Slashdot Mirror

← Back to Stories (view on slashdot.org)

First Botnet of Linux Web Servers Discovered

Posted by kdawson on from the shields-up dept.

The Register writes up a Russian security researcher who has uncovered a Linux webserver botnet that is coordinating with a more conventional home-based botnet of Windows machines to distribute malware. "Each of the infected machines examined so far is a dedicated or virtual dedicated server running a legitimate website, Denis Sinegubko, an independent researcher based in Magnitogorsk, Russia, told The Register. But in addition to running an Apache webserver to dish up benign content, they've also been hacked to run a second webserver known as nginx, which serves malware [on port 8080]. 'What we see here is a long awaited botnet of zombie web servers! A group of interconnected infected web servers with [a] common control center involved in malware distribution,' Sinegubko wrote. 'To make things more complex, this botnet of web servers is connected with the botnet of infected home computer(s).'"

30 of 254 comments (clear)

  1. Ok, so I got the popcorn ready.... by Kjella · · Score: 4, Insightful

    Just waiting for the flamefest here of Linux vs Windows botnets.

    --
    Live today, because you never know what tomorrow brings
    1. Re:Ok, so I got the popcorn ready.... by symbolset · · Score: 5, Funny

      Just waiting for the flamefest here of Linux vs Windows botnets.

      OK, I'll start. Linux webservers are so lame they don't even include the facility for users to disable them remotely in case of malware distribution.

      --
      Help stamp out iliturcy.
    2. Re:Ok, so I got the popcorn ready.... by easyTree · · Score: 5, Funny

      Just waiting for the flamefest here of Linux vs Windows botnets.

      It's nice to see Lo0niX has advanced to the point where it can now successfully run botnet software. I'll bet there's no gui though. I'm not up on linux commands so don't laugh but I'll wager it's something like:
        * apt get b0tnet -s -x9 -secret -warez -pr0n -infectWindows=1 -p

      Rather than the point-and-click convenience you'd expect on windows.

      Maybe games are next? Quake-n for linux would be nice.

      How's that? :D

      --
      Requiem for the American Dream
    3. Re:Ok, so I got the popcorn ready.... by Timothy+Brownawell · · Score: 4, Informative

      This isn't technically a botnet: [...] These are simply rootkitted servers and they appear to have been done manually. The unique aspect of this is that it seems to be coordinated,

      Which is what makes it a botnet.

      so the MS astroturf team has decided to call it a "botnet".

      "define: botnet" ... I see nothing in there that precludes manually-compromised systems.

    4. Re:Ok, so I got the popcorn ready.... by LaskoVortex · · Score: 5, Funny

      Rather than the point-and-click convenience you'd expect on windows.

      It's not that easy on MS windows. After you click the link to the tennis player nudie pix, your machine locks up. Then you have to *hard reboot* (without the help of the blue screen to let you know your computer crashed). Only after you hard reboot, usually by pulling the power cord all the way out, can you run the botnet software.

      Windows really isn't as user friendly for botnets as everyone thinks it is. I hope 7 does better.

      --
      Just callin' it like I see it.
    5. Re:Ok, so I got the popcorn ready.... by Timothy+Brownawell · · Score: 5, Insightful

      I suspect you are astroturfing for MS here

      And I suspect that you are a troll.

      and so will want "botnet" to mean "any set of two or more compromised computers". But that definition means that the number of windows botnets would be astronomical, so be careful about your definitions.

      Did you even read what I linked to? A botnet is a collection of compromised computers that share a Command and Control channel.

      Instead I propose the following definition:

      Because the generally accepted definitions don't suit your purpose?

    6. Re:Ok, so I got the popcorn ready.... by NewbieProgrammerMan · · Score: 5, Insightful

      ...so the MS astroturf team has decided to call it a "botnet".

      I'm curious--how can I tell when an idea is being promoted by the "MS astroturf team" and not by regular not-so-clueful reporters that might mistakenly use the wrong term?

      --
      [b.belong('us') for b in bases if b.owner() == 'you']
    7. Re:Ok, so I got the popcorn ready.... by Kjella · · Score: 4, Funny

      Rather than the point-and-click convenience you'd expect on windows.

      Actually, they found Amazon had patented that so they had to go with the no-click experience. Got to respect corporate IP, you know.

      --
      Live today, because you never know what tomorrow brings
    8. Re:Ok, so I got the popcorn ready.... by Anpheus · · Score: 4, Funny

      As a user of Windows 7, I found it exceedingly helpful. I was pleased when Clippy popped up and said, "It looks like you're trying to infect your computer, do you want some help?" At which point Clippy showed me how to use Aero Shake(tm) to get rid of all the distracting popups that would divert me from trying to find the source of all malware. After I encountered a fork in the road, so to speak, Clippy demonstrated Aero Snap(tm) so I could compare the sites I was surfing side by side. At long last, I found truly good malware on a *stan website. Top level domain was for some country like Miyagistan. Thankfully, I bought Windows(tm) 7 Ultimate Edition(tm) and downloaded the appropriate language pack so the viruses I downloaded would be more at home.

