Mystery Malware Affecting Linux/Apache Web Servers
lisah writes "Reports are beginning to surface that some Web servers running Linux and Apache are unwittingly infecting thousands of computers, exploiting vulnerabilities in QuickTime, Yahoo! Messenger, and Windows. One way to tell if your machine is infected is if you're unable to create a directory name beginning with a numeral. Since details are still sketchy, the best advice right now is to take proactive steps to secure your servers. 'We asked the Apache Software Foundation if it had any advice on how to detect the rootkit or cleanse a server when it's found. According to Mark Cox of the Apache security team, "Whilst details are thin as to how the attackers gained root access to the compromised servers, we currently have no evidence that this is due to an unfixed vulnerability in the Apache HTTP Server." We sent a similar query to Red Hat, the largest vendor of Linux, but all its security team could tell us was that "At this point in time we have not had access to any affected machines and therefore cannot give guidance on which tools would reliably detect the rootkit."'"
Re:ssh + bad password (Score:3, Interesting)
I was most surprised when I found that Redhat (our corporate Linux of choice) appears to allow this as the default. Certainly, the Debian box I use as a home server never used to allow that; however, checking, I see that since I upgraded from Woody, it does allow remote SSH as root. That's worrying.
We'll have to fix that.
Re:Funny (Score:2, Interesting)
Please let me know what the last critical security flaw for IIS was. I'd love to know.
Also, let me know how many critical security flaws there have been for Apache in the last year or so.
Thanks!
Re:ssh + bad password (Score:3, Interesting)
Allow me to insert one step before ???
* Follow up on your SSH logs. If you see a phishing attack, do something about it!
That something could be:
- Report the IP to the owner of the netblock who can be found at ARIN [arin.net]. All netblock owners must have an IP-admin address or an abuse address. Unfortunately, my experience is that most of these go to /dev/null. There are those who actually have responsible NOC staff, and they will act on your complaint if you send them a copy of the relevant logs.
- Block further network access from that particular netblock at your firewall. I've found this to be a very effective method. Believe it or not, you don't end up blocking the entire Internet; the places that launch such attacks are not very common.
- Rate-limit SSH access. This works well, but I've locked myself out of my own server!
Re:Funny (Score:2, Interesting)
I agree with your reasoning on the significance of the story.
I call Bullshit! (Score:2, Interesting)
This is all just a ploy to bring attention to Finjan for financial gain!
Is Idiocracy coming true? (Score:0, Interesting)
Now we have the same sort of annoying trend-slave fucks perpetuating the lolcat baby talk meme. I sure can't wait to see how utterly fucked-up and retarded the teenagers of the upcoming generation are going to sound thanks to you worshippers of the unintended consequence.
Re:ssh + bad password (Score:3, Interesting)
No, it is not. On the *BSD family of operating systems, root can only log in on the local console anyway.
If you screw something up badly, you ssh in as yourself first and then perform `su', something that only members of the wheel group (gid 0) are allowed to do.
My FreeBSD machines all run a crude log-watcher [virtual-estates.com], which immediately blocks out machines from which root and similar logins are attempted.
Re:Ubuntu as well? (Score:4, Interesting)
GUIs provide metaphors for users, they have no place in administration.
</grumpyOldFart>
Re:ssh + bad password (Score:3, Interesting)
I know "security through obscurity" isn't really secure, but it has entirely eliminated attempts to crack the root password on all the servers I run.
Re:I'm not sure I buy it (Score:3, Interesting)
\begin{snarky}
I'm surprised some of these "admins" can find their servers, let alone moderately well hidden rootkits.
\end{snarky}
Many system administrators do not have a deep background in *nix security. If they can install a Linux box, they're apparently qualified. There are many admins who are extremely competent in security matters, but I have not seen anything coming from those people. (Perhaps they weren't infected?) So, I have not heard (read) of anything from anyone describing a good analysis of an infected machine. The best so far is the cPanel note [cpanel.net]. There they do mention that "[i]t is common to see a short but successful root login via ssh 5-10 minutes before the compromise occurs" which in my mind is already a compromise.
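The three things the thread keeps coming back to are following up on the sshd log, blocking the sources of password guessing at the firewall (the "crude log-watcher" above), and the cPanel observation that a short successful root login precedes the compromise. The Python below is an added example written for this page, not code from any poster, cPanel, Red Hat or the Apache project: it parses a handful of constructed OpenSSH syslog lines (the "Failed password for ... from ..." and "Accepted ... for ... from ..." formats sshd writes), counts failures per source address, flags every accepted root login, singles out root logins that came from an address which had just been guessing passwords, renders per-host iptables drop rules as strings, and audits an sshd_config fragment for the two settings discussed here (PermitRootLogin and PasswordAuthentication). The sample log lines, the two config fragments, the failure threshold of 3, the assumption that sshd listens on port 22, and the treatment of an unset option as "yes" (the OpenSSH default of that era) are all assumptions of the example; nothing here executes a firewall command.

```python
import re
from collections import defaultdict

# Constructed sample sshd log lines (syslog format); not taken from any real host.
SAMPLE_AUTH_LOG = """\
Jan 21 03:14:05 web1 sshd[2231]: Failed password for root from 203.0.113.7 port 40122 ssh2
Jan 21 03:14:07 web1 sshd[2233]: Failed password for root from 203.0.113.7 port 40130 ssh2
Jan 21 03:14:09 web1 sshd[2235]: Failed password for invalid user admin from 203.0.113.7 port 40141 ssh2
Jan 21 03:14:12 web1 sshd[2237]: Failed password for root from 203.0.113.7 port 40150 ssh2
Jan 21 03:14:15 web1 sshd[2239]: Failed password for root from 203.0.113.7 port 40158 ssh2
Jan 21 03:14:18 web1 sshd[2241]: Accepted password for root from 203.0.113.7 port 40166 ssh2
Jan 21 03:20:41 web1 sshd[2290]: Accepted publickey for alice from 198.51.100.12 port 51000 ssh2
Jan 21 03:21:02 web1 sshd[2301]: Failed password for bob from 198.51.100.12 port 51011 ssh2
"""

# Message formats written by OpenSSH's sshd for failed and successful authentication.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed (\S+) for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port")


def analyse(log_text, fail_threshold=3):
    """Count failed logins per source IP, record every accepted root login,
    and return the IPs to block plus the root logins that look brute-forced."""
    failures = defaultdict(int)
    root_logins = []          # (ip, auth method, timestamp) per accepted root login
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            _method, _user, ip = m.groups()
            failures[ip] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            method, user, ip = m.groups()
            if user == "root":
                root_logins.append((ip, method, line[:15]))
    block = sorted(ip for ip, n in failures.items() if n >= fail_threshold)
    # A root login from an address that was just guessing passwords is the
    # "short but successful root login" pattern: treat the host as compromised.
    brute_forced = sorted({ip for ip, _m, _t in root_logins
                           if failures.get(ip, 0) >= fail_threshold})
    return {"block": block, "failures": dict(failures),
            "root_logins": root_logins, "brute_forced": brute_forced}


def firewall_rules(block_list, port=22):
    """Render per-host drop rules in Linux iptables syntax; nothing is executed here."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport {port} -j DROP" for ip in block_list]


# Assumed sshd_config fragments: the weak default-style one beside a hardened one.
SSHD_CONFIG_WEAK = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

SSHD_CONFIG_HARDENED = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowGroups wheel
"""


def audit_sshd_config(text):
    """Flag the two sshd_config settings behind this thread. An unset option is
    treated as 'yes', the OpenSSH default of this era (an assumption)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings[parts[0].lower()] = parts[1].strip().lower()
    findings = []
    if settings.get("permitrootlogin", "yes") not in ("no", "without-password", "prohibit-password"):
        findings.append("PermitRootLogin: set to 'no'; ssh in unprivileged and su/sudo")
    if settings.get("passwordauthentication", "yes") != "no":
        findings.append("PasswordAuthentication: set to 'no' and use keys")
    return findings


if __name__ == "__main__":
    result = analyse(SAMPLE_AUTH_LOG)
    for ip, n in result["failures"].items():
        print(f"{ip}: {n} failed logins")
    for rule in firewall_rules(result["block"]):
        print(rule)
    for ip, method, ts in result["root_logins"]:
        print(f"root login via {method} from {ip} at {ts}")
    print("root logins that followed password guessing:", result["brute_forced"])
    print("weak config findings:", audit_sshd_config(SSHD_CONFIG_WEAK))
    print("hardened config findings:", audit_sshd_config(SSHD_CONFIG_HARDENED))
```

On the constructed log, 203.0.113.7 accrues five failures and is then accepted as root, so it lands in both the block list and the brute-forced list, while alice's key login from 198.51.100.12 is left alone. The firewall rules are per host; blocking the whole netblock, as the comment above suggests, would replace the address with a CIDR prefix in the same rule. The same analysis applied to the weak config produces two findings and to the hardened one none.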
While SSH allows for direct neural link that allows the computer to do exactly what you think, thus bypassing the metaphors and concepts entirely? Man, I thought SSH didn't do that by default, at least not on my Linux systems; it just provided a secure connection to whatever user interface the system provided. So, where can I download DO-WHAT-I-MEAN-OSIX 2.0? =)
Command lines are a metaphor. Yes, incidentally well suited for system administration, but a metaphor nevertheless. =)