Slashdot Mirror
2M New Websites a Year Compromised To Serve Malware
SkiifGeek writes "Sophos claims that they are detecting 6,000 new sites daily that have been compromised to serve malware to unsuspecting site visitors, with 80% of site owners not aware that they have been compromised — though this figure is probably on the low side. With increasingly vocal arguments being put forward by security experts criticizing the performance and capability of site validation tools (though many of these experts offer their own tools and services for similar capabilities), and rising levels of blended attacks, perhaps it is time you reviewed the security of your site and what might be hiding in infrequently used directories."
Everytime I read about a new form of server malware, I try to check a LAMP server that I run. So far I've come up clean but I've hardly done a full inspection. Anyone know of a good way to scan a set up? Sophos says that they are detecting thousands of new sites - how are they scanning them?
-dave
http://millionnumbers.com/ - own the number of your dreams
But I thought all these sites were validated and certified and IP imdemnified, else what was the point of paying huge wads of dosh to all the lawyers, oh wait, now I get it .. :)
davecb5620@gmail.com
Perhaps the time has come to harden the "common stacks" so certain switches are off.
For example, once you set up your web site, "lock it" so if there are any changes to files or directories that shouldn't change, the site will break in a non-harmful way rather than be compromised.
If and when these files need updating, the "unlock" process should be done using a tool independent of the main web-server process, perhaps by using a different web-server process running on a different port or even a process on a different computer that validates the request then passes it on to the main web server.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
Comment removed based on user account deletion
Comment removed based on user account deletion
I would just run a perl script that does a regex on the access logs for anything that does not match the files that should be delivered to clients. Put the perl script in a cron job and let it run. Also do an MD5 hash on those files regularly and check for any changes to static files. And use very strong root passwords, don't let root account login remotely, and use ssh keys with no interactive logins.
my 2 cents...
"He Who Dares Wins"
Okay, say someone's site is served by an ISP. The ISP gives the site owner a shell account and manages the LAMP infrastructure. The shell account is likely a virtualized instance, meant to limit the damage that each little site can do to the hosted infrastructure, not to limit the damage that the host does to little sites or their visitors. How can the site owner "check their own site" in such a case? Virtualization itself is a sort of rootkit conceptually, so how can the virtualized account check for malicious rootkits in its own instance or in the greater infrastructure?
[
hit it with a hammer
davecb5620@gmail.com
Until they release the fricking list of IP addresses or Domain names.
I would love to put that list in my squid blocking file to protect my users.
Do not look at laser with remaining good eye.
TFA says 6000 infected webpages. Could be a big difference, but TFA doesn't elaborate.
If I run FF and keep it patched, am I safe? If I did get compromised, what would the symptoms be?
I tend to think that keeping my OS patched keeps me pretty safe, but there's always a delay after a new vulnerability is discovered before the patches come out (the zero day) and what concerns me is that if someone has a very large network of compromised web servers, they can roll out a zero day vulnerability to all of them and do a lot of damage.
As to symptoms, I think spyware used to be the big problem, and infected computers would have popups and such. But now I think that infected machines will be used primarily to send spam. Is that correct?
Also, keep an eye on how big your maillog files are - if they suddenly grow by some exponent, you've been turned into a spam server (or a newsletter went out - five seconds of peeking at the live output should tell you which).
Also, you can keep an eye on the http access logs - with a bit of scripting and uniq, you can tell if one site is constantly connecting (e.g. most PHP hijacks usually full files in from another, far more compromised site). If you get a ton of HTTP connections from a site you don't expect (e.g. a shitload of calls come in from some site ending in *.cn, the IP addy resolves to somewhere halfway across the planet, things like that), then you may want to get your suspicions up.
I suspect Sophos is crawling the page and scanning what they get for common munge-ups and mis-directions. It wouldn't surprise me if they tend towards overstating the case somewhat, but I don't know what they're looking for exactly so it'd be hard to tell for sure.
Quo usque tandem abutere, Nimbus, patientia nostra?
OK I know I'm feeding the trolls but you know you can choose to NOT see certain authors' stories under Preferences->Homepage, right?
Here's to the crazy ones
When do we get a FOSS runtime library for using this valuable public resource?
Imagine all the useful things we could do for the world if we all had access to this distributed computing power.
Those who do study history are doomed to stand helplessly by while everyone else repeats it.
with 80% of site owners not aware that they have been compromised
Wait. So 20% of site owners know their site has been comprimised and they haven't done anything about it and are still serving up malware? Sounds to me like someones making up statistics.
Knowledge is power; knowledge shared is power lost.
Somebody should warn 3M that they are next. I'm sure they would want to prepare. Ok, sorry I'll get my coat.
I don't have a microwave. I do, however, have a clock that occasionally cooks shit.
Actual different machines with actual different firewalls are good for hosted solutions and IT departments that know what they are doing, but they are too complicated for non-geek do-it-yourself mom-and-pop-businessman/home-user solutions.
However, a stack that puts a virtual or other hardened subsystem to hide the non-read-only files and databases behind in an easy-to-use form should be doable.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
Radmind: http://radmind.org/. Radmind's is designed for this purpose exactly. It's a tripwire with the ability to roll back changes, or capture them and store them for deployment to other systems.
