Slashdot Mirror
2M New Websites a Year Compromised To Serve Malware
SkiifGeek writes "Sophos claims that they are detecting 6,000 new sites daily that have been compromised to serve malware to unsuspecting site visitors, with 80% of site owners not aware that they have been compromised — though this figure is probably on the low side. With increasingly vocal arguments being put forward by security experts criticizing the performance and capability of site validation tools (though many of these experts offer their own tools and services for similar capabilities), and rising levels of blended attacks, perhaps it is time you reviewed the security of your site and what might be hiding in infrequently used directories."
Everytime I read about a new form of server malware, I try to check a LAMP server that I run. So far I've come up clean but I've hardly done a full inspection. Anyone know of a good way to scan a set up? Sophos says that they are detecting thousands of new sites - how are they scanning them?
-dave
http://millionnumbers.com/ - own the number of your dreams
2 million websites a year? Are these all IIS websites on PCs that the PC owners don't know they are hosting? How can the number be this high?
But I thought all these sites were validated and certified and IP imdemnified, else what was the point of paying huge wads of dosh to all the lawyers, oh wait, now I get it .. :)
davecb5620@gmail.com
Perhaps the time has come to harden the "common stacks" so certain switches are off.
For example, once you set up your web site, "lock it" so if there are any changes to files or directories that shouldn't change, the site will break in a non-harmful way rather than be compromised.
If and when these files need updating, the "unlock" process should be done using a tool independent of the main web-server process, perhaps by using a different web-server process running on a different port or even a process on a different computer that validates the request then passes it on to the main web server.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
Comment removed based on user account deletion
Comment removed based on user account deletion
I would just run a perl script that does a regex on the access logs for anything that does not match the files that should be delivered to clients. Put the perl script in a cron job and let it run. Also do an MD5 hash on those files regularly and check for any changes to static files. And use very strong root passwords, don't let root account login remotely, and use ssh keys with no interactive logins.
my 2 cents...
Okay, say someone's site is served by an ISP. The ISP gives the site owner a shell account and manages the LAMP infrastructure. The shell account is likely a virtualized instance, meant to limit the damage that each little site can do to the hosted infrastructure, not to limit the damage that the host does to little sites or their visitors. How can the site owner "check their own site" in such a case? Virtualization itself is a sort of rootkit conceptually, so how can the virtualized account check for malicious rootkits in its own instance or in the greater infrastructure?
[
hit it with a hammer
davecb5620@gmail.com
Until they release the fricking list of IP addresses or Domain names.
I would love to put that list in my squid blocking file to protect my users.
Do not look at laser with remaining good eye.
TFA says 6000 infected webpages. Could be a big difference, but TFA doesn't elaborate.
Do eeetttt!
If I run FF and keep it patched, am I safe? If I did get compromised, what would the symptoms be?
I tend to think that keeping my OS patched keeps me pretty safe, but there's always a delay after a new vulnerability is discovered before the patches come out (the zero day) and what concerns me is that if someone has a very large network of compromised web servers, they can roll out a zero day vulnerability to all of them and do a lot of damage.
As to symptoms, I think spyware used to be the big problem, and infected computers would have popups and such. But now I think that infected machines will be used primarily to send spam. Is that correct?
Comment removed based on user account deletion
Also, keep an eye on how big your maillog files are - if they suddenly grow by some exponent, you've been turned into a spam server (or a newsletter went out - five seconds of peeking at the live output should tell you which).
Also, you can keep an eye on the http access logs - with a bit of scripting and uniq, you can tell if one site is constantly connecting (e.g. most PHP hijacks usually full files in from another, far more compromised site). If you get a ton of HTTP connections from a site you don't expect (e.g. a shitload of calls come in from some site ending in *.cn, the IP addy resolves to somewhere halfway across the planet, things like that), then you may want to get your suspicions up.
I suspect Sophos is crawling the page and scanning what they get for common munge-ups and mis-directions. It wouldn't surprise me if they tend towards overstating the case somewhat, but I don't know what they're looking for exactly so it'd be hard to tell for sure.
Quo usque tandem abutere, Nimbus, patientia nostra?
OK I know I'm feeding the trolls but you know you can choose to NOT see certain authors' stories under Preferences->Homepage, right?
Here's to the crazy ones
But how many of those websites were compromised to serve Satan?
When do we get a FOSS runtime library for using this valuable public resource?
Imagine all the useful things we could do for the world if we all had access to this distributed computing power.
