Cracked Linux Boxes Used to Wield Windows Botnets

m-stone writes "Online auction house eBay recently did a threat assessment to better understand the forces ranging against them. The company is keeping the fine details under wraps, but the biggest source of danger for the company is apparently botnets. You're never going to guess who was running them. '[Dave Cullinane, eBay's chief information and security officer] noticed an unusual trend when taking down phishing sites. 'The vast majority of the threats we saw were rootkitted Linux boxes, which was rather startling. We expected Microsoft boxes,' he said. Rootkit software covers the tracks of the attackers and can be extremely difficult to detect. According to Cullinane, none of the Linux operators whose machines had been compromised were even aware they'd been infected. Because Linux is highly reliable and a great platform for running server software, Linux machines are desired by phishers, who set up fake websites, hoping to lure victims into disclosing their passwords."

true

I work in security and this is consistent with my experience.

A fair amount of it, I'm sorry to say, is due to the perception that Linux boxes are much more secure than Windows and therefore don't need (a) up-to-date patches (b) proper security reviews of any app code (which these days usually means web apps) (c) defence in depth (block outbound connections from your web server, except for a hole poked in tcp|udp/53 to/from your DNS server if needed (d) proper security monitoring. Review your firewall logs! Run an external syslogNG box! use netflow, nagios, ntop etc -- can you account for all the packet flows from the machine? If you have time to spare, look into Snort.

Good News & Bad News

[eldavojohn]

It's the double edged sword of software popularity.

Linux is becoming so respected and desired as an operating system for servers that phishers & hackers are slowly turning their attention towards it being profitable.

I think this will be the true test for Linux to prove that it can beat Windows in all departments.

I actually see this as good news although I must confess that when I get home I'm going to check & double check the configurations on the ports on my router and all my Linux boxes. When toying with app servers & apache, I have noticed tons of port scanners probing my Linux boxes. I paid them no mind although now ... perhaps I should.

Happens to sites that hosts others too...

[Shivetya]

Nothing like getting a stupidly high bandwidth bill to find out your hosting server has been hacked. Its even better when you have to fight them to prove its their fault for being hacked and not yours for being cohosted by them!

and yes they are running Linux... they apparently didn't cover all their bases and were caught by more than one known exploit and some default settings.

Just because its Linux does not make it secure, you actually have to use it correctly.

The Money Quote

[The+New+Andy]

eBay recently did an in-depth analysis of its threat situation, and while the company is not releasing the results of this analysis, it did uncover a huge number of hacked, botnet computers, said Dave Cullinane, eBay's chief information and security officer, speaking at a Microsoft-sponsored security symposium at Santa Clara University.

I'm not denying that Linux boxes can be (and are) hacked, but the circumstances for this particular quote seem a little shady. It seems a little irresponsible (on the part of the submitter) to not mention the money trail. And it seems a little strange not to release the results... what are they afraid of?

double standard

[nomadic]

Because Linux is highly reliable and a great platform for running server software, Linux machines are desired by phishers

So when phishers target windows servers, it's because windows has horrible security, but when they target linux servers, it's because linux is just awesome?