Slashdot Mirror


Cracked Linux Boxes Used to Wield Windows Botnets

m-stone writes "Online auction house eBay recently did a threat assessment to better understand the forces ranging against them. The company is keeping the fine details under wraps, but the biggest source of danger for the company is apparently botnets. You're never going to guess who was running them. '[Dave Cullinane, eBay's chief information and security officer] noticed an unusual trend when taking down phishing sites. 'The vast majority of the threats we saw were rootkitted Linux boxes, which was rather startling. We expected Microsoft boxes,' he said. Rootkit software covers the tracks of the attackers and can be extremely difficult to detect. According to Cullinane, none of the Linux operators whose machines had been compromised were even aware they'd been infected. Because Linux is highly reliable and a great platform for running server software, Linux machines are desired by phishers, who set up fake websites, hoping to lure victims into disclosing their passwords."

7 of 309 comments

  1. Re:Confirmed by jackharrer · Score: 4, Interesting

    I've seen the same. Actually my server has been offline for the last few days as it became compromised and I don't have time to sort it out.
    I got like thousands of brute-force attacks on ftp plus some on phpBB.
    I also noticed a few weeks ago that when they couldn't break in they just DDoSed it.

    It looks like it's getting serious, especially if your server is registered with some DNS name, not just an IP.

    --

    "an experienced, industrious, ambitious, and often, quite often, picturesque liar" - Mark Twain
  2. Re:Confirmed by Bert64 · Score: 5, Interesting

    This is nothing new; crackers have always preferred Unix machines for a number of reasons. A few years ago many crackers wouldn't even bother trying to own Windows machines.
    You never see many people who compromise a Windows machine and manually set up anything on it. Windows machines are typically mass-hacked and used as throwaway systems, for spamming or DoSsing (once a large flood of DoS or spam comes from a system, it very quickly gets noticed and the system usually gets shut down). The hassle of using Windows remotely (half-assed command line interface etc.), lack of default tools and typically low uptimes/stability discourage them being used interactively or for any kind of non-throwaway uses.

    Conversely, Unix machines are typically more stable, and have a far more flexible interface that's more geared up to remote CLI usage. Installing something like an IRC server to collect malware is often much easier, and there's usually package management which can be used to easily install any external libraries or additional tools that might be required. There are also typically standard server apps installed and ready to use (ftpd, apache, rcp, tftp etc.) which can be used to host malware, for easy download to other compromised machines (most systems have ftp/rcp/tftp clients by default, even Windows).

    Crackers will often turn a compromised Unix machine into their "home", keep a set of tools/exploits in a hidden directory, and use the machine for manual probing, testing of new tools and launching of other attacks, but they will rarely use Windows systems for anything other than DoSsing/spamming or defacing a website if it hosts one.

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  3. Re:Confirmed by Library+Spoff · Score: 3, Interesting

    Although I don't run a Linux server, my main home use of the internet is on Ubuntu.
    It's patched when Ubuntu tells me, the same as my XP install.

    My knowledge of Windows security is greater than that of Linux - I wouldn't really know where to start looking on my Ubuntu install. So is my XP or Ubuntu install more secure?

    In theory it's the Ubuntu install, but until I spend the time to learn more about it who knows.

    --
    Acid House saves Souls
  4. Strange comments by Russell+Coker · Score: 3, Interesting

    Iftach Amit says "Since Linux machines can be used to more easily create specially crafted networking packets, they can be used in highly sophisticated online attacks". If you root-kit a machine then regardless of OS you can create whatever packets you want. Bypassing the IP protocol stack and sending raw data on the wire can't be particularly difficult if you are trying to conceal processes from the equivalent of "ps" and avoid other methods of detecting your code.

    While I agree that Linux is a reliable OS, I doubt that is a reason for attackers to target it for running phishing web servers either. A good reason for targeting an OS is that you know it well and can easily write code for it. Given that many insecure machines can be obtained running any OS you please it makes sense that attackers will target their attack on machines that they know well. Maybe the criminals in question just enjoy Linux programming!

    http://survey.netcraft.com/Reports/200708/

    Then there's the issue of where servers are located. If you want reliable servers on the net then often the location of the server (in terms of a server room with UPS etc.) is more important than the OS. What's the server market share for Linux? The above URL shows Apache leading the field for web servers, and most Apache installations run on Linux...

    It seems that if you want to own some web servers then aiming at Apache on Linux gives the largest number of potential targets - whether that gives the largest number of vulnerable targets is another matter.

    --
    See http://etbe.coker.com.au/ for my blog.
  5. Conflicting Info by HaydnH · Score: 3, Interesting

    From tfa:

    Cullinane: "The vast majority of the threats we saw were rootkitted Linux boxes, which was rather startling. We expected Microsoft boxes,"

    Alfred Huger: "We see a lot of Linux machines used in phishing, We see them as part of the command and control networks for botnets, but we rarely see them be the actual bots. Botnets are almost uniformly Windows-based."

    Seems like people are jumping on this as "linux bad!" where in fact the article is fairly neutral: Cullinane has one opinion, Huger has another (and generally more accepted) opinion. Haydn.

    --
    Time is an illusion. Lunchtime doubly so. - Douglas Adams
  6. I've seen a few of these by wizman · Score: 4, Interesting

    The company I work for performs emergency Linux support services. We get a lot of calls from people whose boxes have been attacked. I've seen at least two eBay/PayPal phishing sites recently. In both cases, it had nothing at all to do with Linux itself.

    Case #1: Customer running a web server had vulnerable PHP applications (I believe it was an outdated WordPress). Someone was able to use this vulnerability to wget a few php scripts and bury them under some subfolders.

    Case #2: Customer had a non-root account with a weak password. This account was in the "root" group, giving it write access to a number of system files. The cracker was able to brute-force the password quite easily, make a directory called eBay under /var/www/html, and stick some php code in there.

    In both cases, the php scripts were logging username and password guesses into a text file. The text file was within the same web root, allowing the cracker to easily grab the latest passwords over http instead of needing to re-crack. Also, in both cases, there were at least a dozen usernames and passwords in the text files.

    The lesson: Keep your web apps up to date, use strong passwords, and don't add anyone to the root group.
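The two cases above suggest three cheap host-side checks a defender can run on a Linux web server: who besides root sits in the root group, which PHP or text files appeared under the web root recently, and which web-readable text files look like the credential logs described. The script below is an added example written for this page, not code from wizman or the original post; the group-file contents, directory layout and file names it creates in `demo` are constructed stand-ins, and the look-back window and keyword patterns are my own assumptions rather than anything the comment specifies.

```shell
#!/bin/sh
# Added example: defender-side audit for the two phishing-kit cases above.
# All sample data produced by demo() is constructed for the demonstration.

# Print non-root accounts that are members of the "root" group.
# $1: a file in /etc/group format (defaults to /etc/group).
root_group_members() {
  awk -F: '$1 == "root" && $4 != "" {
    n = split($4, m, ",")
    for (i = 1; i <= n; i++) if (m[i] != "root") print m[i]
  }' "${1:-/etc/group}"
}

# Print PHP and plain-text files under a web root modified within the last
# N minutes: a stand-in for "scripts that appeared under some subfolder".
# $1: web root directory, $2: look-back window in minutes (default 60).
recent_web_files() {
  find "$1" -type f \( -name '*.php' -o -name '*.txt' \) -mmin "-${2:-60}" | sort
}

# Print text files under the web root whose contents carry both a user-name
# style field and a password field, the shape of the harvest file described.
credential_log_candidates() {
  find "$1" -type f -name '*.txt' | while read -r f; do
    if grep -qiE '(user|login|email)[^[:alnum:]]' "$f" && grep -qiE 'pass' "$f"; then
      printf '%s\n' "$f"
    fi
  done | sort
}

# Constructed scenario so the checks can be exercised offline.
demo() {
  tmp=$(mktemp -d)
  printf 'root:x:0:alice\nwww-data:x:33:\nsudo:x:27:alice\n' > "$tmp/group"
  mkdir -p "$tmp/www/eBay/img"
  printf '<?php /* constructed stand-in, does nothing */ ?>\n' > "$tmp/www/eBay/signin.php"
  printf 'user=victim1 pass=hunter2\n' > "$tmp/www/eBay/img/log.txt"
  printf 'site notes\n' > "$tmp/www/readme.txt"
  echo "Non-root members of the root group:"; root_group_members "$tmp/group"
  echo "PHP/text files under the web root modified in the last hour:"; recent_web_files "$tmp/www"
  echo "Text files that look like credential logs:"; credential_log_candidates "$tmp/www"
  rm -rf "$tmp"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it as `sh audit.sh demo` to see the constructed scenario, or call the three functions against `/etc/group` and the real web root. The keyword test is deliberately loose, so treat its hits as a triage list to read by hand rather than as a verdict.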

  7. Re:Confirmed by Barlo_Mung_42 · Score: 3, Interesting

    I'm confused. Are we sure that's funny?