Security Operating Systems Linux Technology

Thousands of Servers Infected With New Lilocked (Lilu) Ransomware (zdnet.com)

Longtime Slashdot reader Merovech shares a report from ZDNet: Thousands of web servers have been infected and had their files encrypted by a new strain of ransomware named Lilocked (or Lilu). Infections have been happening since mid-July, and have intensified in the past two weeks, ZDNet has learned. Based on current evidence, the Lilocked ransomware appears to target Linux-based systems only. The way the Lilocked gang breaches servers and encrypts their content is currently unknown. A thread on a Russian-speaking forum puts forward the theory that crooks might be targeting systems running outdated Exim (email) software. It also mentions that the ransomware managed to get root access to servers by unknown means.

Lilocked doesn't encrypt system files, but only a small subset of file extensions, such as HTML, SHTML, JS, CSS, PHP, INI, and various image file formats. This means infected servers continue to run normally. According to French security researcher Benkow, Lilocked has encrypted more than 6,700 servers, many of which have been indexed and cached in Google search results. However, the number of victims is suspected to be much, much higher. Not all Linux systems run web servers, and there are many other infected systems that haven't been indexed in Google search results.
Why it should scare you:
- affects Linux servers
- so far the vector of infection / vulnerability is unknown
- you can craft a Google search to watch it spread!

  • by jmccue ( 834797 ) on Monday September 09, 2019 @09:36PM (#59176064) Homepage

    When I saw that I thought "Who would create a ransomware for lilo?", but on a re-read I saw the "real" name.

    These names are getting worse and worse.

    • Re: (Score:1, Funny)

      by Anonymous Coward
      yeah they did and it's in the wild, it's called systemd
    • Re: (Score:3, Interesting)

      Lilo was too simple and just worked so it had to go. Now we have monstrosities like grub that you dare not edit by hand.

      • Re: (Score:2, Offtopic)

        by Opportunist ( 166417 )

        But it can boot with a graphics splash screen now, and hide all the output!

        Don't you know that not seeing errors means they're not there?

      • You can keep it simple with Grub if you want to maintain the config file manually. All you really need is a menuentry statement (with just the title, no options required) containing one line for loading the Linux kernel (and possibly another line for initrd). With the bonus that you don't have to reinstall Grub each time you change the config file. It only gets more complicated if you need it to do stuff that Lilo is not capable of.

    • Re:lilo ? (Score:5, Funny)

      by dgatwood ( 11270 ) on Tuesday September 10, 2019 @12:19AM (#59176346) Homepage Journal

      When I saw the name, I thought, "Don't worry. Somebody in Dallas will create an unlocker that unlocks all the variants... and presumably call it the 'Lilu Dallas Multipass'."

      • Came in here hoping to find this. You sir, made my day!

        • by dgatwood ( 11270 )

          I saw the story almost three hours after it appeared on the home page, and I couldn't believe nobody had made the joke yet. I think Slashdot is slipping. I guess only the obvious Princess Bride jokes appear quickly these days.

  • by Artem S. Tashkinov ( 764309 ) on Monday September 09, 2019 @09:41PM (#59176068) Homepage

    Here's a shortcut [google.com] for servers with the Apache web server. Google finds a little over five pages of results, so while the issue is serious the infection rate looks to be quite low.

    Some people have seemingly disinfected [googleusercontent.com] themselves.

  • Based on the crafted google search. A majority of infections are Russian domains or hosted in Russia
    • Based on the crafted google search. A majority of infections are Russian domains or hosted in Russia

      Would only make sense if the attacks were created in Russia itself. Opensource oriented opposition to the Putin dictatorship? In general people who favor opensource also favor personal freedoms and democracy IMO. If not then the problem might get very serious if the attack is coming from the West. One thing for sure it might become a huge opening for Kaspersky, Windows web servers and all the other competing companies that toe the line politically with the Russian dictatorship.

  • by spongman ( 182339 ) on Monday September 09, 2019 @10:06PM (#59176122)

    No surprise. They're all php sites.

    • What difference does that make?

      • by rossz ( 67331 )

        A lot of amateur php coders created a lot of vulnerable software that was never properly patched. Coding in php is easy. Writing secure code requires knowledge that your average weekend coder does not have. This is true regardless of the language. It's just that php was (at least for a while) the most popular web coding language for beginners.

        see: little bobby drop tables.

        • A lot of amateur php coders created a lot of vulnerable software that was never properly patched.

          Most vulnerabilities created by novices are for SQL injection attacks, which isn't specific to PHP. I'm curious what about code written in PHP do you think would allow an entire linux server to be infected with something like Lilu? A coder can't cause buffer overflows or allow remote code execution (unless they are calling shell_exec or something, which is extremely unlikely), so I can't help but wonder exactly what you have in mind that a weekend coder would be doing in PHP that would allow their system

          • That's easy to answer. Run Apache as the root user or a user with SUID to get around a permissions related problem you don't understand. Hey it works! Just leave it that way. We need uptime, not a solution we understand! Owned. This kind of thing happens all the time in the "Anyone can be da codaz!" generation.
            • Not sure how the article concluded that it is getting root, but it only needs the apache user to modify files that apache can access. This is the default configuration for Wordpress so it can do automatic updates and the user can easily install and update plugins and themes. The impact to a WP infection is that it gains access to all the PHP, HTML, CSS, etc,....
          • by Dunbal ( 464142 ) *
            You would think that the XKCD about little Bobby Tables [xkcd.com] was one of the first things they would learn... sanitizing your inputs is not that hard.
        • A lot of amateur php coders created a lot of vulnerable software that was never properly patched. Coding in php is easy. Writing secure code requires knowledge that your average weekend coder does not have. This is true regardless of the language. It's just that php was (at least for a while) the most popular web coding language for beginners.

          see: little bobby drop tables.

          That would only be the case if they were created in spreadsheets in vb with activex controls first would it not? So you are saying the Russians might be unintentionally hosing themselves with Windows XP hosted sites on Linux servers that have had sex change operations done on them? Weird world computers have become.

      • What difference does that make?

        Too many who write routines that are then spread around never consider these aspects of php [php.net] as being important so although php can jangle and pop it can also dangle and drop!

  • by CaptainDork ( 3678879 ) on Monday September 09, 2019 @10:37PM (#59176204)

    ... going down.

    Was 6,600 and now is 6,190. That's in ten (10) minutes.

    • ... going down.

      Was 6,600 and now is 6,190. That's in ten (10) minutes.

      Keep in mind that Google results are not real-time. Google re-spiders certain types of sites (e.g. news sites) very frequently which fools us into thinking Google results are a real-time view of the web, but most sites don't get re-scanned that often so minute-to-minute changes are more reflective of what Google has scanned and indexed recently, rather than what has really changed in that time frame. If you think about it, it's obvious that Google can't spider the whole web every minute, or even every da

    • by caseih ( 160668 )

      And it's been hacked for quite a long time if the modify times are to be believed. Since July... Or is this something the hacker does to mislead people?

    • by gweihir ( 88907 ) on Monday September 09, 2019 @11:22PM (#59176268)

      Probably the Exim issue. Too many people are not aware that the standard config of a traditional Unix server includes an MTA and that you can send email to the machine. Although the distros I use have that limited to local mail by default.

      Anyways, nobody competent ever claimed that Linux with clueless administration is secure. Linux is just way easier to secure for a competent administrator than the alternatives.

      • Probably the Exim issue. Too many people are not aware that the standard config of a traditional Unix server includes an MTA and that you can send email to the machine. Although the distros I use have that limited to local mail by default.

        Anyways, nobody competent ever claimed that Linux with clueless administration is secure. Linux is just way easier to secure for a competent administrator than the alternatives.

        Sounds more like a timeout call in a script to me if the number of servers hit is dropping instead of climbing. Root should not be susceptible to mail scripts so it might be incorrect configuration of users giving them too much priv on script executions. One way to really screw over user profiles that run scripts would be with a scripted fork bomb. That might not crash a high powered server if it is run in conjunction with a timeout and scripted reset. Sounds to me that this attack is more of a very well ta

        • by gweihir ( 88907 )

          Well, local mail delivery needs root privileges. If you do not make sure to carefully drop them and to guard the mechanism that does that, an MTA can have a root-exploit. Exim does not have the excessive privilege separation that Postfix uses to contain this problem.

      • Interesting. Ubuntu reported an exim vulnerability just four days ago:

        https://usn.ubuntu.com/release... [ubuntu.com]

        • by gweihir ( 88907 )

          Still surprising that so many systems seem vulnerable. We will see what the analysis shows.

    • it has an index.php. If it infects PHP, then it can update all the files the apache user has access to. PHP still seems to be the theme here, suggesting a PHP vuln.
  • Not New (Score:4, Informative)

    by bill_mcgonigle ( 4333 ) * on Monday September 09, 2019 @11:00PM (#59176236) Homepage Journal

    This dates to at least before 7/20:

    https://twitter.com/demonslay3... [twitter.com]

    which means it's probably the old Exim exploit, not the new Exim exploit.

  • by pipedwho ( 1174327 ) on Tuesday September 10, 2019 @12:09AM (#59176334)

    Why would a distro include either of these mail servers in their default installation? They're both like a sieve when it comes to letting an attacker exploit the system. Especially when solutions exist that have been designed from the ground up with hardened security as their primary focus.

    There's qmail (the original secure mail server system), but I don't recommend it since it is limited in functionality due to lack of active development (primarily due to the original licensing clauses). But, I must say, there has never been a serious security exploit for this system.

    And there's Postfix, which was also designed with security in mind, and is under active development. Since Postfix isn't as strict as qmail, it is much easier to configure into a reliable modern secure mail server.

    • by raymorris ( 2726007 ) on Tuesday September 10, 2019 @12:32AM (#59176358) Journal

      Postfix is good.

      DJB, the author of qmail, is REALLY hard to work with because his default position is always "devil's advocate". He's quite smart, but he always wants to do it the opposite of how it's normally done. If he built a car, without a doubt he'd put the brake on the left, accelerator on the right, and come up with a semi-plausible argument for why that's better. The headlight switch would be in the center of the dash and the radio controls would be on sticks behind the steering wheel, just because that's the opposite of how most cars are built. He'd come up with an argument for why it's better to reverse it from what you're accustomed to.

      That's what he did with qmail. Anything you expect of a Unix / Linux software, qmail is the other way around. A lot of this stuff there is no clear right or wrong. It doesn't matter if the brake or the accelerator is on the left - it matters more that it's consistent. Qmail author DJB considers "consistent with how things normally are" to be a problem.

      Just as an example, normally, and by multiple official standards, the directory layout is: /usr/bin for executables, /var for system data, /etc for configuration.

      None of that is true for qmail.

      If you're like me, you'll find qmail really annoying.

    • All my servers run nullmailer.

      Oh, wait...

    • by kalpol ( 714519 )

      I used to use qmail, with the patches, but it's just not up to the task any more. And you have to install a separate service management system. It is small and well-written, but not standard as the other commenter mentions, and its main issue is that it is just out of date.

      Exim does seem to be increasing in frequency of vulnerabilities in the last couple of years, which is a shame as it is also well-supported and widely used. The documentation is good and it has a lot of nice features. I suppose however I s

    • by Xenna ( 37238 )

      "There's qmail (the original secure mail server system)"

      Hah, I still use that stuff! Admittedly not on an Internet facing port (it's got backscatter issues), but I'm glad to see it's still secure.

      Still, I'll be switching to Wietse's postfix real-soon-now....

  • So roughly 7000 Lamp stacks of roughly 400 million lamp stacks on the web have been infected and already the news is full of it. Nice. Very nice. In 48 hours we will know the attack vector for sure and have somewhere between 5 and 15 fixes for it. And only 0.000002% of the entire install base of the platform will have been affected and will need to pull their backup from last week.

    This is why I chose LAMP over that newfangled thing that came around last quarter 98% of the time. So be it that WordPress was coded on crack. Any critical hole is patched within hours and fixes are pushed automatically. I just have to check if the new version is up.

    I like this.

  • If the sole copy of your web site is on the server itself... you are doing it wrong...

    The real problem is the exploited server. Who cares if the web site files become corrupted?

  • Is there a way to detect that a file with .lilocked extension is being created and lock that PID down? Would be nice to catch it in the act so we can identify the source of the infection.
    • Is there a way to detect that a file with .lilocked extension is being created and lock that PID down? Would be nice to catch it in the act so we can identify the source of the infection.

      if you have root access to the server then i'm sure that you can run ps, watch, strace, iostat, etc to monitor where it's coming from. Now, with that being said, if you have root access, I hope that you are patching your systems and you likely wouldn't have this problem anyway. Sadly all the samples I've found via hunting on VT and referenced in any public sources look like the Decrypter tool and not the malicious binary as well.
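A triage helper for the question above, added here as an example and not code from the article or any commenter: it walks a web root for files carrying the `.lilocked` extension, groups them by the original file type (so you can compare against the HTML/JS/CSS/PHP/INI/image set the story reports) and pulls the earliest and latest modification times, which is what the "since July" observation elsewhere in the thread rests on. The list of target extensions, the case-insensitive matching and the constructed sample tree are assumptions for the demo.

```python
"""Find *.lilocked files under a web root and summarise them for incident triage."""
import tempfile
from collections import Counter
from pathlib import Path

LOCKED_SUFFIX = ".lilocked"                       # extension named in the story
# File types the summary says Lilocked targets (assumption: lower-case matching).
TARGET_EXTS = {".html", ".shtml", ".js", ".css", ".php", ".ini",
               ".png", ".jpg", ".jpeg", ".gif"}


def scan_for_lilocked(root):
    """Return a summary dict describing every *.lilocked file below root."""
    locked = []
    for path in Path(root).rglob("*" + LOCKED_SUFFIX):
        if not path.is_file():
            continue
        original = path.with_suffix("")           # index.php.lilocked -> index.php
        locked.append({
            "path": str(path),
            "original_ext": original.suffix.lower(),
            "mtime": path.stat().st_mtime,        # when the encrypted copy was written
            "original_present": original.exists(),  # was a clean copy left behind?
        })
    by_ext = Counter(e["original_ext"] for e in locked)
    mtimes = [e["mtime"] for e in locked]
    return {
        "count": len(locked),
        "by_ext": dict(by_ext),
        # Types outside the reported set hint at a different variant or a false positive.
        "unexpected_ext": sorted(ext for ext in by_ext if ext not in TARGET_EXTS),
        "first_mtime": min(mtimes) if mtimes else None,
        "last_mtime": max(mtimes) if mtimes else None,
        "entries": locked,
    }


def build_sample_tree():
    """Create a constructed web root with a few encrypted and clean files (sample data only)."""
    root = tempfile.mkdtemp(prefix="lilocked-demo-")
    for rel in ["index.php.lilocked", "css/site.css.lilocked", "img/logo.png.lilocked",
                "notes.txt.lilocked", "js/app.js", "README"]:
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"constructed sample content")
    return root


if __name__ == "__main__":
    report = scan_for_lilocked(build_sample_tree())
    print(report["count"], "locked files; by type:", report["by_ext"])
    print("types outside the reported set:", report["unexpected_ext"])
```

Point `scan_for_lilocked()` at a real document root to get the same summary; the mtime window gives a starting point for correlating web, mail and auth logs.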