Those who do study history are doomed to stand helplessly by while everyone else repeats it.
with 80% of site owners not aware that they have been compromised
Wait. So 20% of site owners know their site has been comprimised and they haven't done anything about it and are still serving up malware? Sounds to me like someones making up statistics.
Knowledge is power; knowledge shared is power lost.
Somebody should warn 3M that they are next. I'm sure they would want to prepare. Ok, sorry I'll get my coat.
I don't have a microwave. I do, however, have a clock that occasionally cooks shit.
Actual different machines with actual different firewalls are good for hosted solutions and IT departments that know what they are doing, but they are too complicated for non-geek do-it-yourself mom-and-pop-businessman/home-user solutions.
However, a stack that puts a virtual or other hardened subsystem to hide the non-read-only files and databases behind in an easy-to-use form should be doable.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
Radmind: http://radmind.org/. Radmind's is designed for this purpose exactly. It's a tripwire with the ability to roll back changes, or capture them and store them for deployment to other systems.
Absent more detail, I am calling shenanigans on this statistic, Sophos, and the Register. I am soooo sick of the FUD.
Harumph!
In addition to the other tools mentionned by /.ers, there are 2 root-kit checking tools that are worth mentioning :
/srv/ftp, etc.)
- chkrootkit
- rkhunter
They are scripts that scan the system for known root kits, weird behaviours and hidden files in unusual places.
They can both be used to scan an offline system (booted from a live-cd and the system mounted under some directory),
and a live online system (they check the system for suspicious behaviour that may reveal a root-kit trying to hide it self - for example the "ps" command doesn't show the same processes as the "/proc" directory could mean a root-kitted "ps").
They are available in a lot of distributions (Debian Etch has them in the repository - probably the corresponding Ubuntu has them too) and the packages usually come with "cron" entries that can automatically scan the system and email a report to the administrator.
They are also downloadable and installable from their websites and feature configuration files that cover the most frequent distributions.
You should install them, run some initially check, (eventually edit the script to remove some false positive, i.e.: hidden files about which the script complains but which are normal part of the system), and add crontab entries to do daily checks and e-mail you positive results.
This will help you against having your server rootkited.
-----------------------
Another tool worth mentioning is ClamAV.
That's an open-source signature-based virus scanner, whose maker have been praised for their very fast response time in case of new emerging threats.
You could set it up to periodically check files in the directories that are served. (/srv/www,
The scanner is not very fast, but supports some specialized-hardware acceleration (it might be worth considering it if the server is rather important, and gets significant mail-traffic too). Some teams are also working on GPGPU hardware acceleration (mentioned in nVidia's book "CPUGems 3").
This will help you get some protection against website that you're hosting that may have been hacked into (with bugs in PHP pages, for exemple) and are now serving malwares.
-----------------------
Because the way malware evolve, you may have to upgrade the above softwares to later versions than those shipped with your OS.
Some distribution propose it in their security updates.
For Debian, keep in mind that this kind of "later version requirement" packages go in the "volatile" repository and not the "security" one, modify your sources accordingly.
("security" : we keep the exact same version for stability reasons and only patch critical errors.
"volatile" : for security reasons, some packages (mostly various scan engines) may require updating to a later versions.
"volatile-sloppy" : warning, the packages are really different. b0rkage of config files may ensure (mostly software like gaim/pidgin).
This is a page with a top 100 of various security tools which may also inspire you (for example they mention a webserver scanner called Nikto).
Also, always keep in mind that a compromised machine is not a machine that you can trust. Thus in addition to creating new entries in you crontab, you should also test your machine offline as part of the security checks.
For example, occasionnaly, when you have to take your server offline for planned updates (rebooting to newer kernel version or non hot-plugable hardware upgrades) you may want to scan your system while booting on a LiveCD in case the root-kit are efficient enough to go undetected once they are active.
(That is, if the conditions allow you to perform such a scan : the machine is physically accessible, you can plan in the
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
Why can't a bunch of white hats get together in some country with lax or missing Internet laws and make a virus that SLOWLY propagates throughout the Internet looking for VERY OLD vulnerabilities, infect those machines, download the patches and turn on auto-update, maybe scan the local network and then outside for a week or so, then alert the owner with a polite pop-up and background change telling them they've been infected by at least one virus and should get some AV and some patches and maybe even list some sources.
Dick move? Yes. Illegal in the US? Yes. Nightmare for admin-type-folks? Yes.
But if it's attacking vulns that are YEARS old it would only affect forgotten or luddite-owned boxes.
If it's slow, like a packet a second or slower, it wont clog any networks.
And it will prevent a lot of the stupid viruses that slam the net every now and then.