Cracked Linux Boxes Used to Wield Windows Botnets
m-stone writes "Online auction house eBay recently did a threat assessment to better understand the forces ranging against them. The company is keeping the fine details under wraps, but the biggest source of danger for the company is apparently botnets. You're never going to guess who was running them. '[Dave Cullinane, eBay's chief information and security officer] noticed an unusual trend when taking down phishing sites. 'The vast majority of the threats we saw were rootkitted Linux boxes, which was rather startling. We expected Microsoft boxes,' he said. Rootkit software covers the tracks of the attackers and can be extremely difficult to detect. According to Cullinane, none of the Linux operators whose machines had been compromised were even aware they'd been infected. Because Linux is highly reliable and a great platform for running server software, Linux machines are desired by phishers, who set up fake websites, hoping to lure victims into disclosing their passwords."
I was going to post a comment earlier, but the bar with the big "Reply" button is missing. In fact, it seems to have disappeared from all the stories. How do you start a new thread on a story?
When our name is on the back of your car, we're behind you all the way!
I've seen the same. Actually my server has been offline for last few days as it became compromised and I don't have time to sort it out.
I got like thousands of bruteforce attacks on ftp plus some on phpBB.
I also noticed few weeks ago that when they couldn't break in they just DDosed it.
It looks like it's getting serious, especially if your server is registered with some DNS name, not just an IP.
"an experienced, industrious, ambitious, and often, quite often, picturesque liar" - Mark Twain
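The brute-force attacks on ftp and ssh logins mentioned in the comment above are the kind of thing that is easy to spot from logs before an account falls. As an added example that is not from the original post, this Python script parses constructed syslog-style failure lines (the OpenSSH "Failed password" form and an assumed vsftpd "FAIL LOGIN" form), counts failures per source address, and flags any source that reaches a threshold inside a sliding time window. The log lines, host name, year and thresholds are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log lines (not from the original post or any real host).
# Source addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """
Sep 10 03:14:20 web1 vsftpd[1201]: FAIL LOGIN: Client "203.0.113.7"
Sep 10 03:14:21 web1 vsftpd[1202]: FAIL LOGIN: Client "203.0.113.7"
Sep 10 03:14:22 web1 vsftpd[1203]: FAIL LOGIN: Client "203.0.113.7"
Sep 10 03:14:23 web1 vsftpd[1204]: FAIL LOGIN: Client "203.0.113.7"
Sep 10 03:14:24 web1 vsftpd[1205]: FAIL LOGIN: Client "203.0.113.7"
Sep 10 03:14:25 web1 vsftpd[1206]: FAIL LOGIN: Client "203.0.113.7"
Sep 10 03:20:01 web1 sshd[1390]: Failed password for invalid user admin from 198.51.100.4 port 51234 ssh2
Sep 10 03:45:09 web1 sshd[1411]: Failed password for root from 198.51.100.4 port 51302 ssh2
Sep 10 04:00:00 web1 sshd[1450]: Accepted publickey for alice from 192.0.2.10 port 40022 ssh2
""".strip().splitlines()

ASSUMED_YEAR = 2007  # syslog timestamps carry no year; assumed here so they can be compared

SYSLOG_PREFIX = r'^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ (?P<svc>\w+)\[\d+\]: '
IPV4 = r'(?P<ip>\d{1,3}(?:\.\d{1,3}){3})'
FAILURE_PATTERNS = [
    # OpenSSH password failure, with or without the "invalid user" prefix
    re.compile(SYSLOG_PREFIX + r'Failed password for (?:invalid user )?\S+ from ' + IPV4),
    # vsftpd login failure as assumed to appear when forwarded to syslog
    re.compile(SYSLOG_PREFIX + r'.*FAIL LOGIN: Client "' + IPV4 + '"'),
]


def parse_failed_login(line):
    """Return (timestamp, service, source_ip) for a failed-login line, or None for anything else."""
    for pattern in FAILURE_PATTERNS:
        m = pattern.match(line)
        if m:
            ts = datetime.strptime(m.group('ts'), '%b %d %H:%M:%S').replace(year=ASSUMED_YEAR)
            return ts, m.group('svc'), m.group('ip')
    return None


def count_failures(lines):
    """Total failed logins per source IP, ignoring timing."""
    totals = defaultdict(int)
    for line in lines:
        parsed = parse_failed_login(line)
        if parsed:
            totals[parsed[2]] += 1
    return dict(totals)


def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Flag sources with at least `threshold` failures inside any window of `window_seconds`.

    Returns {ip: peak number of failures seen within one window}.
    """
    per_ip = defaultdict(list)
    for line in lines:
        parsed = parse_failed_login(line)
        if parsed:
            ts, _svc, ip = parsed
            per_ip[ip].append(ts)
    window = timedelta(seconds=window_seconds)
    flagged = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        peak, start = 0, 0
        for end, ts in enumerate(stamps):
            # slide the window start forward until it fits within window_seconds of ts
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


if __name__ == '__main__':
    print('failures per source:', count_failures(SAMPLE_LOG))
    print('brute-force candidates:', detect_bruteforce(SAMPLE_LOG))
```

The two slow ssh failures from 198.51.100.4 never reach the threshold, which is the point of the sliding window: a count over the whole file would treat a handful of typos and a sustained guessing run the same way. The flagged sources are what you would feed into a firewall rule or a tool like fail2ban; the detector itself only reads logs.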
This is nothing new, crackers have always preferred unix machines for a number of reasons. A few years ago many crackers wouldn't even bother trying to own windows machines.
You never see many people who compromise a windows machine and manually set up anything on it, windows machines are typically mass hacked and used as throwaway systems, for spamming or dossing (once a large flood of dos or spam comes from a system, it very quickly gets noticed and the system usually gets shut down). The hassle of using windows remotely (half assed command line interface etc), lack of default tools and typical low uptimes/stability discourage them being used interactively or for any kind of non-throwaway uses.
Conversely, unix machines are typically more stable, and have a far more flexible interface that's more geared up to remote cli usage. Installing something like an IRC server to collect malware is often much easier, and there's usually package management which can be used to easily install any external libraries or additional tools that might be required. There are also typically standard server apps installed and ready to use (ftpd, apache, rcp, tftp etc) which can be used to host malware, for easy download to other compromised machines (most systems have ftp/rcp/tftp clients by default, even windows).
Crackers will often turn a compromised unix machine into their "home", and keep a set of tools/exploits in a hidden directory, and use the machine for manual probing, testing of new tools and launching of other attacks, but they will rarely use windows systems for anything other than dossing/spamming or defacing a website if it hosts one.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
Although I don't run a Linux server, my main home use of the internet is on Ubuntu.
It's patched when Ubuntu tells me. The same as my XP install.
My knowledge of Windows security is greater than that of Linux - I wouldn't really know where to start looking on my Ubuntu install. So is my XP or Ubuntu install more secure?
In theory it's the Ubuntu install, but until I spend the time to learn more about it who knows.
Acid House saves Souls
Iftach Amit says "Since Linux machines can be used to more easily create specially crafted networking packets, they can be used in highly sophisticated online attacks". If you root-kit a machine then regardless of OS you can create whatever packets you want. Bypassing the IP protocol stack and sending raw data on the wire can't be particularly difficult if you are trying to conceal processes from the equivalent of "ps" and avoid other methods of detecting your code.
While I agree that Linux is a reliable OS, I doubt that is a reason for attackers to target it for running phishing web servers either. A good reason for targeting an OS is that you know it well and can easily write code for it. Given that many insecure machines can be obtained running any OS you please it makes sense that attackers will target their attack on machines that they know well. Maybe the criminals in question just enjoy Linux programming!
http://survey.netcraft.com/Reports/200708/
Then there's the issue of where servers are located, if you want reliable servers on the net then often the location of the server (in terms of a server room with UPS etc) is more important than the OS. What's the server market share for Linux? The above URL shows Apache leading the field for web servers and most Apache installations run on Linux...
It seems that if you want to own some web servers then aiming at Apache on Linux gives the largest number of potential targets - whether that gives the largest number of vulnerable targets is another matter.
See http://etbe.coker.com.au/ for my blog.
From tfa:
Cullinane: "The vast majority of the threats we saw were rootkitted Linux boxes, which was rather startling. We expected Microsoft boxes,"
Alfred Huger: "We see a lot of Linux machines used in phishing, We see them as part of the command and control networks for botnets, but we rarely see them be the actual bots. Botnets are almost uniformly Windows-based."
Seems like people are jumping on this as "linux bad!" where in fact the article is fairly neutral. Cullinane has one opinion, Huger has another (and generally more accepted) opinion. Haydn.
Time is an illusion. Lunchtime doubly so. - Douglas Adams
The company I work for performs emergency Linux support services. We get a lot of calls from people whose boxes have been attacked. I've seen at least two eBay/PayPal phishing sites recently. In both cases, it had nothing at all to do with Linux itself.
Case #1: Customer running a web server had vulnerable PHP applications (I believe it was an outdated WordPress). Someone was able to use this vulnerability to wget a few php scripts and bury them under some subfolders.
Case #2: Customer had a non-root account with a weak password. This account was in the "root" group, giving it write access to a number of system files. Cracker was able to brute force the password quite easily, make a directory called eBay under /var/www/html, and stick some php code in there.
In both cases, the php scripts were logging username and password guesses into a text file. The text file was within the same web root, allowing the cracker to easily grab the latest passwords over http instead of needing to re-crack. Also, in both cases, there were at least a dozen usernames and passwords in the text files.
The lesson: Keep your web apps up to date, use strong passwords, and don't add anyone to the root group.
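As an added illustration that is not from the original post: a small Python audit that looks for the two indicators described in the cases above (a PHP file that reads login form fields and also writes to a file, and a plain-text file sitting inside the web root where harvested passwords could be fetched over HTTP) and lists non-root members of the root group from /etc/group. The directory layout, the PHP stand-ins, the /etc/group excerpt and the regex heuristics are all constructed for this example; real scripts vary, so treat hits as leads to review rather than verdicts.

```python
import os
import re
import tempfile

# Constructed sample PHP files (not from the original post). The second one stands in for the
# credential-logging script the post describes: it reads login fields and appends them to a text file.
LEGIT_PHP = """<?php
// constructed benign page
echo 'Hello ' . htmlspecialchars($_GET['name'] ?? 'world');
?>
"""

HARVESTER_PHP = """<?php
// constructed stand-in for the credential-logging script described in the post
$f = fopen('log.txt', 'a');
fwrite($f, $_POST['username'] . ':' . $_POST['password'] . "\\n");
fclose($f);
?>
"""

# Constructed /etc/group excerpt: a non-root user placed in the root group, as in Case #2.
SAMPLE_GROUP = """root:x:0:root,webmaster
daemon:x:1:
wheel:x:10:alice
"""

# Heuristics (assumption): a script that both reads login-style form fields and writes a file.
READS_LOGIN_FIELDS = re.compile(r"\$_(?:POST|REQUEST)\s*\[\s*['\"](?:user|username|email|pass|password|pwd)")
WRITES_FILE = re.compile(r"\b(?:fopen|file_put_contents|fwrite)\s*\(")


def audit_web_root(web_root):
    """Walk a web root; report PHP files matching both heuristics and any .txt files found under it."""
    harvesters, text_files = [], []
    for dirpath, _dirs, files in os.walk(web_root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, web_root).replace(os.sep, '/')
            lower = name.lower()
            if lower.endswith('.txt'):
                text_files.append(rel)
            elif lower.endswith('.php'):
                try:
                    with open(path, encoding='utf-8', errors='replace') as fh:
                        src = fh.read()
                except OSError:
                    continue
                if READS_LOGIN_FIELDS.search(src) and WRITES_FILE.search(src):
                    harvesters.append(rel)
    return {'harvesters': sorted(harvesters), 'text_files': sorted(text_files)}


def root_group_extra_members(group_text):
    """Return members of the 'root' group other than root itself, parsed from /etc/group content."""
    for line in group_text.splitlines():
        fields = line.split(':')
        if len(fields) >= 4 and fields[0] == 'root':
            return [m for m in fields[3].split(',') if m and m != 'root']
    return []


def build_demo_site():
    """Create a throwaway directory laid out like the compromised web root in Case #2."""
    root = tempfile.mkdtemp(prefix='webroot-demo-')
    os.makedirs(os.path.join(root, 'ebay'))
    samples = [
        ('index.php', LEGIT_PHP),
        (os.path.join('ebay', 'login.php'), HARVESTER_PHP),
        (os.path.join('ebay', 'log.txt'), 'victim@example.com:hunter2\n'),  # constructed content
    ]
    for rel, body in samples:
        with open(os.path.join(root, rel), 'w', encoding='utf-8') as fh:
            fh.write(body)
    return root


if __name__ == '__main__':
    site = build_demo_site()
    print(audit_web_root(site))
    print('non-root members of root group:', root_group_extra_members(SAMPLE_GROUP))
```

Run it against a real document root (`audit_web_root('/var/www/html')`) and the live group file (`root_group_extra_members(open('/etc/group').read())`); a non-empty root-group list is exactly the misconfiguration the "don't add anyone to the root group" lesson is about, and a .txt file under the web root deserves a look even when no PHP file trips the heuristics.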
APlus is a hosting company that offers BSD and Fedora Core (note that I say Fedora Core, not Fedora... they only offer up to FC6 at the moment) in their hosting operation. They lease boxes with Plesk installed to people and businesses with hosting needs. Before I arrived on the scene where I work, we were already hosting with them and the box was running on Fedora Core 2.
One day it was noticed that the site was malfunctioning and so a call was placed with APlus. We were informed that there was some sort of compromise and initially, at least, it was stated that it had something to do with Plesk. (Later queries denied that Plesk was at fault.) After a day or so, a V.P. in charge of this stuff sent out a broadcast email to all of their hosting clients explaining, in no uncertain terms, that it was the CUSTOMERs' fault that this had occurred.
Well, let's ignore the crappy customer-service issue this brings about.
The fact that this company offers up Fedora as their preferred flavor for hosting is ridiculous! It's a development distribution primarily aimed at the desktop with somewhere between one and two years of update availability. Since a lot of their machines were running Fedora Core releases at least as old as Fedora Core 2, I'd say a good portion of the blame rests on APlus for their CONTINUED selection of Fedora as their distribution of supported choice. It has a SHORT LIFE! It stops getting updated after a year or so. It's idiotic to run a server with such a short support life cycle. Forget about blaming customers for not keeping their boxes updated. It couldn't be done with the distros that were affected in the first place.
But yes, my box was affected by this attack as well... and they STILL will not identify the actual point of compromise though they still deny it was Plesk. I find it ironic that I was, at the time, already talking to them about moving my box to CentOS and porting the web site code (that their developers created) to it. Interestingly, all sales people I spoke with said "we don't do that." And when I pointed out that it was their company that created the code, they said "we don't do that."
So over that weekend, I managed to port the web site code and database over from the original host to a CentOS5 box. I don't know PHP. I know a *little* about programming and I know how to use Google... that was enough to get me by. (Apparently, "this" became a reserved word in current versions of PHP and the old code named objects "this$" a lot!)
Anyway... it had been a mess and the best resolution was to move away from APlus. It's unfortunate that I cannot get the truth from them about what exactly happened... we just get blamed without specifics as to what or how it happened.
"that the hackers hack one or a few Linux boxes and use them to control the hundred or more Windows boxes they've hacked."
;)
Wouldn't that be merely a function of how many Linux boxes vs Windows boxes are out there?
I know slashdotters don't like to hear that, they always argue that popularity has no bearing on how often one gets attacked and compromised, but using Occam's razor when pondering this new info, one would conclude that the only reason there are more Windows bots than Linux ones is that there are more Windows boxes than Linux ones.
Also, from reading the article, it seems that Cullinane, the guy quoted in the summary, is saying that Linux boxes themselves are the bots. I don't see him talking of hacked Linux boxes controlling Windows bots, like the summary's title suggests.
However, the article then quotes Symantec's Huger, saying that Linux boxes are used for phishing and controlling Windows bots, which does jibe with the summary's title. But he doesn't say that the Linux boxes in question were hacked; it could be that he meant that the bad guys themselves own the Linux boxes; I can't tell from the article what he is saying.
Lastly, the article quotes Iftach Amit, director of security research with Finjan's malicious code research centre, as saying that compromised Linux boxes are highly valued by online attackers due to their capabilities.
Whatever...
-- "I never gave these stories much credence." - HAL 9000
In the old days attackers would often make a machine their home as you describe; do you have any evidence that the serious criminals (the ones that the article is about) do this now? I suspect that only hobbyist criminals do such things nowadays.
If you use a CLI session then you either have a TCP connection leading back to where you are (a bad idea if you don't want to be caught) or you bounce the connection between multiple machines (giving serious problems of lag). An IRC (or similar server based) control interface is simply a better way to manage a number of remote machines when you don't want people to know that you are connected to them.
I was a hobbyist cracker back in the early 90's (I guess you could have called me a "script kiddie"). I did set up a similar "home" in the UNIX systems I cracked. I didn't really take much precaution as far as not getting traced because I was a dumb kid, but at some point I realized the risk and quit completely.
These days, I would just take advantage of open WIFI networks everywhere if I were to do any cracking.
Zoot!
Seen the same thing here. Lots of attacks on our Linux servers. We've had individual user accounts compromised through captured .ssh keys (from a compromised off-site machine), unupdated php websites, and badly coded cgi scripts. Nothing that has gotten root, but still a pain to deal with. Shared hosting of university web sites is lots of fun, ain't it?
"According to Cullinane, none of the Linux operators whose machines had been compromised were even aware they'd been infected"
Must be a slow day at Computerworld. Like, how do they equate Linux with an increase in phishing? How did eBay discover all these rooted Linux boxes? Who gathered the data, how was it gathered? Why would phishers use rooted Linux boxes when that would draw attention to themselves, why not hire a box in a server farm or why not just hack eBay?
davecb5620@gmail.com
We need a Unix hall of shame for applications that are most likely to be exploited.
This can help everyone avoid those apps or perhaps even get them fixed (through the pressure of public humiliation).
A Pirate and a Puritan look the same on a balance sheet.
Has anyone ever tried forcing people to make longer passwords? I worked for a place that hired a firm to come in to actually test the security of the servers. They set up a box to brute force every user name in the system. Pissed me off that my boss handed them all the user ids in the first place. Anyway, after a week there were 7 accounts that were not hacked. I set the passwords on those accounts. All were over 30 characters in length. The firm's attack system only tried up to 15 characters. Maybe making longer, more 'complex' passwords can be a good thing.
I'm confused. Are we sure that's funny?