server (in terms of a server room with UPS etc) is more important than the OS. What's the server market share for Linux? The above URL shows Apache leading the field for web servers and most Apache installations run on Linux...

It seems that if you want to own some web servers then aiming at Apache on Linux gives the largest number of potential targets - whether that gives the largest number of vulnerable targets is another matter.

New overlords?

[ealar dlanvuli]

"We see [linux servers] as part of the command and control networks for botnets."

Fear our new linux overlords?

Vigilante botnet destruction

[glindsey]

I've been thinking about this for a while. I seem to remember somebody who wrote and article about reverse-engineering a trojan in order to determine the IRC channel name and password the bot used to connect to the botnet -- fascinating stuff. Anyways, this is all plain text being sent over your network, and there will be certain strings you can expect to see in any IRC connection. Wouldn't it be possible to write a packet sniffer that searches for IRC activity being attempted over your network, captures

Re:

[glindsey]

Wrote an article. ARGH. I never used to make those sorts of typos. It must be a natural part of the aging process. For me, anyway.

We new this would happen, so lets fight.

[Zombie Ryushu]

We knew this would happen, so lets do what we can.

Upgrades. Don't run old versions of Linux Support has run out on. Upgrade.

Lets put emphasis on security, and develop new models.

Hear! Hear!

[asphaltjesus]

If this is true, which ATFA, we won't ever know because it's a secret, you are right on. Linux has vastly superior auditing tools to the win32 world, it is only a matter of lazy admins _not_ using them.

Nice work on the call to action. Not enough of that on /.

something doesn't make sense

[weighn]

... vast majority of the threats we saw were rootkitted Linux boxes

to control (windows) botnets of 1/n in size?*

* I haven't RTFA

Conflicting Info

[HaydnH]

From tfa:

Cullinane: "The vast majority of the threats we saw were rootkitted Linux boxes, which was rather startling. We expected Microsoft boxes,"

Alfred Huger: "We see a lot of Linux machines used in phishing, We see them as part of the command and control networks for botnets, but we rarely see them be the actual bots. Botnets are almost uniformly Windows-based."

Seems like people are jumping on this as "linux bad!" where in fact the article is fairly neutral, Colinane has one opinion, Huger has another (and generally more accepted) opinion. Haydn.

Re:

[howlingmadhowie]

almost, but they're not opinions. they're are both stating fact. Cullinane however has not disclosed his results or his research and is speaking at a microsoft sponsored event.

helps to have a static IP address

[dominux]

windows boxes in botnets are mostly going to be home computers on dynamic IP addresses. Linux boxes are more likely to have a static IP address, lots of bandwidth and they don't crash much or get turned off.

I've seen a few of these

[wizman]

The company I work for performs emergency Linux support services. We get a lot of calls from peoples boxes who are attacked. I've seen at least two eBay/PayPal phishing sites recently. In both cases, it had nothing at all to do with Linux itself.

Case #1: Customer running a web server had vulnerable PHP applications (I believe it was an outdated WordPress). Someone was able to use this vulnerability to wget a few php scripts and bury them under some subfolders.

Case #2: Customer had a non-root account with a weak password. This account was in the "root" group, giving it write access to a number of system files. Cracker was able to brute force the password quite easily, make a directory called eBay under /var/www/html, and stick some php code in there.

In both cases, the php scripts were logging username and password guesses into a text file. The text file was within the same web root, allowing the cracker to easily grab the latest passwords over http instead of needing to re-crack. Also, in both cases, there were at least a dozen usernames and passwords in the text files.

The lesson: Keep your web apps up to date, use strong passwords, and don't add anyone to the root group.

double standard

[nomadic]

Because Linux is highly reliable and a great platform for running server software, Linux machines are desired by phishers

So when phishers target windows servers, it's because windows has horrible security, but when they target linux servers, it's because linux is just awesome?

Here's what I know...

[erroneus]

APlus is a hosting company that offers BSD and Fedora Core (note that I say Fedora Core, not Fedora... they only offer up to FC6 at the moment) in their hosting operation. They lease boxes with Plesk installed to people and businesses with hosting needs. Before I arrived on the scene where I work, we were already hosting with them and the box was running on Fedora Core 2.

