Slashdot Mirror
Mystery Malware Affecting Linux/Apache Web Servers
lisah writes "Reports are beginning to surface that some Web servers running Linux and Apache are unwittingly infecting thousands of computers, exploiting vulnerabilities in QuickTime, Yahoo! Messenger, and Windows. One way to tell if your machine is infected is if you're unable to create a directory name beginning with a numeral. Since details are still sketchy, the best advice right now is to take proactive steps to secure your servers. 'We asked the Apache Software Foundation if it had any advice on how to detect the rootkit or cleanse a server when it's found. According to Mark Cox of the Apache security team, "Whilst details are thin as to how the attackers gained root access to the compromised servers, we currently have no evidence that this is due to an unfixed vulnerability in the Apache HTTP Server." We sent a similar query to Red Hat, the largest vendor of Linux, but all its security team could tell us was that "At this point in time we have not had access to any affected machines and therefore cannot give guidance on which tools would reliably detect the rootkit."'"
As Ubuntu is indeed Linux, I'd venture to guess that it is affected.
This is why serious businesses choose a serious web server: Microsoft Internet Information Services running on Microsoft Windows Server.
"the current thinking is that the malware authors gained access to the servers using stolen root passwords"
so basically its most likely they used the traditional means of gaining access (not through holes, but merely through bad personal security practices regarding passwords and password management). And it only affects windows clients. So how is this problem not your typical someone cracked your machine? Oh wait, I smell Microsoft FUD... ewwwwww
Last night I discovered a directory named 53 4B 59 4E 45 54 in my home folder.
I do believe tht if this story was with IIS it would be tagged ahah :)
"According to a press release issued earlier this month ..."
Yawn.
According to the story (did you read it), it appears to be a situation where the root password has been compromised, not the applications or operating system.
Problems with IIS were as a result of vulns in the application and/or Windows operating system - totally different problem.
Would you blame a lock company if the user left his keys in the lock?
Ed
I think it's funny that Apache is affected by the same drama that affected IIS all those years ago.
Except IIS had security hole after security hole.
There's been no such security hole found in apache yet. So I'd wait before making comparisons to IIS.
AccountKiller
I can see thousand of people trying to make numeric directories :)
Yes, also if you can run your tummy while patting your head you aren't infected also.
I think.... this crazy idea is the virus!
IIS are serious server. This are serious thread.
In Xanadu did Kubla Khan
A stately pleasure dome decree
Does this rootkit work on a hardened Gentoo install with no LKM support on SPARC64? :P
Maybe; they're still compiling it.
Bozo the Clown serious?
Lack of planning on your part does not constitute an emergency on mine.
Yes, but you have to compile it.
I read it, here's what it said: "One great unknown thus far is how the servers come to be infected. Absent any forensic evidence of break-ins, the current thinking is that the malware authors gained access to the servers using stolen root passwords."
In other words, they have no idea how the servers were compromised. Because they can't find out how, they're guessing it was a root password that was stolen. In other words, its still just as likely a flaw in some software.
It's for Apache/Linux so it must be well crafted code written with the best intention....
Isn't that always the case with FOSS. If it was for Microsoft then it would be _real_ malware....
I did a mkdir 09F911029D74E35BD84156C5635688C0 and all I got was a DMCA rm -f 09FA* request.
How is that flamebait? I'm dead serious. If the quality of software doesn't improve dramatically, we're going to be in a world of hurt very soon. How do you suggest we achieve that improvement if not by making authors of faulty software liable for their negligence? We certainly can't keep upgrading software every time a bug is found, if bugs keep cropping up at the current rate.
To figure out what the compromise vector is, it's probably going to be necessary to figure out what the compromised servers have in common -- and how that differs from uncompromised servers. (Keeping in mind that currently-uncompromised servers may have the same vulnerability, and that attackers or their software just may not have gotten to them yet.)
I'd suggest enumerating factors such as OS, OS version, remote access methods (ssh, ftp, etc.), Apache versions, Apache modules, add-ons like CPanel, network/ASN, and so on -- anything could be a culprit at this point.
