Stories
Slash Boxes
Comments
Search

News for nerds, stuff that matters

Slashdot Log In

Log In

Create Account  |  Retrieve Password

Mystery Malware Affecting Linux/Apache Web Servers

Posted by Zonk on Thu Jan 24, 2008 03:46 PM
from the duck-and-cover-like-tommy-the-turtle dept.
Security Software Apache
lisah writes "Reports are beginning to surface that some Web servers running Linux and Apache are unwittingly infecting thousands of computers, exploiting vulnerabilities in QuickTime, Yahoo! Messenger, and Windows. One way to tell if your machine is infected is if you're unable to create a directory name beginning with a numeral. Since details are still sketchy, the best advice right now is to take proactive steps to secure your servers. 'We asked the Apache Software Foundation if it had any advice on how to detect the rootkit or cleanse a server when it's found. According to Mark Cox of the Apache security team, "Whilst details are thin as to how the attackers gained root access to the compromised servers, we currently have no evidence that this is due to an unfixed vulnerability in the Apache HTTP Server." We sent a similar query to Red Hat, the largest vendor of Linux, but all its security team could tell us was that "At this point in time we have not had access to any affected machines and therefore cannot give guidance on which tools would reliably detect the rootkit."'"
+ -
story

Related Stories

Firehose:Mystery malware affecting Linux/Apache Web servers by lisah (987921)
This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

Mystery Malware Affecting Linux/Apache Web Servers 25 Comments More /

 Full
 Abbreviated
 Hidden
More
Loading... please wait.

  • Should have used IIS (Score:5, Funny)

    by Anonymous Coward on Thursday January 24 2008, @03:51PM (#22171832)
    This is why serious businesses choose a serious web server: Microsoft Internet Information Services running on Microsoft Windows Server.

  • Something's fishy! (Score:5, Funny)

    by linumax (910946) on Thursday January 24 2008, @03:54PM (#22171876)
    Last night I discovered a directory named 53 4B 59 4E 45 54 in my home folder.

  • mkdir 1 (Score:5, Insightful)

    by hey (83763) on Thursday January 24 2008, @03:58PM (#22171968) Journal
    I can see thousand of people trying to make numeric directories :)
    Yes, also if you can run your tummy while patting your head you aren't infected also.
    I think.... this crazy idea is the virus!

  • What are the common factors? (Score:5, Insightful)

    by Arrogant-Bastard (141720) on Thursday January 24 2008, @04:07PM (#22172122)

    To figure out what the compromise vector is, it's probably going to be necessary to figure out what the compromised servers have in common -- and how that differs from uncompromised servers. (Keeping in mind that currently-uncompromised servers may have the same vulnerability, and that attackers or their software just may not have gotten to them yet.)

    I'd suggest enumerating factors such as OS, OS version, remote access methods (ssh, ftp, etc.), Apache versions, Apache modules, add-ons like CPanel, network/ASN, and so on -- anything could be a culprit at this point.

    And that includes things that have nothing to do with Linux or Apache: for example, it's possible that the attackers acquired root passwords by infecting Windows systems used by administrators -- then just waited for them to initiate ssh sessions to their servers. It'd probably be best to leave all possibilities open and consider them equally likely until evidence starts accumulating in favor of/against them. (In re-reading that last statement, I suppose it sounds a bit trite. I'm just trying to discourage premature conclusions that anything is at fault until somebody can produce evidence to support saying so.)

    • Re:What are the common factors? (Score:5, Insightful)

      by whoever57 (658626) on Thursday January 24 2008, @04:27PM (#22172440) Journal

      To figure out what the compromise vector is, it's probably going to be necessary to figure out what the compromised servers have in common -- and how that differs from uncompromised servers. (Keeping in mind that currently-uncompromised servers may have the same vulnerability, and that attackers or their software just may not have gotten to them yet.)
      Perhaps this is the end result of all those dictionary attacks against SSH servers that we have seen for the past 2-3 years. Inevitably, some of those attacks will have been successful. Perhaps the successful logins have not ben exploited until now.

  • The register's older writeup on this ... (Score:5, Informative)

    by chris.dag (22141) on Thursday January 24 2008, @04:07PM (#22172126) Homepage
    The Register has been on this for a while and although the story is older it is better written and has more interesting details: http://www.channelregister.co.uk/2008/01/16/mysterious_web_infection_continues/ [channelregister.co.uk]

    my $.02 of course

  • ssh + bad password (Score:5, Informative)

    by Panaflex (13191) <convivialdingo.yahoo@com> on Thursday January 24 2008, @04:11PM (#22172170)
    I see this type of attack all the time, the fact that someone automated it and gave it a zombie machine is not surprising.

