First Botnet of Linux Web Servers Discovered 254
The Register writes up a Russian security researcher who has uncovered a Linux webserver botnet that is coordinating with a more conventional home-based botnet of Windows machines to distribute malware. "Each of the infected machines examined so far is a dedicated or virtual dedicated server running a legitimate website, Denis Sinegubko, an independent researcher based in Magnitogorsk, Russia, told The Register. But in addition to running an Apache webserver to dish up benign content, they've also been hacked to run a second webserver known as nginx, which serves malware [on port 8080]. 'What we see here is a long awaited botnet of zombie web servers! A group of interconnected infected web servers with [a] common control center involved in malware distribution,' Sinegubko wrote. 'To make things more complex, this botnet of web servers is connected with the botnet of infected home computer(s).'"
Ok, so I got the popcorn ready.... (Score:5, Insightful)
Just waiting for the flamefest here of Linux vs Windows botnets.
Stupid people use linux too (Score:5, Insightful)
What's new here? (Score:2, Insightful)
What's so special about this one that we haven't seen in the last 5 years? Linux or BSD systems have been durned into rogue IRC servers (for C&C purposes) for zombies all the time.
Whether sweeps for vulnerable AWStats installations, badly configured PHP installations or archaic PHPBB installs, webservers are hammered with automated exploits all day. Maybe "DataCha0s 2.0" rings a bell for some.
Re:Stupid people use linux too (Score:5, Insightful)
Actually, I would say the people to blame are those hosting providers who keep using ftp with weak usernames and weak passwords as the preferred way to access your website.
There was a time when the client software was insufficient to the task, that time is long gone. WinSCP is mature and easy to use. No, browsers don't offer sftp:// support natively, but the browser is not very secure anyway. Hosting providers need to get their heads out of the sand and upgrade to secure authentication.
stolen root credential (Score:5, Insightful)
Re:Ok, so I got the popcorn ready.... (Score:5, Insightful)
I suspect you are astroturfing for MS here
And I suspect that you are a troll.
and so will want "botnet" to mean "any set of two or more compromised computers". But that definition means that the number of windows botnets would be astronomical, so be careful about your definitions.
Did you even read what I linked to? A botnet is a collection of compromised computers that share a Command and Control channel.
Instead I propose the following definition:
Because the generally accepted definitions don't suit your purpose?
Re:Ok, so I got the popcorn ready.... (Score:5, Insightful)
...so the MS astroturf team has decided to call it a "botnet".
I'm curious--how can I tell when an idea is being promoted by the "MS astroturf team" and not by regular not-so-clueful reporters that might mistakenly use the wrong term?
Re:Reporters Fail (Score:3, Insightful)
'Botnet' has never meant 'auto-infected' and if they assumed that, they were careless. The summary makes no attempt to fool them into thinking anything other than the facts.
Besides which, at this point, we don't -know- how it spreads. We just know that it exists... Which to me, is news.
Re:Missing in the summary (Score:4, Insightful)
At the moment that may be true, but that has certainly not been the case many times before.
You could be right (Score:5, Insightful)
It's unclear exactly how the servers have become infected. Sinegubko speculates they belong to careless administrators who allowed their root passwords to be sniffed.
If Sinegubko is right and the attack vector was sniffed passwords, then it is likely that those passwords got sniffed by an existing Windows Botnet.
Re:Ok, so I got the popcorn ready.... (Score:4, Insightful)
If anyone was astroturfing for MS they would never say the word 'botnet' unless they are insane.
This is definately not the first time a unix system has been comprimised by an administrator being slack about their passwords. Why it's an issue is because each system is being used to control multiple infected windows machines, something I doubt an astroturfer would want to draw attention to (excepting the previously mentioned insane ones).
It's far more likely that this sort of activity has been going on for years and it's just the first time any mainstream media has caught up on the fact.
The solution is so simple, just protect your root passwords for fucks sake, yet we know there are countless incompetent admins without any clue out there and this shit should be expected, in that it is impossible to aviod voluntary security breaches.