And that includes things that have nothing to do with Linux or Apache: for example, it's possible that the attackers acquired root passwords by infecting Windows systems used by administrators -- then just waited for them to initiate ssh sessions to their servers. It'd probably be best to leave all possibilities open and consider them equally likely until evidence starts accumulating in favor of/against them. (In re-reading that last statement, I suppose it sounds a bit trite. I'm just trying to discourage premature conclusions that anything is at fault until somebody can produce evidence to support saying so.)
The Register has been on this for a while and although the story is older it is better written and has more interesting details: http://www.channelregister.co.uk/2008/01/16/mysterious_web_infection_continues/
my $.02 of course
I see this type of attack all the time, the fact that someone automated it and gave it a zombie machine is not surprising.
* Don't allow root to ssh into your machine.
* Disable ssh1.
* Limit sudoers.
* Have good passwords.
* ???
* PROFIT!!
Seems like a formula everyone should know.
I said no... but I missed and it came out yes.
"they're guessing it was a root password that was stolen"
A pretty good guess, otherwise we could expect to see millions of Apache web servers compromised (there are over 75 million Apache web servers in active service) and anticipate a much greater number of Windows clients infected.
The significance of this story is not that Windows clients are the target, the significance is that the infecting agent is originating from Apache/Linux servers.
Ed
Depends. How good is my lawyer?
The last time I wrote code, it was Morse
Your safe. NOTHING will run on that system. ;-)
Flexible bare-metal recovery for Linux/UNIX
It's high time for better software, and the only way to get that is to apply market pressure. Software liability is the answer.
... And you wonder why your post was modded flaimbait?
1) If the market really wanted extensive 'software liability' then we'd already have it. Customers would demand it, suppliers would figure out how much it would cost to provide it, and prices would sort themselves out. Turns out the prices go WAY up, and customers (most of them) don't want to pay them.
2) What happens to Linux in a world with mandatory software liability? Who is liable? The company providing install and support? The volunteer contributor who wrote that line of code? The project maintainer who accepted the patch?
It's possible to install software on a Linux webserver that exploits vulnerabilities in Windows clients. This is news?
Here's a shocker: it's possible to exploit Windows boxes with services hosted on a Commodore64.
Windows has more malware packages than legitimate software packages. They've really solved that ease of installation problem.
Help stamp out iliturcy.
Ed,
Please let me know what the last critical security flaw for IIS was. I'd love to know.
Also, let me know how many critical security flaws there have been for Apache in the last year or so.
Thanks!
Yeah. People should be held liable when they know full well that Microsoft has a track record for bad security, but choose Microsoft products anyway.
http://outcampaign.org/
Would you please tell me which one of the hundreds if not thousands of developers should be sued when OSS has a bug in it? Also, there is no way we could process that many law suits...
Simple! Just don't upgrade. Problem solved! Don't worry, the rootkit seems to be spreading malware to windows users. They're used to it anyway -- it won't actually harm your linux box, so what's to worry?
No, not really a good guess. It could be only Apache on a certain distro, with a certain version. Apache runs on Unix as well, so you can rule all those Apache installs out (the article seems to point out Linux, IIRC).
I agree with your reasoning on the significance of the story.
I'll take my chances with *BSD.
It only takes one man to change the Wisdom of the Crowd to Tyranny of the Masses.
Microsoft? This story is on posted on linux.com and being hyped on a OSDN site, where do microsoft come in? They must have a pretty deep mole to get this one planted...
... though a solution has not been yet:
http://blog.trendmicro.com/e-commerce-sites-invaded/
If you happen to have one of these compromised systems, I am sure that Trend would like to talk to you about it...
"but his point is that unless you are running Windows OR have an Apache webserver this doesn't effect you."
Well I am sure the 3% of the population that don't fit into either category are relieved as hell.
I agree. The people who made this problem possible should be sued and held accountable.
Now then, which admin is first for choosing bad passwords?
"I use a Mac because I'm just better than you are."
There is something suspicious about this report. Some things can't happen the way people say they happen, and when that is the case we have to look at more likely scenarios.
I would bet the path of the TCP/IP packets route through compromised providers who have an injection strategy. Remember a few months ago how IPSs were injecting their own java script and ads into the pages of other sites?
http://ars.userfriendly.org/cartoons/?id=20070703
This is the most likely scenario I can think of.
FTFA:FTFA - "The random js toolkit was detected using Finjan's patented real-time code inspection technology while diagnosing users' web traffic during December 2007..."
