Slashdot Mirror

← Back to Stories (view on slashdot.org)

First Botnet of Linux Web Servers Discovered

Posted by kdawson on from the shields-up dept.

The Register writes up a Russian security researcher who has uncovered a Linux webserver botnet that is coordinating with a more conventional home-based botnet of Windows machines to distribute malware. "Each of the infected machines examined so far is a dedicated or virtual dedicated server running a legitimate website, Denis Sinegubko, an independent researcher based in Magnitogorsk, Russia, told The Register. But in addition to running an Apache webserver to dish up benign content, they've also been hacked to run a second webserver known as nginx, which serves malware [on port 8080]. 'What we see here is a long awaited botnet of zombie web servers! A group of interconnected infected web servers with [a] common control center involved in malware distribution,' Sinegubko wrote. 'To make things more complex, this botnet of web servers is connected with the botnet of infected home computer(s).'"

6 of 254 comments (clear)

  1. Re:Reporters Fail by 99BottlesOfBeerInMyF · · Score: 3, Interesting

    Well, you are assuming that calling a machine a bot is dependent on the fact it was infected.

    Not really. Calling a machine a bot or zombie is generally an indication that they are the regular "peon" part of a botnet. I mean technically the control channel and update channel and the terminals machines the operator is using are part of the botnet. They just are not generally referred to as bots because they are part of the system doing the controlling instead of being the end systems used to launch attacks.

    My main point was, the summary and title here led readers who use the specific terms one way to think that is what was happening. The comments from researchers led people to think that. That is why this was news. It's not news to discover Linux systems hacked by hand are being used to control Windows bots, because that happens all the time and is, perhaps, the most common kind of botnet.

  2. Re:Missing in the summary by eln · · Score: 3, Interesting

    A Windows machine being run by someone who cares about security and updates it regularly won't end up in a botnet either, so I'm not sure what your point is.

  3. Re:Stupid people use linux too by bjourne · · Score: 4, Interesting

    Well, it seems that stupid people actually *build* linux too!

    --
    Football Odds
  4. packagement mgmt and repos play a small role here by drougie · · Score: 5, Interesting

    It's nice to be able to apt-get yourself the latest stable copy of apache2 and php5 and mysql and postfix humming with just a command or two, also nice to be able to apt-get upgrade them after you apt-got updated. Those who maintain, clean and contribute to the large public repositories that apt and yum and rpm and pkg_add, good people and they generally do a bang up job for 99% of the Linux and UNIX and UNIX-like folks. However, when you maintain servers which are not completely hidden behind a nat with these programs for years and once in a blue moon compile something you downloaded in a gzipped tar, you put yourself on admin autopilot and that can bite you in the ass.

    Give you one example: I installed RoundCube, the most badass webmail client there will ever be, ever, with apt (the first time). Ran it for a while without incident. Had my system on weekly cron apt updates so I figured I was safe. Eventually I discover someone made it onto my system and put a malware installing js line in my web pages. Looking through the guy's bash history I discovered they got in through a RoundCube vulnerability. I checked out RoundCube's site, something I should have done first thing but did not, and it turns out their stable version was much newer than what apt realized and that this vulnerability would not have been on my system about five months ago had I downloaded straight from their site and stayed on the ball with their support resources which are things that are less necessary when you just let apt-get rip.

    Bottom line, apt-get update/upgrading would not patch a glaring vulnerability in software I found with apt originally with the default Debian sources.list and I doubt it would have on most other distros' package management systems. It wasn't RoundCube's fault, the patched release was their Stable build for a long time but I was left wide open to anyone who went on a rootkit site and googled for roundcube hosts and I got nailed. Learned my lesson and I don't fault the repository maintainers for being behind the ball a bit on less popular software in their enormous archives but if you ask me software should not be available on the default repositories for Linux variants that the maintainers are not confident that they can keep up to date or don't have some kind of way to be quickly and effectively notified by the authors/vendors in the event of a critical upgrade being available and to put it live right quick. Put it on the people who want to install such software themselves -- if they can make it past that hump I'd say their odds of running the software safely will be substantially higher than Joe Yum. And spreading awareness of cvs/svn would be nice too.

    Can't believe I just admitted I got compromised.

    --
    Calling out bogus battery capacity claims.
  5. Re:packagement mgmt and repos play a small role he by drougie · · Score: 3, Interesting

    Firstly, it's my fault for running a webmail client I got from browsing through apt-cache, installed with apt-get and configured mostly with dpkg-reconfigure instead of grabbing the official current build and reading the readme and man pages and faq, and doing this on a somewhat important machine. Did the same thing with Gallery and PHPNuke several years ago. Even webmin in my reckless and stupid experimental days. That's painting a target on yourself to get malware on your sites and start running irc bots or worse. Have you looked at some of these rootkit sites? Disturbing how finding and proliferating vulnerabilities in Linux, not just MS, is a full-time hobby/living for so many people. Then you install something like snort from apt-get thinking Yeah I'm on top of my security now, but you have no idea that you're using a six month old release of software with a demo package of ancient rules when it needs heavy configuration that dpkg doesn't handle and fresh rules with a subscription and a key in the right place to be effective.

    That said, yeah, Debian's reputation for waiting a ... conservative amount of time to make new releases of various software available on their repositories, whether it's gimp or gaim or kde or nmap, maybe I assumed that that behavior of deliberately (?) waiting a little while longer than the rest of the world to catch up to the developers' latest releases for the sake of not releasing anything that may contribute to snafus, that Debian's actually doing what's best for me. Maybe my roundcube adventure was anomalous. Regardless, I love Debian, I certainly love apt (so much I just tried Debian KFreeBSD to hang onto apt). By naming the package management systems of the other distros/OSs I was trying to suggest another point that Linux is becoming too easy. Lower learning curve, more people who may make my mistake and surrender their machines to China, Russia and 4chan by installing the wrong package.

    It would be great if apt had svn/cvs behavior embedded into it to somehow investigate whether or not everything on your system is up to date by logging not just onto Debian's repositories but to servers maintained by developers. Can't expect apt to then install the next version but just to let me know what it found so I could deal with it myself. Maybe such a thing already exists -- guess I should apt-cache search it. :P

    --
    Calling out bogus battery capacity claims.
  6. Re:Ok, so I got the popcorn ready.... by Matz0r · · Score: 3, Interesting

    Manually compromising servers and installing a tool that causes all those servers to rendezvous with or receive commands from a central control point to execute instructions would make them a botnet.

    The key question would be: do the compromised servers also run a program that periodically polls a control station for commands, or does the script kiddie manually command individual compromised servers?

    I actually encountered this a few years ago, a Red Hat box had been carelessly placed on the internet with a poor dba username password combo. The attacker had not gained root access. But he did manage to install zombie software on the computer in /var/tmp, which consisted of a small web-server serving malicious code and a custom ssl-irc client configured to connect to the botnet owners irc server.

    Curious, I took a copy of the software he had installed before I wiped the server. I then proceeded to connect to his irc server using the credentials found in the zombie software. I ended up in an irc channel with the actual owner of the botnet sitting there. Because I kept my servers original irc-name he started prodding me with dcc-commands to find out the status of his returning zombie. After a while I responded and told him he had been discovered, we had a brief chat before he banned me from the irc-server. Seemed like a script kiddie, he used "LOL" in every sentence and lots of numbers, the net seemed to be run manually with some 30 "clients" in it. I gave his client IP to his ISP in Romania together with the logs, doubt anything came out of it though.