One day it was noticed that the site was malfunctioning and so a call was placed with APlus. We were informed that there was some sort of compromise and initially, at least, it was stated that it had something to do with Plesk. (Later queries denied that Plesk was at fault) After a day or so, a V.P. in charge of this stuff sent out a broadcast email to all of their hosting clients explaining that, in no uncertain terms, that it was the CUSTOMERs' fault that this had occurred.

Well, let's ignore the crappy customer-service issue this brings about.

The fact that this company offers up Fedora as their preferred flavor for hosting is ridiculous! It's a development distribution primarily aimed at the desktop with somewhere between 1 and two year update availability. Since a lot of their machines were running Fedora Core releases at least as old as Fedora Core 2, I'd say a good portion of the blame rests on APlus for their CONTINUED selection of Fedora as their distribution of supported choice. It has a SHORT LIFE! It stops getting updated after a year or so. It's idiotic to run a server with such a short support life cycle. Forget about blaming customers for not keeping their boxes updated. It couldn't be done with the distros that were affected in the first place.

But yes, my box was affected by this attack as well... and they STILL will not identify the actual point of compromise though they still deny it was Plesk. I find it ironic that I was, at the time, already talking to them about moving my box to CentOS and porting the web site code (that their developers created) to it. Interestingly, all sales people I spoke with said "we don't do that." And when I pointed out that it was their company that created the code, they said "we don't do that."

So over that weekend, I managed to port the web site code and database over from the original host to a CentOS5 box. I don't know PHP. I know a *little* about programming and I know how to use Google... that was enough to get be by. (Apparently, "this" became a reserved word in current versions of PHP and the old code named objects "this$" a lot!)

Anyway... it had been a mess and the best resolution was to move away from APlus. It's unfortunate that I cannot get the truth from them about what exactly happened... we just get blamed without specifics as to what or how it happened.

Re:

[Limburgher]

Actually running a server on Fedora can be done responsibly. I run a small hosting company entirely on Fedora. If you keep it patched and properly configured, it's highly secure. It's also easy to upgrade when the new releases come out, especially if you read the Release Notes beforehand, using yum, though that's not officially supported for some reason.

Discalimer: I am a Fedora maintainer.

Not surprising

[eli pabst]

It has nothing to do with one operating being more secure than another. Windows 2003 server is pricey and is likely to be deployed at a company with at least some form of IT support and is therefore more likely to be properly maintained. Someone running a server in their basement or a mom and pop business is more likely to choose Linux. I've seen plenty of cracked linux boxes where someone threw up a box with PHPbb or LAMP and left it running unpatched for several years. Usually they only realize it is

Probably been going on longer than thought

[MECC]

I ran a linux box with 22 open just to see what would happen about 2 years ago. Within a week someone was trying to brute force their way in (auth.log showed thousands of attempts using simple usenames).

*sigh*

Re:

[rubycodez]

but you can force the choice of good passwords in most linux distros. just like you can monitor for most of the signs of an owned machine that people are mentioning in other threads.

Root not needed to host phishing scams

[rjamestaylor]

I am a supporting system administrator for Linux/UNIX servers at a large hosting
company. I have come across many Linux servers that are compromised and being
used to host phishing scams, spamware, IRC servers, etc. Rarely, however, do I
see a "root'ed" server -- that is, a server on which an unauthorized
person or program has gained root privileges illicitly. In fact, having root
access is not necessary to host web content, send mail or provide other
Internet-facing services.

All that is needed is the privilege to put content served by the web server in
place. That could be a script for server-side execution, page or fragment for
browser- (client-) side execution, etc. If you can upload to the web content
(DocumentRoot or include) directories and the web server automatically servers
that content, you, too, can host a phishing scam or illicit media for download.

If a directory in the DocumentRoot tree on a web server can be written to by the
web server (the apache or nobody system account) then it is easy to inject one's
illicit content on that server. OS is irrelevant at that point. In fact, if a
web server has world- or apache-writable directories in the web content area the
OS *must* allow any web client to upload whatever they desire to that server.
It is the responsibility of the owner of the server to restrict who gets to
upload what content to his/her server.

