Security Software Apache

Mystery Malware Affecting Linux/Apache Web Servers 437

lisah writes "Reports are beginning to surface that some Web servers running Linux and Apache are unwittingly infecting thousands of computers, exploiting vulnerabilities in QuickTime, Yahoo! Messenger, and Windows. One way to tell if your machine is infected is if you're unable to create a directory name beginning with a numeral. Since details are still sketchy, the best advice right now is to take proactive steps to secure your servers. 'We asked the Apache Software Foundation if it had any advice on how to detect the rootkit or cleanse a server when it's found. According to Mark Cox of the Apache security team, "Whilst details are thin as to how the attackers gained root access to the compromised servers, we currently have no evidence that this is due to an unfixed vulnerability in the Apache HTTP Server." We sent a similar query to Red Hat, the largest vendor of Linux, but all its security team could tell us was that "At this point in time we have not had access to any affected machines and therefore cannot give guidance on which tools would reliably detect the rootkit."'"
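The summary's one concrete detection hint is that an infected server cannot create a directory whose name begins with a digit. The script below, an added example and not code from the linux.com story, the Apache Software Foundation or Red Hat, reproduces exactly that test with a control name alongside, so a permissions or full-disk problem is reported as inconclusive rather than as the symptom. It verifies only this one symptom; a rootkit that hooks the filesystem can lie to Python's os.mkdir() as easily as to mkdir(1), and a clean result here does not clear the host.

```python
"""Reproduce the one infection symptom the story reports: being unable to
create a directory whose name begins with a digit.

Added example, not from the story or from the Apache/Red Hat security teams.
"""
import os
import tempfile

NUMERIC_NAMES = ("1", "123abc", "0test")   # names the report says fail on an infected box
CONTROL_NAME = "control_abc"               # ordinary name, should always work


def numeric_mkdir_check(base=None):
    """Try to create CONTROL_NAME and each NUMERIC_NAME inside a fresh temp dir.

    Returns {name: created_and_visible}. A name counts as created only if
    stat() says it is a directory *and* it shows up in the parent's listing,
    since a rootkit could let mkdir succeed yet hide the entry from readdir().
    """
    results = {}
    parent = tempfile.mkdtemp(prefix="mkdirchk_", dir=base)
    try:
        for name in (CONTROL_NAME,) + NUMERIC_NAMES:
            path = os.path.join(parent, name)
            try:
                os.mkdir(path)
                visible = os.path.isdir(path) and name in os.listdir(parent)
            except OSError:
                visible = False
            results[name] = visible
            if os.path.isdir(path):
                os.rmdir(path)
    finally:
        os.rmdir(parent)
    return results


def verdict(results):
    """'symptom' if a numeric name fails while the control works,
    'inconclusive' if even the control fails (permissions, full disk),
    otherwise 'clean'."""
    if not results.get(CONTROL_NAME):
        return "inconclusive"
    if all(results[n] for n in NUMERIC_NAMES):
        return "clean"
    return "symptom"


if __name__ == "__main__":
    r = numeric_mkdir_check()
    for name, ok in r.items():
        print(f"mkdir {name!r}: {'ok' if ok else 'FAILED'}")
    print("verdict:", verdict(r))
```

Run it as the user that actually serves the site as well as root, since the report does not say at which privilege level the failure appears; pass `base="/var/www"` (or wherever your content lives) to test a filesystem other than /tmp.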
  • Re:Ubuntu as well? (Score:4, Insightful)

    by PrescriptionWarning ( 932687 ) on Thursday January 24, 2008 @03:53PM (#22171862)
    "the current thinking is that the malware authors gained access to the servers using stolen root passwords"

    so basically it's most likely they used the traditional means of gaining access (not through holes, but merely through bad personal security practices regarding passwords and password management). And it only affects windows clients. So how is this problem not your typical someone cracked your machine? Oh wait, I smell Microsoft FUD... ewwwwww
  • press release?? (Score:2, Insightful)

    by Anonymous Coward on Thursday January 24, 2008 @03:56PM (#22171920)
    "According to a press release issued earlier this month ..."

    Yawn.
  • Re:Funny (Score:5, Insightful)

    by Undead Ed ( 1068120 ) on Thursday January 24, 2008 @03:57PM (#22171922)
    According to the story (did you read it), it appears to be a situation where the root password has been compromised, not the applications or operating system.

    Problems with IIS were as a result of vulns in the application and/or Windows operating system - totally different problem.

    Would you blame a lock company if the user left his keys in the lock?

    Ed
  • mkdir 1 (Score:5, Insightful)

    by hey ( 83763 ) on Thursday January 24, 2008 @03:58PM (#22171968) Journal
    I can see thousands of people trying to make numeric directories :)
    Yes, and if you can rub your tummy while patting your head you aren't infected either.
    I think.... this crazy idea is the virus!
  • Re:Funny (Score:5, Insightful)

    by plague3106 ( 71849 ) on Thursday January 24, 2008 @04:02PM (#22172042)
    I read it, here's what it said: "One great unknown thus far is how the servers come to be infected. Absent any forensic evidence of break-ins, the current thinking is that the malware authors gained access to the servers using stolen root passwords."

    In other words, they have no idea how the servers were compromised. Because they can't find out how, they're guessing it was a root password that was stolen. In other words, it's still just as likely a flaw in some software.
  • Re:Software sucks. (Score:3, Insightful)

    by Anonymous Coward on Thursday January 24, 2008 @04:07PM (#22172110)
    How is that flamebait? I'm dead serious. If the quality of software doesn't improve dramatically, we're going to be in a world of hurt very soon. How do you suggest we achieve that improvement if not by making authors of faulty software liable for their negligence? We certainly can't keep upgrading software every time a bug is found, if bugs keep cropping up at the current rate.
  • by Arrogant-Bastard ( 141720 ) on Thursday January 24, 2008 @04:07PM (#22172122)

    To figure out what the compromise vector is, it's probably going to be necessary to figure out what the compromised servers have in common -- and how that differs from uncompromised servers. (Keeping in mind that currently-uncompromised servers may have the same vulnerability, and that attackers or their software just may not have gotten to them yet.)

    I'd suggest enumerating factors such as OS, OS version, remote access methods (ssh, ftp, etc.), Apache versions, Apache modules, add-ons like CPanel, network/ASN, and so on -- anything could be a culprit at this point.

    And that includes things that have nothing to do with Linux or Apache: for example, it's possible that the attackers acquired root passwords by infecting Windows systems used by administrators -- then just waited for them to initiate ssh sessions to their servers. It'd probably be best to leave all possibilities open and consider them equally likely until evidence starts accumulating in favor of/against them. (In re-reading that last statement, I suppose it sounds a bit trite. I'm just trying to discourage premature conclusions that anything is at fault until somebody can produce evidence to support saying so.)
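One way to do the comparison this comment proposes, as an added example that is not part of the original post: record the same attributes for every host, compromised or not, and rank attribute values by how much more often they appear on the compromised set. The inventory records below are constructed for illustration, not data from any affected server, and the attribute names (os, ssh_auth, panel, apache) are an assumption about what an admin would record.

```python
"""Tabulate which inventory attributes separate compromised hosts from
uncompromised ones. Added example; the records are constructed sample data."""
from collections import Counter

INVENTORY = [  # constructed sample records, not real hosts
    {"host": "web01", "compromised": True,  "os": "CentOS 4", "ssh_auth": "password", "panel": "cPanel", "apache": "2.0.52"},
    {"host": "web02", "compromised": True,  "os": "CentOS 4", "ssh_auth": "password", "panel": "cPanel", "apache": "2.0.52"},
    {"host": "web03", "compromised": True,  "os": "Debian 4", "ssh_auth": "password", "panel": "cPanel", "apache": "2.2.3"},
    {"host": "web04", "compromised": True,  "os": "CentOS 5", "ssh_auth": "password", "panel": "cPanel", "apache": "2.2.3"},
    {"host": "web05", "compromised": False, "os": "CentOS 4", "ssh_auth": "keys",     "panel": "none",   "apache": "2.0.52"},
    {"host": "web06", "compromised": False, "os": "Debian 4", "ssh_auth": "keys",     "panel": "none",   "apache": "2.2.3"},
    {"host": "web07", "compromised": False, "os": "CentOS 5", "ssh_auth": "password", "panel": "none",   "apache": "2.2.3"},
    {"host": "web08", "compromised": False, "os": "CentOS 4", "ssh_auth": "keys",     "panel": "cPanel", "apache": "2.0.52"},
]
ATTRS = ("os", "ssh_auth", "panel", "apache")


def factor_prevalence(inventory, attrs=ATTRS):
    """Map (attribute, value) -> (share of compromised hosts, share of clean hosts)."""
    comp = [h for h in inventory if h["compromised"]]
    clean = [h for h in inventory if not h["compromised"]]
    out = {}
    for attr in attrs:
        in_comp = Counter(h[attr] for h in comp)
        in_clean = Counter(h[attr] for h in clean)
        for value in set(in_comp) | set(in_clean):
            out[(attr, value)] = (
                in_comp[value] / len(comp) if comp else 0.0,
                in_clean[value] / len(clean) if clean else 0.0,
            )
    return out


def suspicious_factors(inventory, attrs=ATTRS, min_comp_share=0.8):
    """Attribute values shared by most compromised hosts and rarer on clean ones,
    ranked by the gap (ties broken by name so the order is deterministic).

    A factor common to both groups is not cleared, the clean hosts may simply
    not have been hit yet; it just does not stand out. A factor that does
    stand out is a lead to investigate, not proof of the vector.
    """
    ranked = [
        (attr, value, comp_share, clean_share)
        for (attr, value), (comp_share, clean_share) in factor_prevalence(inventory, attrs).items()
        if comp_share >= min_comp_share and comp_share > clean_share
    ]
    ranked.sort(key=lambda t: (-(t[2] - t[3]), t[0], t[1]))
    return ranked


if __name__ == "__main__":
    for attr, value, c, k in suspicious_factors(INVENTORY):
        print(f"{attr}={value}: {c:.0%} of compromised vs {k:.0%} of clean")
```

With real data the interesting output is usually not a single factor but a conjunction (say, password SSH auth plus a web control panel), which is why the function keeps every qualifying factor rather than returning the top one.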

  • Re:Funny (Score:5, Insightful)

    by Undead Ed ( 1068120 ) on Thursday January 24, 2008 @04:11PM (#22172182)
    "they're guessing it was a root password that was stolen"

    A pretty good guess, otherwise we could expect to see millions of Apache web servers compromised (there are over 75 million Apache web servers in active service) and anticipate a much greater number of Windows clients infected.

    The significance of this story is not that Windows clients are the target, the significance is that the infecting agent is originating from Apache/Linux servers.

    Ed
  • by jawtheshark ( 198669 ) * on Thursday January 24, 2008 @04:14PM (#22172222) Homepage Journal
    I do not know how you interpret this, but a rooted server, Linux, FreeBSD, OpenBSD or even Windows is also a "harmed" computer. Yes, clients will get infected, but the servers are in deep trouble too.
  • Re:Software sucks. (Score:5, Insightful)

    by vux984 ( 928602 ) on Thursday January 24, 2008 @04:18PM (#22172292)
    It's high time for better software, and the only way to get that is to apply market pressure. Software liability is the answer.

    1) If the market really wanted extensive 'software liability' then we'd already have it. Customers would demand it, suppliers would figure out how much it would cost to provide it, and prices would sort themselves out. Turns out the prices go WAY up, and customers (most of them) don't want to pay them.

    2) What happens to Linux in a world with mandatory software liability? Who is liable? The company providing install and support? The volunteer contributor who wrote that line of code? The project maintainer who accepted the patch? ... And you wonder why your post was modded flamebait?
  • Re:Ubuntu as well? (Score:4, Insightful)

    by symbolset ( 646467 ) on Thursday January 24, 2008 @04:19PM (#22172304) Journal

    It's possible to install software on a Linux webserver that exploits vulnerabilities in Windows clients. This is news?

    Here's a shocker: it's possible to exploit Windows boxes with services hosted on a Commodore64.

    Windows has more malware packages than legitimate software packages. They've really solved that ease of installation problem.

  • Re:Software sucks. (Score:1, Insightful)

    by Anonymous Coward on Thursday January 24, 2008 @04:19PM (#22172310)
    Cool. I'm ready to sue open source developers -- I have to work around bugs all the time. How many major projects (servers, libraries, languages/runtimes) don't have bug fix releases all the time?

    You'll have to show you took necessary precautions. Ready for that? MS is. Read up on their security precautions these days (SDL, etc.).

    Are you sure you're up to the task? If so, what open source projects are you working on?
  • by cbart387 ( 1192883 ) on Thursday January 24, 2008 @04:22PM (#22172352)
    I admit, I jumped the gun. I'm done conjecturing until more information comes in. I usually get annoyed when people do so, so I really have no excuse.
  • by whoever57 ( 658626 ) on Thursday January 24, 2008 @04:27PM (#22172440) Journal

    To figure out what the compromise vector is, it's probably going to be necessary to figure out what the compromised servers have in common -- and how that differs from uncompromised servers. (Keeping in mind that currently-uncompromised servers may have the same vulnerability, and that attackers or their software just may not have gotten to them yet.)
    Perhaps this is the end result of all those dictionary attacks against SSH servers that we have seen for the past 2-3 years. Inevitably, some of those attacks will have been successful. Perhaps the successful logins have not been exploited until now.
  • Re:Ubuntu as well? (Score:0, Insightful)

    by Anonymous Coward on Thursday January 24, 2008 @04:27PM (#22172444)
    From TFA - "All reports thus far say the compromised servers are running Linux and Apache."

    "And it only affects windows clients. So how is this problem not your typical someone cracked your machine? Oh wait, I smell Microsoft FUD"

    Are you really that illiterate? Just an FYI - Microsoft doesn't make Apache OR Linux. If compromised servers are being used, it is certainly not the type that "only affects windows clients". Duh. Only here would such blatant anti-MS bullshit get modded "Insightful". I took a way more "insightful" shit this morning.
  • Re:Software sucks. (Score:2, Insightful)

    by WaHooCrazy7 ( 1220464 ) on Thursday January 24, 2008 @04:27PM (#22172462)
    Would you please tell me which one of the hundreds if not thousands of developers should be sued when OSS has a bug in it? Also, there is no way we could process that many law suits...
  • by Klaus_1250 ( 987230 ) on Thursday January 24, 2008 @04:33PM (#22172550)
    I'll take my chances with *BSD.
  • Re:Ubuntu as well? (Score:5, Insightful)

    by nicklott ( 533496 ) on Thursday January 24, 2008 @04:35PM (#22172588)
    Microsoft? This story is posted on linux.com and being hyped on an OSDN site, where do microsoft come in? They must have a pretty deep mole to get this one planted...
  • by PinkPanther ( 42194 ) on Thursday January 24, 2008 @04:39PM (#22172662)
    If someone is going to render their machine usable only by root, then I strongly doubt they've taken the time or have the knowledge to implement security precautions listed above. If they know how, they likely should and likely won't render their machine useless.

    In addition, if they really might render the machine useless, they likely shouldn't have it on the 'net.

  • by mlwmohawk ( 801821 ) on Thursday January 24, 2008 @04:40PM (#22172676)
    There is something suspicious about this report. Some things can't happen the way people say they happen, and when that is the case we have to look at more likely scenarios.

    I would bet the path of the TCP/IP packets routes through compromised providers who have an injection strategy. Remember a few months ago how ISPs were injecting their own JavaScript and ads into the pages of other sites?

    http://ars.userfriendly.org/cartoons/?id=20070703 [userfriendly.org]

    This is the most likely scenario I can think of.

  • by Arrogant-Bastard ( 141720 ) on Thursday January 24, 2008 @04:56PM (#22172900)

    That (use of data harvested from ssh attacks) is entirely possible. Some of those attacks had to be successful against some hosts.

    So maybe one possible line of investigation would be to see if any hosts which defended against ssh dictionary attacks (say, by throttling back or denying connections from hosts that made too many ssh tries) were compromised. (I suppose it'll also be necessary to assess the strength of their root passwords; sufficiently weak ones might not require a concerted ssh attack to be compromised.)

    Sure, this could be the wrong line of reasoning -- but given that we've all seen the ssh attacks you refer to, it's probably worth investigating.
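Both the suggestion that old SSH dictionary attacks finally paid off (whoever57 above) and the line of investigation proposed in this comment come down to one question you can ask of the logs: did a password login ever succeed from a source that had already failed many times? The detection below is an added example, not code from either poster or from the story; the log lines are constructed in the format of OpenSSH's syslog output (Red Hat /var/log/secure, Debian /var/log/auth.log) and the hosts and addresses are fictitious. Run it against logs shipped off the box, because an intruder with root on the server can edit the local copy.

```python
"""Flag SSH password logins that follow a run of failed guesses from the
same source address. Added example; SAMPLE_LOG is constructed."""
import re
from collections import defaultdict

FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (\w+) for (\S+) from (\S+) port \d+")

SAMPLE_LOG = """\
Jan 22 03:14:01 web01 sshd[4411]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Jan 22 03:14:03 web01 sshd[4413]: Failed password for invalid user oracle from 203.0.113.7 port 51030 ssh2
Jan 22 03:14:05 web01 sshd[4415]: Failed password for root from 203.0.113.7 port 51041 ssh2
Jan 22 03:14:07 web01 sshd[4417]: Failed password for root from 203.0.113.7 port 51052 ssh2
Jan 22 03:14:09 web01 sshd[4419]: Failed password for root from 203.0.113.7 port 51063 ssh2
Jan 22 03:14:11 web01 sshd[4421]: Accepted password for root from 203.0.113.7 port 51070 ssh2
Jan 22 09:02:44 web01 sshd[5102]: Accepted publickey for deploy from 198.51.100.20 port 40211 ssh2
Jan 22 09:05:10 web01 sshd[5120]: Failed password for deploy from 198.51.100.20 port 40230 ssh2
Jan 22 09:05:20 web01 sshd[5122]: Accepted password for deploy from 198.51.100.20 port 40231 ssh2
"""


def find_guessed_logins(lines, threshold=3):
    """Return one alert per 'Accepted password' whose source IP had already
    failed at least `threshold` times earlier in the log.

    Counts are cumulative per source address with no time window, which is
    what you want when the successful guess may have come weeks after the
    attack. Key logins are ignored: a guessed password cannot produce one.
    """
    failures = defaultdict(int)     # source IP -> failures seen so far
    usernames = defaultdict(set)    # source IP -> usernames it tried
    alerts = []
    for line in lines:
        m = FAILED.search(line)
        if m:
            user, ip = m.groups()
            failures[ip] += 1
            usernames[ip].add(user)
            continue
        m = ACCEPTED.search(line)
        if m:
            method, user, ip = m.groups()
            if method == "password" and failures[ip] >= threshold:
                alerts.append({
                    "user": user,
                    "ip": ip,
                    "failures_before": failures[ip],
                    "usernames_tried": sorted(usernames[ip]),
                    "line": line.strip(),
                })
    return alerts


if __name__ == "__main__":
    for a in find_guessed_logins(SAMPLE_LOG.splitlines()):
        print(f"{a['ip']} logged in as {a['user']} after {a['failures_before']} failures "
              f"(tried: {', '.join(a['usernames_tried'])})")
```

The deploy login in the sample is deliberately not flagged at the default threshold: one typo before a correct password is normal, a login after a spread of usernames like admin/oracle/root is not. Lower the threshold when the attacker rotated source addresses, and remember that a host that throttled or blocked the attacking address, as the comment suggests, will show the failures but no acceptance, which is the evidence you want for the "defended hosts were not hit" comparison.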

  • Re:Funny (Score:2, Insightful)

    by Undead Ed ( 1068120 ) on Thursday January 24, 2008 @04:57PM (#22172912)
    "It could be only Apache on a certain distro, with a certain version."

    Yet another persuasive argument to avoid the technological mono-culture that is Microsoft Windows.

    Ed
  • Re:Software sucks. (Score:5, Insightful)

    by mlwmohawk ( 801821 ) on Thursday January 24, 2008 @05:01PM (#22173012)
    Software has to suck because the market can't afford software that doesn't suck. Kids out of high school and college or fresh out of Joe's web school aren't qualified to write good software, yet this is what companies hire over more experienced people.

    Even then, there is no ability to develop your skills because you spend 99% of your time learning new environments.

    Software is HUGELY complex these days and it takes a lot of study, knowledge, and skill to be any good at it. Companies don't want to hear that. They want to increase productivity by "KLOC." (Un)fortunately, there is a lot of "art" and "creativity" in software development and without well defined product specs, rigid test plans, and quality assurance which adds delays and cost to a project you won't get better code.

    Standard business upside potential vs downside risk. Upside potential: first to market, profit!!! Downside risk: blame some hacker.
  • Re:Funny (Score:1, Insightful)

    by Knuckles ( 8964 ) on Thursday January 24, 2008 @05:09PM (#22173126)
    IIS6 has never had a remote code execution hole. Ever.

    That you know of.
  • Re:Ubuntu as well? (Score:4, Insightful)

    by Christianfreak ( 100697 ) on Thursday January 24, 2008 @05:20PM (#22173284) Homepage Journal
    Exactly. Also this gem from the article:

    Other than using and safeguarding secure root passwords, not much can be done at this time to be proactive in preventing servers from being compromised,

    Turn off root's log in and get rid of cPanel and similar programs as well. I understand the need for an easy to use remote admin tool (as much as I'd love people to actually learn the shell), but can't we do better than a web-based program for this stuff?
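The comment's advice to turn off root's login is one of a handful of sshd_config settings that decide whether a stolen or guessed password is usable at all. The audit below is an added example, not code from the poster or the story. Both configurations are constructed; the fallback values in DEFAULTS are what OpenSSH of the period assumed when a directive was absent (PermitRootLogin defaulted to yes), so an absent line is not a safe line. Only the global section is read: directives after the first Match block apply conditionally and would need per-user evaluation.

```python
"""Audit an sshd_config for the settings that make guessed or stolen root
passwords usable. Added example; both configs are constructed."""
import re

WEAK_CONFIG = """\
# constructed: a typical shared-hosting sshd_config of the time
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
"""

HARDENED_CONFIG = """\
Port 22
Protocol 2
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
AllowUsers deploy ops
"""

# What sshd assumed when the directive was missing (OpenSSH before 7.0).
DEFAULTS = {"permitrootlogin": "yes", "passwordauthentication": "yes", "maxauthtries": "6"}


def parse_sshd_config(text):
    """Effective global directives with lower-cased keys. sshd honours the
    first occurrence of a directive, so later duplicates are ignored here too,
    and parsing stops at the first Match block."""
    effective = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break
        effective.setdefault(key, value)
    return effective


def audit_sshd_config(text):
    """Return a list of findings; an empty list means none of the checks fired."""
    eff = {**DEFAULTS, **parse_sshd_config(text)}
    findings = []
    if eff["permitrootlogin"].lower() == "yes":
        findings.append("PermitRootLogin yes: root is a direct target for guessed or stolen passwords; "
                        "set 'no' (or 'without-password' if root must keep key-only access)")
    if eff["passwordauthentication"].lower() == "yes":
        findings.append("PasswordAuthentication yes: dictionary attacks stay possible; set 'no' and use keys")
    try:
        if int(eff["maxauthtries"]) > 3:
            findings.append(f"MaxAuthTries {eff['maxauthtries']}: more guesses per connection than needed; set 3")
    except ValueError:
        findings.append(f"MaxAuthTries {eff['maxauthtries']!r} is not a number")
    if "1" in eff.get("protocol", "2").split(","):
        findings.append("Protocol 1 enabled: SSH-1 is weak; set 'Protocol 2'")
    if "allowusers" not in eff and "allowgroups" not in eff:
        findings.append("no AllowUsers/AllowGroups: every local account is a valid SSH login target")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label} ==")
        for finding in audit_sshd_config(cfg) or ["no findings"]:
            print(" -", finding)
```

Feed it the real file with `audit_sshd_config(open("/etc/ssh/sshd_config").read())`. Note that this hardens the front door only; a web control panel that runs as root with its own password login, which the comment also objects to, is not covered by anything in sshd_config.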

  • by geminidomino ( 614729 ) * on Thursday January 24, 2008 @05:32PM (#22173464) Journal

    It's for Apache/Linux so it must be well crafted code written with the best intention....
    Then how do you explain PHP?

    *sniff sniff* Is something burning?
  • by ray-auch ( 454705 ) on Thursday January 24, 2008 @05:43PM (#22173624)
    That's the secondary infection.

    The tough question is what is the malware that is infecting the servers themselves. There have been reports of this for weeks now, and apparently it may go back months (see eg. http://www.channelregister.co.uk/2008/01/16/mysterious_web_infection_continues/ [channelregister.co.uk]), and AFAICS:

    a) no one knows the initial attack vector (on the _servers_)
    b) the malware (on the _servers_) seems to be difficult to detect
    c) and no one seems to know how to remove it successfully either - some have suggested it is a rootkit as the apache part of the infection seems to reappear when removed.
    d) possibly as a result of (b), estimates are vague on number of infected servers, but I've seen estimates from "hundreds" to "tens of thousands"
    e) seems to be Linux + Apache stack that is targeted
  • Re:Ubuntu as well? (Score:5, Insightful)

    by stuntpope ( 19736 ) on Thursday January 24, 2008 @05:55PM (#22173806)
    His main point was insightful. There are two parts to the story - one, Linux servers running Apache have been compromised. Two, these servers are infecting Windows clients through vulnerabilities in those clients. This exploit does not affect non-Windows computers.

    If the current thinking is indeed that the Linux servers were inappropriately accessed through stolen passwords, how is that a security flaw of Linux or Apache? Like he asked, how is using a legitimate password equal to cracking the server?

    On the other hand, turning Windows clients into bots *IS* an example of that software's (and QuickTime's and Yahoo! Messenger's) insecurity and vulnerability!
  • Re:Ubuntu as well? (Score:3, Insightful)

    by Ilgaz ( 86384 ) * on Thursday January 24, 2008 @06:51PM (#22174630) Homepage

    From TFA - "All reports thus far say the compromised servers are running Linux and Apache."

    "And it only affects windows clients. So how is this problem not your typical someone cracked your machine? Oh wait, I smell Microsoft FUD"

    Are you really that illiterate? Just an FYI - Microsoft doesn't make Apache OR Linux. If compromised servers are being used, it is certainly not the type that "only affects windows clients". Duh. Only here would such blatant anti-MS bullshit get modded "Insightful". I took a way more "insightful" shit this morning.
    So, Mac planet is not alone discrediting every single security alert as "FUD" :)

    It seems there are other people who see a story validated by 4 different, independent security companies as FUD. Apache is the planet's number 1 webserver and Linux is the number 1 webserver OS. What else would a blackhat supported by the mafia target? It is not like "I am proving Linux is insecure", it is "I have purchased a previously unknown compromised account list and I am using it to infect millions of MS Windows users running popular but unpatched software, we will make millions from that zombie army".

    I don't get why people get defensive.

  • Re:Ubuntu as well? (Score:3, Insightful)

    by Sillygates ( 967271 ) on Thursday January 24, 2008 @08:10PM (#22175620) Homepage Journal
    on several systems, in a small amount of time?
    In general, these systems probably don't even give users shell access, and even then, password cracking is probably out of the picture. And brute forcing a password over ssh? That's probably troublesome too, it would be hard to get over about 50 attempts/second.

    On the other hand, there are a whole bunch of local vulnerabilities that can be exploited, after a system is compromised. In some cases, a weak php include vulnerability could potentially allow the apache user to execute suid root applications through such vulnerabilities as: https://rhn.redhat.com/cve/CVE-2007-5964.html [redhat.com] on a default configuration of rhel5/fedora5-7.

    Every system has its vulnerabilities.
  • Re:Ubuntu as well? (Score:1, Insightful)

    by Anonymous Coward on Friday January 25, 2008 @03:55AM (#22178854)
    OK, just so we're clear on this, Windows is insecure because Quicktime and Yahoo Messenger have vulnerabilities that allow a remote attacker to run software on the computer?

    Good, just checking.

    dom
  • Re:Ubuntu as well? (Score:3, Insightful)

    by SgtChaireBourne ( 457691 ) on Friday January 25, 2008 @06:44AM (#22179552) Homepage

    If the current thinking is indeed that the Linux servers were inappropriately accessed through stolen passwords, how is that a security flaw of Linux or Apache? Like he asked, how is using a legitimate password equal to cracking the server?

    On the other hand, turning Windows clients into bots *IS* an example of that software's (and QuickTime's and Yahoo! Messenger's) insecurity and vulnerability!
    Using a legitimate password is not equal to cracking the server. But it must be made to look so because the PR firms the M$ movement uses must cast aspersions on Apache and Linux so as to draw attention away from the actual insecure and vulnerable system. Most PHBs never read past the headlines, so this is major spin for the M$ party.
