
Backdoor Targeting Apache Servers Spreads To Nginx, Lighttpd

timothy posted about a year and a half ago | from the learning-to-attack-the-unpronounceable dept.

Security 136

An anonymous reader writes "Last week's revelation of the existence of Linux/Cdorked.A, a highly advanced and stealthy Apache backdoor used to drive traffic from legitimate compromised sites to malicious websites carrying Blackhole exploit packs, was only the beginning — ESET's continuing investigation has now revealed that the backdoor also infects sites running the nginx and Lighttpd webservers. Researchers have, so far, detected more than 400 webservers infected with the backdoor, and 50 of them are among the world's most popular and visited websites." Here's the researchers' original report.


136 comments


I have a stupid question. (1, Interesting)

Anonymous Coward | about a year and a half ago | (#43671475)

Why do the developers force us to tell the world what engine we use?

Re:I have a stupid question. (4, Interesting)

TheCarp (96830) | about a year and a half ago | (#43671507)

Are you referring to the HTTP headers that identify the server version? If so then yes, it is a stupid question, since every webserver which I have ever configured has had an option to turn that off. Not that I ever bothered; if it was so useful, it would be turned off by default.

Fingerprinting doesn't take that long, especially for well known services. Might be of some use if you really have to run something obscure. In any case, even if they don't know if you are vulnerable, how long does it take to find out? Little use there.

Re:I have a stupid question. (1)

phantomfive (622387) | about a year and a half ago | (#43671849)

It's going to be useful if someone is trying a targeted attack directly on your server. That way they know what version you are running, and can go to the correct source code trying to find a vulnerability, and not waste time on newer versions, or older versions, or patched versions, or whatever.

Is G-Wan affected ? (1)

Taco Cowboy (5327) | about a year and a half ago | (#43672525)

I have some sites running lighttpd; on others I run G-Wan.

Is G-Wan affected ?

Thanks in advance for any tips that you can share with us.

Thanks again !!

Re:Is G-Wan affected ? (1)

phantomfive (622387) | about a year and a half ago | (#43672553)

Looks like it could be affected because the exploit wasn't in the web-server; their machines got hacked through other means and then used that access to modify the webserver. So make sure you have a good ssh password and your box is updated at a minimum.

Re:Is G-Wan affected ? (0)

Anonymous Coward | about a year and a half ago | (#43672567)

Thanks for the info !!

Looks like I ain't gonna enjoy lots of sleep from now until next weekend

Checker code: download, compile, run (1)

AliasMarlowe (1042386) | about a year and a half ago | (#43672773)

> Thanks for the info !!
>
> Looks like I ain't gonna enjoy lots of sleep from now until next weekend

You could download and compile (for your web server) the detection C code provided here [welivesecurity.com]. Then you'll have less uncertainty.

I had to cross-compile it for an old Synology box with a PowerPC 8241 processor; it seems to be clean.

Re:Is G-Wan affected ? (1)

Anonymous Coward | about a year and a half ago | (#43672621)

Not delivering traffic is standard behaviour for G-Wan; it doesn't need a backdoor or virus for that.

Re:I have a stupid question. (3, Informative)

gmack (197796) | about a year and a half ago | (#43672563)

Quite frankly, I don't think the webserver was the entry point for Cdorked.A since, as far as I read, it was mainly machines with cPanel that were infected. Even if the problem wasn't cPanel, Apache doesn't run with the right permissions to change its own binary. If the entry point is elsewhere, once they are in the machine with root access, discovering what web server software is being used is trivial.

Rather than worrying about something as trivial as the web server software, I would be much more concerned about why none of the control panels I've come across seem to have any sort of secure design. They run as root without any sort of privilege separation and edit the config files even when daemons are available that have a database back end.

Re:I have a stupid question. (0)

phantomfive (622387) | about a year and a half ago | (#43672599)

What kind of developer thinks that a web server needs a GUI? That, in my opinion, explains everything about why the control panels lack secure design.

Re:I have a stupid question. (5, Funny)

Zontar The Mindless (9002) | about a year and a half ago | (#43672907)

> What kind of developer thinks that a web server needs a GUI?

Where else are they going to put the ON and OFF buttons?

Re:I have a stupid question. (0)

Anonymous Coward | about a year and a half ago | (#43673987)

In the cloud?

Re:I have a stupid question. (4, Insightful)

Zero__Kelvin (151819) | about a year and a half ago | (#43673743)

CPanel is often used to allow Web Hosting customers to have control over their pay per month websites / accounts. If a company allows their customers to create email accounts, enable ssh, etc. on a shared host this is how it is typically done to reduce the huge overhead of fielding requests for such tasks from every Tom, Dick, and Harry, since you clearly cannot give them root access.

Implementing an idea poorly does not make it a bad idea.

Re:I have a stupid question. (3, Interesting)

Yebyen (59663) | about a year and a half ago | (#43673955)

> since you clearly cannot give them root access.

and yet that's what it seems to be doing here. I heard a lot of folks say that LXC was DOA, because it didn't offer any protection against the classic "escalate chrooted root user to full system access," and I am not an expert but I'd say that has changed, you _can_ give your customers root without giving them root on the host system. Check out http://docker.io/ [docker.io] </shameless>

(I heard there were alternatives to docker too, but I haven't found any other than RTFM and Edit The Damn Configs And Cross Your Fingers. Docker has just entered version 0.3 release and development is moving quickly.)

Re:I have a stupid question. (1)

Zero__Kelvin (151819) | about a year and a half ago | (#43674167)

You aren't quite getting it. The tool is designed to only allow people who have logged in (auth'd) to perform tasks that require root access, limiting said access to only certain configuration files that they should be able to change, and to make only certain kinds of changes. It has a security flaw which can be exploited. It is no different than any other software that requires root access and has a security flaw that can be exploited from a non-privileged environment. It is akin to a GUI based sudo with nice dialogs as a front end to various tools. If a particular implementation of sudo is flawed it doesn't mean the concept of sudo is flawed.

Re:I have a stupid question. (1)

Opportunist (166417) | about a year and a half ago | (#43672853)

And this is why I usually announce a version with a well known exploit and keep the firewall trained to alert me of exploits targeting that version.

No better way to tip you off to a targeted attack.

Re:I have a stupid question. (1)

mvdwege (243851) | about a year and a half ago | (#43673043)

Keyword here is 'if'.

Most attackers will just run every exploit against a service in the hope that one will stick.

Re:I have a stupid question. (0)

Anonymous Coward | about a year and a half ago | (#43672095)

> Are you referring to the HTTP headers that identify the server version? If so then yes, it is a stupid question, since every webserver which I have ever configured has had an option to turn that off. Not that I ever bothered; if it was so useful, it would be turned off by default.
>
> Fingerprinting doesn't take that long, especially for well known services. Might be of some use if you really have to run something obscure. In any case, even if they don't know if you are vulnerable, how long does it take to find out? Little use there.

So how do you do that in Apache?

Re:I have a stupid question. (2, Informative)

Anonymous Coward | about a year and a half ago | (#43672667)

> So how do you do that in Apache?

You're looking for ServerTokens and/or ServerSignature.

But as the comment says:

# Changing the following options will not really affect the security of the
# server, but might make attacks slightly more difficult in some cases.

Re:I have a stupid question. (0)

Anonymous Coward | about a year and a half ago | (#43672527)

Yes, Mr. expert, can you please tell us how to do this? I would appreciate you telling me how to do this in nginx.

Re:I have a stupid question. (0)

Anonymous Coward | about a year and a half ago | (#43672585)

In nginx setting "server_tokens off" will remove version info, but there is (by design) no way to remove the "nginx" string. To get rid of this, the simplest way is to change the string in the source code and then build nginx yourself (src/http/ngx_http_header_filter_module.c).

Fingerprinting makes this probably overkill, and some browsers treat different webservers differently based upon what this value is, so I'm not sure that it should even be best practice to hide this value. I believe this is why nginx considers there being no config option to totally remove the "nginx" type a feature rather than a bug.

Re:I have a stupid question. (0)

Anonymous Coward | about a year and a half ago | (#43672565)

Well, if you have a catalog of what every website runs, it's a lot easier to run targeted exploit attacks instead of just blanketing every webserver in existence hoping to hit an exploit.

Re:I have a stupid question. (3)

Bert64 (520050) | about a year and a half ago | (#43672443)

It's all about advertising, to show just how many people use their webserver.

Re:I have a stupid question. (0)

Anonymous Coward | about a year and a half ago | (#43672735)

If you think hiding a version number or application name will help you're being naive. They'll just do something akin to the black hole exploit kit, and try every exploit known to them.

Re:I have a stupid question. (0)

Anonymous Coward | about a year and a half ago | (#43673859)

And generate a metric ass-ton of logs making the whole attempt easy to see. No, security through obscurity does not work; you are no more or less vulnerable... Masking httpd engine, plugins/modules, and version makes it more difficult for an attacker or pentester to stealthily compromise the service.

Ignoring your logs means it will make no difference; logwatch+masked service goes a long ways in making it more interesting...

Re:I have a stupid question. (0)

Anonymous Coward | about a year and a half ago | (#43673299)

it's not forced on you, it's something that can be turned off or edited into something a little more generic...

similarly....

that's why you don't use AGPL (Affero) software for web sites and apps that forces you to disclose that, AND, link to your code, besides...

and, short-sighted little shits that 'demand' link or attribution on public facing pages or page output source for their little project or code are also fucking stupid..

you don't tell the world what you're running. period. sure, some things are too obvious from url structure, etc, such as joomla or WordPress... but you shouldn't be running those either..

Why? (5, Interesting)

Guinness Beaumont (2901413) | about a year and a half ago | (#43671515)

Why isn't there a list of infected sites? Avoiding them would seem to be a priority.

Re:Why? (3, Funny)

Skapare (16644) | about a year and a half ago | (#43671589)

Are you afraid of a little infected web site? Something wrong with your browser?

Re:Why? (5, Insightful)

Guinness Beaumont (2901413) | about a year and a half ago | (#43671625)

Yes. My entire family will be calling for free tech support as their machines eat crap. This affects me directly and greatly, as I'm sure it similarly affects many other frequent posters here. Also personally, yes, no browser is invincible and I'd like to avoid infection as well.

Re:Why? (0)

Anonymous Coward | about a year and a half ago | (#43671785)

> Yes. My entire family will be calling for free tech support as their machines eat crap. This affects me directly and greatly, as I'm sure it similarly affects many other frequent posters here. Also personally, yes, no browser is invincible and I'd like to avoid infection as well.

It looks like Facebook, Twitter, Google, Yahoo, Hotmail, Reddit and Slashdot are among the affected sites... good luck with that!

But really, that's like telling your family: "don't open any emails that say "free" in the subject, they're infected with a virus!!!" I'm sure the sites that are known to be affected have already been notified by the researchers and they've taken steps to clean it up - so why get everyone in a tizzy over this when the known sites are likely going to be solved before it's a problem for you?

Re:Why? (0)

Anonymous Coward | about a year and a half ago | (#43672789)

You can't get them to return the favour? Sounds like a bit of an unbalanced situation.

Re:Why? (3, Funny)

Opportunist (166417) | about a year and a half ago | (#43672865)

Find out what they're experts in, become a complete idiot in that field and start pestering them with requests for help.

Keeps my dad away. Though I now have to pay for repairs when my car breaks down.

Re:Why? (0)

Anonymous Coward | about a year and a half ago | (#43673431)

> Find out what they're experts in, become a complete idiot in that field and start pestering them with requests for help.

Not only are you an opportunist, you are a genius as well.

Re:Why? (0)

Anonymous Coward | about a year and a half ago | (#43673651)

Are you 23? Why are you doing tech support for your family? Get some hormone replacement therapy and man the fuck up.

There is something wrong with EVERY browser (1)

Anonymous Brave Guy (457657) | about a year and a half ago | (#43671815)

There are numerous security flaws in all the major browsers. Vulnerabilities are getting fixed all the time; just look at the change log of Firefox or Chrome over the last few releases, for example. If you think you're magically virus-proof because you're running your pet OSS software, you might consider the list of popular OSS web servers in the title of this discussion.

Re:There is something wrong with EVERY browser (3, Insightful)

DarkTempes (822722) | about a year and a half ago | (#43671991)

I run lynx/links/etc in a chroot jail, you insensitive clod!

In my experience most of the major browser exploits attack vulnerable plugins (flash, java, acrobat/pdf viewer, etc) or abuse scripting.
If you restrict or disable said plugins and javascript then I'd say you're pretty darn safe.
Granted, most "web 2.0" websites work like shit without javascript enabled but some stuff still works. For the more sane of us there are things like NoScript.

It's kind of hard for plain text and images to do bad things though I suppose it's been done before.

Re:There is something wrong with EVERY browser (4, Interesting)

lindi (634828) | about a year and a half ago | (#43672279)

From Debian 7 release notes:

"Therefore, browsers built upon the webkit, qtwebkit and khtml engines are included in Wheezy, but not covered by security support. These browsers should not be used against untrusted websites. For general web browser use we recommend browsers building on the Mozilla xulrunner engine (Iceweasel and Iceape) or Chromium."

-- http://www.debian.org/releases/stable/amd64/release-notes/ch-information.en.html#browser-security [debian.org]

Re:There is something wrong with EVERY browser (3, Interesting)

Bert64 (520050) | about a year and a half ago | (#43672455)

They attack plugins because flash/java/acrobat are still installed on over 90% of potential targets, whereas the browser market is now diversified...

Re:There is something wrong with EVERY browser (3, Informative)

dkf (304284) | about a year and a half ago | (#43672805)

> It's kind of hard for plain text and images to do bad things though I suppose it's been done before.

There have been vulnerabilities in PNG and JPG image format handlers in the past, so yes, there has definitely been the potential to have images do bad things. (Arguably none would be as bad as using some of the ones relating to goatse, but that's a different kind of problem.) If you hear of problems in fundamental media type handlers, for goodness sake make sure you're up to date with your security patches!

I don't know if there were any exploits of those problems in the wild though.

Re:There is something wrong with EVERY browser (0)

Anonymous Coward | about a year and a half ago | (#43673001)

You youngsters and your newfangled technologies, the proper way of browsing is Stallman's [stallman.org]:

> I have several free web browsers on my laptop, but I generally do not look at web sites from my own machine, aside from a few sites operated for or by the GNU Project, FSF or me. I fetch web pages from other sites by sending mail to a program (see git://git.gnu.org/womb/hacks.git) that fetches them, much like wget, and then mails them back to me. Then I look at them using a web browser, unless it is easy to see the text in the HTML page directly.

Re:There is something wrong with EVERY browser (2)

jedidiah (1196) | about a year and a half ago | (#43672121)

There's a small number of infected sites. That clearly indicates that this is likely a case of digital burglary rather than the much lower bar of something like a viral infection. Otherwise we would be talking about thousands of sites or half the Internet.

Your screed would be more relevant if not for the fact that there are various fairly common workarounds employed on the various browsers to mitigate just this kind of nonsense.

A little paranoia goes a long way. That's far more useful than the sort of blissful ignorance that tends to be associated with non-OSS software.

Re:Why? (3, Interesting)

mwvdlee (775178) | about a year and a half ago | (#43672641)

How exactly does your browser recognize the difference between a normal page and the exact same page delivered from the exact same server at perhaps a microsecond delay?

This backdoor may simply be passing on POSTs with passwords (a webserver receives these unencrypted, you know) to another server without altering anything on the page. The only one who'd notice would be a webserver admin that happens to monitor outgoing traffic.

Re:Why? (2)

phantomfive (622387) | about a year and a half ago | (#43671871)

It could lure you into a sense of false security, letting you think you are safe by avoiding them, when really you don't know that. Other sites are probably infected too.

Also, the sites they've found are probably not infected anymore, since presumably they've been notified and resolved the problem.

Re:Why? (2)

znrt (2424692) | about a year and a half ago | (#43672419)

> It could lure you into a sense of false security, letting you think you are safe by avoiding them, when really you don't know that. Other sites are probably infected too.

methinks the whole internets is built upon a false sense of false security. the OP is right, there is no reason not to disclose the list.

> Also, the sites they've found are probably not infected anymore, since presumably they've been notified and resolved the problem.

this is a bold assumption, and a clear indication of a false sense of security :-)
(besides in contradiction with your previous statement)

Re:Why? (1)

phantomfive (622387) | about a year and a half ago | (#43672441)

How is it a contradiction?

Re:Why? (1)

jrumney (197329) | about a year and a half ago | (#43672027)

> Avoiding them would seem to be a priority.

1. slashdot.org
2. ....

Too late!

Re:Why? (3, Interesting)

dotancohen (1015143) | about a year and a half ago | (#43672633)

> Why isn't there a list of infected sites? Avoiding them would seem to be a priority.

Here is how to make sure you are not one of the infected sites: Compile and run this:
http://www.welivesecurity.com/wp-content/uploads/2013/04/dump_cdorked_config.c [welivesecurity.com]

If you don't want to vet that, you can get a first approximation with "ipcs", just look for the Apache PID, which you can get from "ps aux | grep apache2".
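The ipcs check described above, written out as an added shell example (not from the post, and not ESET's detection tool): it parses `ipcs -m -p` output and flags every shared memory segment whose creator PID belongs to a web server process (apache2, httpd, nginx or lighttpd). The ipcs and ps samples are constructed, and a hit is only a lead to inspect, since Apache legitimately creates shared memory for its own scoreboard.

```shell
#!/bin/sh
# Added example: first-approximation check for shared memory segments created
# by a web server process, following the "ipcs" hint in the post above.
# It does not identify Cdorked; it only narrows down what to inspect.

# Constructed sample of `ipcs -m -p` output (util-linux layout: shmid owner cpid lpid).
SAMPLE_IPCS='------ Shared Memory Creator/Last-op PIDs --------
shmid      owner      cpid       lpid
0          root       811        811
32769      www-data   2417       2417
65538      postgres   1190       1203
98307      www-data   3001       3001'

# Constructed sample of `ps -eo pid,comm` output for the same hypothetical host.
SAMPLE_PS='  PID COMMAND
  811 systemd-journal
 1190 postgres
 2417 apache2
 2418 apache2
 3001 lighttpd'

# Web server process names to flag (extend for your distribution's naming).
WEBSERVER_RE='^(apache2|httpd|nginx|lighttpd)$'

# flag_webserver_shm IPCS_TEXT PS_TEXT
# Prints "shmid cpid comm" for every segment whose creator PID is a web
# server process. Both inputs go through one awk pass, separated by a
# marker line, so it stays portable to mawk and busybox awk.
flag_webserver_shm() {
  {
    printf '%s\n' "$2"
    echo '__IPCS__'
    printf '%s\n' "$1"
  } | awk -v re="$WEBSERVER_RE" '
    $1 == "__IPCS__" { in_ipcs = 1; next }
    # ps rows: remember the command name for each numeric PID.
    !in_ipcs { if ($1 ~ /^[0-9]+$/) comm[$1] = $2; next }
    # ipcs data rows start with a numeric shmid; $3 is the creator PID.
    $1 ~ /^[0-9]+$/ && ($3 in comm) && comm[$3] ~ re { print $1, $3, comm[$3] }
  '
}

# Run against the live host (needs util-linux ipcs and procps ps).
scan_live_host() {
  flag_webserver_shm "$(ipcs -m -p)" "$(ps -eo pid,comm)"
}

if [ "${1-}" = "--live" ]; then
  hits=$(scan_live_host)
  if [ -n "$hits" ]; then
    echo "Shared memory segments created by web server processes (inspect these):"
    echo "$hits"
  else
    echo "No shared memory segment created by a web server process."
  fi
else
  echo "Sample run (constructed data):"
  flag_webserver_shm "$SAMPLE_IPCS" "$SAMPLE_PS"
fi
```

Run it with `--live` on the server itself; without the flag it only exercises the constructed sample.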

Name the 50 sites (5, Insightful)

PNutts (199112) | about a year and a half ago | (#43671529)

The actual quote is, "50 are ranked in Alexa’s top 100,000 most popular websites." Quite different than the summary but would still be interesting to know.

Re:Name the 50 sites (0)

Anonymous Coward | about a year and a half ago | (#43671695)

Where is this list? I would want that information as a high priority. That Alexa put some list together and these sites happen to be on the list of affected sites - is immaterial. Incomplete reporting across the board - not one of the links from the posting have any more info than the kernel in the posting has. Journalism, if one can still call it that, is in a dismal state. Give people the information they need, don't leave them hanging, wondering, searching... /rant ends/

Re:Name the 50 sites (1)

phantomfive (622387) | about a year and a half ago | (#43671863)

> That Alexa put some list together and these sites happen to be on the list of affected sites - is immaterial.

It's material because it means that you had a nontrivial chance of actually running into them.

Also, releasing that information is less useful than you think, because presumably those sites have been notified and resolved the problem. The real security worry is the sites that are infected but we don't know. They are definitely out there.

Re:Name the 50 sites (0)

Anonymous Coward | about a year and a half ago | (#43672137)

Ok, point taken. If it's non-trivial to run across these sites, this makes disclosure of the list even more important. Which 50 of Alexa's top 1000 sites on the planet are they? CNN.com? Reuters.com? Ubuntu.com? Microsoft.com? Facebook? Flickr? The public need to know.

Re:Name the 50 sites (0)

Anonymous Coward | about a year and a half ago | (#43672575)

Most likely it's microsoft.com

Re:Name the 50 sites (1)

daveime (1253762) | about a year and a half ago | (#43673545)

> It's material because it means that you had a nontrivial chance of actually running into them.

Well that really depends if the affected sites are #1 to #50 or #99950 to #99999 now doesn't it ?

Should have used Microsoft Windows Server 2012 (-1, Flamebait)

Anonymous Coward | about a year and a half ago | (#43671569)

This is what you get for trusting mission critical servers to open sores software.

Re:Should have used Microsoft Windows Server 2012 (0, Troll)

Anonymous Coward | about a year and a half ago | (#43671585)

yeah cos the alternative is SOOOO much better

fuckwit

checksums (2)

ncohafmuta (577957) | about a year and a half ago | (#43671615)

Why is this hard to detect if you're monitoring the checksums on your server binaries?

The hack resides in memory. (2)

mtb_ogre (698802) | about a year and a half ago | (#43672161)

From what I understand, the hack doesn't affect the binaries on disk, it runs in memory only. Checksum based file checkers don't check running executables.

Re:The hack resides in memory. (2)

ls671 (1122017) | about a year and a half ago | (#43672393)

I think they said there is a modified httpd though. It should be enough to raise suspicion.

https://www.net-security.org/secworld.php?id=14836 [net-security.org]

And they still don't know the initial vector (3, Insightful)

Skapare (16644) | about a year and a half ago | (#43671629)

> We also don’t have enough information to pinpoint how those servers are initially being hacked, but we are thinking through SSHD-based brute force attacks.

So does this mean I need to remove sshd? Doubtful. More likely the initial vector is social engineering or weak passwords (social stupidity). That makes this whole infection uninteresting ... it's just an app from the web server perspective. OK, so it can break into your browser with a zero-day. Fix the browser.

Re:And they still don't know the initial vector (-1)

Anonymous Coward | about a year and a half ago | (#43671835)

SSHD brute force attacks would, in fact, be successful if the compromised accounts had weak passwords. Thank you for putting two and two together for the rest of us.

Re:And they still don't know the initial vector (1)

jedidiah (1196) | about a year and a half ago | (#43672129)

...and the server wasn't using any of the various forms of brute force attack countermeasures.

These come prepackaged now but you could easily craft one yourself out of basic Unix tools. Did that very thing before discovering fail-to-ban.

A little paranoia goes a long way.

Re:And they still don't know the initial vector (3, Informative)

nedwidek (98930) | about a year and a half ago | (#43672759)

And if not fail2ban, a good first step is updating the firewall rules to have a rate limiter on sshd. Mine allows only 2 attempts to connect a minute.

-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -m recent --set
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -m recent --update --seconds 60 --hitcount 2 -j DROP
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT

Re:And they still don't know the initial vector (3, Informative)

phantomfive (622387) | about a year and a half ago | (#43671839)

> So does this mean I need to remove sshd?

No, it means you need a more complicated password.

And it seems to be just a guess, they probably came to 'sshd' by following a line of reasoning starting with the only thing they could think of that all the hacked servers have in common.

Re:And they still don't know the initial vector (3, Informative)

mtb_ogre (698802) | about a year and a half ago | (#43672169)

> No, it means you need a more complicated password.

Or better still, generate a key and turn off passwords entirely [wordpress.com].

Re:And they still don't know the initial vector (4, Informative)

lgftsa (617184) | about a year and a half ago | (#43672015)

Worried about exposed sshd? Install pam-abl and watch the brute force attackers waste their time. With my config, three failures from any IP address in an hour (or 6 per day) and that IP is locked out for a week through PAM. They can still try, of course, but even if they somehow guess the correct password, it must be in their first three guesses each week.

There's no indication to the attacker that pam-abl is there, and there's very little chance of a DOS attack against legitimate logins.

Oh, and you've denied root logins from the internet, haven't you?

Warning: Source tarball, but if I debian-ized it, then anyone can.

Re:And they still don't know the initial vector (3, Informative)

thetoastman (747937) | about a year and a half ago | (#43672153)

There are quite a number of ways to harden access

1. pam-abl (as noted above)
2. denyhosts
3. VPN (openvpn works for me)
4. Hosting ISP firewall

Also as noted above, do not permit direct remote root access. Doing anything less is just advertising yourself as a platform for malware.

The first three are quite easy to set up. There is really no excuse for not setting up at least a minimum level of security on your system. That plus careful use of mod_security, and you've done quite a bit towards thwarting the casual drive-by cracker.

. . . . just my two cents

Re:And they still don't know the initial vector (0)

Anonymous Coward | about a year and a half ago | (#43672639)

> Warning: Source tarball, but if I debian-ized it, then anyone can.

apt-get install libpam-abl

pam-abl doesn't solve this (2)

dutchwhizzman (817898) | about a year and a half ago | (#43672909)

They have vast botnets, once an IP gets blocked, they just continue from the next IP. I haven't seen brute forcing coming from the entire botnet by default myself, but I'm sure there are crackers that have figured this out by now. You're merely obfuscating the weakness with your solution. Sure, it's effective against quite a few types of drive-by attacks, but the only solution is to stop accepting passwords and require PKI for ssh auth.

Re:pam-abl doesn't solve this (0)

Anonymous Coward | about a year and a half ago | (#43673643)

I'm glad you live in a perfect world where nobody needs password only access. Also I hope you like the 100% cpu spinning from the SSHD still getting a crapload of connections because they still keep connecting endlessly even though you don't accept passwords. Most of these things are pretty stupid, but hey you just keep using public keys and think the world is perfect because you are using those. Nevermind the fact that key management in typical SSH usage is TERRIBLE. But hey, you are the security expert here, right?

Re:And they still don't know the initial vector (0)

Anonymous Coward | about a year and a half ago | (#43672931)

sorry, any decent timing attack will definitely detect and likely exploit pam-abl to make your passwords less secure. most open source security code is terrible at this, and coming in a tarball is not a good indicator of project maturity.

Re:And they still don't know the initial vector (0)

Anonymous Coward | about a year and a half ago | (#43673711)

Do you have proof of this or are you just talking out your ass?

Re:And they still don't know the initial vector (1)

OhANameWhatName (2688401) | about a year and a half ago | (#43672317)

> So does this mean I need to remove sshd?

I got an e-mail in my spam folder last week so I pulled all the hard disks.
Unlike you other lameoids, my server aints gettin hacked.

Re:And they still don't know the initial vector (0)

Anonymous Coward | about a year and a half ago | (#43673327)

Dude, way to make the rest of us look bad.

Fix (5, Funny)

Frankie70 (803801) | about a year and a half ago | (#43671659)

You can download a fix here [iis.net].

Re:Fix (1, Funny)

Anonymous Coward | about a year and a half ago | (#43671711)

Yes, indeed. Why suffer from this minor malware when you could have all the best ones infecting you? Lightweights!

Re:Fix (-1)

Anonymous Coward | about a year and a half ago | (#43674157)

Trollolloll. Don't get me wrong, I've spent the last 20 years building webapps on Apache (and Nginx nowadays) but IIS is a fine server.

FUD is the malware that spreads amongst the Slashdot hivemind.

Re:Fix (1)

hcs_$reboot (1536101) | about a year and a half ago | (#43672791)

At first it made me laugh... but then wondered... maybe you were serious after all??

Cpanel? (1)

Anonymous Coward | about a year and a half ago | (#43671663)

is this for cpanel or apache?

Re:Cpanel? (1)

fazey (2806709) | about a year and a half ago | (#43671763)

... What?
The intruder is backdooring the binaries. It has nothing to do with cPanel. Not to mention cPanel runs easyapache, but if it became an intended target, I'm sure it could be infected just the same...

Re:Cpanel? (2)

c0lo (1497653) | about a year and a half ago | (#43672163)

> is this for cpanel or apache?

TFA [net-security.org]

"We still don’t know for sure how this malicious software was deployed on the web servers," the researchers admit. "We believe the infection vector is not unique. It cannot be attributed solely to installations of cPanel because only a fraction of the infected servers are using this management software. One thing is clear, this malware does not propagate by itself and it does not exploit a vulnerability in a specific software."

Curious (1)

Anonymous Coward | about a year and a half ago | (#43671729)

Only 2 weeks back, when this was reported everyone blamed cPanel. Now that exposures in NGNIX and LighHTTPD have been found, comments (guesses) as to the attack method are proposed, but very few realistic ideas. TFA seems to indicate that it's more pervasive than many of the people commenting want to believe. I'm just waiting for them to find IIS infected as well.

Re:Curious (0)

Anonymous Coward | about a year and a half ago | (#43672653)

LighHTTPD is infected too?? Damn, I thought it was just Apache, nginx, and LigHTTPD

Not an apache/nginx/lightttpd vulnerability (2, Informative)

gmuslera (3436) | about a year and a half ago | (#43671733)

Those servers somehow (i.e. a vulnerable web app, weak ssh passwords, local privilege escalation from a shell obtained in some way, or a combo of all of those) got rooted, and instead of modifying web pages (easier, but also easier to detect and fix), replacing the entire web server (easier to detect or to roll back) or changing the configuration of i.e. mod_rewrite modules (which with a configuration manager could have been detected/rolled back to the original one), they got some new modules replaced/added, modules that in particular had that functionality.

There is nothing particularly new in this, other than the malware authors not being just script kiddies and actually having done some serious programming for it. Somehow I hope that they give back to the community by releasing the source, not the malware backdoor itself, but a modified, non-malware version with a useful use (i.e. something that dynamically blacklists IPs/useragents/languages for actions, receiving the input from another kind of system, like a honeywords [slashdot.org] service) if not available yet.
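The comment above makes the point that the malware swaps in or adds web server modules rather than touching pages or config, and that a recorded baseline is what lets you notice that. The following is an added example (not from the thread, not ESET's tooling): a minimal baseline-and-compare integrity check over a modules directory; the directory layout, module file names and file contents are all constructed here for the demonstration.

```python
"""Baseline integrity check for a web server's module directory.

Constructed example: records sha256 of every file under a directory into a
JSON manifest, then reports files that were added, removed or modified
relative to that manifest. Module names and contents below are made up.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through sha256 so large binaries are not read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each regular file under root (relative path) to its sha256."""
    return {str(p.relative_to(root)): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(baseline: dict, current: dict) -> dict:
    """Return sorted lists of added, removed and modified relative paths."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline
                      if p in current and baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Constructed scenario: baseline a clean modules dir, then replace one
    module and drop in an unexpected one, as a rooted host might show."""
    with tempfile.TemporaryDirectory() as tmp:
        mods = Path(tmp) / "modules"
        mods.mkdir()
        (mods / "mod_rewrite.so").write_bytes(b"clean rewrite module")
        (mods / "mod_ssl.so").write_bytes(b"clean ssl module")
        manifest = Path(tmp) / "baseline.json"
        manifest.write_text(json.dumps(build_manifest(mods)))
        # Later state: one module replaced, one unexpected module added.
        (mods / "mod_rewrite.so").write_bytes(b"replaced rewrite module")
        (mods / "mod_extra.so").write_bytes(b"unexpected new module")
        return compare(json.loads(manifest.read_text()), build_manifest(mods))
```

In practice the manifest would be taken from a known-good install (or from the package manager's own file database) and stored off the host, since a baseline kept on a rooted box can be rewritten along with the modules.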

Those idiots at Microsoft (1)

Anonymous Coward | about a year and a half ago | (#43671735)

If they'd used Linux instead, this wouldn't have happened.

Re:Those idiots at Microsoft (0)

hcs_$reboot (1536101) | about a year and a half ago | (#43672797)

Oh you mean if MS wouldn't have existed, many people wouldn't have converted themselves to virus makers and the world would be better?

I can't believe it, Jim. (-1, Offtopic)

jtownatpunk.net (245670) | about a year and a half ago | (#43671907)

That girl's standing over there listening and you're telling him about our back doors?

Re:I can't believe it, Jim. (0)

VortexCortex (1117377) | about a year and a half ago | (#43672033)

That girl's standing over there listening and you're telling him about our back doors?

Clearly, that girl is interested in back doors because he has a package at his front door.

Re:I can't believe it, Jim. (0, Offtopic)

Anonymous Coward | about a year and a half ago | (#43672109)

That girl's standing over there listening and you're telling him about our back doors?

Mister Potato Head! Mister Potato Head! Back doors are not secrets!

screw it (4, Funny)

clam666 (1178429) | about a year and a half ago | (#43672031)

I knew this was a mistake. Secure my ass. I'm going back to Windows.

Re:screw it (0)

Anonymous Coward | about a year and a half ago | (#43672579)

Hey why stop there, Novell 3.11 !

Re:screw it (1)

Volguus Zildrohar (1618657) | about a year and a half ago | (#43673149)

I don't think you're familiar with the stereotypes. You'd only need to secure your ass if you were going to OS X.

and this is why.... (-1)

smash (1351) | about a year and a half ago | (#43672149)

Having a working knowledge of a variety of platforms is a good idea. Given that the vulnerability seems to be common to all these servers when run on Linux, now would be a prime time to flick services over to FreeBSD (or something else) until the root cause has been determined.

That no one knows the actual method of infection yet though is a fair cause for concern; it means you can't effectively defend against it when running that platform.

Re:and this is why.... (5, Funny)

Anonymous Coward | about a year and a half ago | (#43672235)

FreeBSD runs the same software stack, so it would make little difference.

That's why our organization uses a custom server software written in 68K assembly running on MacOS 7.6.1 on a cluster of Quadra 610s.

Re:and this is why.... (1)

H0p313ss (811249) | about a year and a half ago | (#43672445)

That's why our organization uses a custom server software written in 68K assembly running on MacOS 7.6.1 on a cluster of Quadra 610s.

Well played sir, well played indeed.

Re:and this is why.... (1)

Anonymous Coward | about a year and a half ago | (#43672617)

610s? I can get 40 605s in a rack that fits 10 or so 610s.

Which 10G AAUI modules are you using for your AppleTalk SAN?

Re:and this is why.... (0)

Anonymous Coward | about a year and a half ago | (#43673397)

FreeBSD runs the same software stack, so it would make little difference.

That's why our organization uses a custom server software written in 68K assembly running on MacOS 7.6.1 on a cluster of Quadra 610s.

My organization uses custom server software written in 6502 assembly language running on a cluster of VIC-20s. We upgraded from Sinclair ZX-81s just this year.

The only backdoor I'm interested in (-1)

Anonymous Coward | about a year and a half ago | (#43672205)

The only backdoor I'm interested in is the one on a nubile woman.

Re:The only backdoor I'm interested in (0)

Anonymous Coward | about a year and a half ago | (#43673185)

I'm sorry, your sister is not relevant to this discussion.

do77 (-1)

Anonymous Coward | about a year and a half ago | (#43672361)

for successful significantly else To be an teeth into when