
First Botnet of Linux Web Servers Discovered

kdawson posted about 5 years ago | from the shields-up dept.

Security 254

The Register writes up a Russian security researcher who has uncovered a Linux webserver botnet that is coordinating with a more conventional home-based botnet of Windows machines to distribute malware. "Each of the infected machines examined so far is a dedicated or virtual dedicated server running a legitimate website, Denis Sinegubko, an independent researcher based in Magnitogorsk, Russia, told The Register. But in addition to running an Apache webserver to dish up benign content, they've also been hacked to run a second webserver known as nginx, which serves malware [on port 8080]. 'What we see here is a long awaited botnet of zombie web servers! A group of interconnected infected web servers with [a] common control center involved in malware distribution,' Sinegubko wrote. 'To make things more complex, this botnet of web servers is connected with the botnet of infected home computer(s).'"


254 comments


Ok, so I got the popcorn ready.... (4, Insightful)

Kjella (173770) | about 5 years ago | (#29399807)

Just waiting for the flamefest here of Linux vs Windows botnets.

Re:Ok, so I got the popcorn ready.... (-1, Troll)

LaskoVortex (1153471) | about 5 years ago | (#29399861)

This isn't technically a botnet:

It's unclear exactly how the servers have become infected. Sinegubko speculates they belong to careless administrators who allowed their root passwords to be sniffed. Indeed, the part of the multi-staged attack that plants malicious iframes into legitimate webpages uses FTP passwords that have been stolen using password sniffers. It's likely the zombie servers were compromised in the same fashion, he explained.

These are simply rootkitted servers and they appear to have been done manually. The unique aspect of this is that it seems to be coordinated, so the MS astroturf team has decided to call it a "botnet".

Re:Ok, so I got the popcorn ready.... (4, Informative)

Timothy Brownawell (627747) | about 5 years ago | (#29399937)

This isn't technically a botnet: [...] These are simply rootkitted servers and they appear to have been done manually. The unique aspect of this is that it seems to be coordinated,

Which is what makes it a botnet.

so the MS astroturf team has decided to call it a "botnet".

"define: botnet" [google.com] ... I see nothing in there that precludes manually-compromised systems.

Re:Ok, so I got the popcorn ready.... (-1, Troll)

LaskoVortex (1153471) | about 5 years ago | (#29400041)

"define: botnet"

I suspect you are astroturfing for MS here and so will want "botnet" to mean "any set of two or more compromised computers". But that definition means that the number of windows botnets would be astronomical, so be careful about your definitions.

Instead I propose the following definition:

botnet: an automated and self propagating network of compromised machines.

If "self propagating" is essential to the definition of "botnet" then the group of manually compromised linux machines is not a botnet.

Re:Ok, so I got the popcorn ready.... (0)

Anonymous Coward | about 5 years ago | (#29400071)

Wouldn't you have to compromise at least one machine at some point so it can start to self propagate? Malware just doesn't come out of thin air, you know.

Re:Ok, so I got the popcorn ready.... (1)

bemymonkey (1244086) | about 5 years ago | (#29400593)

Sure seems to... at least on IE6.

Re:Ok, so I got the popcorn ready.... (5, Insightful)

Timothy Brownawell (627747) | about 5 years ago | (#29400085)

I suspect you are astroturfing for MS here

And I suspect that you are a troll.

and so will want "botnet" to mean "any set of two or more compromised computers". But that definition means that the number of windows botnets would be astronomical, so be careful about your definitions.

Did you even read what I linked to? A botnet is a collection of compromised computers that share a Command and Control channel.

Instead I propose the following definition:

Because the generally accepted definitions don't suit your purpose?

Re:Ok, so I got the popcorn ready.... (-1, Troll)

LaskoVortex (1153471) | about 5 years ago | (#29400101)

Because the generally accepted definitions don't suit your purpose?

Define "generally accepted".

Re:Ok, so I got the popcorn ready.... (0, Troll)

blind biker (1066130) | about 5 years ago | (#29400429)

Define "generally accepted".

Define "define".

Game over, I win.

Re:Ok, so I got the popcorn ready.... (0)

Anonymous Coward | about 5 years ago | (#29400465)

define: from the Latin words "up" and "yours"

Re:Ok, so I got the popcorn ready.... (-1, Troll)

LaskoVortex (1153471) | about 5 years ago | (#29400133)

Did you even read what I linked to? A botnet is a collection of compromised computers that share a Command and Control channel.

Ok. I went back and read the definitions.

I like this one:

The term often applies to groups of computer systems that have had malicious software installed by worms, Trojan horses or other malicious software.

And you like the one that fits your fiscal agenda. So I'm not the only one who selects their definitions, am I? You. Are. An. Astroturfer.

Re:Ok, so I got the popcorn ready.... (0)

Anonymous Coward | about 5 years ago | (#29400311)

Sentences. Mean. More. When. They. Arent. In. Sentence. Form.

Re:Ok, so I got the popcorn ready.... (0, Flamebait)

Anonymous Coward | about 5 years ago | (#29400383)

And. You. Are. A. Douchebag.

Re:Ok, so I got the popcorn ready.... (1, Informative)

Anonymous Coward | about 5 years ago | (#29400437)

Look at it this way. The servers in question form a network of bots. I don't think that is in any way debatable. Botnet seems to be a good shorthand version of "network of bots". Hence, the servers in question form a botnet.

Re:Ok, so I got the popcorn ready.... (2, Insightful)

suomynonAyletamitlU (1618513) | about 5 years ago | (#29400533)

So I'm not the only one who selects their definitions, am I? You. Are. An. Astroturfer.

Sorry, but by that logic, wouldn't you--explicitly--be one as well? "You X, just like I do, so you're Y." ...

And also a troll. Because frankly, if you want to actually make a point (and at this point you really aren't) the whole ad hominem thing is something to stay away from. Who employs him, even in theory, has so astoundingly little to do with whether or not his statements are accurate that nobody's going to listen once the argument gets to that point--including the person you're talking to.

Re:Ok, so I got the popcorn ready.... (-1, Troll)

LaskoVortex (1153471) | about 5 years ago | (#29400735)

Sorry, but by that logic, wouldn't you--explicitly--be one as well?

Astroturfers get paid. You decide.

Re:Ok, so I got the popcorn ready.... (1)

node 3 (115640) | about 5 years ago | (#29400551)

Ok. I went back and read the definitions.

I like this one:

The term often applies to groups of computer systems that have had malicious software installed by worms, Trojan horses or other malicious software.

"Often" is a very different word than "always", "solely" or "only".

It's clear that how the botnet came about is not critical to the definition. The clue is right there in the name that it's referring to a network of bots.

The key detail here is that it's a number of computers under surreptitious remote control.

And you like the one that fits your fiscal agenda. So I'm not the only one who selects their definitions, am I? You. Are. An. Astroturfer.

With people like you making Linux users look like raving madmen, I'm pretty sure all the MS astroturfers have been granted the day off.

Re:Ok, so I got the popcorn ready.... (0)

Anonymous Coward | about 5 years ago | (#29400553)

Can I recommend to you the following Google search?

define: often [google.co.uk]

You'll notice that it varies from the definition of 'always' in several key areas. Would you like me to continue the English lesson, or are you happy to admit that this is a botnet?

Re:Ok, so I got the popcorn ready.... (3, Funny)

maharb (1534501) | about 5 years ago | (#29400129)

Why should it have to self propagate and at what degree do current bot nets self propagate without users compromising their systems.

Servers don't roam the net downloading porn and music.

Re:Ok, so I got the popcorn ready.... (0)

Anonymous Coward | about 5 years ago | (#29400511)

servers don't roam the net -- the net roams them (google, etc.) and then publishes strings that help identify the web application software running on the machine ("powered by xxx"). From there automating an attack is pretty trivial.

Re:Ok, so I got the popcorn ready.... (4, Funny)

Giometrix (932993) | about 5 years ago | (#29400653)

servers don't roam the net -- the net roams them (google, etc.)

Wait you forgot the "Soviet" part.

Re:Ok, so I got the popcorn ready.... (1)

PNutts (199112) | about 5 years ago | (#29400577)

Servers don't roam the net downloading porn and music.

Which is why I don't have a server at home.

Re:Ok, so I got the popcorn ready.... (2, Funny)

Anonymous Coward | about 5 years ago | (#29400609)

Servers don't roam the net downloading porn and music.

You are hereby excommunicated from the secret global geek alliance for revealing the truth behind one of our most useful excuses.

And to any lay people listening in:
Computers can in fact act on their own and illegally download music or collect an unseemly amount of lesbian teen videos. No one knows why and your son/husband is just as surprised as you are.

Re:Ok, so I got the popcorn ready.... (1)

e9th (652576) | about 5 years ago | (#29400135)

You're begging the question. You come up with a proposed definition of botnet that doesn't include the compromised systems, then use that definition to say they're not a botnet.

Re:Ok, so I got the popcorn ready.... (0, Troll)

Anonymous Coward | about 5 years ago | (#29400195)

If I had mod points, I'd mod you Troll.

Re:Ok, so I got the popcorn ready.... (-1, Offtopic)

LaskoVortex (1153471) | about 5 years ago | (#29400227)

If I had mod points, I'd mod you Troll.

You don't get mod points because when you get them you mod inappropriately.

Re:Ok, so I got the popcorn ready.... (0)

Anonymous Coward | about 5 years ago | (#29400457)

The other anon may not, but I get mod points quite frequently.

Your posts in this thread are pedantic and intellectually dishonest. So either you're an idiot, or a troll. And your post history is a pattern of this, so I'll keep an eye on you when I get more mod points.

There, I can call it like I see it too.

Re:Ok, so I got the popcorn ready.... (0)

Anonymous Coward | about 5 years ago | (#29400459)

And if I didn't want AIDS, I'd rape your mother up the ass while I was installing JewBuntu "Frosty Fucker" on my open-sores hacked Kindle.

Re:Ok, so I got the popcorn ready.... (3, Insightful)

Nazlfrag (1035012) | about 5 years ago | (#29400279)

If anyone was astroturfing for MS they would never say the word 'botnet' unless they are insane.

This is definitely not the first time a unix system has been compromised by an administrator being slack about their passwords. Why it's an issue is because each system is being used to control multiple infected windows machines, something I doubt an astroturfer would want to draw attention to (excepting the previously mentioned insane ones).

It's far more likely that this sort of activity has been going on for years and it's just the first time any mainstream media has caught up on the fact.

The solution is so simple, just protect your root passwords for fuck's sake, yet we know there are countless incompetent admins without any clue out there and this shit should be expected, in that it is impossible to avoid voluntary security breaches.

Re:Ok, so I got the popcorn ready.... (0)

Anonymous Coward | about 5 years ago | (#29400295)

Self propagating would mean that it is a worm. There are botnets created by worms and there are bot nets that are created in manual or scripted hacks.

It is a bot net, just not a self propagating bot net.

Re:Ok, so I got the popcorn ready.... (2, Insightful)

c6gunner (950153) | about 5 years ago | (#29400371)

Instead I propose the following definition:

botnet: an automated and self propagating network of compromised machines.

That's a ridiculous definition. The vast majority of botnets aren't self-propagating. A program that is self-propagating would be a worm. If it happened to maintain communication with other compromised machines, then it would also become a botnet. But self-propagation has never been a requirement in the definition of "botnet".

Of course, the easiest way to make yourself a botnet is to upload an infected file to the Kazaa network, or some similar file-sharing network. Once it's on there I suppose it becomes "self-propagating", in a way. But that's a different matter entirely.

Re:Ok, so I got the popcorn ready.... (-1, Flamebait)

Anonymous Coward | about 5 years ago | (#29400501)

fuck you up the face you poorly-assembled cuntwhich. No one could possibly disagree with you unless someone paid them to? YOU ARE A BAD PERSON AND I HOPE YOU CEASE.

You have a stupid version of "botnet" which precludes an entire class of infestation. You don't like the definition because of what unrelated correlation is usually involved. That doesn't begin to make you right. That doesn't begin to make your accusation justified. "Astroturfer for MS" isn't even ambiguous enough to seem harmlessly misspoken like "flamebait" is. You're just a horrible person who should learn the meaning of the words you use, and otherwise should go harm yourself non-trivially!

Re:Ok, so I got the popcorn ready.... (5, Informative)

mysidia (191772) | about 5 years ago | (#29400523)

Botnets do not have to be self propagating. The very first botnets were on IRC.

Where in fact, the machines weren't compromised. The owners of the machines actually ran the code (commonly Eggdrop) and voluntarily joined their bots to the botnet. They weren't even malicious.

The term "botnet" does not imply a network of compromised hosts, or even malware. It refers to a network of robotic agents that are in communication with each other.

Botnets were commonly used to form shared "party lines", to allow people to DCC CHAT their Eggdrop bots and communicate with people visiting from other channels, and other IRC networks.

At first, these were used only for communication, people joined the botnets to chat with each other, there was no way to control other bots.

At some point, some of the botnets got pretty large...

Some of the botnets had a feature where a trusted "bot owner" or "bot master" as they were called, could be made "botnet admins" by bots they were peering with... allowing these botnet admins to command other hosts to do certain things on IRC

Some botnets had member nodes run scripts that were able to do things like pingflood a user off IRC.

This would be commonly used if some bad boy had taken over a popular channel. Ping flooding a user off IRC is undesired by the victim, but one time, it may have been used to encounter other hacking techniques the "victim" of the flood had been using to sabotage IRC channels.

At some point, some IRC botnets started getting formed whose sole purpose was to flood.

Eventually the term escaped IRC... other types of botnets started forming like Peer to Peer ones, smart ones that automatically added nodes (instead of two botnet admins deciding to interconnect), and botnets whose sole purpose was to accept commands from a central point.

But the point is, the notion of a "Bot" and a "Botnet" has an origin that causes the term to not imply self replication.

Re:Ok, so I got the popcorn ready.... (2, Funny)

node 3 (115640) | about 5 years ago | (#29400595)

Instead I propose the following definition:

botnet: an automated and self propagating network of compromised machines.

It's pretty clear the definition you're really trying to propose is:
"botnet: a network of infected or compromised non-Linux machines."

Just callin' it like I want to see it.

Fixed your sig for you.

Re:Ok, so I got the popcorn ready.... (3, Informative)

mysidia (191772) | about 5 years ago | (#29400455)

No. Manually compromising servers and setting up nginx on them to serve files does not make it a botnet. "Botnet" or not has nothing to do with infection vector.

It refers to compromised machines that have a certain 'intelligence' so that they form a network of their own, and allow the botmaster to easily deploy new instructions to them all. And all bots will execute the new instructions automatically.

Manually compromising servers and installing a tool that causes all those servers to rendezvous with or receive commands from a central control point to execute instructions would make them a botnet.

The key question would be: do the compromised servers also run a program that periodically polls a control station for commands, or does the script kiddie manually command individual compromised servers?

If the servers only run nginx to serve files, or just periodically pull new files to serve from other servers (even a central one), then no, they're not a botnet, even if they've been backdoored so the blackhat can come back later and upload new malware files.

To be a botnet, there must be a button where a botmaster can deploy instructions or code to a control point, and the nodes will automatically perform the instructions directed.

Re:Ok, so I got the popcorn ready.... (2, Funny)

Zero__Kelvin (151819) | about 5 years ago | (#29400569)

Did you read the first sentence? Evidently the word manually doesn't mean what you think it does. (Manually is the opposite of automatically BTW) Here is the best definition from that page IMNSHO: The word BOTNET is short for the combination of the word robot and network . The term often applies to groups of computer systems that have had malicious software installed by worms, Trojan horses or other malicious software that allows the "botnet herder " or botnet's originator to control the .... In any case, yes, it absolutely has to be a network robot to be a bot, and those are by definition automatically spread, not manually propagated. That's the "bot" part of the term network robot.

Re:Ok, so I got the popcorn ready.... (5, Insightful)

NewbieProgrammerMan (558327) | about 5 years ago | (#29400165)

...so the MS astroturf team has decided to call it a "botnet".

I'm curious--how can I tell when an idea is being promoted by the "MS astroturf team" and not by regular not-so-clueful reporters that might mistakenly use the wrong term?

Re:Ok, so I got the popcorn ready.... (0)

Anonymous Coward | about 5 years ago | (#29400659)

These are simply rootkitted servers and they appear to have been done manually. The unique aspect of this is that it seems to be coordinated, so the MS astroturf team has decided to call it a "botnet".

No, they decided to create it.

Re:Ok, so I got the popcorn ready.... (5, Funny)

symbolset (646467) | about 5 years ago | (#29399905)

Just waiting for the flamefest here of Linux vs Windows botnets.

OK, I'll start. Linux webservers are so lame they don't even include the facility [slashdot.org] for users to disable them remotely in case of malware distribution.

Re:Ok, so I got the popcorn ready.... (5, Funny)

easyTree (1042254) | about 5 years ago | (#29399913)

Just waiting for the flamefest here of Linux vs Windows botnets.

It's nice to see Lo0niX has advanced to the point where it can now successfully run botnet software. I'll bet there's no gui though. I'm not up on linux commands so don't laugh but I'll wager it's something like:
  * apt get b0tnet -s -x9 -secret -warez -pr0n -infectWindows=1 -p

Rather than the point-and-click convenience you'd expect on windows.

Maybe games are next? Quake-n for linux would be nice.

How's that? :D

Re:Ok, so I got the popcorn ready.... (5, Funny)

LaskoVortex (1153471) | about 5 years ago | (#29399945)

Rather than the point-and-click convenience you'd expect on windows.

It's not that easy on MS windows. After you click the link to the tennis player nudie pix, your machine locks up. Then you have to *hard reboot* (without the help of the blue screen to let you know your computer crashed). Only after you hard reboot, usually by pulling the power cord all the way out, can you run the botnet software.

Windows really isn't as user friendly for botnets as everyone thinks it is. I hope 7 does better.

Re:Ok, so I got the popcorn ready.... (4, Funny)

Anpheus (908711) | about 5 years ago | (#29400373)

As a user of Windows 7, I found it exceedingly helpful. I was pleased when Clippy popped up and said, "It looks like you're trying to infect your computer, do you want some help?" At which point Clippy showed me how to use Aero Shake(tm) to get rid of all the distracting popups that would divert me from trying to find the source of all malware. After I encountered a fork in the road, so to speak, Clippy demonstrated Aero Snap(tm) so I could compare the sites I was surfing side by side. At long last, I found truly good malware on a *stan website. Top level domain was for some country like Miyagistan. Thankfully, I bought Windows(tm) 7 Ultimate Edition(tm) and downloaded the appropriate language pack so the viruses I downloaded would be more at home.

Running it was as easy as clicking on it and clicking "Continue." Ever since then I've been living in a peaceful coexist

Re:Ok, so I got the popcorn ready.... (4, Funny)

Kjella (173770) | about 5 years ago | (#29400183)

Rather than the point-and-click convenience you'd expect on windows.

Actually, they found Amazon had patented that so they had to go with the no-click experience. Got to respect corporate IP, you know.

Re:Ok, so I got the popcorn ready.... (0)

Anonymous Coward | about 5 years ago | (#29400657)

um, no.
ruut@pwn:~$ sudo apt-get install b0tnet -sx9 -p --secret=warez:porn --infectWindows=1

Re:Ok, so I got the popcorn ready.... (1)

noidentity (188756) | about 5 years ago | (#29400211)

I'm thinking one difference is that you can contact the node's host and tell him to get his act together and secure his machine, whereas contacting the Windows hosts of each node of a botnet is quite a bit more difficult, and even if you did, you'd unlikely convince the operator to secure the machine (or even understand what a botnet is).

Re:Ok, so I got the popcorn ready.... (2, Insightful)

the_womble (580291) | about 5 years ago | (#29400319)

Only an idiot would claim that servers being compromised because admins choose to send passwords over the internet in plain text proves anything about how secure the software running on those servers is.

Ah.....OK, I expect LOTS of such claims.

Re:Ok, so I got the popcorn ready.... (3, Funny)

the_womble (580291) | about 5 years ago | (#29400375)

It also looks likely that the passwords were stolen from the admin's compromised windows desktops!

Re:Ok, so I got the popcorn ready.... (2, Insightful)

node 3 (115640) | about 5 years ago | (#29400635)

Only an idiot would claim that servers being compromised because admins choose to send passwords over the internet in plain text proves anything about how secure the software running on those servers is.

Unless it's a Windows web server. In that case, Administrator incompetence always proves how insecure Windows/IIS are.

Dang. (2, Funny)

SilverHatHacker (1381259) | about 5 years ago | (#29399811)

Awkward...

Linux (5, Funny)

Anonymous Coward | about 5 years ago | (#29399823)

It's ready for the botnet!

Re:Linux (1)

ColdWetDog (752185) | about 5 years ago | (#29399867)

Yeah, the desktop was so twentieth century.

Re:Linux (5, Funny)

noidentity (188756) | about 5 years ago | (#29400185)

Maybe the year of the Linux desktop is near, with the OS finally getting a botnet that doesn't require Wine to run. Take that, Apple!

Re:Linux (1)

CAIMLAS (41445) | about 5 years ago | (#29400337)

Yes! Awesome! It took long enough for one of these Linux botnets to manifest!

Now all we need is for Windows to be ready for the Internet, and we'll be in the next era of secure computing!

Next Logical Step (0)

Anonymous Coward | about 5 years ago | (#29400347)

Next logical step: GNU Hurd is ready for the desktop!

Stupid people use linux too (5, Insightful)

tetsukaze (1635797) | about 5 years ago | (#29399853)

We can blame our hated pet OS for all of the internet evil out there, but we need to remember one important thing: people are almost always the weak link in security. If someone knows what they are doing, it is very hard to penetrate a linux server... or a windows server. There will always be those that can break through the best security, but there is a lot of low hanging fruit and not just on the windows tree.

Re:Stupid people use linux too (1)

easyTree (1042254) | about 5 years ago | (#29399939)

So..., you're blaming ubuntu?

Re:Stupid people use linux too (5, Insightful)

FlyingBishop (1293238) | about 5 years ago | (#29400017)

Actually, I would say the people to blame are those hosting providers who keep using ftp with weak usernames and weak passwords as the preferred way to access your website.

There was a time when the client software was insufficient to the task, that time is long gone. WinSCP is mature and easy to use. No, browsers don't offer sftp:// support natively, but the browser is not very secure anyway. Hosting providers need to get their heads out of the sand and upgrade to secure authentication.

Re:Stupid people use linux too (1)

the_womble (580291) | about 5 years ago | (#29400719)

No, browsers don't offer sftp:// support natively

Konqueror does!

In addition some file managers do (Nautilus, Dolphin,...), there are GUI tools that allow you to mount a Fuse sftp filesystem, and you can use rsync over ssh on the command line or with a GUI, and most ftp apps these days support sftp.

Note that these are not cheap shared web hosts, these are virtual or dedicated servers. The admins had the choice and decided to be lazy. If they were being paid to do this (some will be people running their own servers for fun or profit), they should be fired.

Re:Stupid people use linux too (0)

Anonymous Coward | about 5 years ago | (#29399967)

and microsoft eventually researched and understood this weak link in security...which is why they now patch monthly.

(you made a great point, but I couldn't resist, sorry...ironically, my captcha was 'unworthy')

Re:Stupid people use linux too (4, Interesting)

bjourne (1034822) | about 5 years ago | (#29400525)

Well, it seems that stupid people [lwn.net] actually [linux.com] *build* [theregister.co.uk] linux [wiggy.net] too [slashdot.org] !

Re:Stupid people use linux too (2, Interesting)

bbernard (930130) | about 5 years ago | (#29400747)

Absolutely! There's plenty of stupid to go around.

1. Where was the firewall admin to prevent external systems from connecting to these webservers over port 8080?
2. Why did the admins use insecure tools or insecure systems to allow their credentials to be sniffed?
3. Where was the IDS/IPS to notice the sudden change in traffic?
4. Where was the load balancer/reverse proxy to intercept this junk?
5. Where was the routine review of logs to notice the dynamic DNS updates from computers with (presumably) static DNS entries somewhere?
6. Where was the periodic pen/vulnerability test against these systems?
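One concrete check behind items 1 and 3 above is to audit what is actually listening on a server and flag anything outside an allowlist, which would have caught a second web server (nginx on 8080 next to Apache on 80) as described in the story. The following is an added example, not code from the story, the researcher, or any commenter; the `ss -ltnp` sample output and the per-host allowlist are constructed here for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample of `ss -ltnp` output for a compromised host like the ones
# described in the story: Apache on 80 plus an unexpected nginx on 8080.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      511    0.0.0.0:80        0.0.0.0:*     users:(("apache2",pid=812,fd=4))
LISTEN 0      511    [::]:80           [::]:*        users:(("apache2",pid=812,fd=5))
LISTEN 0      511    0.0.0.0:8080      0.0.0.0:*     users:(("nginx",pid=2291,fd=6))
LISTEN 0      128    0.0.0.0:22        0.0.0.0:*     users:(("sshd",pid=401,fd=3))
LISTEN 0      4096   127.0.0.1:3306    127.0.0.1:*   users:(("mysqld",pid=600,fd=20))
"""

# Constructed per-host allowlist: port -> set of process names allowed to bind it.
EXPECTED = {80: {"apache2"}, 443: {"apache2"}, 22: {"sshd"}}

# Binaries that act as HTTP servers; two different ones listening at once is the
# "second webserver" pattern from the story and is reported separately.
WEB_SERVER_BINARIES = {"apache2", "httpd", "nginx", "lighttpd"}
LOOPBACK = {"127.0.0.1", "::1", "[::1]"}

# One LISTEN row: state, queues, local addr:port, peer addr:port, users:(("proc",pid=N,...
LISTEN_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+'
    r'users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+)'
)


@dataclass(frozen=True)
class Listener:
    addr: str
    port: int
    process: str
    pid: int


@dataclass(frozen=True)
class Finding:
    port: int
    process: str
    reason: str


def parse_listeners(ss_output):
    """Parse LISTEN rows from `ss -ltnp` text; header and unparseable rows are skipped."""
    listeners = []
    for line in ss_output.splitlines():
        m = LISTEN_RE.match(line.strip())
        if m:
            listeners.append(Listener(m["addr"], int(m["port"]), m["proc"], int(m["pid"])))
    return listeners


def audit_listeners(ss_output, expected):
    """Return findings for externally reachable listeners not covered by the allowlist."""
    findings = []
    for lst in parse_listeners(ss_output):
        if lst.addr in LOOPBACK:
            continue  # only bound locally; not reachable from the network
        allowed = expected.get(lst.port)
        if allowed is None:
            findings.append(Finding(lst.port, lst.process, "port not in allowlist"))
        elif lst.process not in allowed:
            findings.append(Finding(lst.port, lst.process, "unexpected process on allowed port"))
    return findings


def web_servers_listening(listeners):
    """Set of distinct HTTP server binaries currently listening on the host."""
    return {lst.process for lst in listeners if lst.process in WEB_SERVER_BINARIES}


if __name__ == "__main__":
    for f in audit_listeners(SAMPLE_SS_OUTPUT, EXPECTED):
        print(f"ALERT port {f.port} ({f.process}): {f.reason}")
    servers = web_servers_listening(parse_listeners(SAMPLE_SS_OUTPUT))
    if len(servers) > 1:
        print("ALERT more than one web server binary listening:", sorted(servers))
```

On a live host the same functions can be fed the output of `subprocess.run(["ss", "-ltnp"], capture_output=True, text=True).stdout` from a cron job, with the allowlist kept per host.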

And here it comes (4, Funny)

Anonymous Coward | about 5 years ago | (#29399863)

Does this mean Linux finally has reached a point of user friendliness equal to Windows?

Re:And here it comes (1)

NickFortune (613926) | about 5 years ago | (#29399977)

Does this mean Linux finally has reached a point of user friendliness equal to Windows?

Yes, but it's probably just a one-off trough.

Re:And here it comes (4, Funny)

swilly (24960) | about 5 years ago | (#29400121)

Unfortunately not. It appears that the servers were manually hacked, which is far less user friendly than the automated hacks that Windows makes so very easy.

Linux still has a ways to go, I'm afraid.

What's new here? (2, Insightful)

Anonymous Coward | about 5 years ago | (#29399865)

What's so special about this one that we haven't seen in the last 5 years? Linux or BSD systems have been turned into rogue IRC servers (for C&C purposes) for zombies all the time.

Whether sweeps for vulnerable AWStats installations, badly configured PHP installations or archaic PHPBB installs, webservers are hammered with automated exploits all day. Maybe "DataCha0s 2.0" rings a bell for some.

Publicity Stunt (0)

Anonymous Coward | about 5 years ago | (#29399871)

This is it. Linux has finally made it to the big time! Now it can go into rehab.

Milo (0)

Anonymous Coward | about 5 years ago | (#29399877)

It's bullshit - running an app on port 8080 is as easy as finding a hole in some crappy script and using a system()-like function. Modifying page content by FTP (because the user set a password like "123test" or has worms on their Windows box) has nothing to do with Linux botnets.

Missing in the summary (3, Informative)

gmuslera (3436) | about 5 years ago | (#29399885)

"With about 100 nodes". The average windows botnet (at least the ones that make it into the news) have from hundreds of thousands to millions of nodes. Not sure how "automatic" the creation of this botnet was, or how much at risk generic linux users are. Considering how some are installed and how careful some admins are about "security", it is not amazing that a few out there could be rooted.

In fact, if those servers already had apache, and some old vulnerable web application that enables somewhat transferring and executing binaries, in kernels 2.4+ that have not been recently patched there are ways to escalate privileges and get root to install what is needed. But probably normal users using modern distributions or admins caring a little about security are safe.

stolen root credential (4, Insightful)

pikine (771084) | about 5 years ago | (#29400049)

The article speculated that, since the iframe code was injected to legitimate webpages using stolen FTP credentials, it may be that a few "root" credentials are obtained the same way. FTP credentials can be stolen by malware running on the client computer, for example a computer an admin uses to control the server, from well-known FTP client software.

Re:Missing in the summary (3, Interesting)

eln (21727) | about 5 years ago | (#29400167)

A Windows machine being run by someone who cares about security and updates it regularly won't end up in a botnet either, so I'm not sure what your point is.

Re:Missing in the summary (3, Insightful)

Sir_Lewk (967686) | about 5 years ago | (#29400209)

At the moment that may be true, but that has certainly not been the case many times before.

Re:Missing in the summary (4, Funny)

rohan972 (880586) | about 5 years ago | (#29400277)

"With about 100 nodes". The average windows botnet (at least the ones that make it into the news) have from hundreds of thousands to millions of nodes.

That's irrelevant. A linux botnet would be so much more productive than a windows botnet that you don't need nearly as many nodes.<\straightface>

Re:Missing in the summary (2, Interesting)

CAIMLAS (41445) | about 5 years ago | (#29400379)

Really, this is a pretty trivial "jump" from the normal way of things.

You've got manually installed rootkits, and most of them have C&C tools. How is this much different, other than optimizing the C&C mechanisms? There's nothing here to suggest this is anything "new": the mechanisms, whatever is used, still appear to be tightly constrained to "manual rootboxing" - a time consuming process compared to a "real" automated botnet.

All evidence points to this being more of someone's "pet" botnet than it does any sort of improvement on the malware concept. Same old thing, different implementation. Let me know when there's a polymorphic, multi-OS botnet with a non-distributed model and pluggable payload and vector - which uses traffic heuristics to hide its traffic on a network and runs "quiet" (compared to common botnets/worms). Then I'll start being concerned.

Shouldn't that read... (0)

Anonymous Coward | about 5 years ago | (#29399889)

... First *Discovered* Botnet of Linux Web Servers ?

Reporters Fail (5, Informative)

99BottlesOfBeerInMyF (813746) | about 5 years ago | (#29399925)

The only part of this article that is news is the part that is incorrect. Botnets of Windows machines often have compromised Linux servers working as a control channel or update channel. It is not at all unusual. What would be unusual would be for a worm or virus to actually compromise Linux machines in an automated fashion and make them bots. That does not seem to be what has happened here as the Linux systems seem to have been manually hacked in a normal, directed attack.

Basically, nothing new or newsworthy happened here, except someone mistakenly referred to the compromised Linux servers as bots.

Re:Reporters Fail (1)

Midnight Thunder (17205) | about 5 years ago | (#29400045)

Basically, nothing new or newsworthy happened here, except someone mistakenly referred to the compromised Linux servers as bots.

Well, you are assuming that calling a machine a bot is dependent on the fact it was infected. In many ways a bot is any machine that is doing the bidding of the people in control, no matter how control was achieved. Now whether the machine was 'infected' or 'hacked' is a different matter.

Re:Reporters Fail (3, Interesting)

99BottlesOfBeerInMyF (813746) | about 5 years ago | (#29400103)

Well, you are assuming that calling a machine a bot is dependent on the fact it was infected.

Not really. Calling a machine a bot or zombie is generally an indication that it is the regular "peon" part of a botnet. I mean technically the control channel and update channel and the terminal machines the operator is using are part of the botnet. They just are not generally referred to as bots because they are part of the system doing the controlling instead of being the end systems used to launch attacks.

My main point was, the summary and title here led readers who use the specific terms one way to think that is what was happening. The comments from researchers led people to think that. That is why this was news. It's not news to discover Linux systems hacked by hand are being used to control Windows bots, because that happens all the time and is, perhaps, the most common kind of botnet.

Re:Reporters Fail (2, Insightful)

Aladrin (926209) | about 5 years ago | (#29400199)

'Botnet' has never meant 'auto-infected' and if they assumed that, they were careless. The summary makes no attempt to fool them into thinking anything other than the facts.

Besides which, at this point, we don't -know- how it spreads. We just know that it exists... Which to me, is news.

Re:Reporters Fail (2, Informative)

c6gunner (950153) | about 5 years ago | (#29400405)

We just know that it exists... Which to me, is news.

It shouldn't be. Or, at least the general concept shouldn't be. The original IRC bots were written to run on *nix, because they were meant to be used for channel control/moderation, and so needed to run on an always-on server. Which usually meant a shell account on a linux or BSD machine. Small channels only employed one bot, but larger ones used several working in tandem. So, really, the earliest bot-nets were all *nix based - they just weren't malicious.

Re:Reporters Fail (4, Insightful)

burnin1965 (535071) | about 5 years ago | (#29400673)

It is not at all unusual. What would be unusual would be for a worm or virus to actually compromise Linux machines in an automated fashion and make them bots.

There is a continuous flood of SSH brute force attacks on any *nix machine connected to the internet. All one has to do is monitor their log files for verification.

They are not even sophisticated attacks; they are attempting to log in using lame passwords. After watching the attacks for a while I set up a box to see what they were doing and created a username "test" with the password "test", based on the fact that I could see them using test as one of the users for the attack and suspecting it was a dumb password attack.

It wasn't long before the system was "compromised" and likely recorded on the other end as a successful attack. Several hours later the account was again accessed and various applications downloaded and executed as the test user. One of these applications connected to the EFNET IRC network and joined a channel.

Using another system I connected to the IRC network in a way I thought would be inconspicuous and monitored what was happening. Sure enough there were two individuals chatting it up in the channel and sending commands to hundreds of compromised systems.

While reviewing the various compromised systems I noted that they were all *nix machines of one type or another. This was a few years back so I believe you are correct in stating that this is nothing new. What would have been new is if a botnet like this was discovered to be from a real hack and not some lame password login scan.

I don't have a problem with it being called a Linux botnet, but until they can come up with an explanation for the means by which the systems were compromised, other than the likely lame password attacks, it's not really news.
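The log monitoring the post above describes, as an added example that is not part of the original thread: a small Python checker that reads sshd lines from auth.log, counts password failures per source address, and flags the case the post saw in its honeypot, a password login accepted from an address that had just been guessing usernames. The log lines are constructed sample data, the usernames and addresses are invented, and the failure threshold is an assumption.

```python
import re
from collections import Counter, defaultdict

# Constructed sample auth.log excerpt (not real data): a low-effort
# password-guessing run followed by a successful "test/test" login, plus
# one legitimate key-based login from a different address.
SAMPLE_AUTH_LOG = """\
Sep 13 10:01:02 web1 sshd[2201]: Failed password for invalid user test from 203.0.113.7 port 51234 ssh2
Sep 13 10:01:05 web1 sshd[2203]: Failed password for invalid user admin from 203.0.113.7 port 51236 ssh2
Sep 13 10:01:08 web1 sshd[2205]: Failed password for root from 203.0.113.7 port 51240 ssh2
Sep 13 10:01:11 web1 sshd[2207]: Failed password for invalid user oracle from 203.0.113.7 port 51244 ssh2
Sep 13 10:01:14 web1 sshd[2209]: Failed password for invalid user test from 203.0.113.7 port 51250 ssh2
Sep 13 10:01:30 web1 sshd[2215]: Accepted password for test from 203.0.113.7 port 51260 ssh2
Sep 13 10:05:00 web1 sshd[2300]: Accepted publickey for deploy from 198.51.100.5 port 40000 ssh2
Sep 13 10:06:00 web1 sshd[2310]: Failed password for deploy from 198.51.100.5 port 40002 ssh2
"""

# "invalid user" appears only when the account does not exist; the regex
# accepts both forms so guesses against root and against unknown users count.
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted (password|publickey) for (\S+) from (\S+) port")


def analyze_sshd_log(lines, threshold=3):
    """Return guessing sources and any password logins accepted from them.

    threshold: failures from one address before it counts as a guesser
    (assumed value; tune to the host's normal traffic)."""
    failures = defaultdict(Counter)   # source ip -> Counter of usernames tried
    accepted = []                     # (ip, user, auth method)
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            user, ip = m.groups()
            failures[ip][user] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            method, user, ip = m.groups()
            accepted.append((ip, user, method))
    guessers = {ip for ip, c in failures.items() if sum(c.values()) >= threshold}
    # The signal worth paging on: a password (not key) login accepted from an
    # address that was cycling through usernames moments earlier.
    suspicious_logins = [(ip, user) for ip, user, method in accepted
                         if method == "password" and ip in guessers]
    return {"guessers": guessers,
            "suspicious_logins": suspicious_logins,
            "usernames_tried": {ip: dict(c) for ip, c in failures.items()}}


if __name__ == "__main__":
    report = analyze_sshd_log(SAMPLE_AUTH_LOG.splitlines())
    for ip in sorted(report["guessers"]):
        print(f"guessing from {ip}: {report['usernames_tried'][ip]}")
    for ip, user in report["suspicious_logins"]:
        print(f"ALERT: password login for '{user}' accepted from guessing source {ip}")
```

On a live host the same function can be fed `open("/var/log/auth.log")`; a single failure from a known address (the deploy user above) stays below the threshold and is not reported.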

Hmm.. what does this mean... (1)

Cheesetrap (1597399) | about 5 years ago | (#29399931)

So Russian phishers actually care about uptime? Who woulda thunk it! :p

In other news, when millions upon millions of computers are in botnets, some of them are probably going to be non-Windows systems. Shock, horror. Related reading [about.com].

Imagine a Beowulf cluster of Linux botnets... (0, Funny)

Anonymous Coward | about 5 years ago | (#29399951)

Boggles the mind; I, for one, welcome our new Linux botnet Beowulf cluster overlords.

related? (0)

Anonymous Coward | about 5 years ago | (#29399969)

Sounds an awful lot like clampi/ligats

http://news.cnet.com/8301-27080_3-10298233-245.html

If this is the same thing or similar, it is much more than 100 nodes and is quite nasty. If you get this, good luck getting rid of it.

It's Windows fault!! (0)

Anonymous Coward | about 5 years ago | (#29399999)

Obviously it's shoddy Windows that caused the Linux machines to go down!

One bad apple ruins the whole bunch.

disclaimer: I use OS X.

You could be right (4, Insightful)

DrJimbo (594231) | about 5 years ago | (#29400255)

Actually, you might be correct. FTFA:

It's unclear exactly how the servers have become infected. Sinegubko speculates they belong to careless administrators who allowed their root passwords to be sniffed.

... With about 100 nodes, the network is relatively small, making it unclear exactly what the attackers' intentions are.

If Sinegubko is right and the attack vector was sniffed passwords, then it is likely that those passwords got sniffed by an existing Windows Botnet.

Re:You could be right (3, Informative)

corychristison (951993) | about 5 years ago | (#29400571)

Absolutely. It also mentions that they were FTP passwords. FTP is all in cleartext, no encryption or obfuscation.

There is SFTP. But I don't know many providers that offer it. I avoid FTP in all cases and use SSH and SSHFS to talk to and transfer files to and from my servers.

I also use Linux on my home machines (including my laptop).

Doesn't matter who's hosting (3, Informative)

KDingo (944605) | about 5 years ago | (#29400063)

If your customers put up vulnerable software on your shared, dedicated, or virtual hosting service and they don't update it or you don't detect it, someone's going to find it and exploit it.

Had something similar happen to me. If you're monitoring server load, a webserver sending spam will definitely raise an alarm. As for services on odd ports, block everything except the real ports. Blocking outgoing traffic on IRC ports helps too in minimizing damage. The script kids are already making use of the recent Linux local root exploit (wunderbar_emporium) so make sure you do some yum updates!

Re:Doesn't matter who's hosting (1)

yahwotqa (817672) | about 5 years ago | (#29400537)

Not all updates are yummy...

nginx? (5, Funny)

Anonymous Coward | about 5 years ago | (#29400091)

nginx, so that's what the worm is called? I'd better check my company's webservers so they aren't running this evil hacker malware.

Oh my... all of them had been infected. No worries though, I managed to clean them all up. A good day's work well done.

just checked (1)

Rikiji7 (1182159) | about 5 years ago | (#29400175)

no one infected.

See, I told you Linux was insecure (1)

mysidia (191772) | about 5 years ago | (#29400235)

Time to switch to FreeBSD, TrustedBSD, and hardened OpenSolaris :)

Oh, and to be secure, you really should have an IDS on your network anyways, use strong unique passwords for each system (random >10 character passwords), and never store those passwords on a computer, except the hash in the system password file.

Re:See, I told you Linux was insecure (0)

Anonymous Coward | about 5 years ago | (#29400389)

Real men use OpenBSD and only use one port.

Re:See, I told you Linux was insecure (0)

Anonymous Coward | about 5 years ago | (#29400489)

Mysdidia for teh win!

Stop bickering and solve the problem (3, Insightful)

Temujin_12 (832986) | about 5 years ago | (#29400317)

Rather than getting consumed in an OS holy-war, perhaps we should focus on how exactly these systems were compromised and how to detect whether your server has been compromised. Linux servers being compromised is not a new thing. If you run old-enough libraries and software on them or configure things improperly, they'll eventually be compromised.

Does anyone know if a particular vulnerability was used to gain access to systems?

Does anyone know how to detect whether your system is compromised in this manner (is doing "ps -aux nginx" simple enough to detect it)?

Spare everyone the OS holy-war and fanboism and let's figure out what the problem is, how to detect it, and what to do to fix it.
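On the detection question in the post above (whether grepping `ps` for nginx is enough): an added example, not from the thread, that instead checks what is actually listening. A process can be renamed, but it cannot hide the socket it serves malware from, so comparing `ss -ltnp` output against an allowlist of expected port/process pairs catches the second webserver on 8080 the article describes. The `ss` output below is a constructed sample and the allowlist is an assumed baseline for a one-site LAMP host.

```python
import re
import subprocess

# Constructed sample of `ss -ltnp` output (not from a real host). The
# last line is the pattern from the article: a second webserver on 8080.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*     users:(("sshd",pid=812,fd=3))
LISTEN 0      511          0.0.0.0:80        0.0.0.0:*     users:(("apache2",pid=1400,fd=4))
LISTEN 0      128        127.0.0.1:3306      0.0.0.0:*     users:(("mysqld",pid=990,fd=12))
LISTEN 0      511          0.0.0.0:8080      0.0.0.0:*     users:(("nginx",pid=31337,fd=6))
"""

# Assumed baseline: port -> process names allowed to own it. Anything
# else listening is reported, whatever the process calls itself.
EXPECTED_LISTENERS = {22: {"sshd"}, 80: {"apache2"}, 443: {"apache2"}, 3306: {"mysqld"}}

# Local address may be 0.0.0.0, 127.0.0.1, [::] or *; the port always follows the last colon.
LISTEN_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)",pid=(\d+)')


def parse_listeners(ss_output):
    """Yield (addr, port, process, pid) for each LISTEN row of `ss -ltnp` output."""
    for line in ss_output.splitlines():
        m = LISTEN_RE.match(line.strip())
        if m:
            addr, port, proc, pid = m.groups()
            yield addr, int(port), proc, int(pid)


def find_unexpected_listeners(ss_output, expected=EXPECTED_LISTENERS):
    """Return listeners whose port is not allowlisted or whose process is wrong for that port."""
    findings = []
    for addr, port, proc, pid in parse_listeners(ss_output):
        if port not in expected:
            reason = "port not in allowlist"
        elif proc not in expected[port]:
            reason = f"unexpected process for port (allowed: {sorted(expected[port])})"
        else:
            continue
        findings.append({"addr": addr, "port": port, "proc": proc, "pid": pid, "reason": reason})
    return findings


if __name__ == "__main__":
    try:  # use the live socket table when ss is available, else the constructed sample
        output = subprocess.run(["ss", "-ltnp"], capture_output=True, text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        output = SAMPLE_SS_OUTPUT
    for f in find_unexpected_listeners(output):
        print(f"UNEXPECTED: {f['proc']} (pid {f['pid']}) on {f['addr']}:{f['port']} - {f['reason']}")
```

Pair this with an outbound rule review: a listener that is legitimate but unknown to the baseline shows up as a false positive once and is then added to the allowlist, which is the point of keeping the baseline explicit.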

Re:Stop bickering and solve the problem (1)

Exception Duck (1524809) | about 5 years ago | (#29400427)

There are other forums for that.
Here we just do OS holy wars.

Re:Stop bickering and solve the problem (1)

Runaway1956 (1322357) | about 5 years ago | (#29400613)

My thoughts, exactly. I RTFA'd, and found no mention of any specific vulnerability or method used to gain access to the servers. In fact, it isn't even clear to me that it's a *nix specific hack. The one common denominator seems to be - Apache.

Want to bet on how the servers were taken over? (1)

harlows_monkeys (106428) | about 5 years ago | (#29400507)

My bet is on a poorly written PHP (which stands for "Please Hack Promptly") app.

Re:Want to bet on how the servers were taken over? (3, Informative)

corychristison (951993) | about 5 years ago | (#29400607)

Actually, the article says that FTP passwords were used. Meaning they were probably sniffed either on the FTP user's personal computer, or over the wire somewhere between the user and the server on one of the hops, which could be dangerous.

Moral of the story, use SSH!

Lord of the Botnets (1)

Mr. Lwanga (872401) | about 5 years ago | (#29400539)

One Botnet to rule them all,
One Botnet to find them,
One Botnet to bring them all
and in the darkness bind them.

package mgmt and repos play a small role here (5, Interesting)

drougie (36782) | about 5 years ago | (#29400565)

It's nice to be able to apt-get yourself the latest stable copy of apache2 and php5 and mysql and postfix humming with just a command or two, also nice to be able to apt-get upgrade them after you apt-got updated. Those who maintain, clean and contribute to the large public repositories that apt and yum and rpm and pkg_add draw from are good people and they generally do a bang up job for 99% of the Linux and UNIX and UNIX-like folks. However, when you maintain servers which are not completely hidden behind a NAT with these programs for years and once in a blue moon compile something you downloaded in a gzipped tar, you put yourself on admin autopilot and that can bite you in the ass.

I'll give you one example: I installed RoundCube, the most badass webmail client there will ever be, ever, with apt (the first time). Ran it for a while without incident. Had my system on weekly cron apt updates so I figured I was safe. Eventually I discovered someone made it onto my system and put a malware-installing js line in my web pages. Looking through the guy's bash history I discovered they got in through a RoundCube vulnerability. I checked out RoundCube's site [roundcube.net], something I should have done first thing but did not, and it turns out their stable version was much newer than what apt realized and that this vulnerability would not have been on my system about five months ago had I downloaded straight from their site and stayed on the ball with their support resources, which are things that are less necessary when you just let apt-get rip.

Bottom line, apt-get update/upgrading would not patch a glaring vulnerability in software I found with apt originally with the default Debian sources.list and I doubt it would have on most other distros' package management systems. It wasn't RoundCube's fault, the patched release was their Stable build for a long time but I was left wide open to anyone who went on a rootkit site and googled for roundcube hosts and I got nailed. Learned my lesson and I don't fault the repository maintainers for being behind the ball a bit on less popular software in their enormous archives but if you ask me software should not be available on the default repositories for Linux variants that the maintainers are not confident that they can keep up to date or don't have some kind of way to be quickly and effectively notified by the authors/vendors in the event of a critical upgrade being available and to put it live right quick. Put it on the people who want to install such software themselves -- if they can make it past that hump I'd say their odds of running the software safely will be substantially higher than Joe Yum. And spreading awareness of cvs/svn would be nice too.

Can't believe I just admitted I got compromised.
