First Botnet of Linux Web Servers Discovered

The Register writes up a Russian security researcher who has uncovered a Linux webserver botnet that is coordinating with a more conventional home-based botnet of Windows machines to distribute malware. "Each of the infected machines examined so far is a dedicated or virtual dedicated server running a legitimate website, Denis Sinegubko, an independent researcher based in Magnitogorsk, Russia, told The Register. But in addition to running an Apache webserver to dish up benign content, they've also been hacked to run a second webserver known as nginx, which serves malware [on port 8080]. 'What we see here is a long awaited botnet of zombie web servers! A group of interconnected infected web servers with [a] common control center involved in malware distribution,' Sinegubko wrote. 'To make things more complex, this botnet of web servers is connected with the botnet of infected home computer(s).'"

Re:Stupid people use linux too

[bjourne]

Well, it seems that stupid people actually *build* linux too!

packagement mgmt and repos play a small role here

[drougie]

It's nice to be able to apt-get yourself the latest stable copy of apache2 and php5 and mysql and postfix humming with just a command or two, also nice to be able to apt-get upgrade them after you apt-got updated. Those who maintain, clean and contribute to the large public repositories that apt and yum and rpm and pkg_add, good people and they generally do a bang up job for 99% of the Linux and UNIX and UNIX-like folks. However, when you maintain servers which are not completely hidden behind a nat with these programs for years and once in a blue moon compile something you downloaded in a gzipped tar, you put yourself on admin autopilot and that can bite you in the ass.

Give you one example: I installed RoundCube, the most badass webmail client there will ever be, ever, with apt (the first time). Ran it for a while without incident. Had my system on weekly cron apt updates so I figured I was safe. Eventually I discover someone made it onto my system and put a malware installing js line in my web pages. Looking through the guy's bash history I discovered they got in through a RoundCube vulnerability. I checked out RoundCube's site, something I should have done first thing but did not, and it turns out their stable version was much newer than what apt realized and that this vulnerability would not have been on my system about five months ago had I downloaded straight from their site and stayed on the ball with their support resources which are things that are less necessary when you just let apt-get rip.

Bottom line, apt-get update/upgrading would not patch a glaring vulnerability in software I found with apt originally with the default Debian sources.list and I doubt it would have on most other distros' package management systems. It wasn't RoundCube's fault, the patched release was their Stable build for a long time but I was left wide open to anyone who went on a rootkit site and googled for roundcube hosts and I got nailed. Learned my lesson and I don't fault the repository maintainers for being behind the ball a bit on less popular software in their enormous archives but if you ask me software should not be available on the default repositories for Linux variants that the maintainers are not confident that they can keep up to date or don't have some kind of way to be quickly and effectively notified by the authors/vendors in the event of a critical upgrade being available and to put it live right quick. Put it on the people who want to install such software themselves -- if they can make it past that hump I'd say their odds of running the software safely will be substantially higher than Joe Yum. And spreading awareness of cvs/svn would be nice too.

Can't believe I just admitted I got compromised.