Absent more detail, I am calling shenanigans on this statistic, Sophos, and the Register. I am soooo sick of the FUD.
Harumph!
In addition to the other tools mentionned by /.ers, there are 2 root-kit checking tools that are worth mentioning :
/srv/ftp, etc.)
- chkrootkit
- rkhunter
They are scripts that scan the system for known root kits, weird behaviours and hidden files in unusual places.
They can both be used to scan an offline system (booted from a live-cd and the system mounted under some directory),
and a live online system (they check the system for suspicious behaviour that may reveal a root-kit trying to hide it self - for example the "ps" command doesn't show the same processes as the "/proc" directory could mean a root-kitted "ps").
They are available in a lot of distributions (Debian Etch has them in the repository - probably the corresponding Ubuntu has them too) and the packages usually come with "cron" entries that can automatically scan the system and email a report to the administrator.
They are also downloadable and installable from their websites and feature configuration files that cover the most frequent distributions.
You should install them, run some initially check, (eventually edit the script to remove some false positive, i.e.: hidden files about which the script complains but which are normal part of the system), and add crontab entries to do daily checks and e-mail you positive results.
This will help you against having your server rootkited.
-----------------------
Another tool worth mentioning is ClamAV.
That's an open-source signature-based virus scanner, whose maker have been praised for their very fast response time in case of new emerging threats.
You could set it up to periodically check files in the directories that are served. (/srv/www,
The scanner is not very fast, but supports some specialized-hardware acceleration (it might be worth considering it if the server is rather important, and gets significant mail-traffic too). Some teams are also working on GPGPU hardware acceleration (mentioned in nVidia's book "CPUGems 3").
This will help you get some protection against website that you're hosting that may have been hacked into (with bugs in PHP pages, for exemple) and are now serving malwares.
-----------------------
Because the way malware evolve, you may have to upgrade the above softwares to later versions than those shipped with your OS.
Some distribution propose it in their security updates.
For Debian, keep in mind that this kind of "later version requirement" packages go in the "volatile" repository and not the "security" one, modify your sources accordingly.
("security" : we keep the exact same version for stability reasons and only patch critical errors.
"volatile" : for security reasons, some packages (mostly various scan engines) may require updating to a later versions.
"volatile-sloppy" : warning, the packages are really different. b0rkage of config files may ensure (mostly software like gaim/pidgin).
This is a page with a top 100 of various security tools which may also inspire you (for example they mention a webserver scanner called Nikto).
Also, always keep in mind that a compromised machine is not a machine that you can trust. Thus in addition to creating new entries in you crontab, you should also test your machine offline as part of the security checks.
For example, occasionnaly, when you have to take your server offline for planned updates (rebooting to newer kernel version or non hot-plugable hardware upgrades) you may want to scan your system while booting on a LiveCD in case the root-kit are efficient enough to go undetected once they are active.
(That is, if the conditions allow you to perform such a scan : the machine is physically accessible, you can plan in the
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
Oh, and it would probably kill most/all of the bot nets.
As for the idea, though... I think about that as well. Even if just to get onto computers that haven't been compromised by a really effective bot yet (as I mentioned above) would be a big step.
Alas, most of the people talented enough to write such a thing are probably either:
* well-employed enough that they don't want to risk the jailtime
* working on building botnets of their own
Per Netcraft Sophos.com is running: Linux Apache 27-Jan-2008 213.31.172.77 SOPHOS
Yes, some do - and it's not a knock on Linux, either.
I work at a small webhost. We're 100% Linux, and have somewhere in the low hundreds of thousands of sites on about forty servers. I come across a compromised site about every other day, and those are the ones that are making themselves obvious - malicious javascript, form abuse, SQL injections, etc. Being on Linux servers has nothing to do with how secure the sites are. The users pick their own passwords and manage their own content, and the sites that get compromised usually do a poor job of one or both.
Bad passwords are the number-one problem. I check regularly and always find accounts using "password". I'm at a loss, frankly. Someone *will* guess your password if you're just going to be blindingly obvious with it. We've had to resort to blocking FTP for half of Africa, most of Asia, and a few spots in eastern Europe.
Second-ranked problem is poor code maintenance. Many hacked accounts are running PHP-based applications that haven't been patched or updated in three years. Yes, your b2evolution install from 2005 is vulnerable now. Back up your data and upgrade. You'll feel much better afterward, I promise =). Most of the PHP vulnerabilities can be (and are) prevented with mod_security, but the occasional user still figures out that they can add a SecFilterEngine Off line in .htaccess and the next thing you know they're sending their 50,000 closest friends information on a great pharmacy in Canada that ships ci4-L1ss right to your door.
What Linux does for us is keep these problems isolated to the user accounts. We've had exactly one box rooted in the last five years, which ain't perfect but ain't bad either, considering the number of attempts we attract. So, yes, run Linux and Apache, and keep them patched and locked down. Watch your logs. Keep good backups and know how to roll them back onto a server. But don't think that's going to keep your website safe from Turkish script kiddies.