
Mystery Malware Affecting Linux/Apache Web Servers

Zonk posted more than 6 years ago | from the duck-and-cover-like-tommy-the-turtle dept.

Security 437

lisah writes "Reports are beginning to surface that some Web servers running Linux and Apache are unwittingly infecting thousands of computers, exploiting vulnerabilities in QuickTime, Yahoo! Messenger, and Windows. One way to tell if your machine is infected is if you're unable to create a directory name beginning with a numeral. Since details are still sketchy, the best advice right now is to take proactive steps to secure your servers. 'We asked the Apache Software Foundation if it had any advice on how to detect the rootkit or cleanse a server when it's found. According to Mark Cox of the Apache security team, "Whilst details are thin as to how the attackers gained root access to the compromised servers, we currently have no evidence that this is due to an unfixed vulnerability in the Apache HTTP Server." We sent a similar query to Red Hat, the largest vendor of Linux, but all its security team could tell us was that "At this point in time we have not had access to any affected machines and therefore cannot give guidance on which tools would reliably detect the rootkit."'"


437 comments


Ubuntu as well? (0)

Anonymous Coward | more than 6 years ago | (#22171784)

I wonder what other OSs have the issue.

Also, if this is utilizing windows machines as well, how would a person with windows find out if their machine was compromised?

Re:Ubuntu as well? (3, Funny)

oedneil (871555) | more than 6 years ago | (#22171812)

As Ubuntu is indeed Linux, I'd venture to guess that it is affected.

Re:Ubuntu as well? (-1, Troll)

Anonymous Coward | more than 6 years ago | (#22172062)

No, Ubuntu is GNU. GNU/Linux at best.

Re:Ubuntu as well? (-1, Troll)

Anonymous Coward | more than 6 years ago | (#22172328)

Ubuntu is faggotry. So it is infected with AIDS.

Re:Ubuntu as well? (4, Insightful)

PrescriptionWarning (932687) | more than 6 years ago | (#22171862)

"the current thinking is that the malware authors gained access to the servers using stolen root passwords"

so basically it's most likely they used the traditional means of gaining access (not through holes, but merely through bad personal security practices regarding passwords and password management). And it only affects windows clients. So how is this problem not your typical someone cracked your machine? Oh wait, I smell Microsoft FUD... ewwwwww

Re:Ubuntu as well? (0, Insightful)

Anonymous Coward | more than 6 years ago | (#22172444)

From TFA - "All reports thus far say the compromised servers are running Linux and Apache."

"And it only affects windows clients. So how is this problem not your typical someone cracked your machine? Oh wait, I smell Microsoft FUD"

Are you really that illiterate? Just an FYI - Microsoft doesn't make Apache OR Linux. If compromised severs are being used, it is certainly not the type that "only affects windows clients". Duh. Only here would such blatant anti-MS bullshit get modded "Insightful". I took a way more "insightful" shit this morning.

Re:Ubuntu as well? (1, Informative)

Anonymous Coward | more than 6 years ago | (#22172604)

And the malware infects Microsoft clients, genius. Don't get me wrong, I think this is a big deal, but his point is that unless you are running Windows OR have an Apache webserver this doesn't affect you. Linux desktop users are not affected.

Re:Ubuntu as well? (3, Funny)

Anonymous Coward | more than 6 years ago | (#22172668)

"but his point is that unless you are running Windows OR have an Apache webserver this doesn't effect you."

Well I am sure the 3% of the population that don't fit into either category are relieved as hell.

Re:Ubuntu as well? (4, Insightful)

nicklott (533496) | more than 6 years ago | (#22172588)

Microsoft? This story is posted on linux.com and being hyped on an OSDN site, where do Microsoft come in? They must have a pretty deep mole to get this one planted...

Re:Ubuntu as well? (3, Insightful)

symbolset (646467) | more than 6 years ago | (#22172304)

It's possible to install software on a Linux webserver that exploits vulnerabilities in Windows clients. This is news?

Here's a shocker: it's possible to exploit Windows boxes with services hosted on a Commodore64.

Windows has more malware packages than legitimate software packages. They've really solved that ease of installation problem.

Software sucks. (0, Flamebait)

Anonymous Coward | more than 6 years ago | (#22171802)

It's high time for better software, and the only way to get that is to apply market pressure. Software liability is the answer.

Re:Software sucks. (3, Insightful)

Anonymous Coward | more than 6 years ago | (#22172110)

How is that flamebait? I'm dead serious. If the quality of software doesn't improve dramatically, we're going to be in a world of hurt very soon. How do you suggest we achieve that improvement if not by making authors of faulty software liable for their negligence? We certainly can't keep upgrading software every time a bug is found, if bugs keep cropping up at the current rate.

Re:Software sucks. (1)

MacarooMac (1222684) | more than 6 years ago | (#22172290)

We certainly can't keep upgrading software every time a bug is found, if bugs keep cropping up at the current rate

You just watch me ..or at least, my avast! AV.

Re:Software sucks. (1, Insightful)

Anonymous Coward | more than 6 years ago | (#22172310)

Cool. I'm ready to sue open source developers -- I have to work around bugs all the time. How many major projects (servers, libraries, languages/runtimes) don't have bug fix releases all the time?

You'll have to show you took necessary precautions. Ready for that? MS is. Read up on their security precautions these days (SDL, etc.).

Are you sure you're up to the task? If so, what open source projects are you working on?

Re:Software sucks. (0)

Anonymous Coward | more than 6 years ago | (#22172558)

Open source software does not necessarily come from outfits with no revenue. Besides, the idea is to avoid bugs, to avoid having to pay for the consequences. If the quality of open source software is higher than that of closed source software, as is often claimed, then insuring the residual risk should be cheaper for open source companies.

If you fear for the small open source authors, then the liability could be attached to a software classification. "Not for productive use in network environments" would then mean that the person or company implementing the software in such an environment would be liable for any problems which arise. They in turn would have to insure the risk or find ways to minimize the risk so that they can shoulder the risk themselves. Of course that would mean no more 1-click fire-and-forget installations of hacked-together bulletin board software.

Re:Software sucks. (3, Insightful)

WaHooCrazy7 (1220464) | more than 6 years ago | (#22172462)

Would you please tell me which one of the hundreds if not thousands of developers should be sued when OSS has a bug in it? Also, there is no way we could process that many law suits...

Re:Software sucks. (2, Funny)

Garridan (597129) | more than 6 years ago | (#22172484)

Simple! Just don't upgrade. Problem solved! Don't worry, the rootkit seems to be spreading malware to windows users. They're used to it anyway -- it won't actually harm your linux box, so what's to worry?

Re:Software sucks. (1)

morgan_greywolf (835522) | more than 6 years ago | (#22172508)

It's FUD that's been spread around by Microsoft and their cronies (read: SCO) since the Caldera^WThe SCO Group sued IBM.

Microsoft certainly does not live up to this. Attached to every copy of Windows in the EULA is a disclaimer of liability, including special liability.

Re:Software sucks. (4, Insightful)

vux984 (928602) | more than 6 years ago | (#22172292)

It's high time for better software, and the only way to get that is to apply market pressure. Software liability is the answer.

1) If the market really wanted extensive 'software liability' then we'd already have it. Customers would demand it, suppliers would figure out how much it would cost to provide it, and prices would sort themselves out. Turns out the prices go WAY up, and customers (most of them) don't want to pay them.

2) What happens to Linux in a world with mandatory software liability? Who is liable? The company providing install and support? The volunteer contributor who wrote that line of code? The project maintainer who accepted the patch? ... And you wonder why your post was modded flamebait?

Re:Software sucks. (4, Funny)

Schraegstrichpunkt (931443) | more than 6 years ago | (#22172398)

Yeah. People should be held liable when they know full well that Microsoft has a track record for bad security, but choose Microsoft products anyway.

Re:Software sucks. (1)

KublaiKhan (522918) | more than 6 years ago | (#22172644)

Ain't the software that's at fault here--it's people who give out their root passwords, or have easily cracked root passwords.

Funny (0, Troll)

robvangelder (472838) | more than 6 years ago | (#22171808)

I think it's funny that Apache is affected by the same drama that affected IIS all those years ago.
We haven't really grown up, have we?

Re:Funny (0)

Anonymous Coward | more than 6 years ago | (#22171906)

Yeah, it's hilarious that Linux running Apache servers are infecting Windows based pc's with trojans that steal CC numbers, user credentials, email passwords, etc. Over 10,000+ infections since mid-December of 2007.

HAR! HAR! HAR!

Re:Funny (5, Insightful)

Undead Ed (1068120) | more than 6 years ago | (#22171922)

According to the story (did you read it), it appears to be a situation where the root password has been compromised, not the applications or operating system.

Problems with IIS were as a result of vulns in the application and/or Windows operating system - totally different problem.

Would you blame a lock company if the user left his keys in the lock?

Ed

Re:Funny (5, Insightful)

plague3106 (71849) | more than 6 years ago | (#22172042)

I read it, here's what it said: "One great unknown thus far is how the servers come to be infected. Absent any forensic evidence of break-ins, the current thinking is that the malware authors gained access to the servers using stolen root passwords."

In other words, they have no idea how the servers were compromised. Because they can't find out how, they're guessing it was a root password that was stolen. In other words, it's still just as likely a flaw in some software.

Re:Funny (5, Insightful)

Undead Ed (1068120) | more than 6 years ago | (#22172182)

"they're guessing it was a root password that was stolen"

A pretty good guess, otherwise we could expect to see millions of Apache web servers compromised (there are over 75 million Apache web servers in active service) and anticipate a much greater number of Windows clients infected.

The significance of this story is not that Windows clients are the target, the significance is that the infecting agent is originating from Apache/Linux servers.

Ed

Re:Funny (2, Interesting)

plague3106 (71849) | more than 6 years ago | (#22172538)

No, not really a good guess. It could be only Apache on a certain distro, with a certain version. Apache runs on Unix as well, so you can rule all those Apache installs out (the article seems to point out Linux, IIRC).

I agree with your reasoning on the significance of the story.

Re:Funny (0)

Anonymous Coward | more than 6 years ago | (#22172360)

Because they can't find out how, they're guessing it was a root password that was stolen. In other words, it's still just as likely a flaw in some software.

Not to be pedantic, but without any knowledge of how the security breach occurred, we should assign the bulk average probabilities. On average, more servers (esp. Linux servers) are compromised using stolen/guessed credentials than through exploiting security flaws (though both occur).

So, it's not "just as likely" that it's a flaw in software--it's more likely that this is a case of stolen credentials, although it's still possible that this is a case of a software exploit. (The fact that this attack isn't propagating very quickly further suggests that this is due to an isolated security problem (e.g. weak password) and not due to a widespread problem (e.g. software flaw)).

Re:Funny (5, Funny)

studpuppy (624228) | more than 6 years ago | (#22172240)

Would you blame a lock company if the user left his keys in the lock?

Depends. How good is my lawyer?

Re:Funny (1)

Trigun (685027) | more than 6 years ago | (#22172346)

How many lawyers are good?

Re:Funny (2, Interesting)

Anonymous Coward | more than 6 years ago | (#22172348)

Ed,

Please let me know what the last critical security flaw for IIS was. I'd love to know.

Also, let me know how many critical security flaws there have been for Apache in the last year or so.

Thanks!

Re:Funny (0, Redundant)

Anonymous Coward | more than 6 years ago | (#22172434)

Would you blame a lock company if the user left his keys in the lock?
Why not?
Such fallacious arguments are de rigueur for the gun control weenies.
What is the point of any technology if we have to be responsible for it, or something st00p3d like that?

Re:Funny (1)

davidsyes (765062) | more than 6 years ago | (#22172438)

In retrospect, I now wonder if this affected 1and1 late 2006 to early 2007. There were 3 times that one of my sites on 1and1 was affected. As in just inaccessible tho it would run for weeks and I hadn't changed anything. But, 1and1 were fast enough to fix it in under an hour. I used to be "paranoid" that some government agency was just trying to block my page (not necessarily the US, but maybe an Asian government). But I relaxed and nixed that line of thinking as no content was changed. It's been many months since I changed ANYthing on it.

Anyway, we all know the US, Russian, Chinese, and other governments regularly appear in the news condemning one another for staging shocking, penetrating attacks on each other's military and infrastructure networks. Of course, we should not assume Japan, Israel and others are NOT conducting their own probes and audits, either.

If there IS malice involved, I'd venture to say the testers left the vuln as a message, or they slipped up and got discovered, but their tool bag was not left behind full...

But, then, I wouldn't put it past ms to be involved with this to undermine IT departments using heterogeneous servers. OH NO....

Re:Funny (0)

Anonymous Coward | more than 6 years ago | (#22172636)

No, you go one step further and do what the UK does and arrest the locksmith who installed the lock!

Re:Funny (2, Informative)

Vellmont (569020) | more than 6 years ago | (#22171964)

I think it's funny that Apache is affected by the same drama that affected IIS all those years ago.

Except IIS had security hole after security hole.

There's been no such security hole found in apache yet. So I'd wait before making comparisons to IIS.

Re:Funny (1, Funny)

Anonymous Coward | more than 6 years ago | (#22172196)

IIS6 has never had a remote code execution hole. Ever.

Should have used IIS (5, Funny)

Anonymous Coward | more than 6 years ago | (#22171832)

This is why serious businesses choose a serious web server: Microsoft Internet Information Services running on Microsoft Windows Server.

Re:Should have used IIS (3, Funny)

Shaman (1148) | more than 6 years ago | (#22171974)

Hahahahahaha hah aha aha aha hahahahaaha bwahahahaha ...wait, you're joking, right?

LOLserver? (5, Funny)

KublaiKhan (522918) | more than 6 years ago | (#22171988)

IIS are serious server. This are serious thread.

Re:LOLserver? (5, Funny)

Anonymous Coward | more than 6 years ago | (#22172132)

Is can be rootkit tiem now plz?

Re:LOLserver? (3, Funny)

davidsyes (765062) | more than 6 years ago | (#22172156)

That are be unpossible.

Re:LOLserver? (2, Funny)

snarfies (115214) | more than 6 years ago | (#22172620)

I see what you did there.

Re:Nimda Code Red Chunked Encoding...... (2, Funny)

angus_rg (1063280) | more than 6 years ago | (#22172014)

Bozo the Clown serious?

Re:Should have used *BSD (2, Insightful)

Klaus_1250 (987230) | more than 6 years ago | (#22172550)

I'll take my chances with *BSD.

Re:Should have used IIS (0)

Anonymous Coward | more than 6 years ago | (#22172660)

I find it odd the example website they gave in their report (go register and download the PDF) --- IS RUNNING IIS !!!

If you're curious what the website is, just grab that PDF and google the content on their page, you'll find it quickly and easily.

Nothing in the report struck me as ... well ... factual. I'm guessing they're just trying to drum up business for themselves.

LISTEN UP (-1, Troll)

Anonymous Coward | more than 6 years ago | (#22171854)

Right you open source cunts, I want this shit fixed fucking pronto. I know you were going to sit down an evening of masturbating to underage anime and eating cheetos, but tough fucking shit - this needs to be fixed.

Re:LISTEN UP (1, Funny)

Anonymous Coward | more than 6 years ago | (#22172054)

Underage anime? Does that refer to pictures drawn after 1990?

Re:LISTEN UP (1)

0racle (667029) | more than 6 years ago | (#22172624)

Whoa there buddy. Are you saying anything before 1990 is not underage?

GOD DAMNIT! How am I becoming old?

Wait (-1, Troll)

Anonymous Coward | more than 6 years ago | (#22171860)

I was under the understanding that this type of thing does not happen to Linux. This must be a mistake. I think the poster meant to say Windows and IIS instead of Linux and Apache.

Something's fishy! (4, Funny)

linumax (910946) | more than 6 years ago | (#22171876)

Last night I discovered a directory named 53 4B 59 4E 45 54 in my home folder.

Re:Something's fishy! (5, Informative)

JeepFanatic (993244) | more than 6 years ago | (#22171914)

If you run those values through a hex to ascii converter you get SKYNET

Re:Something's fishy! (1)

ls671 (1122017) | more than 6 years ago | (#22172376)

Do you mean you MUST use a converter to solve it ? ;-)

Re:Something's fishy! (1)

iknowcss (937215) | more than 6 years ago | (#22172646)

Aww, take the fun out of it ;)

Re:Something's fishy! (5, Funny)

Trigun (685027) | more than 6 years ago | (#22171982)

Are those Bra sizes? You're into some weird shit man.

Hummm, no ahah ?! (2, Interesting)

DirtyFly (765689) | more than 6 years ago | (#22171918)

I do believe that if this story was with IIS it would be tagged ahah :)

Re:Hummm, no ahah ?! (1)

calebt3 (1098475) | more than 6 years ago | (#22172654)

Don't you mean 'haha'?

press release?? (2, Insightful)

Anonymous Coward | more than 6 years ago | (#22171920)

"According to a press release issued earlier this month ..."

Yawn.

Re:press release?? (1)

westlake (615356) | more than 6 years ago | (#22172400)

"According to a press release issued earlier this month ..."
Yawn.

Interesting.

Someone posts a story about compromised Apache servers and all it rates from the Geek is a yawn.

Am I safe? (1, Funny)

Solra Bizna (716281) | more than 6 years ago | (#22171926)

Does this rootkit work on a hardened Gentoo install with no LKM support on SPARC64? :P

-:sigma.SB

Re:Am I safe? (5, Funny)

Anonymous Coward | more than 6 years ago | (#22172004)

Does this rootkit work on a hardened Gentoo install with no LKM support on SPARC64? :P

Maybe; they're still compiling it.

Re:Am I safe? (4, Funny)

GreggBz (777373) | more than 6 years ago | (#22172032)

Yes, but you have to compile it.

Re:Am I safe? (-1, Flamebait)

Anonymous Coward | more than 6 years ago | (#22172114)

Being that you're probably one of the few losers actually using it, I would say yes, you're safe. You're too insignificant of a demographic to be targeted, and the only people who still care about Gentoo are the same Gentools that have been running it since the beginning...oh, yeah, except the Gentoo Foundation members, who don't give a shit either by the looks of things.

So yeah, feel all proud and smug that your piece of trash SPARC machine won't be affected. Chances are the rest of the world is passing you by, too.

Re:Am I safe? (5, Funny)

bigredradio (631970) | more than 6 years ago | (#22172248)

You're safe. NOTHING will run on that system. ;-)

Re:Am I safe? (0)

Anonymous Coward | more than 6 years ago | (#22172366)

I think we need to take a closer look.

Only one real way to tell: configure ssh access for root, then post login/password combo with ip address.

It's open source, which is secured by many eyeballs looking at your server to keep it safe.

Ron Paul will fix IT!! (-1, Troll)

Anonymous Coward | more than 6 years ago | (#22171930)

HEY YOU APACHE MOTHERFUCKERS!! CALL Ron Paul and will save the FUCKING DAY, BITCHES!!


RON PAUL 2008!!!!

RON PAUL WANTS TO GENOCIDE APACHES (-1, Troll)

Anonymous Coward | more than 6 years ago | (#22171980)

He'll use the software, but won't like the name.

RONNIE PAUL 2K8!

mkdir 1 (4, Insightful)

hey (83763) | more than 6 years ago | (#22171968)

I can see thousands of people trying to make numeric directories :)
Yes, also if you can run your tummy while patting your head you aren't infected also.
I think.... this crazy idea is the virus!

Re:mkdir 1 (1)

CastrTroy (595695) | more than 6 years ago | (#22172084)

I rushed off to try it myself. I used to be on a shared hosting service (hostreflex) that had their servers pwned once. Something would go out in the header of every PHP file that would get the browser to run the virus. Luckily my virus scanner blocked it. I'm not sure if anybody's computers got infected, but my site is pretty low traffic anyway. As soon as I found out the problem, I replaced my home page with a plain text file. No more problem. Needless to say I switched hosting companies pretty fast after that.

Well... (2, Funny)

Anonymous Coward | more than 6 years ago | (#22172102)

I did a mkdir 09F911029D74E35BD84156C5635688C0 and all I got was a DMCA rm -f 09FA* request.

Re:mkdir 1 (1)

gEvil (beta) (945888) | more than 6 years ago | (#22172106)

Yes, also if you can run your tummy while patting your head you aren't infected also.

Uh oh. I have no idea how to run my tummy. Crap, I must be infected!

Re:mkdir 1 (0)

Anonymous Coward | more than 6 years ago | (#22172262)

Actually, GPP is incorrect. It's when your tummy runs and runs and runs that you may have an infection.

Re:mkdir 1 (2, Funny)

wanderingknight (1103573) | more than 6 years ago | (#22172414)

lucas@bilkis:~$ man mytummy
No manual entry for mytummy

Re:mkdir 1 (1)

mpoulton (689851) | more than 6 years ago | (#22172614)

Uh oh. I have no idea how to run my tummy. Crap, I must be infected!

If you crap, then you DO know how to run your tummy!

Re:mkdir 1 (1)

mblase (200735) | more than 6 years ago | (#22172186)

I can see thousands of people trying to make numeric directories :)
Yes, also if you can run your tummy while patting your head you aren't infected also.

I heard that if you can spread your fingers and your hand covers your entire face, your server is infected.

Re:mkdir 1 (2, Informative)

grub (11606) | more than 6 years ago | (#22172210)

I can see thousands of people trying to make numeric directories :)

I just mkdir'd a numeric directory then remembered I run OpenBSD on my net-facing servers. :P

Re:mkdir 1 Un-cross keys, avoid the Lahar... (1)

davidsyes (765062) | more than 6 years ago | (#22172218)

Are your R's and B's "Crossover" keys, or Virtual Keys, or VirtualBox keys?

Run your tummy makes me think of being run over, or loosing a hot bowel of a lahar surmounting, umm, surpassing even Mt. Pinatubo.

Re:mkdir 1 (1)

garcia (6573) | more than 6 years ago | (#22172404)

From the linked article:

This isn't always the case in older variants of the rootkit. To be certain your server isn't compromised, it's best to sniff packets for a brief 3-5 minute period. You can do this using the command below:
tcpdump -nAs 2048 src port 80 | grep "[a-zA-Z]\{5\}\.js'"

That's another way to check apparently.
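
The article's tcpdump/grep check, re-implemented as an added example (not code from the article, the thread or any vendor) over saved response text so it can be run offline against a capture; the five-letter .js heuristic is the article's, while the allow list, the sample responses and the 198.51.100.7 address are constructed assumptions.

```python
import re
from typing import Dict, List

# The article's check is a tcpdump of port-80 traffic piped through
# grep "[a-zA-Z]\{5\}\.js'", i.e. a script reference whose file name is exactly
# five letters followed by .js. The pattern below applies the same idea to
# saved response text, accepting either quote style and requiring the five
# letters to be the whole basename (so jquery.js does not match on "query").
INJECTED_JS = re.compile(
    r"""<script[^>]*\bsrc=(['"])(?P<url>(?:[^'"]*/)?(?P<name>[A-Za-z]{5})\.js)\1""",
    re.IGNORECASE,
)

# Constructed sample responses (not real captures); 198.51.100.7 is a
# documentation-range address, not a real host.
SAMPLE_RESPONSES: Dict[str, str] = {
    "clean": (
        "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
        '<html><head><script src="/js/jquery.js"></script></head>'
        "<body>hello</body></html>"
    ),
    "injected": (
        "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
        "<html><head><title>t</title></head><body>hello</body></html>"
        "<script src='http://198.51.100.7/kxqzt.js'></script>"
    ),
    "local_five_letter": (
        'HTTP/1.1 200 OK\r\n\r\n<script src="/static/index.js"></script>'
    ),
}


def find_suspicious_scripts(body: str, allow=frozenset({"index"})) -> List[str]:
    """URLs of <script src> tags whose basename is five letters plus .js.

    Names on the allow list are skipped: five-letter names such as index.js
    are common, so the raw heuristic from the article produces false positives.
    """
    hits: List[str] = []
    for m in INJECTED_JS.finditer(body):
        if m.group("name").lower() in allow:
            continue
        hits.append(m.group("url"))
    return hits


def scan_responses(responses: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each labelled response to its suspicious script URLs, omitting clean ones."""
    findings: Dict[str, List[str]] = {}
    for label, body in responses.items():
        hits = find_suspicious_scripts(body)
        if hits:
            findings[label] = hits
    return findings
```

A hit only says the page carries a script that fits the pattern; the next step is to compare the served page against the file on disk, since the rootkit injects into responses rather than into the site's own files.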

Re:mkdir 1 (1)

ls671 (1122017) | more than 6 years ago | (#22172548)

I just tried it and damn I think I am infected since the system won't let me create the directory named "1".

$ mkdir 1
mkdir: cannot create directory `1': File exists

Read it careful people... (3, Informative)

cbart387 (1192883) | more than 6 years ago | (#22172024)

The servers are Linux (because of an access issue). The computers being hurt by this are Windows. At least that's how I read the article (see the quote from the article below).

According to a press release issued earlier this month by Finjan, a security research firm, compromised Web servers are infecting thousands of visitors daily with malware that turns their Windows machines into unwitting bots to do the bidding of an as yet unidentified criminal organization. Security firms ScanSafe and SecureWorks have since added their own takes on the situation, though with varying estimates on the number of sites affected. All reports thus far say the compromised servers are running Linux and Apache.

Re:Read it careful people... (5, Insightful)

jawtheshark (198669) | more than 6 years ago | (#22172222)

I do not know how you interpret this, but a rooted server, Linux, FreeBSD, OpenBSD or even Windows is also a "harmed" computer. Yes, clients will get infected, but the servers are in deep trouble too.

Re:Read it careful people... (2, Insightful)

cbart387 (1192883) | more than 6 years ago | (#22172352)

I admit, I jumped the gun. I'm done conjecturing until more information comes in. I usually get annoyed when people do so, so I really have no excuse.

Re:Read it careful people... (1)

cbart387 (1192883) | more than 6 years ago | (#22172226)

I take that back. :/ It seems like there's too many unknowns to jump to conclusions. I'm done conjecturing ... it won't serve any point at this time.

Re:Read it careful people... (1)

primadd (1215814) | more than 6 years ago | (#22172446)

My site is still pretty new, life measured in months. Still I do get 20k attack tries a day! Searching for all kinds of old and bug ridden php/cgi scripts. Their stupid scripts seem to like my server as it returns a 301 if you connect using HTTP 1.1 but without a Host inside the header - apparently confuses the script. Here's a small example of the last few seconds.

"GET /phpchat//chat/messagesL.php3 HTTP/1.1" 301 335 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
"GET /PhpMyChat//chat/messagesL.php3 HTTP/1.1" 301 337 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
"GET /chatroom//chat/messagesL.php3 HTTP/1.1" 301 336 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
"GET /chats//chat/messagesL.php3 HTTP/1.1" 301 333 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
"GET /forum//chat/messagesL.php3 HTTP/1.1" 301 333 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
"GET /php/phpmychat//chat/messagesL.php3 HTTP/1.1" 301 341 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
"GET /phpMyChat-0.14.2//chat/messagesL.php3 HTTP/1.1" 301 344 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
"GET /phpMyChat-0.14.5//chat/messagesL.php3 HTTP/1.1" 301 344 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"

--
free customizable social bookmarking widget for your site! [primadd.net]
at the moment there are 7 different styles [primadd.net] and 2 GPL'ed plugins [primadd.net] available
account creation optional, feedback more than welcome

Can't be malware (2, Funny)

Anonymous MadCoe (613739) | more than 6 years ago | (#22172076)

It's for Apache/Linux so it must be well crafted code written with the best intention....

Isn't that always the case with FOSS. If it was for Microsoft then it would be _real_ malware....

Re:Can't be malware (0)

Anonymous Coward | more than 6 years ago | (#22172350)

If you RTFA you'd see that the malware is Javascript that attempts to exploit vulnerabilities in Windows, QuickTime, and Yahoo! Messenger. Sounds like that meets your definition of "_real_ malware"

What are the common factors? (4, Insightful)

Arrogant-Bastard (141720) | more than 6 years ago | (#22172122)

To figure out what the compromise vector is, it's probably going to be necessary to figure out what the compromised servers have in common -- and how that differs from uncompromised servers. (Keeping in mind that currently-uncompromised servers may have the same vulnerability, and that attackers or their software just may not have gotten to them yet.)

I'd suggest enumerating factors such as OS, OS version, remote access methods (ssh, ftp, etc.), Apache versions, Apache modules, add-ons like CPanel, network/ASN, and so on -- anything could be a culprit at this point.

And that includes things that have nothing to do with Linux or Apache: for example, it's possible that the attackers acquired root passwords by infecting Windows systems used by administrators -- then just waited for them to initiate ssh sessions to their servers. It'd probably be best to leave all possibilities open and consider them equally likely until evidence starts accumulating in favor of/against them. (In re-reading that last statement, I suppose it sounds a bit trite. I'm just trying to discourage premature conclusions that anything is at fault until somebody can produce evidence to support saying so.)

Re:What are the common factors? (4, Insightful)

whoever57 (658626) | more than 6 years ago | (#22172440)

To figure out what the compromise vector is, it's probably going to be necessary to figure out what the compromised servers have in common -- and how that differs from uncompromised servers. (Keeping in mind that currently-uncompromised servers may have the same vulnerability, and that attackers or their software just may not have gotten to them yet.)

Perhaps this is the end result of all those dictionary attacks against SSH servers that we have seen for the past 2-3 years. Inevitably, some of those attacks will have been successful. Perhaps the successful logins have not been exploited until now.

ssh + bad password (5, Informative)

Panaflex (13191) | more than 6 years ago | (#22172170)

I see this type of attack all the time, the fact that someone automated it and gave it a zombie machine is not surprising.

* Don't allow root to ssh into your machine.
* Disable ssh1.
* Limit sudoers.
* Have good passwords.
* ???
* PROFIT!!

Seems like a formula everyone should know.

Re:ssh + bad password (1, Informative)

whoever57 (658626) | more than 6 years ago | (#22172306)

* Don't allow root to ssh into your machine.

Dangerous if you don't have easy physical access to your machine. It is possible to screw up a machine in such a way that a normal user cannot log in, but root can. It is better to:

* Disable password authentication in SSH -- require key-based authentication

Re:ssh + bad password (2, Informative)

Panaflex (13191) | more than 6 years ago | (#22172390)

That's a good idea - but be careful!

Attackers can trampoline onto other machines in the network if they share the same key. If you're going to do this, then be careful about which machines can freely contact each other, and use separate keys for each server.
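
An added example (not from anyone in this thread) that turns the advice above into a check: it parses sshd_config the way sshd does (first occurrence of a keyword wins, Match blocks are conditional) and reports the three things the posts call out, root over SSH, SSH-1, and password rather than key authentication. The two config fragments are constructed, not taken from any real host.

```python
from typing import Dict, List

# Constructed sshd_config fragments (not from any real host): the first leaves
# everything the thread warns about enabled, the second applies the advice.
WEAK_SSHD_CONFIG = """\
Port 22
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
"""

HARDENED_SSHD_CONFIG = """\
Port 22
Protocol 2
# root stays reachable for recovery (the concern raised above), but only with a key
PermitRootLogin prohibit-password
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
"""


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Effective global directives as lower-cased keyword -> value.

    sshd takes the first occurrence of a keyword, so later duplicates are
    ignored, and directives after the first Match block only apply
    conditionally, so parsing stops there.
    """
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def audit_sshd_config(text: str) -> List[str]:
    """Findings for the three points raised in the thread: root over SSH,
    SSH-1, and password (rather than key) authentication."""
    s = parse_sshd_config(text)
    findings: List[str] = []

    root = s.get("permitrootlogin", "").lower()
    if root == "yes":
        findings.append("PermitRootLogin yes: root can log in with a password")
    elif root == "":
        findings.append("PermitRootLogin not set: the default depends on the "
                        "OpenSSH version, and older releases allow it")

    protocol = s.get("protocol", "")
    if "1" in [p.strip() for p in protocol.split(",")]:
        findings.append(f"Protocol {protocol}: SSH-1 is enabled")

    if s.get("passwordauthentication", "yes").lower() != "no":
        findings.append("PasswordAuthentication not disabled: password guessing "
                        "is still possible")
    elif s.get("challengeresponseauthentication", "yes").lower() != "no":
        # Often missed: with PAM, keyboard-interactive can still prompt for a
        # password even when PasswordAuthentication is off.
        findings.append("ChallengeResponseAuthentication not disabled: "
                        "keyboard-interactive may still accept passwords")
    return findings
```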

Re:ssh + bad password (2, Insightful)

PinkPanther (42194) | more than 6 years ago | (#22172662)

If someone is going to render their machine usable only by root, then I strongly doubt they've taken the time or have the knowledge to implement the security precautions listed above. If they know how, they likely should and likely won't render their machine useless.

In addition, if they really might render the machine useless, they likely shouldn't have it on the 'net.

Re:ssh + bad password (2, Interesting)

ScouseMouse (690083) | more than 6 years ago | (#22172336)

* Don't allow root to ssh into your machine.

I was most surprised when I found that Redhat (our corporate Linux of choice) appears to allow this as the default. Certainly, the Debian box I use as a home server never used to allow that; however, checking, I see that since I upgraded from Woody, it does allow remote SSH as root. That's worrying.
We'll have to fix that.

Re:ssh + bad password (2, Interesting)

mandelbr0t (1015855) | more than 6 years ago | (#22172502)

Allow me to insert one step before ???

* Follow-up on your SSH logs. If you see a phishing attack, do something about it!

That something could be:

- Report the IP to the owner of the netblock, who can be found at ARIN [arin.net]. All netblock owners must have an IP-admin address or an abuse address. Unfortunately, my experience is that most of these go to /dev/null. There are those who actually have responsible NOC staff, and they will act on your complaint if you send them a copy of the relevant logs.

- Block further network access from that particular netblock at your firewall. I've found this to be a very effective method. Believe it or not, you don't end up blocking the entire Internet; the places that launch such attacks are not very common.

- Rate-limit SSH access. This works well, but I've locked myself out of my own server!
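The "follow up on your SSH logs" step above is the one most people skip, so here is an added example of what that follow-up looks like in practice. It is not code from the thread or from the poster: it reads syslog-style sshd lines (the "Failed password", "Invalid user" and "Accepted password/publickey" formats OpenSSH writes to auth.log), counts failures per source address, flags any source that failed repeatedly and then got in (the dictionary-attack-that-succeeded case raised earlier in the thread), and prints, without executing, firewall rules for the noisy sources while skipping one allow-listed management address so you do not lock yourself out as the poster did. The log lines are constructed for the example; the addresses are documentation ranges, not real attackers.

```shell
#!/bin/sh
# Added example (not from the thread): triage sshd auth-log lines.
# Assumptions: OpenSSH message formats as written to a syslog auth.log;
# the sample below is constructed, not captured from a real host.

# write_sample_log FILE -- constructed lines for demonstration only
write_sample_log() {
    cat > "$1" <<'EOF'
Jan 21 03:14:02 web sshd[4123]: Invalid user admin from 203.0.113.45
Jan 21 03:14:02 web sshd[4123]: Failed password for invalid user admin from 203.0.113.45 port 52311 ssh2
Jan 21 03:14:05 web sshd[4125]: Failed password for invalid user oracle from 203.0.113.45 port 52330 ssh2
Jan 21 03:14:08 web sshd[4127]: Failed password for root from 203.0.113.45 port 52351 ssh2
Jan 21 03:14:11 web sshd[4129]: Failed password for root from 203.0.113.45 port 52372 ssh2
Jan 21 03:14:14 web sshd[4131]: Failed password for root from 203.0.113.45 port 52390 ssh2
Jan 21 03:14:17 web sshd[4133]: Accepted password for root from 203.0.113.45 port 52401 ssh2
Jan 21 08:02:41 web sshd[4201]: Failed password for alice from 198.51.100.7 port 40022 ssh2
Jan 21 08:02:49 web sshd[4201]: Accepted publickey for alice from 198.51.100.7 port 40022 ssh2
EOF
}

# failures_by_ip LOG THRESHOLD
# Print "count ip", highest first, for every source with >= THRESHOLD failures.
failures_by_ip() {
    awk -v t="$2" '
        /sshd\[[0-9]+\]: Failed password/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
        }
        END { for (ip in n) if (n[ip] >= t) print n[ip], ip }
    ' "$1" | sort -rn
}

# successes_after_failures LOG
# Print "ip user" for every accepted login from a source that had failed
# before: this is the brute-force-that-worked case, and every line it prints
# deserves a look at what that session did next.
successes_after_failures() {
    awk '
        /sshd\[[0-9]+\]: Failed password/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { seen[$(i+1)] = 1; break }
        }
        /sshd\[[0-9]+\]: Accepted (password|publickey)/ {
            for (i = 1; i <= NF; i++) if ($i == "for")  { user = $(i+1); break }
            for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i+1); break }
            if (seen[ip]) print ip, user
        }
    ' "$1"
}

# suggest_blocks LOG THRESHOLD ALLOW_IP
# Print (do not run) an iptables rule per noisy source, skipping ALLOW_IP,
# the address you administer from, so a typo-heavy day does not lock you out.
suggest_blocks() {
    failures_by_ip "$1" "$2" | while read -r count ip; do
        if [ "$ip" = "$3" ]; then
            echo "# skipping $ip ($count failures): allow-listed management address"
        else
            echo "iptables -I INPUT -s $ip -p tcp --dport 22 -j DROP   # $count failures"
        fi
    done
}

# Stand-alone use: sh ssh_triage.sh /var/log/auth.log 10 203.0.113.1
if [ $# -ge 2 ]; then
    echo "== sources at or over $2 failures =="; failures_by_ip "$1" "$2"
    echo "== accepted logins from sources that failed earlier =="; successes_after_failures "$1"
    echo "== proposed blocks =="; suggest_blocks "$1" "$2" "${3:-}"
fi
```

Note that an accepted publickey login after a failed password (alice above) is usually an admin who mistyped before the agent kicked in, while an accepted password for root after five failures from the same address is exactly the pattern the thread is worried about; the script lists both and leaves the judgement to you.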

I've been infect.... never mind ;) (0)

Anonymous Coward | more than 6 years ago | (#22172382)

me@web:~$ cd ~www-data
me@web:/var/www$ mkdir 12directory
mkdir: cannot create directory `12directory': Permission denied
me@web:/var/www$

OHMIGOSH, I've been infected!

</dunce-mode>
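The joke above makes a real point: the "can you create a directory whose name starts with a digit?" indicator from the summary only means something when tried somewhere you are allowed to write. The function below is an added example, not code from the thread or from the poster: it creates a scratch directory with mktemp, first confirms that an ordinary name can be created there (so a plain permission problem is reported as inconclusive rather than as the symptom), and only then tries the digit-leading name. The default name 1test.d is an arbitrary choice for the example.

```shell
#!/bin/sh
# Added example (not from the thread): run the digit-leading-directory check
# from the article in a directory that is definitely writable.
# Assumptions: POSIX sh with mktemp -d; NAME (default 1test.d) is arbitrary.

# numeric_mkdir_check [NAME]
# Returns 0 if a digit-leading directory can be created and removed,
#         1 if mkdir fails even though the scratch directory is writable
#           (the indicator the summary describes),
#         2 if the test could not be set up (no scratch dir, control mkdir
#           failed, or NAME does not start with a digit): inconclusive.
numeric_mkdir_check() {
    name=${1:-1test.d}
    case "$name" in
        [0-9]*) ;;
        *) echo "name must start with a digit: $name" >&2; return 2 ;;
    esac
    scratch=$(mktemp -d 2>/dev/null) || return 2
    # Control: a non-digit name must work here, or the environment is at fault.
    if ! mkdir "$scratch/control.d" 2>/dev/null; then
        rm -rf "$scratch"; return 2
    fi
    if mkdir "$scratch/$name" 2>/dev/null && [ -d "$scratch/$name" ]; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$scratch"
    return $rc
}

# Stand-alone use: sh numeric_mkdir_check.sh && echo "digit-leading mkdir works"
if [ -n "${1:-}" ]; then
    numeric_mkdir_check "$1"
fi
```

A return of 1 is a reason to look harder (compare ls, stat and mkdir from a known-clean statically linked toolset), not proof of compromise on its own; a return of 2 means the test told you nothing, which is the case in the post above.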

Rewrote that for you (0)

Anonymous Coward | more than 6 years ago | (#22172402)

Reports are beginning to surface that some Web servers running IIS are unwittingly infecting thousands of computers, exploiting vulnerabilities in QuickTime, Yahoo! Messenger, and Windows. One way to tell if your machine is infected is if a Windows logo appears on system startup. Since details are still sketchy, the best advice right now is to take proactive steps to secure your servers. 'We asked Sony if it had any advice on how to detect the rootkit or cleanse a server when it's found. According to Joe Blow of the Sony security team, "That rootkit is protected under the DMCA. Detection or cleansing the rootkit will be punished to the fullest extent permissible by law." We sent a similar query to Microsoft, the largest vendor of Windows, but all its security team could tell us was that "At this point in time we have not had access to any affected machines and therefore cannot give guidance on which tools would reliably detect the rootkit."

Inaccurate (0, Redundant)

deadeye766 (1104515) | more than 6 years ago | (#22172470)

Seriously, everyone knows Linux is completely and utterly unhackable. This is obviously some kind of viral pro-MS FUD. =)

lighttpd (0, Redundant)

Apreche (239272) | more than 6 years ago | (#22172496)

Is the way to go.

A thousand ways (0, Redundant)

Evets (629327) | more than 6 years ago | (#22172564)

There are a thousand ways to root a machine, and there are a lot of ways to configure apache so that it's either very secure or very insecure - but really apache is just one attack vector. Given that all the machines exhibited distribution of the Windows malware, it may be a common configuration problem between those servers - but how many servers do they know about that were distributing the software? 10? 1000? 10,000? You would think if there were that many of them there would be incremental backups that you could look through to see what was going on in the system.

Logically assuming that it is just a handful of servers based on the fact that nobody has pinpointed the problem, more likely it's that the server admins are either the problem, or it is an attack on a very specific configuration and software combination.

More details are available... (4, Informative)

Anonymous Coward | more than 6 years ago | (#22172634)

... though a solution has not been found yet:

http://blog.trendmicro.com/e-commerce-sites-invaded/ [trendmicro.com]

If you happen to have one of these compromised systems, I am sure that Trend would like to talk to you about it...