I try to explain to web designers that granting write access to the
apache/nobody user is BAD, but often I hear back: "Ya, but, I can't make
the script work without opening the permissions." Usually, this is done on
PHP Content Management System portal sites that allow content to be uploaded
directly from the web browser by arbitrary users. There is a little bit of
effort required to make doing this difficult -- and it can be tricky to get
right -- but forcing the script to work by removing world/apache write
privileges is EASY:

$ sudo chmod -R 777 /var/www/html

Ugh. Then, when that same customer is complaining that, "Hey! I've been
hacked!" I respond, "no, you haven't. You been compromised. You
allowed *anyone* to upload *anything* to your server and set apache to
automatically server that content. You were trusting *everyone* on the Internet
to behave. Your trust was broken and now your server is distributing phishing
scams/malware/kidde porn/spam."

If you ever think you need to "open up" permissions so your PHP script
will "run right" you either need a different PHP script or help making
the script run "safely." It's harder than chmod'ing 777 but it's
definitely worth doing.

One server I worked on had a lazy owner who allowed apache full write and
execute access to his web content directories. He would not upgrade his PHP
scripts to patched versions that plugged well-publicized holes. After repeated
warnings I received a frantic call from him that his server was
"hacked" and running a banking phishing scam. I checked the weblogs
and found that 20,000 people had clicked the phishing scam links from their
webmail inbox and retrieved the malware-ladden web pages with Internet Explorer
-- meaning many of these people were sending their data right to the
Russian/terrorist criminals for funding their illicit operations. The customer
asked that I call the FBI to "find out who is responsible" and I said
I didn't need to make that call to find out: he was responsible.

That customer is now fully-turned around and is complying with the necessary
steps to ensure that his server is not used for illicit purposes any longer.

Root was never required for these compromises. Just poor administration.

How they hack

[pikine]

The first rootkit I got in my life was a Linux box running BIND for a local DNS cache. That was 5 years ago. BIND before version 9 is so lousy that everyone using it should expect to get rootkit someday. I was tweaking the firewall setting. I forgot to block port 53 because I hadn't been using that box all that much, and I forgot it was running BIND. The rootkit tried to replace /sbin/init, but my DSL connection died halfway so that didn't complete, and it left my machine unbootable.

About 3 years ago, I sen

Would the average Slashdotter learn something?

[suv4x4]

That the OS doesn't matter. What matters is your goal.

On the desktop, people hack Windows machines since that's what most desktop Machines are. On the server side, people hack more Linux machines since that's what most servers are.

Hacked Linux machines are hacked with a specific purpose in mind, and so are Windows machines. In fact, in both cases, the attack vector is usually an application running on said OS. Be it PHP script, server daemon, your browser or even music player on Windows.

Just like the articl

Hosted Environments

[Evets]

One of the problems are dedicated server hosts. I picked up a dedicated box a while back and I was startled to find that I was put in a position to scramble to secure the box immediately upon receiving my ssh password.

Of course, I could have paid extra to get a more secure box, but budget was an issue, and my plans were pretty simple for the machine.

Another problem is that a lot of webmasters with dedicated boxes and virtual servers end up running older and insecure versions of software - from mail servers to web servers, etc. because the software is all wrapped as part of Plesk or something similar. When security patches come out, the turnaround time for updates from the software providers is far from instantaneous.

A third problem is efficiency. If your system has been rooted, it's easy to not notice as long as the person who rooted you isn't abusing your system resources.

Recovering a rooted system is a problem as well - sys admins in general could stand to take a lesson from rootkits to protect their own system. I've seen two instances myself where overwritten binaries like ps and ls could not be reverted without a great deal of effort.

Further - people who get "Managed" servers expect that they have a secure system and that their system is being monitored for security issues regularly. From what I've seen, "Managed" means that vendor provided packages get updated automatically and uptime may be monitored, but that's a far cry from someone actually managing a system.

Linux can be secure, but I think the vast majority of web servers out there are wide open targets, much like all those windows ME boxes attached directly to cable modems.

rootkited Linux boxes cause of phishing ..