      Running it was as easy as clicking on it and clicking "Continue." Ever since then I've been living in a peaceful coexist

    9. Re:Ok, so I got the popcorn ready.... by mysidia · · Score: 5, Informative

      Botnets do not have to be self propagating. The very first botnets were on IRC.

      Where in fact, the machines weren't compromised. The owners of the machines actually ran the code (commonly Eggdrop) and voluntarily joined their bots to the botnet. They weren't even malicious.

      The term "botnet" does not imply a network of compromised hosts, or even malware. It refers to a network of robotic agents that are in communication with each other.

      Botnets were commonly used to form shared "party lines", to allow people to DCC CHAT their Eggdrop bots and communicate with people visiting from other channels, and other IRC networks.

      At first, these were used only for communication, people joined the botnets to chat with each other, there was no way to control other bots.

      At some point, some of the botnets got pretty large...

      Some of the botnets had a feature where a trusted "bot owner" or "bot master" as they were called, could be made "botnet admins" by bots they were peering with... allowing these botnet admins to command other hosts to do certain things on IRC

      Some botnets had member nodes run scripts that were able to do things like pingflood a user off IRC.

      This would be commonly used if some bad boy had taken over a popular channel. Ping flooding a user off IRC is undesired by the victim, but one time, it may have been used to encounter other hacking techniques the "victim" of the flood had been using to sabotage IRC channels.

      At some point, some IRC botnets started getting formed whose sole purpose was to flood.

      Eventually the term escaped IRC... other types of botnets started forming like Peer to Peer ones, smart ones that automatically added nodes (instead of two botnet admins deciding to interconnect), and botnets whose sole purpose was to accept commands from a central point.

      But the point is, the notion of a "Bot" and a "Botnet" has an origin that causes the term to not imply self replication.

    10. Re:Ok, so I got the popcorn ready.... by Giometrix · · Score: 4, Funny

      servers don't roam the net -- the net roams them (google, etc.)

      Wait you forgot the "Soviet" part.

      --
      Download free e-books, lectures, and tutorials at bookgoldmine.com
    11. Re:Ok, so I got the popcorn ready.... by laughingcoyote · · Score: 4, Insightful

      Only an idiot would claim that servers being compromised because admins choose to send passwords over the internet in plain text proves anything about how secure the software running on those servers is.

      Ah.....OK, I expect LOTS of such claims.

      Realistically, that depends. Part of secure design is accounting for potential user errors. That's why it's a good practice to have the password, when typed, appear as "********" rather than "heythisismypasswordanyonewatching". A good designer would know many users aren't going to look around for someone casually shoulder surfing while typing a password, so they take a step to prevent it.

      Of course, no software developer can fully account for a malfunctioning behind keyboard processing unit. Idiots are even more persistent than crackers in finding new ways to circumvent security measures. However, it can to some degree mitigate its effects, through making things as secure as possible and warning the user if (s)he is about to do something that might compromise it.

      --
      To fight the war on terror, stop being afraid.
    12. Re:Ok, so I got the popcorn ready.... by Zero__Kelvin · · Score: 5, Insightful

      You clearly need to look up the word robot ;-) In the mean time, since I know that a robot is an autonomic system I am aware that an network robot must necessarily be autonomous as well.

      And BTW, this article does not claim that Linux was hacked. It claims that peoples websites were hacked, and those websites happen to be hosted on Linux. Nothing to see here, no botnet, and no hacked Linux kernel. Just poor system administration allowing FTP password sniffing, etc. The whole thing is sensationalist bullshit.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    13. Re:Ok, so I got the popcorn ready.... by thePowerOfGrayskull · · Score: 4, Insightful

      ...so the MS astroturf team has decided to call it a "botnet".

      I'm curious--how can I tell when an idea is being promoted by the "MS astroturf team" and not by regular not-so-clueful reporters that might mistakenly use the wrong term?

      Dude, this is slashdot. That means that anything with a potentially pro-microsoft spin obviously came straight from MS PR... Erm, M$ PR. Shit, I think they're about to catch onto me too, I hope nobody saw that...

  2. Linux by Anonymous Coward · · Score: 5, Funny

    It's ready for the botnet!

    1. Re:Linux by noidentity · · Score: 5, Funny

      Maybe the year of the Linux desktop is near, with the OS finally getting a botnet that doesn't require Wine to run. Take that, Apple!

  3. Stupid people use linux too by tetsukaze · · Score: 5, Insightful

    We can blame our hate pet OS for all of the internet evil out there, but we need to remember one important thing: people are almost always the week link in security. If someone knows what they are doing, it is very hard to penetrate a linux server... or a windows server. There will always be those that can break through the best security, but there is a lot of low hanging fruit and not just on the windows tree.

