Mystery Malware Affecting Linux/Apache Web Servers

lisah writes "Reports are beginning to surface that some Web servers running Linux and Apache are unwittingly infecting thousands of computers, exploiting vulnerabilities in QuickTime, Yahoo! Messenger, and Windows. One way to tell if your machine is infected is if you're unable to create a directory name beginning with a numeral. Since details are still sketchy, the best advice right now is to take proactive steps to secure your servers. 'We asked the Apache Software Foundation if it had any advice on how to detect the rootkit or cleanse a server when it's found. According to Mark Cox of the Apache security team, "Whilst details are thin as to how the attackers gained root access to the compromised servers, we currently have no evidence that this is due to an unfixed vulnerability in the Apache HTTP Server." We sent a similar query to Red Hat, the largest vendor of Linux, but all its security team could tell us was that "At this point in time we have not had access to any affected machines and therefore cannot give guidance on which tools would reliably detect the rootkit."'"
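The only detection symptom the story offers is that an infected host refuses to create a directory whose name begins with a numeral. The script below is an added example, not from the article or from Apache or Red Hat, that probes exactly that symptom in a directory of your choosing; the directory paths and probe names are constructed for illustration, and a passing probe only means this one symptom is absent, not that the host is clean.

```shell
#!/bin/sh
# Probe the reported symptom: mkdir of a numeral-prefixed name failing.
# This is a quick triage check, not a rootkit scanner; a clean result
# proves nothing beyond the absence of this single symptom.

# check_numeric_mkdir DIR
#   returns 0 and prints "clean"   if a digit-prefixed directory can be made in DIR
#   returns 1 and prints "SUSPECT" if only the digit-prefixed mkdir fails
#   returns 2 if even an ordinary name cannot be created (permissions/disk, not this symptom)
check_numeric_mkdir() {
    base="$1"
    probe="$base/1probe_$$"      # constructed name, deliberately starts with a numeral
    control="$base/probe_$$"     # constructed control name, no leading digit

    # Control first: if a normal name fails too, the cause is not this symptom.
    if ! mkdir "$control" 2>/dev/null; then
        echo "error: cannot create directories in $base at all; check permissions/space" >&2
        return 2
    fi
    rmdir "$control"

    if mkdir "$probe" 2>/dev/null; then
        rmdir "$probe"
        echo "clean: numeral-prefixed directory created in $base"
        return 0
    fi
    echo "SUSPECT: numeral-prefixed mkdir failed in $base; examine the host with offline tools"
    return 1
}

# Usage: probe a scratch location; on a web server you would also point it at
# the document root and upload directories the daemon writes to.
check_numeric_mkdir "${TMPDIR:-/tmp}"
```

Run it as the same user the web server runs as, since a rootkit that interposes on filesystem calls may behave differently per user.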

4 of 437 comments

  1. Re:Funny by Anonymous Coward · Score: 0, Redundant

    Would you blame a lock company if the user left his keys in the lock?
    Why not?
    Such fallacious arguments are de rigueur for the gun control weenies.
    What is the point of any technology if we have to be responsible for it, or something st00p3d like that?

  2. Inaccurate by deadeye766 · Score: 0, Redundant

    Seriously, everyone knows Linux is completely and utterly unhackable. This is obviously some kind of viral pro-MS FUD. =)

  3. lighttpd by Apreche · Score: 0, Redundant

    Is the way to go.

    --
    The GeekNights podcast is going strong. Listen!

  4. A thousand ways by Evets · Score: 0, Redundant

    There are a thousand ways to root a machine, and there are a lot of ways to configure Apache so that it's either very secure or very insecure - but really Apache is just one attack vector. Being that all the machines that exhibited distribution of the Windows malware, it may be a common configuration problem between those servers - but how many servers do they know about that were distributing the software? 10? 1000? 10,000? You would think if there were that many of them there would be incremental backups that you could look through to see what was going on in the system.

    Logically assuming that it is just a handful of servers based on the fact that nobody has pinpointed the problem, more likely it's that the server admins are either the problem, or it is an attack on a very specific configuration and software combination.