Forgot your password?
typodupeerror
Security The Internet Unix Linux

Malware Attack Infected 25,000 Linux/UNIX Servers 220

Posted by Soulskill
from the sudo-configure-your-stuff-properly dept.
wiredmikey writes "Security researchers from ESET have uncovered a widespread attack campaign that has infected more than 25,000 Linux and UNIX servers around the world. The servers are being hijacked by a backdoor Trojan as part of a campaign the researchers are calling 'Operation Windigo.' Once infected, victimized systems are leveraged to steal credentials, redirected web traffic to malicious sites and send as many as 35 million spam messages a day. 'Windigo has been gathering strength, largely unnoticed by the security community, for more than two and a half years and currently has 10,000 servers under its control,' said Pierre-Marc Bureau, security intelligence program manager at ESET, in a statement.

There are many misconceptions around Linux security, and attacks are not something only Windows users need to worry about. The main threats facing Linux systems aren't zero-day vulnerabilities or malware, but things such as Trojanized applications, PHP backdoors, and malicious login attempts over SSH. ESET recommends webmasters and system administrators check their systems to see if they are compromised, and has published a detailed report presenting the findings and instructions on how to remove the malicious code if it is present."
This discussion has been archived. No new comments can be posted.

Malware Attack Infected 25,000 Linux/UNIX Servers

Comments Filter:
  • Who'da thunk (Score:5, Insightful)

    by sgt scrub (869860) <saintium@yaHORSEhoo.com minus herbivore> on Tuesday March 18, 2014 @08:17PM (#46520811)

    A weak root password and public facing root SSH access is bad?

    Managing a Linux box with a publicly facing web based interface bad?

    Installing untested web based applications released as freeware with no idea what the code does is bad?

  • by MouseTheLuckyDog (2752443) on Tuesday March 18, 2014 @08:55PM (#46521019)

    The best locks in world, which Linux does come with, do not help if the door is left unlocked.
    Microsoft OTOH has no doors.

    The biggest threat to linux in the last five years has not been the architecture of linux, but the willingness of programmers, in particular weak programmers from the WIndows world coming over and applying the same philiosophies to linux development.

  • by pla (258480) on Tuesday March 18, 2014 @09:47PM (#46521291) Journal
    I have (grudgingly) admin'ed such a server, and will readily admit it as a form of public shaming (though not of myself, as you'll soon learn).

    As TFS points out, the attackers didn't use a zero-day exploit. They didn't use an unpatched old exploit. They didn't even use the fact that huge "trusted" swaths of the filesystem, including standard executable paths (such as /usr/local/bin) had both the directory and everything contained within world-writable (no, I didn't have the option of fixing that - it would have broken "features" of the reason this box existed, as I'll soon explain).

    This system ran a fairly popular POS software suite, and absolutely depended on all its serious security flaws. The vendor had even installed what amount to pre-compromised binaries for "convenience" in diagnosing end-user problems (connect to the right port, bam, you can monitor any user's session). But even that egregious level of incompetence didn't cause the breach.

    No, the breach came from the fact that the vendor had their own company name as the root password (and had it hard-coded in literally dozens of (world-readable) scripts, so I couldn't just change it). And did I mention, the vendor required this box have a publicly facing IP or they'd refuse to honor their SLA?

    Needless to say, my first action on learning all this, I blocked it at the firewall and told the vendor that we'd let them in when, and only when, we needed assistance. That, amazingly, enough kept the box safe for about a year (and floored me that we hadn't gone down long before I got stuck with that albatross)...

    Until an upgrade. Took a total of half an hour. Didn't matter, because we had someone in as root in a tenth that time.


    But, distant past. Couldn't happen again, and no other vendor would ever have such an extreme level of cluelessness, right?

    So, currently, I work with (but thank Zeus, don't have to administer) a CRM system by an entirely different vendor, running on an outdated Linux distro. Pretty much everything I just said applies to this box. But hey the firewall keeps it safe, except the once-a-year the vendor demands access to audit our license compliance...


    So yeah, Linux systems get hacked - For reasons that wouldn't protect the otherwise-most-secure system on the planet. You want to make it stop? Tell your vendors to go fuck themselves when they rationalize having a weak root password, and piss-poor system-wide security, and ban patching known vulnerabilities because it "might" break something the vendor used. Really that simple.
  • by Baloroth (2370816) on Tuesday March 18, 2014 @10:58PM (#46521551)

    4) Passwords are short, intended to be remembered and typed. Asymmetric keys are long, meant to be transported as files (or certificate blobs). The former is vastly easier to brute force (an extremely strong password might take weeks on typical commodity hardware but most would only take minutes)

    This bit is false, an extremely strong password still cannot be brute forced (once you get over ~10 characters long, even an Amazon E3 instance [arstechnica.com] starts taking unrealistic times to brute force it). Most password cracking, even GPU powered, relies on passwords being either short or sufficiently non-random.

  • by dbIII (701233) on Tuesday March 18, 2014 @11:38PM (#46521749)

    having programmed in VB for the last 8 years doing kernel level programming

    Obvious red flag showing no clue about the topic - it's just buzzword bingo throwing impressive sounding verbage around with a lack of understanding.

    If it was a fanboy they really need to lift their game if they want to avoid other fanboys laughing at them.
    If it was some "media studies" person acting as a paid social media shill then whoever paid them got ripped off.

  • by benjymouse (756774) on Wednesday March 19, 2014 @02:32AM (#46522335)

    The best locks in world, which Linux does come with, do not help if the door is left unlocked.
    Microsoft OTOH has no doors.

    The biggest threat to linux in the last five years has not been the architecture of linux

    The biggest threat to Linux security is the number smug, amateurish Linux admins who believe they are all safe because their tribal platform is blessed with magic fairy dust that makes vulnerabilities un-possible.

    On the architectural level, the biggest threat to Linux is the outdated security model inherited from the 1970 where saving a few bytes at the expense of better layered security was all the rage. This is exemplified by:
    * The woefully outdated permission model where proper ACLs had to be bolted on, and to this day competes with and confuses security planning and auditing (Windows NT had ACLs from the start).
    * The fact that only the file system objects were considered for access control. (In Windows the security model extends to all objects: Threads, processes, synchronization objects (locks, semaphores), sockets/ports etc)
    * Security tokens do not exist. Instead of granular tokens you have to use "effective users" - breaking the Least Privilege Pinciple (Windows NT was designed with granular process tokens from the start).

    When creating a new IIS in Windows, the site is automatically set up with the most restrictive isolation. You do not even have to create a user for the site to run under - the security model already knows about identities and each site gets it own identity which must be explicitly granted permissions to read the file system.

    but the willingness of programmers, in particular weak programmers from the WIndows world coming over and applying the same philiosophies to linux development.

    That's rich. The absolutely most security-ignorant ecosystem is the LAMP community. PHP with it's abysmal security record is the worst language *ever*.

Work without a vision is slavery, Vision without work is a pipe dream, But vision with work is the hope of the world.

Working...