Slashdot Mirror

← Back to Stories (view on slashdot.org)

Mystery Malware Affecting Linux/Apache Web Servers

Posted by Zonk on from the duck-and-cover-like-tommy-the-turtle dept.

lisah writes "Reports are beginning to surface that some Web servers running Linux and Apache are unwittingly infecting thousands of computers, exploiting vulnerabilities in QuickTime, Yahoo! Messenger, and Windows. One way to tell if your machine is infected is if you're unable to create a directory name beginning with a numeral. Since details are still sketchy, the best advice right now is to take proactive steps to secure your servers. 'We asked the Apache Software Foundation if it had any advice on how to detect the rootkit or cleanse a server when it's found. According to Mark Cox of the Apache security team, "Whilst details are thin as to how the attackers gained root access to the compromised servers, we currently have no evidence that this is due to an unfixed vulnerability in the Apache HTTP Server." We sent a similar query to Red Hat, the largest vendor of Linux, but all its security team could tell us was that "At this point in time we have not had access to any affected machines and therefore cannot give guidance on which tools would reliably detect the rootkit."'"

4 of 437 comments (clear)

  1. Re:Funny by Undead+Ed · · Score: 5, Insightful

    According to the story (did you read it), it appears to be a situation where the root password has been compromised, not the applications or operating system.

    Problems with IIS were as a result of vulns in the application and/or Windows operating system - totally different problem.

    Would you blame a lock company if the user left his keys in the lock?

    Ed

  2. Re:Funny by plague3106 · · Score: 5, Insightful

    I read it, here's what it said: "One great unknown thus far is how the servers come to be infected. Absent any forensic evidence of break-ins, the current thinking is that the malware authors gained access to the servers using stolen root passwords."

    In other words, they have no idea how the servers were compromised. Because they can't find out how, they're guessing it was a root password that was stolen. In other words, its still just as likely a flaw in some software.

  3. Re:Funny by Undead+Ed · · Score: 5, Insightful

    "they're guessing it was a root password that was stolen"

    A pretty good guess, otherwise we could expect to see millions of Apache web servers compromised (there are over 75 million Apache web servers in active service) and anticipate a much greater number of Windows clients infected.

    The significance of this story is not that Windows clients are the target, the significance is that the infecting agent is originating from Apache/Linux servers.

    Ed

  4. Re:Read it careful people... by jawtheshark · · Score: 5, Insightful

    I do not know how you interpret this, but a rooted server, Linux, FreeBSD, OpenBSD or even Windows is also a "harmed" computer. Yes, clients will get infected, but the servers are in deep trouble too.

    --
    Ahhh...the great dumpster continuum. Many a free computer will be found there. -- sowth (748135)