[rs232]

"According to Cullinane, none of the Linux operators whose machines had been compromised were even aware they'd been infected"

Must be a slow day at Computerworld. Like, how do they equate Linux with an increase in phishing. How did eBay discover all these rooted Linux boxes? Who gathered the data, how was it gathered? Why would phishers use rooted Linux boxes when that would draw attention to themselves, why not hire a box in a server farm or why not just hack eBay [slashdot.org].

Some comments on rootkits

[ajs318]

There's a particularly nasty rootkit out there which overwrites certain system programs (such as ls, ps, netstat, md5sum and a few others) with modified versions, then does a chattr to stop you overwriting them (though lsattr is left alone). And while attempting to clean up a machine so infected, I've seen Perl scripts changing the value of $0. This means even if you've got a "clean" ps around (like a copy of busybox in your own non-root home directory ..... you do have a non-root login, don't you?), it will report the "wrong" thing. Another clue that this rootkit is installed, is that (at least on Debian and Slackware) coloured directory listings don't work properly, and invoking ls generates a non-fatal error message. (The "special" ls must be based on an older version.)

The www-data (Debian / Ubuntu) or apache (Fedora) user should not be running any process other than apache2 or httpd. If you see something like "accepting connections", that's a sign that someone could be running something nasty.

In general, watch for world-writable directories (they list with a green background in Debian) because that's one of the first steps in cracking a box ..... install a script in a user's home directory, then persuade it to run. Beware of badly-written PHP scripts which don't chmod uploaded files to make them non-executable (turning off short open tags is also surprisingly effective). And what you think might be a DDoS (repeated attempts to retrieve mail on nonexistent accounts via POP3) might actually be a password-guesser. Block the /24 with an iptables rule at once. Note, if you aren't within walking distance of your co-lo, make your first firewall rule
iptables -I INPUT 1 -s 10.20.30.40/32 -j ACCEPT
(replace 10.20.30.40/32 by a subnet specifier which will always contain your own IP address -- get this from your broadband company -- and just to make you all jealous, my one ends in /32 because my IP is static) and never, ever use -I INPUT 1; use -I INPUT 2 or -A INPUT instead. It's too easy to block yourself out with an injudiciously-applied rule (and I do live within walking distance of my co-lo). If you see a process running that looks suspicious, leave it running long enough to examine its /proc entry before applying kill -9. Give users who don't need shell access a "shell" of /bin/true or /usr/games/fortune -o; but be sure to include whatever "shell" you gave them in /etc/shells -- otherwise they will not be able to use FTP. (If they don't have any web space on your server, just e-mail, then use /bin/false and don't put that in /etc/shells. That will make it harder to use an ftpd-based exploit.)

Note that the binaries in this rootkit are 32-bit ..... so running 64-bit Debian (which has *no* 32-bit libraries) will break them. Personally, I'd like to see a patch that will make Perl give a segmentation fault if any script tries to alter $0. In fact, I'd like to see a kernel patch that will break any binary that was not compiled locally.

This isn't a Linux botnet. PHP is a pox.

[Tracy Reed]

A friend emailed me about this just this morning. Here is what he wrote and my reply:

> I'm going to chalk this up (tentatively) to the increasing popularity of
> Linux, which means that a subset of users will be those who don't actually
> know what they're doing, and how to protect a box-- something long the norm
> in the Windows world:
>
> http://computerworld.co.nz/news.nsf/scrt/CD0B9D97EE6FE411CC25736A000E4723 [computerworld.co.nz]
>
> While there, he noticed an unusual trend when taking down phishing sites.
>> "The vast majority of the threats we saw were rootkitted Linux boxes,
>> which was rather startling. We expected Microsoft boxes," he said.

I am not surprised in the least that this was their conclusion. I don't chalk it up to the increasing popularity of Linux at all. I have never (not once) run across a Linux box operating in a botnet. Nor can anyone name a botnet software that infects Linux boxes. In the last 5 years I have found only one Linux box that had a security issue and that was because of PHP (*spit*) which had an XML-RPC exploit a while back and allowed someone to make the box host a fishing website that looked like some bank website. It seems very rare that a Linux desktop (not a webserver) would fall victim to this. I have never seen a security incident such as a botnet on a Linux desktop. I have seen that phishing page on the Linux server that hosted the bogus PHP install. That's it.

