Mystery Malware Affecting Linux/Apache Web Servers 437

lisah writes "Reports are beginning to surface that some Web servers running Linux and Apache are unwittingly infecting thousands of computers, exploiting vulnerabilities in QuickTime, Yahoo! Messenger, and Windows. One way to tell if your machine is infected is if you're unable to create a directory name beginning with a numeral. Since details are still sketchy, the best advice right now is to take proactive steps to secure your servers. 'We asked the Apache Software Foundation if it had any advice on how to detect the rootkit or cleanse a server when it's found. According to Mark Cox of the Apache security team, "Whilst details are thin as to how the attackers gained root access to the compromised servers, we currently have no evidence that this is due to an unfixed vulnerability in the Apache HTTP Server." We sent a similar query to Red Hat, the largest vendor of Linux, but all its security team could tell us was that "At this point in time we have not had access to any affected machines and therefore cannot give guidance on which tools would reliably detect the rootkit."'"
  • Hummm, no ahah ?! (Score:2, Interesting)

    by DirtyFly ( 765689 ) on Thursday January 24, 2008 @03:56PM (#22171918)
    I do believe that if this story was with IIS it would be tagged ahah :)
  • by ScouseMouse ( 690083 ) on Thursday January 24, 2008 @04:21PM (#22172336) Homepage

    * Don't allow root to ssh into your machine.


    I was most surprised when I found that Redhat (our corporate Linux of choice) appears to allow this as the default. Certainly, the Debian box I use as a home server never used to allow that; however, checking, I see that since I upgraded from Woody, it does allow remote SSH as root. That's worrying.
    We'll have to fix that.
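    As an added illustration of the "don't allow root to ssh in" advice (this is my own example, not code from anyone in the thread or from the OpenSSH project): the Python below reads an sshd_config the way sshd itself does, which is why appending "PermitRootLogin no" to the end of a file that already says "yes" changes nothing. The parser, the two sample configs and the keyword list are all constructed for the example.

```python
"""Audit an sshd_config for remote-root exposure, applying sshd's own
reading rules: keywords are case-insensitive, the FIRST occurrence of a
keyword wins and later duplicates are ignored, and every directive after a
'Match' line is conditional rather than global (so an option appended to
the end of a file that ends in a Match block never becomes global either).
"""


def parse_sshd_config(text):
    """Return (effective_global_directives, shadowed_duplicates).

    effective maps lower-cased keyword -> value as sshd would apply it
    globally; shadowed lists (keyword, value) pairs sshd silently ignores.
    """
    effective = {}
    shadowed = []
    in_match = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):      # sshd only treats whole lines as comments
            continue
        parts = line.split(None, 1)
        if len(parts) == 1 and "=" in parts[0]:   # "Keyword=value" form is also accepted
            parts = parts[0].split("=", 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            in_match = True                       # everything below is conditional
            continue
        if in_match:
            continue
        if key in effective:
            shadowed.append((key, value))         # first occurrence already won
        else:
            effective[key] = value
    return effective, shadowed


def audit_sshd_config(text):
    """Return a list of human-readable findings; an empty list means the
    file explicitly disables remote root and password authentication."""
    effective, shadowed = parse_sshd_config(text)
    findings = []
    root = effective.get("permitrootlogin")
    if root is None:
        findings.append("PermitRootLogin is not set: the compiled-in default decides "
                        "(it was 'yes' on older releases); set it to 'no' explicitly")
    elif root.lower() != "no":
        findings.append(f"PermitRootLogin {root}: root can authenticate remotely; "
                        "set it to 'no' and use su/sudo from an unprivileged account")
    if effective.get("passwordauthentication", "yes").lower() != "no":
        findings.append("PasswordAuthentication is not 'no': the server accepts password "
                        "guessing; prefer public-key authentication")
    for key, value in shadowed:
        findings.append(f"'{key} {value}' appears after an earlier {key} line and is "
                        "ignored by sshd (first occurrence wins)")
    return findings


# Constructed sample: looks hardened at a glance, but root login is still on.
SAMPLE_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
# appended by an admin later; sshd ignores it because of the line above
PermitRootLogin no
Match Address 10.0.0.0/8
    PasswordAuthentication no
"""

# Constructed sample of the intended end state.
HARDENED_SSHD_CONFIG = """\
PermitRootLogin no
PasswordAuthentication no
"""

if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(f"== {name} ==")
        for finding in audit_sshd_config(cfg) or ["no findings"]:
            print("  -", finding)
```

    On a live host, `sshd -T` prints the configuration as sshd actually resolved it, which is the authoritative check; the parser above is for reading a copied file offline.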
  • Re:Funny (Score:2, Interesting)

    by Anonymous Coward on Thursday January 24, 2008 @04:21PM (#22172348)
    Ed,

    Please let me know what the last critical security flaw for IIS was. I'd love to know.

    Also, let me know how many critical security flaws there have been for Apache in the last year or so.

    Thanks!
  • by mandelbr0t ( 1015855 ) on Thursday January 24, 2008 @04:30PM (#22172502) Journal

    Allow me to insert one step before ???

    * Follow-up on your SSH logs. If you see a phishing attack, do something about it!

    That something could be:

    - Report the IP to the owner of the netblock who can be found at ARIN [arin.net]. All netblock owners must have an IP-admin address or an abuse address. Unfortunately, my experience is that most of these go to /dev/null. There are those who actually have responsible NOC staff, and they will act on your complaint if you send them a copy of the relevant logs.

    - Block further network access from that particular netblock at your firewall. I've found this to be a very effective method. Believe it or not, you don't end up blocking the entire Internet; the places that launch such attacks are not very common.

    - Rate-limit SSH access. This works well, but I've locked myself out of my own server!

  • Re:Funny (Score:2, Interesting)

    by plague3106 ( 71849 ) on Thursday January 24, 2008 @04:32PM (#22172538)
    No, not really a good guess. It could be only Apache on a certain distro, with a certain version. Apache runs on Unix as well, so you can rule all those Apache installs out (the article seems to point out Linux, IIRC).

    I agree with your reasoning on the significance of the story.
  • Re:Software sucks. (Score:1, Interesting)

    by Anonymous Coward on Thursday January 24, 2008 @04:42PM (#22172704)
    The market would immediately demand software liability if the users of software became liable for defects themselves. Your server got rooted and sent credit card information to Russia? Pay up. You can get your money back from the guy who wrote your swiss cheese web server.
  • by ls671 ( 1122017 ) on Thursday January 24, 2008 @04:44PM (#22172718) Homepage
    You should also have some process that completely blocks ssh login attempts from a given IP after so many failed login attempts instead of letting the hi-jacker poll your machine for as long as he wishes.
  • I call Bullshit! (Score:2, Interesting)

    by Anonymous Coward on Thursday January 24, 2008 @04:45PM (#22172740)
    FTFA - "The random js toolkit was detected using Finjan's patented real-time code inspection technology while diagnosing users' web traffic during December 2007..."

    This is all just a ploy to bring attention to Finjan for financial gain!
  • by davidwr ( 791652 ) on Thursday January 24, 2008 @04:49PM (#22172796) Homepage Journal
    All your BASE [w3.org] are belong to us.
  • by Anonymous Coward on Thursday January 24, 2008 @04:53PM (#22172858)
    Used to be that smarmy hipsters spoke in leetspeak with tongue firmly in cheek. By the next generation the ironic context was gone completely. We were left with hordes of dumbfucks using leetspeak and legitimately attempting to be cool. b1ff became REAL.

    Now we have the same sort of annoying trend-slave fucks perpetuating the lolcat baby talk meme. I sure can't wait to see how utterly fucked-up and retarded the teenagers of the upcoming generation are going to sound thanks to you worshippers of the unintended consequence.
  • by mi ( 197448 ) <slashdot-2017q4@virtual-estates.net> on Thursday January 24, 2008 @05:08PM (#22173110) Homepage Journal

    * Don't allow root to ssh into your machine.
    Dangerous if you don't have easy physical access to your machine.

    No, it is not. On *BSD family of Operating Systems root can only login on the local console anyway.

    If you screw something up badly, you ssh in as yourself first, and then perform `su' — something, that only members of the wheel-group (gid 0) are allowed to do.

    My FreeBSD machines all run a crude log-watcher [virtual-estates.com], which blocks-out machines, from where root- and similar logins are attempted, immediately.

  • by Anonymous Coward on Thursday January 24, 2008 @05:41PM (#22173592)
    Any idea how to do this? I'm an inexperienced person planning to set up a Debian home server, but these attacks have me paranoid.
  • by Anonymous Coward on Thursday January 24, 2008 @05:45PM (#22173654)
  • Re:Ubuntu as well? (Score:4, Interesting)

    by Skrynesaver ( 994435 ) on Thursday January 24, 2008 @06:30PM (#22174342) Homepage
    There is no more powerful, nor easy to use, (with training), remote control tool for servers than ssh.

    GUIs provide metaphors for users, they have no place in administration.

    </grumpyOldFart>

  • by Gordonjcp ( 186804 ) on Thursday January 24, 2008 @06:31PM (#22174352) Homepage
    The quick and dirty way is to move SSH to a non-standard port. This is a particularly good idea if you've got a bunch of machines behind a NAT firewall anyway, because they can't *all* have port 22.

    I know "security through obscurity" isn't really secure, but it has entirely eliminated attempts to crack the root password on all the servers I run.
  • by whitehatlurker ( 867714 ) on Thursday January 24, 2008 @08:58PM (#22176112) Journal
    they can't find any evidence of hacking

    \begin{snarky}
    I'm surprised some of these "admins" can find their servers, let alone moderately well hidden rootkits.
    \end{snarky}

    Many system administrators do not have a deep background in *nix security. If they can install a Linux box, they're apparently qualified. There are many admins who are extremely competent in security matters, but I have not seen anything coming from those people. (Perhaps they weren't infected?) So, I have not heard (read) of anything from anyone describing a good analysis of an infected machine. The best so far is the cPanel note [cpanel.net]. There they do mention that "[i]t is common to see a short but successful root login via ssh 5-10 minutes before the compromise occurs" which in my mind is already a compromise.
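    Several posters above describe the same control from different angles: mandelbr0t's "follow up on your SSH logs, then block the netblock", ls671's "cut off an IP after so many failures", mi's log-watcher that blocks any host attempting a root login, and the cPanel observation quoted here that a short successful root login via ssh preceded the compromise. The Python below is an added example of that log-watcher logic, written by me and not taken from any poster or from cPanel: it parses constructed auth-log lines in OpenSSH's syslog format, counts failures per source, treats any root attempt (failed or accepted) as a red flag, and renders firewall rules for review. The failure threshold, the sample log lines and the /24 approximation of "the netblock" are all assumptions.

```python
"""Minimal SSH auth-log watcher: who is guessing, who touched root, and
what to block.  Rules are rendered as strings for a human to review; the
script never executes them."""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass, field

# OpenSSH authentication result lines as they appear in syslog/auth.log.
AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


@dataclass
class SshAuthReport:
    failures_by_ip: Counter = field(default_factory=Counter)
    root_attempts_by_ip: Counter = field(default_factory=Counter)  # failed or accepted
    accepted_root: list = field(default_factory=list)   # (ip, method): should never happen
    accepted_other: list = field(default_factory=list)  # (user, ip): normal logins


def analyse_auth_log(lines):
    """Walk log lines and tally per-source failures, root attempts and logins."""
    report = SshAuthReport()
    for line in lines:
        m = AUTH_RE.search(line)
        if not m:                      # session/pam noise and unrelated lines
            continue
        ip, user, result = m["ip"], m["user"], m["result"]
        if user == "root":
            report.root_attempts_by_ip[ip] += 1
        if result == "Failed":
            report.failures_by_ip[ip] += 1
        elif user == "root":
            report.accepted_root.append((ip, m["method"]))
        else:
            report.accepted_other.append((user, ip))
    return report


def block_candidates(report, max_failures=5):
    """Sources to cut off: anyone who tried root at all (mi's rule) or who
    spent the failure budget (ls671's rule).  Threshold is an assumption."""
    ips = set(report.root_attempts_by_ip)
    ips.update(ip for ip, n in report.failures_by_ip.items() if n >= max_failures)
    return sorted(ips, key=ipaddress.ip_address)


def firewall_rules(ips, whole_netblock=False):
    """Render iptables DROP rules for port 22.  whole_netblock=True
    approximates 'the netblock' with the enclosing IPv4 /24; the real
    allocation boundary has to be looked up at the RIR (ARIN, RIPE, ...)."""
    rules = []
    for ip in ips:
        target = str(ipaddress.ip_network(f"{ip}/24", strict=False)) if whole_netblock else ip
        rules.append(f"iptables -I INPUT -s {target} -p tcp --dport 22 -j DROP")
    return rules


# Constructed sample log (documentation IP ranges, not real hosts).
SAMPLE_AUTH_LOG = """\
Jan 24 15:01:02 web1 sshd[4321]: Failed password for root from 203.0.113.7 port 51234 ssh2
Jan 24 15:01:05 web1 sshd[4321]: Failed password for root from 203.0.113.7 port 51235 ssh2
Jan 24 15:01:09 web1 sshd[4323]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Jan 24 15:02:00 web1 sshd[4330]: Failed password for invalid user oracle from 198.51.100.20 port 4422 ssh2
Jan 24 15:02:04 web1 sshd[4331]: Failed password for invalid user test from 198.51.100.20 port 4423 ssh2
Jan 24 15:03:11 web1 sshd[4350]: Accepted password for root from 203.0.113.7 port 51290 ssh2
Jan 24 15:10:45 web1 sshd[4400]: Accepted publickey for alice from 192.0.2.10 port 40000 ssh2
Jan 24 15:11:00 web1 sshd[4400]: pam_unix(sshd:session): session opened for user alice by (uid=0)
""".splitlines()

if __name__ == "__main__":
    report = analyse_auth_log(SAMPLE_AUTH_LOG)
    for ip, method in report.accepted_root:
        print(f"ALERT: root logged in via {method} from {ip}; treat the host as compromised")
    for ip, n in report.failures_by_ip.most_common():
        print(f"{ip}: {n} failed attempts, {report.root_attempts_by_ip[ip]} aimed at root")
    for rule in firewall_rules(block_candidates(report), whole_netblock=True):
        print("review:", rule)
```

    The point the cPanel note makes survives in the output: a single accepted root login is reported as an alert regardless of how many failures preceded it, because on a server where root should only ever `su` from a personal account, that line is the compromise, not a warning sign of one.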

  • Re:Ubuntu as well? (Score:2, Interesting)

    by schmutze ( 205465 ) on Friday January 25, 2008 @04:05AM (#22178898) Homepage
    Linux desktop users most certainly can be infected with this rootkit. We've seen 4 machines with it so far- 1 server and 3 desktops. The Apache webserver may be being used to infect windows clients with malware, but it is not the point of entry for the rootkit installation.
  • Re:Ubuntu as well? (Score:2, Interesting)

    by WWWWolf ( 2428 ) <wwwwolf@iki.fi> on Friday January 25, 2008 @06:47AM (#22179566) Homepage

    There is no more powerful, nor easy to use, (with training), remote control tool for servers than ssh. GUIs provide metaphors for users, they have no place in administration.

    While SSH allows for direct neural link that allows the computer to do exactly what you think, thus bypassing the metaphors and concepts entirely? Man, I thought SSH didn't do that by default, at least not on my Linux systems; it just provided a secure connection to whatever user interface the system provided. So, where can I download DO-WHAT-I-MEAN-OSIX 2.0? =)

    Command lines are a metaphor. Yes, incidentally well suited for system administration, but a metaphor nevertheless. =)
