
Thread: Web servers running Linux infected by sophisticated malware

  1. #1
    Join Date
    Feb 2011
    Beans
    493
    Distro
    Ubuntu

    Web servers running Linux infected by sophisticated malware

    Hi, I just stumbled upon this disturbing article, and I wanted to know what you guys make of this...
    Attack hitting Apache sites goes mainstream, hacks nginx, Lighttpd, too
    Linux/Cdorked backdoor exposes 100,000 Web visitors to potent Blackhole exploits.

    [...]

    "A couple years ago malware against the Linux operating system was really in the age of its proof of concept," he said. "Whenever we would discover something everybody would say: 'It's not really in wild. It's just somebody trying to prove a point.' Now the fact that we see so many instances of infected Web servers out there really shows we're past the era of the proof of concept. Now serious operators are making serious money by victimizing these web servers."
    read more:

    http://arstechnica.com/security/2013...-lighttpd-too/

  2. #2
    Join Date
    May 2012
    Beans
    277

    Re: Web servers running Linux infected by sophisticated malware

    a patch will come out soon, thus the advantage of open source.

  3. #3
    Join Date
    Feb 2011
    Beans
    493
    Distro
    Ubuntu

    Re: Web servers running Linux infected by sophisticated malware

    Quote Originally Posted by MadmanRB View Post
    a patch will come out soon, thus the advantage of open source.
    Apparently the problem is that researchers don't know how the servers are being infected in the first place.

    Researchers still don't know how servers are being infected with Cdorked. Because compromised machines are running a variety of administration controls, cPanel and competing software aren't obvious suspects. Cdorked doesn't have the ability to spread by itself and doesn't exploit a vulnerability in any other specific piece of software, either. - ibid.

  4. #4
    Join Date
    Nov 2009
    Beans
    Hidden!
    Distro
    Kubuntu 14.04 Trusty Tahr

    Re: Web servers running Linux infected by sophisticated malware

    Is it the system that is infected, or the servers? At one point the article talks about how the servers get infected with different code, and then suddenly about how the OS got infected.

    So Java can (potentially) be exploited in Linux as well. Does that mean Linux itself is always vulnerable?

    Furthermore, no system is 100% bulletproof; it's just a question of how hard it is to crack.
    Easy to understand Ubuntu manual with lots of pics: http://ubuntu-manual.org/
    Do i need antivirus/firewall in linux?
    User friendly disk backup: Redobackup

  5. #5
    Join Date
    Aug 2008
    Beans
    1,835
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Web servers running Linux infected by sophisticated malware

    Quote Originally Posted by mastablasta View Post
    Is it the system that is infected, or the servers? At one point the article talks about how the servers get infected with different code, and then suddenly about how the OS got infected.

    So Java can (potentially) be exploited in Linux as well. Does that mean Linux itself is always vulnerable?

    Furthermore, no system is 100% bulletproof; it's just a question of how hard it is to crack.
    They say that the apache2 binary has been replaced by a bogus version. That would require root access. It is possible that the servers have been compromised by an ssh brute force password attack or even phishing, or, more worrying, a possible zero day exploit that hasn't been figured out by the good guys yet. I know of a forum admin who was fooled into giving away his admin usercode and password through a directed phishing attack. I suppose it is possible that the admins of these servers have been tricked by some sort of phishing scheme. From what I have read, the security analysts haven't yet actually determined how the initial compromise occurred.

  6. #6
    Join Date
    Nov 2009
    Beans
    Hidden!
    Distro
    Kubuntu 14.04 Trusty Tahr

    Re: Web servers running Linux infected by sophisticated malware

    Phishing was the first thing that popped into my mind. But then it would be kind of strange that they would get it from the admin of the server. I doubt these sites with so many hits are some privately run servers. Then again, sometimes you want to be helpful... and I saw some extremely strange practice by a host. They needed me to give them my account password to help me. Luckily their help was to help me move away from them (so I gave them the password). And I know plenty of pages on that host have very high ratings.

    Hope it's not a zero day, and if it is, that it gets patched.
    Easy to understand Ubuntu manual with lots of pics: http://ubuntu-manual.org/
    Do i need antivirus/firewall in linux?
    User friendly disk backup: Redobackup

  7. #7
    Join Date
    Nov 2008
    Location
    Metro Boston
    Beans
    8,619
    Distro
    Kubuntu 14.04 Trusty Tahr

    Re: Web servers running Linux infected by sophisticated malware

    Like earlier articles about this exploit, the article mentions it being found on some 400 web servers. That is out of a universe of over 300 million domains served by Apache.

    The fact that the exploit requires replacing the Apache binary with a corrupt version means the attacker needed to have root privileges on the machine already.

    I'm not very worried.
    If you ask for help, please have the courtesy to check for responses and thank the people who helped you.

    Blog · Linode System Administration Guides · Android Apps for Ubuntu Users
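
Posts #5 and #7 both point out that the attack replaced the apache2 binary itself. The check an administrator would want here is whether the installed binary still matches what the package manager recorded. This is an added example, not code from the thread: it re-implements the core of what `debsums` does, using a constructed fixture in a temp directory so it runs offline; the package name and the md5sums path are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread: check an installed file against the
# MD5 list dpkg wrote at install time (what `debsums` automates). On an Ubuntu
# host the list for the Apache binary is /var/lib/dpkg/info/<package>.md5sums,
# where <package> depends on the release (assumed: apache2.2-bin or apache2-bin).
# The fixture below is constructed in a temp dir so the script runs offline.

# verify_binary <md5sums-file> <root-dir> <path-without-leading-slash>
# Returns 0 when the file's hash matches the recorded one, 1 on mismatch,
# 2 when the path is not in the list at all.
verify_binary() {
    md5file="$1"; root="$2"; rel="$3"
    # dpkg's format is "<hash>  <path>" with no leading slash on the path
    expected=$(awk -v p="$rel" '$2 == p { print $1 }' "$md5file")
    if [ -z "$expected" ]; then
        echo "UNKNOWN: $rel is not listed in $md5file"
        return 2
    fi
    actual=$(md5sum "$root/$rel" | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then
        echo "OK: $rel"
        return 0
    fi
    echo "TAMPERED: $rel (recorded $expected, on disk $actual)"
    return 1
}

# Constructed fixture: a fake package root with a recorded checksum list.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/usr/sbin"
printf 'pristine apache2 build\n' > "$demo_root/usr/sbin/apache2"
printf '%s  usr/sbin/apache2\n' \
    "$(md5sum "$demo_root/usr/sbin/apache2" | cut -d' ' -f1)" \
    > "$demo_root/apache2-bin.md5sums"

verify_binary "$demo_root/apache2-bin.md5sums" "$demo_root" usr/sbin/apache2

# Simulate the replaced binary the thread describes: any byte change alters
# the hash, so the same check now reports TAMPERED (exit status 1).
printf 'backdoored build\n' > "$demo_root/usr/sbin/apache2"
verify_binary "$demo_root/apache2-bin.md5sums" "$demo_root" usr/sbin/apache2 || :
rm -rf "$demo_root"
```

Because the attacker already holds root, the on-disk md5sums list can be altered as easily as the binary; for a real investigation compare against a freshly fetched copy of the package (`apt-get download`) or run the check from rescue media.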

  8. #8
    Join Date
    Jun 2007
    Location
    China
    Beans
    988
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Web servers running Linux infected by sophisticated malware

    If this exploit requires root access through something like a phishing or ssh brute force attack, then this implies the security is pretty good; if these systems were compromised in some type of trivial remote attack, then I'd be concerned.

  9. #9
    Join Date
    Feb 2011
    Beans
    493
    Distro
    Ubuntu

    Re: Web servers running Linux infected by sophisticated malware

    A more technical description of Linux/Cdorked.A can be found here:

    http://www.welivesecurity.com/2013/0...also-affected/


    see also:
    http://www.welivesecurity.com/2013/0...clarification/
    Last edited by Dry Lips; May 10th, 2013 at 12:16 PM.

  10. #10
    Join Date
    Oct 2009
    Beans
    Hidden!
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Web servers running Linux infected by sophisticated malware

    Nice links, thanks. I saw an article about this on slashdot, but those were more in-depth.

    As far as I can tell, the only way this can happen is either through gaining root access via weak passwords or using another exploit to perform privilege escalation.
    Come to #ubuntuforums! We have cookies! | Basic Ubuntu Security Guide

    Tomorrow's an illusion and yesterday's a dream, today is a solution...
