Slashdot Mirror


First Botnet of Linux Web Servers Discovered

The Register writes up a Russian security researcher who has uncovered a Linux webserver botnet that is coordinating with a more conventional home-based botnet of Windows machines to distribute malware. "Each of the infected machines examined so far is a dedicated or virtual dedicated server running a legitimate website, Denis Sinegubko, an independent researcher based in Magnitogorsk, Russia, told The Register. But in addition to running an Apache webserver to dish up benign content, they've also been hacked to run a second webserver known as nginx, which serves malware [on port 8080]. 'What we see here is a long awaited botnet of zombie web servers! A group of interconnected infected web servers with [a] common control center involved in malware distribution,' Sinegubko wrote. 'To make things more complex, this botnet of web servers is connected with the botnet of infected home computer(s).'"

4 of 254 comments

  1. Reporters Fail by 99BottlesOfBeerInMyF · Score: 5, Informative

    The only part of this article that is news is the part that is incorrect. Botnets of Windows machines often have compromised Linux servers working as a control channel or update channel. It is not at all unusual. What would be unusual would be for a worm or virus to actually compromise Linux machines in an automated fashion and make them bots. That does not seem to be what has happened here as the Linux systems seem to have been manually hacked in a normal, directed attack.

    Basically, nothing new or newsworthy happened here, except someone mistakenly referred to the compromised Linux servers as bots.

  2. Re:Ok, so I got the popcorn ready.... by Timothy Brownawell · Score: 4, Informative

    This isn't technically a botnet: [...] These are simply rootkitted servers and they appear to have been done manually. The unique aspect of this is that it seems to be coordinated,

    Which is what makes it a botnet.

    so the MS astroturf team has decided to call it a "botnet".

    "define: botnet" ... I see nothing in there that precludes manually-compromised systems.

  3. Re:Ok, so I got the popcorn ready.... by mysidia · Score: 5, Informative

    Botnets do not have to be self propagating. The very first botnets were on IRC.

    Where in fact, the machines weren't compromised. The owners of the machines actually ran the code (commonly Eggdrop) and voluntarily joined their bots to the botnet. They weren't even malicious.

    The term "botnet" does not imply a network of compromised hosts, or even malware. It refers to a network of robotic agents that are in communication with each other.

    Botnets were commonly used to form shared "party lines", to allow people to DCC CHAT their Eggdrop bots and communicate with people visiting from other channels, and other IRC networks.

    At first, these were used only for communication, people joined the botnets to chat with each other, there was no way to control other bots.

    At some point, some of the botnets got pretty large...

    Some of the botnets had a feature where a trusted "bot owner" or "bot master" as they were called, could be made "botnet admins" by bots they were peering with... allowing these botnet admins to command other hosts to do certain things on IRC

    Some botnets had member nodes run scripts that were able to do things like pingflood a user off IRC.

    This would be commonly used if some bad boy had taken over a popular channel. Ping flooding a user off IRC is undesired by the victim, but one time, it may have been used to encounter other hacking techniques the "victim" of the flood had been using to sabotage IRC channels.

    At some point, some IRC botnets started getting formed whose sole purpose was to flood.

    Eventually the term escaped IRC... other types of botnets started forming like Peer to Peer ones, smart ones that automatically added nodes (instead of two botnet admins deciding to interconnect), and botnets whose sole purpose was to accept commands from a central point.

    But the point is, the notion of a "Bot" and a "Botnet" has an origin that causes the term to not imply self replication.

  4. This has been happening for a LONG time... by mcrbids · Score: 4, Informative

    Back around 2001, I found a "botnet" comprising a perl script that ran on websites. Because it ran as a child of Apache, it showed up as "http" in ps. It would log into an IRC server, and wait for commands which appeared to be little more than arbitrary bash commands that were shelled out.

    Bone-headedly simple. Ran well on any unix website host running perl scripts, installed via an insecure formmail.pl script. I penetrated the IRC network and watched for a few hours while the operator attacked a few hosts. There were some 50 hosts or so. Then I killed the script and updated all copies of formmail.pl hosted on the server...

    Is this new news?

    What's next? "Hammers can be used to smack things, even if they aren't nails." !?!?!

    Truth is this: no operating system is 100% secure. But this "botnet" isn't necessarily even a compromise of the Operating System! Port 8080 is above 1024, so non-root controlled processes can open sockets there. This may be nothing more than something like the perl script I mentioned and having nothing to do with the Operating System in question. The server wasn't compromised, just a bad script was running that had to be deleted, then killed with an Apache restart.

    Given the parameters I just mentioned, there isn't an Operating System around that would stop this from happening. It's just that the "Mom's basement" fanbois get all riled up because it's gospel that Linux is immune to $allBadThings.

    --
    I have no problem with your religion until you decide it's reason to deprive others of the truth.
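The signs of compromise that the article and mcrbids describe (a web-user process that shows up as "http" in ps but is really perl, an outbound connection to an IRC server, a second web server bound to 8080 from a directory the web user can write to) can be checked mechanically on a suspect host. The following is an added example, not code from The Register article or from any commenter in the thread. It parses constructed `ps -eo pid,ppid,user,comm,args` and `ss -tnpa` output; the sample lines, pids, uids, ports and paths are all made up for the demonstration, and the sets of web-server users, IRC ports, expected listening ports and scratch directories are assumptions to adjust for the host being examined.

```python
"""Triage a web host for an unauthorised second server or an IRC bot
running under the web server's uid.

Added example, not from the Slashdot thread or The Register article.
PS_SAMPLE and SS_SAMPLE are constructed to look like the output of
`ps -eo pid,ppid,user,comm,args` and `ss -tnpa`; on a live host, feed
triage() the real output of those commands."""

import re
from collections import defaultdict

WEB_USERS = {"www-data", "apache", "httpd", "nobody"}   # assumption: the web server's uids
IRC_PORTS = {6667, 6697, 7000}                          # assumption: common IRC ports
EXPECTED_LISTEN_PORTS = {80, 443}                        # assumption: the only legitimate listeners
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")       # assumption: world-writable drop locations

# Constructed sample: one forked perl bot masquerading as "http", one rogue
# nginx started from /tmp, plus ordinary apache and sshd processes.
PS_SAMPLE = """\
  PID  PPID USER     COMMAND  ARGS
    1     0 root     init     /sbin/init
 1203     1 root     apache2  /usr/sbin/apache2 -k start
 1210  1203 www-data apache2  /usr/sbin/apache2 -k start
 1211  1203 www-data apache2  /usr/sbin/apache2 -k start
 1499  1210 www-data http     /usr/bin/perl /tmp/.x/bot.pl
 1533     1 www-data nginx    nginx: master process /tmp/.n/nginx -c /tmp/.n/nginx.conf
 1534  1533 www-data nginx    nginx: worker process
 2001     1 root     sshd     /usr/sbin/sshd -D
"""

SS_SAMPLE = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port   Process
LISTEN 0      128    0.0.0.0:80         0.0.0.0:*           users:(("apache2",pid=1203,fd=4))
LISTEN 0      128    0.0.0.0:8080       0.0.0.0:*           users:(("nginx",pid=1533,fd=6))
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*           users:(("sshd",pid=2001,fd=3))
ESTAB  0      0      10.0.0.5:51234     198.51.100.7:6667   users:(("http",pid=1499,fd=3))
ESTAB  0      0      10.0.0.5:80        203.0.113.9:44321   users:(("apache2",pid=1211,fd=9))
"""

SS_RE = re.compile(
    r'^(?P<state>\S+)\s+\d+\s+\d+\s+\S+:(?P<lport>\d+|\*)\s+\S+:(?P<rport>\d+|\*)'
    r'\s+users:\(\("[^"]*",pid=(?P<pid>\d+)')


def parse_ps(text):
    """Return {pid: (ppid, user, comm, args)}; non-process lines (the header) are skipped."""
    procs = {}
    for line in text.splitlines():
        parts = line.split(None, 4)
        if len(parts) < 5:
            continue
        try:
            pid, ppid = int(parts[0]), int(parts[1])
        except ValueError:
            continue
        procs[pid] = (ppid, parts[2], parts[3], parts[4])
    return procs


def parse_ss(text):
    """Return [(state, local_port, remote_port, pid)] for sockets that ss attributes to a pid."""
    socks = []
    for line in text.splitlines():
        m = SS_RE.match(line)
        if not m:
            continue
        lport = int(m["lport"]) if m["lport"] != "*" else None
        rport = int(m["rport"]) if m["rport"] != "*" else None
        socks.append((m["state"], lport, rport, int(m["pid"])))
    return socks


def triage(ps_text, ss_text):
    """Return {pid: [reasons]} for processes matching the thread's indicators."""
    procs = parse_ps(ps_text)
    findings = defaultdict(list)

    for pid, (ppid, user, comm, args) in procs.items():
        # The name ps shows (comm) versus the executable on the command line.
        # "nginx: master process ..." style titles are normalised by stripping the colon.
        exe = args.split()[0].rstrip(":").rsplit("/", 1)[-1]
        if exe != comm:
            findings[pid].append(f"process name {comm!r} does not match executable {exe!r}")
        if user in WEB_USERS and any(tok.startswith(SCRATCH_DIRS) for tok in args.split()):
            findings[pid].append(f"web-user process runs from a scratch directory: {args}")

    for state, lport, rport, pid in parse_ss(ss_text):
        if pid not in procs:
            continue
        user = procs[pid][1]
        if state == "LISTEN" and user in WEB_USERS and lport not in EXPECTED_LISTEN_PORTS:
            findings[pid].append(f"web-user process listening on unexpected port {lport}")
        if state == "ESTAB" and user in WEB_USERS and rport in IRC_PORTS:
            findings[pid].append(f"web-user process connected to IRC port {rport}")

    # A worker forked by a flagged master (the rogue nginx) is flagged with it.
    for pid, (ppid, user, comm, args) in procs.items():
        if ppid in findings and pid not in findings:
            findings[pid].append(f"child of suspicious pid {ppid}")
    return dict(findings)


if __name__ == "__main__":
    for pid, reasons in sorted(triage(PS_SAMPLE, SS_SAMPLE).items()):
        print(pid)
        for reason in reasons:
            print("   ", reason)
```

The comm-versus-command-line check is only a first pass: a perl bot can rewrite `$0`, which changes what ps prints in both columns, so on a live host confirm any hit against `/proc/<pid>/exe` and `/proc/<pid>/cwd`, which `$0` cannot alter. The bot and the rogue nginx here would both still be caught by the scratch-directory, IRC and unexpected-listener rules, which is why the script reports every reason rather than stopping at the first.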