Security Botnet Linux

Akamai Warns: Linux Systems Infiltrated and Controlled In a DDoS Botnet

An anonymous reader writes Akamai Technologies is alerting enterprises to a high-risk threat of IptabLes and IptabLex infections on Linux systems. Malicious actors may use infected Linux systems to launch DDoS attacks against the entertainment industry and other verticals. The mass infestation of IptabLes and IptabLex seems to have been driven by a large number of Linux-based web servers being compromised, mainly by exploits of Apache Struts, Tomcat and Elasticsearch vulnerabilities. Attackers have used the Linux vulnerabilities on unmaintained servers to gain access, escalate privileges to allow remote control of the machine, and then drop malicious code into the system and run it. As a result, a system could then be controlled remotely as part of a DDoS botnet. The full advisory is available for download only with registration, but the (Akamai-owned) Prolexic page to do so is quite detailed.
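The malware names in the summary (IptabLes, IptabLex) mimic the legitimate iptables tool, so one practical check on a suspect host is to compare what is actually running against where the packaged binaries live. The script below is an added example written for this page; it is not code from Akamai's advisory or from the Prolexic page. The process listing is constructed sample data, the trusted paths are an assumed typical Linux layout (on a real host take them from `rpm -ql iptables` or `dpkg -L iptables`), and the /boot and /tmp locations in the sample are assumptions used only to exercise the checks, not indicators taken from the advisory.

```python
"""Flag running processes whose name mimics a trusted tool but whose binary does
not come from the package-owned path, plus binaries running from odd places.
Added example for this page; sample data below is constructed, not real IOCs."""
from dataclasses import dataclass

# Assumption: where the packaged copies live on a typical Linux host.
# On a live system replace this with `rpm -ql iptables` / `dpkg -L iptables`.
TRUSTED_BINARIES = {
    "iptables": {"/sbin/iptables", "/usr/sbin/iptables"},
    "iptables-restore": {"/sbin/iptables-restore", "/usr/sbin/iptables-restore"},
}

# Directories a legitimate system daemon should never execute from.
ODD_DIRS = ("/boot/", "/tmp/", "/var/tmp/", "/dev/shm/")

# Constructed sample in the shape of `ps -eo pid,comm,args --no-headers`.
SAMPLE_PS = """\
    1 systemd          /usr/lib/systemd/systemd --system
  812 sshd             /usr/sbin/sshd -D
  915 iptables         /sbin/iptables -L
 2201 .IptabLes        /boot/.IptabLes
 2202 .IptabLex        /boot/.IptabLex
 2310 httpd            /tmp/.x/httpd
"""


@dataclass(frozen=True)
class Finding:
    pid: int
    comm: str
    exe: str
    reason: str


def parse_ps(text):
    """Turn ps-style lines into (pid, comm, exe); exe is the first token of args."""
    rows = []
    for line in text.strip().splitlines():
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue
        pid, comm, args = parts
        rows.append((int(pid), comm, args.split()[0]))
    return rows


def _one_char_off(a, b):
    """True when a and b have equal length and differ in exactly one position."""
    return a != b and len(a) == len(b) and sum(x != y for x, y in zip(a, b)) == 1


def suspicious(rows, trusted=TRUSTED_BINARIES, odd_dirs=ODD_DIRS):
    """Return Findings for lookalike names, untrusted paths and odd locations."""
    findings = []
    for pid, comm, exe in rows:
        base = exe.rsplit("/", 1)[-1]
        name = base.lstrip(".").lower()          # .IptabLes -> iptables
        if name in trusted and exe not in trusted[name]:
            findings.append(Finding(pid, comm, exe, "trusted name, untrusted path"))
            continue
        lookalike = next((t for t in trusted if _one_char_off(name, t)), None)
        if lookalike:
            findings.append(Finding(pid, comm, exe, f"lookalike of {lookalike}"))
        elif exe.startswith(odd_dirs) or base.startswith("."):
            findings.append(Finding(pid, comm, exe, "runs from odd location or hidden file"))
    return findings


if __name__ == "__main__":
    for finding in suspicious(parse_ps(SAMPLE_PS)):
        print(finding)
```

The name check deliberately strips a leading dot and ignores case, since a dropped binary that wants to pass as iptables in a process listing has every reason to hide as a dotfile; the one-character-off test catches the IptabLex spelling without needing a fixed list of variants. Pair this with `rpm -V` or `debsums` to confirm that the trusted copies themselves have not been replaced.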
  • by VGPowerlord ( 621254 ) on Wednesday September 03, 2014 @12:34PM (#47817631)

    So, to remove this do I just have to do this?
    sudo rm -r /sbin/iptables

  • Oh yes, I am familiar with this iptables malware. I once had a machine running using ipchains, but iptables somehow made its way on to my machine and pretty much just killed ipchains functionality. I could not get it working again no matter how hard I tried. In case it modified my kernel, I even downloaded the latest from kernel.org (2.4.x) and compiled a new one, but to no avail.

    I gave up and went to Windows.

  • CVEs or it doesn't exist.

    Any /. article that talks about security vulnerabilities or exploits and does not reference the relevant CVEs in the summary is a worthless piece of shit.

  • JAVA (Score:4, Informative)

    by HornyBastard ( 666805 ) on Wednesday September 03, 2014 @01:04PM (#47817951)
    From TFA.
    "Attackers have exploited Linux servers that run unpatched versions of Apache Struts and Tomcat with vulnerabilities"

    Apache Struts, Tomcat, and elasticsearch (mentioned in the summary) are all written in java.
    To me, that indicates a JAVA vulnerability, not a Linux vulnerability.

    • To me, that indicates a JAVA vulnerability, not a Linux vulnerability.

      Right. Just like Nigerian 419 scams are conducted in English, so English is a vulnerability.

      • > To me, that indicates a JAVA vulnerability, not a Linux vulnerability.

        Right. Just like Nigerian 419 scams are conducted in English, so English is a vulnerability.

        Interesting parallel - both 419 and this vulnerability stem from people who fail to utilize the absolute minimum of self-protection mechanisms.

        And the attackers in both cases deliberately exploit these low-hanging fruits of incompetence. It's a good economic strategy - why pick the high fruit when you don't have to?

        Of course, our worries stem

    • The applications you mention are all Open Source, which people on here keep insisting are secure.

      • Re:JAVA (Score:4, Insightful)

        by c0d3g33k ( 102699 ) on Wednesday September 03, 2014 @04:12PM (#47819887)

        The applications you mention are all Open Source, which people on here keep insisting are secure.

        Nope. This is a varied community, so people here believe lots of things, but probably not as many believe this simplistic view as you think.

        FLOSS applications have the *potential* to be more secure than proprietary/closed source. They also have the potential to become more secure over time if the community/contributors have more resources available to fix security problems than a proprietary vendor. Most importantly, FLOSS applications can be scanned by anyone for bugs and security problems, and fixed by anyone. Those activities are limited for proprietary code to those who have access to it and allowed (by privilege or managerial decree) to fix it or even publicise that there's a problem in the first place.

        Depending on the situation (skillset of the development team, size of the team, interest in maintaining and fixing the code), this can either lead to a particular piece of FLOSS or proprietary code being more secure. *In general*, it seems that FLOSS code tends to be more secure because greater resources can be brought to bear, particularly over time as proprietary vendors stop supporting code for older products and move their teams on to something new (gotta keep paying the bills). In some cases that doesn't hold true and proprietary code is more secure.

    • by robmv ( 855035 )

      Should Linux kernel privilege escalation bugs be called a C vulnerability? No, those are bugs in code that uses a particular language. If you said that the bug was found in the embedded XML parser or any other library that is part of the Java Runtime, I would say yes, but this time no.

      • by HiThere ( 15173 )

        More to the point, they use particular packages written in that language.

        A Linux kernel privilege escalation bug is a Linux bug. It's only a C bug if it depends on a violation of the C language standard. C misfeatures aren't bugs, but they sure make me cautious when I use it. In particular, one C misfeature is that it's impossible to check the length of an array at run time. In any lengthy piece of code I get quite paranoid about that. But if I make a mistake it's a bug in my code. In C it's only a mi

    • by smartr ( 1035324 )

      Nope... A vulnerability in a library is not a vulnerability in the underlying programming language. Just because the JRE *is* an execution environment, does not mean that the execution environment being run by a malicious user is a vulnerability in the JRE. That's like saying, there's a vulnerability in C, because Flash is written in C and there's a Flash vulnerability. The point is there is a **critical** vulnerability in older versions of the Struts library, which is used to escalate privileges to the JRE

    • From TFA. "Attackers have exploited Linux servers that run unpatched versions of Apache Struts and Tomcat with vulnerabilities" Apache Struts, Tomcat, and elasticsearch (mentioned in the summary) are all written in java. To me, that indicates a JAVA vulnerability, not a Linux vulnerability.

      Uh, no. It would be Struts/Tomcat architectural vulnerabilities. Not that various versions of the Java Runtime haven't had vulnerabilities, but in these particular cases the vulnerabilities were within the software systems, not in the language they were written in or the runtime that hosted them.

    • Apache Struts, Tomcat, and elasticsearch (mentioned in the summary) are all written in java.
      To me, that indicates a JAVA vulnerability, not a Linux vulnerability.

      Or more likely a bug in an Apache Commons library they all use.

      eg Struts is from Apache, Tomcat is from Apache, Elasticsearch is based on Lucene which is also from Apache.

  • "... may use infected Linux systems to launch DDoS attacks against the entertainment industry... " Seriously? That's our worry? Or whom are you trying to scare?
  • If the administrator deliberately activates software known to make a system (Linux, Windows, ...) vulnerable to compromise, that is NOT a compromised server, it is a honeypot. If you make a honeypot, you must mitigate any damage it may cause outside your domain.

    Sue the admins of those systems into getting a job compatible with their IT skills (probably involving a toilet brush).

  • Attackers have used the Linux vulnerabilities on unmaintained servers to gain access, escalate privileges to allow remote control of the machine

    Holy misleading headline, Batman! Any server that's not maintained is vulnerable, how is this news other than it's a Linux server botnet? OMG unpatched servers are vulnerable to hackers!

  • This underlines an important point I made previously, that part of the problem here is C/C++ and its manual memory management. Ruby, Perl and Python eliminate a whole class of programming errors by doing memory management automatically, making it easier to develop secure applications. People laugh when you say the web browser should be written in Perl, as the web server should be, but its true. The result would be a safer, and even a faster system because a Perl program would lack as many memory leaks and t

    • by HiThere ( 15173 )

      Since the problem appears to lie in Java libraries, I don't understand your argument at all.

  • I find it interesting that Akamai is complaining about server vulnerabilities, when something like 30% of all the alarms on our IPS are set off by hosts they control.

  • Malicious actors may use infected Linux systems to launch DDoS attacks against the entertainment industry and other verticals

    Whatever happened to "the enemy of my enemy is my friend"?

    Yes, there are technical solutions like the upcoming Tor-like anonymized version of tribler [tribler.org] that will try to route around the Copyright Crooks-induced Internet Censorship.