    * Don't allow root to ssh into your machine.
    * Disable ssh1.
    * Limit sudoers.
    * Have good passwords.
    * ???
    * PROFIT!!

    Seems like a formula everyone should know.

    • Re:ssh + bad password (Score:5, Interesting)

      by ls671 (1122017) on Thursday January 24 2008, @04:44PM (#22172718) Homepage
      You should also have some process that completely blocks ssh login attempts from a given IP after so many failed login attempts instead of letting the hi-jacker poll your machine for as long as he wishes.

  • I'm not sure I buy it (Score:5, Insightful)

    by mlwmohawk (801821) on Thursday January 24 2008, @04:40PM (#22172676)
    There is something suspicious about this report. Some things can't happen the way people say they happen, and when that is the case we have to look at more likely scenarios.

    I would bet the path of the TCP/IP packets route through compromised providers who have an injection strategy. Remember a few months ago how IPSs were injecting their own java script and ads into the pages of other sites?

    http://ars.userfriendly.org/cartoons/?id=20070703 [userfriendly.org]

    This is the most likely scenario I can think of.

    • Re:Funny (Score:5, Insightful)

      by Undead Ed (1068120) on Thursday January 24 2008, @03:57PM (#22171922)
      According to the story (did you read it), it appears to be a situation where the root password has been compromised, not the applications or operating system.

      Problems with IIS were as a result of vulns in the application and/or Windows operating system - totally different problem.

      Would you blame a lock company if the user left his keys in the lock?

      Ed

      • Re:Funny (Score:5, Insightful)

        by plague3106 (71849) on Thursday January 24 2008, @04:02PM (#22172042)
        I read it, here's what it said: "One great unknown thus far is how the servers come to be infected. Absent any forensic evidence of break-ins, the current thinking is that the malware authors gained access to the servers using stolen root passwords."

        In other words, they have no idea how the servers were compromised. Because they can't find out how, they're guessing it was a root password that was stolen. In other words, its still just as likely a flaw in some software.

        • Re:Funny (Score:5, Insightful)

          by Undead Ed (1068120) on Thursday January 24 2008, @04:11PM (#22172182)
          "they're guessing it was a root password that was stolen"

          A pretty good guess, otherwise we could expect to see millions of Apache web servers compromised (there are over 75 million Apache web servers in active service) and anticipate a much greater number of Windows clients infected.

          The significance of this story is not that Windows clients are the target, the significance is that the infecting agent is originating from Apache/Linux servers.

          Ed

      • Re:Funny (Score:5, Funny)

        by studpuppy (624228) on Thursday January 24 2008, @04:15PM (#22172240)
        Would you blame a lock company if the user left his keys in the lock?"

        Depends. How good is my lawyer?

    • Re:Software sucks. (Score:5, Insightful)

      by vux984 (928602) on Thursday January 24 2008, @04:18PM (#22172292)
      It's high time for better software, and the only way to get that is to apply market pressure. Software liability is the answer.

      1) If the market really wanted extensive 'software liability' then we'd already have it. Customers would demand it, suppliers would figure out how much it would cost to provide it, and prices would sort themselves out. Turns out the prices go WAY up, and customers (most of them) don't want to pay them.

      2) What happens to Linux in a world with mandatory software liability? Who is liable? The company providing install and support? The volunteer contributor who wrote that line of code? The project maintainer who accepted the patch? ... And you wonder why your post was modded flaimbait?

    • Re:Software sucks. (Score:5, Funny)

      by Schraegstrichpunkt (931443) on Thursday January 24 2008, @04:24PM (#22172398) Homepage
      Yeah. People should be held liable when they know full well that Microsoft has a track record for bad security, but choose Microsoft products anyway.

      • Re:Ubuntu as well? (Score:5, Insightful)

        by nicklott (533496) on Thursday January 24 2008, @04:35PM (#22172588)
        Microsoft? This story is on posted on linux.com and being hyped on a OSDN site, where do microsoft come in? They must have a pretty deep mole to get this one planted...

All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2009 Geeknet, Inc.