Stop bickering and solve the problem (Score:4, Insightful)
Rather than getting consumed in an OS holy-war, perhaps we should focus on how exactly these systems were compromised and how to detect whether your server has been compromised. Linux servers being compromised is not a new thing. If you run old-enough libraries and software on them or configure things improperly, they'll eventually be compromised.
Does anyone know if a particular vulnerability was used to gain access to systems?
Does anyone know how to detect whether your system is compromised in this manner (is doing "ps -aux nginx" simple enough to detect it)?
Spare everyone the OS holy-war and fanboism and let's figure out what the problem is, how to detect it, and what to do to fix it.
Re:Ok, so I got the popcorn ready.... (Score:3, Insightful)
Only an idiot would claim that servers being compromised because admins choose to send passwords over the internet in plain text proves anything about how secure the software running on those servers is.
Ah.....OK, I expect LOTS of such claims.
Re:Ok, so I got the popcorn ready.... (Score:3, Insightful)
That's a ridiculous definition. The vast majority of botnets aren't self-propagating. A program that is self-propagating would be a worm. If it happened to maintain communication with other compromised machines, then it would also become a botnet. But self-propagation has never been a requirement in the definition of "botnet".
Of course, the easiest way to make yourself a botnet is to upload an infected file to the Kazaa network, or some similar file-sharing network. Once it's on there I suppose it becomes "self-propagating", in a way. But that's a different matter entirely.
Re:Ok, so I got the popcorn ready.... (Score:2, Insightful)
So I'm not the only one who selects their definitions, am I? You. Are. An. Astroturfer.
Sorry, but by that logic, wouldn't you--explicitly--be one as well? "You X, just like I do, so you're Y." ...
And also a troll. Because frankly, if you want to actually make a point (and at this point you really aren't) the whole ad hominem thing is something to stay away from. Who employs him, even in theory, has so astoundingly little to do with whether or not his statements are accurate that nobody's going to listen once the argument gets to that point--including the person you're talking to.
Re:Ok, so I got the popcorn ready.... (Score:3, Insightful)
Only an idiot would claim that servers being compromised because admins choose to send passwords over the internet in plain text proves anything about how secure the software running on those servers is.
Unless it's a Windows web server. In that case, Administrator incompetence always proves how insecure Windows/IIS are.
Re:Reporters Fail (Score:5, Insightful)
There is a continuous flood of SSH brute force attacks on any *nix machine connected to the internet. All one has to do is monitor their log files for verification.
They are not even sophisticated attacks, they are attempting to login using lame passwords, i.e. after watching the attacks for awhile I set up a box to see what they were doing and created a user name test with the password test based on the fact I could see them using test as one of the users for the attack and suspecting it was a dumb password attack.
It wasn't long before the system was "compromised" and likely recorded on the other end as a successful attack. Several hours later the account was again accessed and various applications downloaded and executed as the test user. One of these applications connected to the EFNET IRC network and joined a channel.
Using another system I connected to the IRC network in way I thought would be inconspicuous and monitored what was happening. Sure enough there were two individuals chatting it up in the channel and sending commands to hundreds of compromised systems.
While reviewing the various compromised systems I noted that they were all *nix machines of one type or another. This was a few years back so I believe you are correct in stating that this is nothing new. What would have been new is if a botnet like this was discovered to be from a real hack and not some lame password login scan.
I don't have a problem with it being called a linux botnet, but until they can come up with an explanation for the means by which the systems were compromised, other than the likely lame password attacks, its not really news.
Re:packagement mgmt and repos play a small role he (Score:3, Insightful)
Much better than the fanbois who have tried everything under the sun to defend their pet project against the evil meanies who don't have a problem admitting that every system has weaknesses.
Re:Ok, so I got the popcorn ready.... (Score:5, Insightful)
Only an idiot would claim that servers being compromised because admins choose to send passwords over the internet in plain text proves anything about how secure the software running on those servers is.
Ah.....OK, I expect LOTS of such claims.
Realistically, that depends. Part of secure design is accounting for potential user errors. That's why it's a good practice to have the password, when typed, appear as "********" rather than "heythisismypasswordanyonewatching". A good designer would know many users aren't going to look around for someone casually shoulder surfing while typing a password, so they take a step to prevent it.
