
Malware Attack Infected 25,000 Linux/UNIX Servers

Posted by Soulskill
from the sudo-configure-your-stuff-properly dept.
wiredmikey writes "Security researchers from ESET have uncovered a widespread attack campaign that has infected more than 25,000 Linux and UNIX servers around the world. The servers are being hijacked by a backdoor Trojan as part of a campaign the researchers are calling 'Operation Windigo.' Once infected, victimized systems are leveraged to steal credentials, redirect web traffic to malicious sites and send as many as 35 million spam messages a day. 'Windigo has been gathering strength, largely unnoticed by the security community, for more than two and a half years and currently has 10,000 servers under its control,' said Pierre-Marc Bureau, security intelligence program manager at ESET, in a statement.

There are many misconceptions around Linux security, and attacks are not something only Windows users need to worry about. The main threats facing Linux systems aren't zero-day vulnerabilities or malware, but things such as Trojanized applications, PHP backdoors, and malicious login attempts over SSH. ESET recommends webmasters and system administrators check their systems to see if they are compromised, and has published a detailed report presenting the findings and instructions on how to remove the malicious code if it is present."
  • by whoever57 (658626) on Tuesday March 18, 2014 @09:43PM (#46521271) Journal
    The report only mentions in passing how the servers are compromised, which is that the operators of the botnet use credentials that have already been stolen to "infect" new machines. I personally think it likely that brute force attacks against ssh passwords are also used.

    The summary states:

    The servers are being hijacked by a backdoor Trojan

    but I think this is an inaccurate summary since the Trojan is being installed on machines where the attackers already have root credentials.

    Perhaps some unknown vulnerability is also being used to gain root access, but the report does not claim this.

  • Re:Who'da thunk (Score:4, Interesting)

    by dbIII (701233) on Tuesday March 18, 2014 @11:30PM (#46521697)
    I found out close to ten years ago that a weak password on any account on an internet-facing machine that had been modified by an idiot for his own convenience is a bad idea on a machine with ssh access (lots of "chmod 777", including in /etc, is a sign of an idiot loose on a Linux system). A workaround is to make sure that ssh access is limited to only those users that actually use it.
    It's something to watch out for with IPv6 and all of us getting internet-facing machines again - a firewall on the router is not enough to protect us from traffic on ports we want to pass through (unless we want to stop all incoming ssh or redirect it to the router - good in some circumstances, but what if someone wants to log directly into their box while travelling?).
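The two points raised in this thread, password guessing over SSH and restricting SSH to the accounts that actually need it, come down to a handful of sshd_config directives, and a common mistake is appending a hardening line after an earlier permissive one, which sshd silently ignores because it keeps the first value it reads for each keyword. The checker below is an added example written for this page, not code from ESET or the commenters; the sample configs are constructed, and the directive names (PermitRootLogin, PasswordAuthentication, AllowUsers, AllowGroups, MaxAuthTries, Match) are the real OpenSSH keywords.

```python
"""Audit an sshd_config for the hardening points discussed in the thread.

sshd uses the FIRST value it reads for each keyword, so this checker mirrors
that rule and stops at the first Match block, whose settings are conditional
and need separate review.
"""
import re

# Sample sshd_config fragments (constructed for this example, not real hosts).
WEAK_CONFIG = """\
# defaults left in place, plus a convenience tweak
PermitRootLogin yes
PasswordAuthentication yes
# hardening appended later; sshd ignores this duplicate keyword
PasswordAuthentication no
"""

HARDENED_CONFIG = """\
PermitRootLogin no
PasswordAuthentication no
AllowUsers deploy backup
MaxAuthTries 3
Match Address 10.0.0.0/8
    PasswordAuthentication yes
"""

def effective_settings(config_text):
    """Return {keyword: value} as sshd resolves it for the global section."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # "Key value" or "Key=value"
        key = parts[0].lower()                   # keywords are case-insensitive
        if key == "match":                       # conditional block: global scope ends
            break
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(key, value)          # first occurrence wins
    return settings

def audit(config_text):
    """Return a list of findings; an empty list means every check passed."""
    s = effective_settings(config_text)
    findings = []
    root = s.get("permitrootlogin")
    if root is None or root.lower() == "yes":
        findings.append("PermitRootLogin missing or yes: set it explicitly to no")
    if s.get("passwordauthentication", "yes").lower() != "no":
        findings.append("PasswordAuthentication enabled: SSH password guessing stays possible")
    if "allowusers" not in s and "allowgroups" not in s:
        findings.append("No AllowUsers/AllowGroups: every local account is an SSH login target")
    if int(s.get("maxauthtries", "6")) > 3:      # 6 is the OpenSSH default
        findings.append("MaxAuthTries above 3: more guesses per connection than needed")
    return findings
```

On a live host, compare the result against `sshd -T`, which prints the configuration sshd actually applies.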