And I suspect that they are using terminology incorrectly. A Linux box hosting a fishing site is not part of a botnet. I can understand how Linux boxes would be more popular for fishing websites. PHP is popular and is a pox on Linux as PHP released a bunch of absolute garbage which only happens to run on Linux. It can run on Windows also but that is the expensive and less reliable way to do it so few people do. If people make a conscious decision to install software on Linux that lets just about anyone use the box for whatever they want such as PHP often does I don't think counts against Linux security.

Glancing over the article I immediately spotted this:

"eBay recently did an in-depth analysis of its threat situation, and while the company is not releasing the results of this analysis, it did uncover a huge number of hacked, botnet computers, said Dave Cullinane, eBay's chief information and security officer, speaking at a Microsoft-sponsored security symposium at Santa Clara University."

I challenge anyone to find a single MS sponsored paper or symposium which DOESN'T come to a conclusion favorable to MS and unfavorable to Linux. Just one. And they won't release the raw data. How much is a large botnet? 10? 100? Among millions of infected MS machines. I would also like to know what this alleged Linux botnet software is called.

I am positive that Linux will not be nearly so adversely affected by users who do not know what they are doing. Linux is very different from Windows and is architected for performance, security, and utility instead of being architected to make someone a boatload of money and maintaining monopoly lock-in. (See the fine the EU just imposed on MS.)

Some technical features which help ensure that even if Linux becomes popular on the desktop it won't suffer the same fate as Windows:

* Linux users don't run as admin/root.

* Email programs do not automatically execute attachments.

* Does not depend on filename extensions for anything.

* Does not auto-run anything from inserted media (Worth a laugh: http://www.foxnews.com/story/0,2933,299155,00.html [foxnews.com] )

* System of mandatory access controls (SE Linux) which really locks things down (some people still turn that off but it is improving rapidly, I use it on my desktop).

* Linux also takes advantage of NX (non-executable memory) which is a recent feature of x86 cpu's

Re:

[weeboo0104]

Yes, the linux community will quickly find and provide patches for the vulnerabilities.
Unfortunately, the admins of the servers will get behind in their patching or just complacent.

Someone I travel to work with got called at 4am one morning by his co-lo with the message "You're box is trying to root all the other boxes in the cages, we're pulling the network cable indefinitely."

It was later determined that he got rooted through a 4 month old SSL vulnerability. The patch was available, he just assumed tha

Re:

[Yetihehe]

"You're box is trying to root all the other boxes in the cages"

They're imprisoning linux servers in cages? Those bastards... Information wants to be free, not in the cages. Please think of the servers.

Re:

[jimicus]

All the patches in the world won't do any good with a badly operated server.

The problem is spin

[weighn]

The problem is not in reliability, but in ignorance. Must Linuzzz administrators think they are "inmune" ...

here they all come, out of the woodwork. At first glance this MS spin doctor makes a half-point, but by "Must Linuzzz administrators" El Lobo means most "ubuntu users"*. Anyone using Linux (or hopefully anything with an outward facing IP address) to run public services knows they are not immune and takes appropriate care ... stop drinking the kool-aid for chrisake

* this phrase is not meant to be inflammatory, I use it too :-)

Re:

[betterunixthanunix]

Despite all the vulnerabilities, Red Hat Enterprise Linux 5 has top ratings for security from the NSA, when configured with SELinux in Enforcing mode (and buffer overflow protection, and other features) [Windows does not and has never had these security ratings]. Basically, if you are running a publicly accessible web server, you should have these features configured on your system (the easiest way would be to use Red Hat, but you can certainly get those features on any Linux system). Also, you should be

Re:

[TheRaven64]

There are three things that make a server machine, Linux or otherwise, more attractive than a home machine:

• Upstream bandwidth. A server is likely to be on a 10Mbit or 100Mbit upstream pipe, while a home machine will rarely have more than 0.5Mbits. You get between 20 and 200 times the available bandwidth to launch new attacks with a cracked server.
• Uptime. Home machines are rarely on for more than 8 hours a day, servers are on 24/7. In terms of daily bandwidth, you get at least three times as much from