Of course, no software developer can fully account for a malfunctioning behind keyboard processing unit. Idiots are even more persistent than crackers in finding new ways to circumvent security measures. However, it can to some degree mitigate its effects, through making things as secure as possible and warning the user if (s)he is about to do something that might compromise it.
Feeling secure disables the brain (Score:3, Insightful)
Re:Ok, so I got the popcorn ready.... (Score:5, Insightful)
And BTW, this article does not claim that Linux was hacked. It claims that peoples websites were hacked, and those websites happen to be hosted on Linux. Nothing to see here, no botnet, and no hacked Linux kernel. Just poor system administration allowing FTP password sniffing, etc. The whole thing is sensationalist bullshit.
Re:Stop bickering and solve the problem (Score:2, Insightful)
Yes, they exploited the most common vulnerability, the idiotic system administrator ;-)
Re:Ok, so I got the popcorn ready.... (Score:1, Insightful)
If the systems automatically work together, regardless of how they were individually compromised, then they are part of a botnet. That is what botnet means, a network of bots. These machines are individually bots, and they are networked together. They are a botnet.
I think it is you who needs to look up the word robot.
Re:Stupid people use linux too (Score:5, Insightful)
1. Where was the firewall admin to prevent external systems from connecting to these webservers over port 8080?
2. Why did the admins use insecure tools or insecure systems to allow their credentials to be sniffed?
3. Where was the IDS/IPS to notice the sudden change in traffic?
4. Where was the load balancer/reverse proxy to intecept this junk?
5. Where was the routine review of logs to notice the dynamic DNS updates from computers with (presumably) static DNS entries somewhere?
6. Where was the periodic pen/vulnerability test against these systems?
...
7) Where was the funding to pay for 1 through 6?
Re:Ok, so I got the popcorn ready.... (Score:4, Insightful)
It's the control which is automated, not the propagation. The idea is that if I root a hundred systems, and instead of OO, I put on a rootkit that forces them to participate in a network where I can issue a single command to my zombie army that forces them to DDoS you, I've got a botnet. If I have to ssh into each of them individually and manually instruct them to participate, I have a bunch of rooted systems.
Re:Ok, so I got the popcorn ready.... (Score:3, Insightful)
Lol leave it to a Linux fanboy to re-define botnet from "a network of robots" to "anything else so long as it can't include Linux".
Ngix or whatever it's called is clearly a bot, any program that recieves input and performs a task fits that definition, and these servers are clearly networked together to operate a secondary botnet.
What exactly would you call it, besides a botnet? It's not a worm, those are self-propigating, often used to carry other forms of malware. It's not a virus, those are intended to cause harm to or steal data from the host. It's not a trojan, though it could be, trojans provide unfettered access to the host machine, but are not designed to link up with other compromised machine. It doesn't fit the semi-malicioius categories of spyware and adware, so what is it?
I'll tell you, it's a botnet.
Sorry, Linux fanboys are so smug about Linux security it's hard not to throw it back at them when they are wrong. Still, it's 1 Linux botnet vs thousands of Windows botnets, so it's not exactly something to get cocky about.
Re:Ok, so I got the popcorn ready.... (Score:5, Insightful)
...so the MS astroturf team has decided to call it a "botnet".
I'm curious--how can I tell when an idea is being promoted by the "MS astroturf team" and not by regular not-so-clueful reporters that might mistakenly use the wrong term?
Dude, this is slashdot. That means that anything with a potentially pro-microsoft spin obviously came straight from MS PR... Erm, M$ PR. Shit, I think they're about to catch onto me too, I hope nobody saw that...
Re:Feeling secure disables the brain (Score:3, Insightful)
Yes, Linux is more secure by design than windows, but this attitude makes ppl dumb and lazy.
Linux is most definitely no more secure by design than Windows NT. It is actually far worse in many areas from a design perspective.
Linux is usually more secure as Implemented and deployed than Windows. But this has far more to do with the expertise of the sysadmins than the design of Linux. Microsoft.com seems to stay online despite running on beta versions of the MSFT suite.
Re:packagement mgmt and repos play a small role he (Score:3, Insightful)