Slashdot Mirror


Cracked Linux Boxes Used to Wield Windows Botnets

m-stone writes "Online auction house eBay recently did a threat assessment to better understand the forces ranging against them. The company is keeping the fine details under wraps, but the biggest source of danger for the company is apparently botnets. You're never going to guess who was running them. '[Dave Cullinane, eBay's chief information and security officer] noticed an unusual trend when taking down phishing sites. 'The vast majority of the threats we saw were rootkitted Linux boxes, which was rather startling. We expected Microsoft boxes,' he said. Rootkit software covers the tracks of the attackers and can be extremely difficult to detect. According to Cullinane, none of the Linux operators whose machines had been compromised were even aware they'd been infected. Because Linux is highly reliable and a great platform for running server software, Linux machines are desired by phishers, who set up fake websites, hoping to lure victims into disclosing their passwords."

15 of 309 comments

  1. Confirmed by mccalli · · Score: 5, Informative

    I've noticed a large increase in attempts to crack my co-lo Linux servers recently, and it must be said that two got through (shared site, some customers running old content management apps and the kits hit). When we watched the behaviour of the cracked box, it was connecting back to...I think undernet.org or similar?...and sending controls via IRC. Plus doing a spot of spamming off its own bat.

    Our set-up is that we have a host OS install doing nothing but running VMware Server and then any real stuff gets done in a VM, so this was easy for us to recover from quickly via VM snapshotting. But still, it's a trend that's noticeably on the increase.

    Cheers,
    Ian

    1. Re:Confirmed by mdeslaur · · Score: 5, Funny

      Even phishers like Linux better than Windows!

    2. Re:Confirmed by Bert64 · · Score: 5, Interesting

      This is nothing new, crackers have always preferred unix machines for a number of reasons. A few years ago many crackers wouldn't even bother trying to own windows machines.
      You never see many people who compromise a windows machine and manually set up anything on it; windows machines are typically mass hacked and used as throwaway systems, for spamming or dossing (once a large flood of dos or spam comes from a system, it very quickly gets noticed and the system usually gets shut down). The hassle of using windows remotely (half assed command line interface etc), lack of default tools and typical low uptimes/stability discourage them from being used interactively or for any kind of non-throwaway uses.

      Conversely, unix machines are typically more stable, and have a far more flexible interface that's more geared up to remote cli usage. Installing something like an IRC server to collect malware is often much easier, and there's usually package management which can be used to easily install any external libraries or additional tools that might be required. There are also typically standard server apps installed and ready to use (ftpd, apache, rcp, tftp etc) which can be used to host malware, for easy download to other compromised machines (most systems have ftp/rcp/tftp clients by default, even windows).

      Crackers will often turn a compromised unix machine into their "home", and keep a set of tools/exploits in a hidden directory, and use the machine for manual probing, testing of new tools and launching of other attacks, but they will rarely use windows systems for anything other than dossing/spamming or defacing a website if it hosts one.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    3. Re:Confirmed by mccalli · · Score: 5, Informative

      Fortunately, each user has their own account, so i can easily check which user owns any malicious processes or files that appear on the system.

      May want to be careful about that assumption. A lot of these things go out under the apache user and the mails via the www-data@somehost.invalid account.

      Look for tell-tale things like apache processes running when you're an apache2-only site (they're disguised processes that are really something else, obviously). Do an ls -al in all the home directories, look for directories whose name is just a space character, check /tmp isn't mounted executable...that kind of thing.

      Cheers,
      Ian
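The three checks Ian lists, written up as an added example (not his own tooling) so each can run on the live box or on constructed input; the assumption that legitimate httpd binaries live under /usr/sbin or /usr/lib is mine:

```shell
#!/bin/sh
# Added example, not Ian's own tooling: the three checks above as functions
# that run either on the live box or on constructed input.

# 1. Processes called "apache"/"httpd" whose binary is not where the real
#    httpd lives. Reads "PID NAME EXE" lines on stdin, prints suspicious ones.
#    Assumption: legitimate httpd binaries sit under /usr/sbin or /usr/lib.
flag_disguised_apache() {
    while read -r pid name exe; do
        case "$name" in
            *apache*|*httpd*)
                case "$exe" in
                    /usr/sbin/*|/usr/lib/*) ;;      # expected location
                    *) printf '%s %s %s\n' "$pid" "$name" "$exe" ;;
                esac ;;
        esac
    done
}

# Feed the live process table (from /proc) into the check above.
live_proc_table() {
    for p in /proc/[0-9]*; do
        name=$(cat "$p/comm" 2>/dev/null) || continue
        exe=$(readlink "$p/exe" 2>/dev/null || echo '?')
        printf '%s %s %s\n' "${p#/proc/}" "$name" "$exe"
    done
}

# 2. Directories under $1 (e.g. /home) whose name is nothing but whitespace.
find_blank_named_dirs() {
    find "$1" -mindepth 1 -maxdepth 2 -type d 2>/dev/null | while IFS= read -r d; do
        case "${d##*/}" in
            *[![:space:]]*) ;;                      # has a visible character
            *) printf '%s\n' "$d" ;;
        esac
    done
}

# 3. Given the mount line for /tmp (from "mount" or /proc/mounts), succeed (0)
#    when exec is still allowed, i.e. the noexec option is missing.
tmp_allows_exec() {
    case "$1" in
        *noexec*) return 1 ;;
        *)        return 0 ;;
    esac
}
```

On a live system, `live_proc_table | flag_disguised_apache` and `find_blank_named_dirs /home` are the two calls to put in a cron job.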

  2. true by Anonymous Coward · · Score: 5, Insightful
    I work in security and this is consistent with my experience.

    A fair amount of it, I'm sorry to say, is due to the perception that Linux boxes are much more secure than Windows and therefore don't need (a) up-to-date patches (b) proper security reviews of any app code (which these days usually means web apps) (c) defence in depth (block outbound connections from your web server, except for a hole poked in tcp|udp/53 to/from your DNS server if needed) (d) proper security monitoring. Review your firewall logs! Run an external syslogNG box! Use netflow, nagios, ntop etc -- can you account for all the packet flows from the machine? If you have time to spare, look into Snort.

  3. Thus proving Linux is not as secure as touted. by Anonymous Coward · · Score: 5, Funny
  4. Good News & Bad News by eldavojohn · · Score: 5, Insightful

    It's the double edged sword of software popularity.

    Linux is becoming so respected and desired as an operating system for servers that phishers & hackers are slowly turning their attention towards it being profitable.

    I think this will be the true test for Linux to prove that it can beat Windows in all departments.

    I actually see this as good news although I must confess that when I get home I'm going to check & double check the configurations on the ports on my router and all my Linux boxes. When toying with app servers & apache, I have noticed tons of port scanners probing my Linux boxes. I paid them no mind although now ... perhaps I should.

    --
    My work here is dung.
    1. Re:Good News & Bad News by morgan_greywolf · · Score: 5, Informative
      Yes. You should. Here's what I do. (I guess you could say these are some security tips for those running Linux boxes at home and leaving them up on the Net):

      • Run a hardware NAT firewall/router. Any ol' Linksys, Dlink or Netgear thang will do. Just remember it's not the be all and end all to security problems.
      • Open as few ports as absolutely possible. I have nothing open on my router except port 22 and BitTorrent, and I don't leave BitTorrent running all the time.
      • Check your logs at least once a day. Look for any suspicious signs -- missing log entries, ssh connects you weren't expecting, services running that you don't normally have running, NICs going into promiscuous mode unexpectedly, excessive mail being pumped through any MTAs, etc.
      • When running OpenSSH, I disallow password authentication. This prevents problems with users due to the use of stupid passwords. My sshd only accepts a valid RSA key exchange as acceptable authorization.
      • Regularly update and run rootkit checkers. These are not the be-all and end-all, but they help spot obvious rootkits.
      • Make cron jobs that regularly scan your system for unusual permissions -- world writeable, binaries that are setuid, etc. and for suspicious files. There are programs and scripts that will do this for you. STFW or check with your distro.
      • Perform MD5 checking on your files, and especially on your executables.
      • Regularly check your /etc/passwd and /etc/group files for new or unusual entries.
      • Don't run NIS -- it's inherently insecure. You should be using OpenLDAP if you need directory authorization on your network.
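An added example (not morgan_greywolf's own scripts) of a cron-able audit covering three of the tips above: the permission scan, the /etc/passwd check and the OpenSSH password-authentication setting; the baseline path in run_audit is an assumption.

```shell
#!/bin/sh
# Added example, not morgan_greywolf's own scripts: a cron-able audit that
# implements the permission scan, the passwd check and the sshd check above.
# The baseline path used by run_audit is an assumption.

# Setuid/setgid binaries and world-writable regular files under tree $1,
# staying on one filesystem.
find_risky_perms() {
    find "$1" -xdev -type f \
        \( -perm -4000 -o -perm -2000 -o -perm -002 \) -print 2>/dev/null | sort
}

# "user:uid" for every account in current passwd $2 that is absent from
# baseline $1 (a trusted copy saved when the box was known clean).
new_passwd_entries() {
    awk -F: 'NR == FNR { seen[$1] = 1; next } !($1 in seen) { print $1 ":" $3 }' "$1" "$2"
}

# Any account besides root that has UID 0, i.e. a second root.
uid_zero_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Verify sshd_config $1 refuses passwords and accepts keys. Both directives
# must be set explicitly; a PasswordAuthentication line that is absent or
# commented out means OpenSSH's default of "yes", so "unset" is reported.
check_sshd_config() {
    rc=0
    for want in 'PasswordAuthentication no' 'PubkeyAuthentication yes'; do
        key=${want%% *}; val=${want#* }
        have=$(awk -v k="$key" 'tolower($1) == tolower(k) { print $2; exit }' "$1")
        [ "$have" = "$val" ] || { echo "$key is '${have:-unset}', want '$val'"; rc=1; }
    done
    return $rc
}

# Cron entry point: tree to scan in $1, passwd baseline in $2 (assumed path).
run_audit() {
    find_risky_perms "${1:-/}"
    new_passwd_entries "${2:-/var/lib/audit/passwd.baseline}" /etc/passwd
    uid_zero_accounts /etc/passwd
    check_sshd_config /etc/ssh/sshd_config
}
```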
  5. Windows vs. Linux by derian_cf · · Score: 5, Informative

    I work for a fairly well known dedicated server provider. If I had to give a rough estimate, I'd say we're 40% Windows and 60% Linux environments. Not surprisingly, the number of boxes that get hacked (rooted entirely or not) is about equal between the two, however the purpose for which they're hacked is generally quite different. 80% of the hacked Linux boxes are used for UDP floods, things like that. Also IRC bots. Interestingly enough, in my 6 months working there, I don't believe I've ever seen a Windows box used for phishing. They're always used for FTP servers hosting movies/music/programs and/or IRC servers doing the same thing.

  6. Happens to sites that hosts others too... by Shivetya · · Score: 5, Insightful

    Nothing like getting a stupidly high bandwidth bill to find out your hosting server has been hacked. It's even better when you have to fight them to prove it's their fault for being hacked and not yours for being cohosted by them!

    And yes, they are running Linux... they apparently didn't cover all their bases and were caught by more than one known exploit and some default settings.

    Just because it's Linux does not make it secure; you actually have to use it correctly.

    --
    * Winners compare their achievements to their goals, losers compare theirs to that of others.
  7. The Money Quote by The New Andy · · Score: 5, Insightful

    eBay recently did an in-depth analysis of its threat situation, and while the company is not releasing the results of this analysis, it did uncover a huge number of hacked, botnet computers, said Dave Cullinane, eBay's chief information and security officer, speaking at a Microsoft-sponsored security symposium at Santa Clara University.
    I'm not denying that Linux boxes can be (and are) hacked, but the circumstances for this particular quote seem a little shady. It seems a little irresponsible (on the part of the submitter) to not mention the money trail. And it seems a little strange not to release the results... what are they afraid of?
  8. Brute Force Attacks by superbrose · · Score: 5, Informative

    I'm sure pretty much everybody who is running a Linux server (or any server as a matter of fact), especially with services like SSH enabled, is currently subject to brute force attacks.

    When I looked at my auth log I noticed a huge amount of brute force attacks for all my servers, so I installed denyhosts, which seems to work fine.

    I guess the problem is also that in many distributions SSH servers are configured to allow root logins, and if nobody looks at the log files these go totally unnoticed.

    1. Re:Brute Force Attacks by Russell Coker · · Score: 5, Informative

      Run your sshd on a port other than 22. Most attackers only scan the well-known ports. Running your sshd on a different port removes a lot of the noise from your logs and allows you to concentrate on the real issues.

      The "Host" sections in the /etc/ssh/ssh_config file allow you to specify which port to use for each host you connect to (so you don't need to type "-p 1234" every time you connect).

      --
      See http://etbe.coker.com.au/ for my blog.
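An added example (not Russell Coker's own config) of the per-host Port stanzas he describes, with a small resolver that mimics how ssh chooses a value so the ordering rule is visible; the host aliases, host names and ports are constructed.

```shell
#!/bin/sh
# Added example, not Russell Coker's own config: an ssh_config fragment with
# per-host ports, and a small resolver showing how ssh picks a value. The
# host aliases, host names and ports are constructed.

# Write the fragment to file $1. ssh keeps the FIRST value it obtains for each
# option, so the specific Host stanzas must come before the "Host *" catch-all.
write_sample_ssh_config() {
    cat > "$1" <<'EOF'
Host colo1
    HostName colo1.example.invalid
    Port 2222

Host colo2
    HostName colo2.example.invalid
    Port 31337
    User admin

# Everything else: the default port
Host *
    Port 22
EOF
}

# Resolve the Port ssh would use for alias $2 from config $1, with the same
# first-match-wins rule. Simplification: one pattern per Host line.
ssh_port_for() {
    active=0
    while read -r key val rest; do
        case "$key" in
            ''|'#'*) ;;                                    # blank or comment
            [Hh]ost) case "$2" in $val) active=1 ;; *) active=0 ;; esac ;;
            [Pp]ort) if [ "$active" = 1 ]; then printf '%s\n' "$val"; return 0; fi ;;
        esac
    done < "$1"
    printf '22\n'                                          # ssh's built-in default
}

# Demo: "ssh colo2" would use port 31337 with no -p on the command line.
cfg=$(mktemp); write_sample_ssh_config "$cfg"
ssh_port_for "$cfg" colo2
rm -f "$cfg"
```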
    2. Re:Brute Force Attacks by jwo7777777 · · Score: 5, Funny

      Guns don't kill people, catchphrases kill people.

  9. double standard by nomadic · · Score: 5, Insightful

    Because Linux is highly reliable and a great platform for running server software, Linux machines are desired by phishers

    So when phishers target windows servers, it's because windows has horrible security, but when they target linux servers, it's because linux is just awesome?