This is all just a ploy to bring attention to Finjan for financial gain!
But why male models?
Shop as usual. And avoid panic buying.
All your BASE are belong to us.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
"It could be only Apache on a certain distro, with a certain version."
Yet another persuasive argument to avoid the technological mono-culture that is Microsoft Windows.
Ed
Software has to suck because the market can't afford software that doesn't suck. Kids out of high school and collage or fresh out of joe's web school. aren't qualified to write good software, yet this is what companies hire over more experienced people.
Even then, there is no ability to develop your skills because you spend 99% of your time learning new environments.
Software is HUGELY complex these days and it takes a log of study, knowledge, and skill to be any good at it. Companies don't want to hear that. They want to increase productivity by "KLOC." (Un)fortunately, there is a lot of "art" and "creativity" in software development and without well defined product specs, rigid test plans, and quality assurance which adds delays and cost to a project you won't get better code.
Standard business upside potential vs downside risk. Upside potential: first to market, profit!!! Downside risk: blame some hacker.
What's this nonsense? Ubuntu is Ubuntu. ...and that's kinda related to Mac, right? Just... more browner.
Which is hardly an advantage on Linux because everybody can su to root. We have RMS to thank for that one. Apparently the GNU way is fairer to the users.
http://michaelsmith.id.au
happy geek has run out of happy :-(
455fe10422ca29c4933f95052b792ab2
Exactly. Also this gem from the article:
Other than using and safeguarding secure root passwords, not much can be done at this time to be proactive in preventing servers from being compromised,
Turn off root's log in and get rid of cPanel and similar programs as well. I understand the need for an easy to use remote admin tool (as much as I'd love people to actually learn the shell), but can't we do better than a web-based program for this stuff?
The Anti-Blog
His main point was insightful. There are two parts to the story - one, Linux servers running Apache have been compromised. Two, these servers are infecting Windows clients through vulnerabilities in those clients. This exploit does not affect non-Windows computers.
If the current thinking is indeed that the Linux servers were inappropriately accessed through stolen passwords, how is that a security flaw of Linux or Apache? Like he asked, how is using a legitimate password equal to cracking the server?
On the other hand, turning Windows clients into bots *IS* an example of that software's (and QuickTime's and Yahoo! Messenger's) insecurity and vulnerability!
The real "Libtards" are the Libertarians!
I think their class restricts them to Lawful Evil; should they change alignment, they et disbarred. So, none, at a guess.
Ignore this signature. By order.
GUIs provide metaphors for users, they have no place in administration.
</grumpyOldFart>
"Linux is for noobs"-The new MS fud strategy
Right, right, they're running your typical LAMP stack. You know, like most of the internet. Statistically speaking, if you have a site, you more than likely have a site served by Apache on Linux. In truth, I've heard of very few servers that receive significant traffic that DON'T run Apache and even fewer that don't run Linux. As the internet is based around open international standards, there's no reason a Linux-based server couldn't serve packets containing harmful windows executable code. Your first point is a non-issue.
As to your second point, it's only natural that windows machines be targeted. More critical security vulnerabilities as part of the base operating system that is almost certainly being run as root ("administrator" if you've never used *nix) means greater capability for general chaos. Alternatively, more useful machines for ye olde botnette. One problem with targeting Linux machines is the Unix permissions model that would create a situation where even if someone were to find a hole by which they could access the system, they would still need to find a method by which to elevate their user privileges to root so that they could accomplish more than manipulation of the user's home directory. This leads to the second problem- security flaws in a *nix system are almost certainly related to the software installed on them rather than the Linux kernel itself, making it a roulette game whether your particular method of attack is even present to be exploited.
In a system that has been systematically secured by experts from all callings for years on end, it becomes, with each patch level, more and more likely for the human equation's unreliability to be the single greatest point of failure. Being fallible, people resort to insecure data practices for their own convenience, out of laziness, from a lackadaisical attitude, or out of habit; thus creating a situation where the likelihood of a partial or full breach rapidly approaches one. This is a well known point of failure, and is even counted on, at some level, with a sane backup policy and data redundancy.
What's more, while rootkits and their dangers are very real, one cannot say that it is a vulnerability of a system that someone in possession of what is assumed to be a secure superuser password can install software on that system. Were you to steal the keys to a car, you certainly wouldn't find it strange be able modify the engine of said vehicle- after all, with keys you can unlock the door and with a minimum of effort pop the hood and go to work.
So yes, my dear Coward, grandparent was correct- this is somewhat more elegant than we're used to seeing, but it is most certainly presented in a way thst prompts one to think that there is something "wrong" with Apache or Linux.
RTFM
So as long as it defends your precious *nix community, and lays potential blame at the door of MS, it is perfectly acceptable practice to make accusatory conclusions with no evidence or proof. This kind of MS bashing just makes the *nix community look like desperate hypocrites, and only furthers my resolve to continue supporting the MS platform for another 15 years of satisfied usage.
Why can't you just accept the fact that everyone knows that every platform is vulnerable to some extent, and probably 90% of users don't give a shit.
"And it only affects windows clients. So how is this problem not your typical someone cracked your machine? Oh wait, I smell Microsoft FUD"
Are you really that illiterate? Just an FYI - Microsoft doesn't make Apache OR Linux. If compromised severs are being used, it is certainly not the type that "only affects windows clients". Duh. Only here would such blatant anti-MS bullshit get modded "Insightful". I took a way more "insightful" shit this morning. So, Mac planet is not alone discrediting every single security alert as "FUD"
It seems there are other people who sees a story validated by 4 different, independent security companies as FUD. Apache is planets number 1 webserver and Linux is number 1 Webserver OS. What else would a blackhat supported by mafia would target? It is not like "I am proving Linux is unsecure", it is "I have purchased a previously unknown compromised account list and I am using it to infect millions of MS Windows users running popular but unpatched software, we will make millions from that zombie army".
I don't get why people gets defensive.
Comment removed based on user account deletion
This is old news. Its caused by a rootkit: http://www.cpanel.net/security/notes/random_js_toolkit.html
Caesar si viveret, ad remum dareris.
I identified this rootkit in a system about 5 months ago and slightly documented some behaviours of it (I think only behaviour I've missed was numerical directory thingy). Related blog post 25.08.2007 - http://ferruh.mavituna.com/makale/exploit-paketleri/ ).
.js after body tag in all interfaces. There was one article that mentioned most of the compromised servers based UK, it was same for me. And considering it's been about 5 months, I assume UK websites were prime target in the start.
There is one more thing to add, it modify all valid HTTP responses, add
What that means is that probably every server in the data center had the same root password and somebody leaked it or sold it. We had a server that was managed by command dental system, and every system they sold had one of 5 root passwords which quickly became common knowledge in the industry.
Apocalypse Cancelled, Sorry, No Ticket Refunds
on several systems, in a small amount of time?
In general, these systems probably don't even give users shell access, and even then, password cracking is probably out of the picture. And brute forcing a password over ssh? thats probably troublesome too, it would be hard to get over about 50 attempts/second.
On the other hand, there are a whole bunch of local vulnerabilities that can be exploited, after a system is compermised. In some cases, a weak php include vulnerability could potentially allow the apache user to execute suid root applications through such vulnerabilities as: https://rhn.redhat.com/cve/CVE-2007-5964.html on a default configuration of rhel5/fedora5-7.
Every system has it's vulnerabilities.
I fear the Y2038 bug
Linux desktop users most certainly can be infected with this rootkit. We've seen 4 machines with it so far- 1 server and 3 desktops. The Apache webserver may be being used to infect windows clients with malware, but it is not the point of entry for the rootkit installation.
On the other hand, turning Windows clients into bots *IS* an example of that software's (and QuickTime's and Yahoo! Messenger's) insecurity and vulnerability! Using a legitimate password is not equal to cracking the server. But it must be made to look so because the PR firms the M$ movement uses must cast aspersions on Apache and Linux so as to draw attention away from the actual insecure and vulnerable system. Most PHBs never read past the headlines, so this is major spin for the M$ party.
Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
While SSH allows for direct neural link that allows the computer to do exactly what you think, thus bypassing the metaphors and concepts entirely? Man, I thought SSH didn't do that by default, at least not on my Linux systems; it just provided a secure connection to whatever user interface the system provided. So, where can I download DO-WHAT-I-MEAN-OSIX 2.0? =)
Command lines are a metaphor. Yes, incidentally well suited for system administration, but a metaphor nevertheless. =)