    1. Re:Stupid people use linux too by FlyingBishop · · Score: 5, Insightful

      Actually, I would say the people to blame are those hosting providers who keep using ftp with weak usernames and weak passwords as the preferred way to access your website.

      There was a time when the client software was insufficient to the task, that time is long gone. WinSCP is mature and easy to use. No, browsers don't offer sftp:// support natively, but the browser is not very secure anyway. Hosting providers need to get their heads out of the sand and upgrade to secure authentication.

    2. Re:Stupid people use linux too by bjourne · · Score: 4, Interesting

      Well, it seems that stupid people actually *build* linux too!

      --
      Football Odds
    3. Re:Stupid people use linux too by mcrbids · · Score: 4, Insightful

      1. Where was the firewall admin to prevent external systems from connecting to these webservers over port 8080?
      2. Why did the admins use insecure tools or insecure systems to allow their credentials to be sniffed?
      3. Where was the IDS/IPS to notice the sudden change in traffic?
      4. Where was the load balancer/reverse proxy to intecept this junk?
      5. Where was the routine review of logs to notice the dynamic DNS updates from computers with (presumably) static DNS entries somewhere?
      6. Where was the periodic pen/vulnerability test against these systems?

      ...

      7) Where was the funding to pay for 1 through 6?

      --
      I have no problem with your religion until you decide it's reason to deprive others of the truth.
  4. And here it comes by Anonymous Coward · · Score: 4, Funny

    Does this mean Linux finally has reached a point of user friendliness equal to Windows?

    1. Re:And here it comes by swilly · · Score: 4, Funny

      Unfortunately not. It appears that the servers were manually hacked, which is far less user friendly than the automated hacks that Windows makes so very easy.

      Linux still has a ways to go, I'm afraid.

  5. Reporters Fail by 99BottlesOfBeerInMyF · · Score: 5, Informative

    The only part of this article that is news is the part that is incorrect. Botnets of Windows machines often have compromised Linux servers working as a control channel or update channel. It is not at all unusual. What would be unusual would be for a worm or virus to actually compromise Linux machines in an automated fashion and make them bots. That does not seem to be what has happened here as the Linux systems seem to have been manually hacked in a normal, directed attack.

    Basicaly, nothing new or newsworthy happened here, except someone mistakenly referred to the compromised Linux servers as bots.

    1. Re:Reporters Fail by burnin1965 · · Score: 4, Insightful

      It is not at all unusual. What would be unusual would be for a worm or virus to actually compromise Linux machines in an automated fashion and make them bots.

      There is a continuous flood of SSH brute force attacks on any *nix machine connected to the internet. All one has to do is monitor their log files for verification.

      They are not even sophisticated attacks, they are attempting to login using lame passwords, i.e. after watching the attacks for awhile I set up a box to see what they were doing and created a user name test with the password test based on the fact I could see them using test as one of the users for the attack and suspecting it was a dumb password attack.

      It wasn't long before the system was "compromised" and likely recorded on the other end as a successful attack. Several hours later the account was again accessed and various applications downloaded and executed as the test user. One of these applications connected to the EFNET IRC network and joined a channel.

      Using another system I connected to the IRC network in way I thought would be inconspicuous and monitored what was happening. Sure enough there were two individuals chatting it up in the channel and sending commands to hundreds of compromised systems.

      While reviewing the various compromised systems I noted that they were all *nix machines of one type or another. This was a few years back so I believe you are correct in stating that this is nothing new. What would have been new is if a botnet like this was discovered to be from a real hack and not some lame password login scan.

      I don't have a problem with it being called a linux botnet, but until they can come up with an explanation for the means by which the systems were compromised, other than the likely lame password attacks, its not really news.

  6. stolen root credential by pikine · · Score: 4, Insightful

    The article speculated that, since the iframe code was injected to legitimate webpages using stolen FTP credentials, it may be that a few "root" credentials are obtained the same way. FTP credentials can be stolen by malware running on the client computer, for example a computer an admin uses to control the server, from well-known FTP client software.

    --
    I once had a signature.
  7. nginx? by Anonymous Coward · · Score: 5, Funny

    nginx, so that's what the worm is called? I'd better check my company's webservers so they aren't running this evil hacker malware.

    Oh my... all of them had been infected. No worries though, I managed to clean them all up. A good day's work well done.

  8. You could be right by DrJimbo · · Score: 4, Insightful
    Actually, you might be correct. FTFA:

    It's unclear exactly how the servers have become infected. Sinegubko speculates they belong to careless administrators who allowed their root passwords to be sniffed.

    ... With about 100 nodes, the network is relatively small, making it unclear exactly what the attackers' intentions are.

    If Sinegubko is right and the attack vector was sniffed passwords, then it is likely that those passwords got sniffed by an existing Windows Botnet.

    --
    We don't see the world as it is, we see it as we are.
    -- Anais Nin
  9. Re:Missing in the summary by rohan972 · · Score: 4, Funny

    "With about 100 nodes". The average windows botnet (at least the one that make into the news) have from hundreds of thousands to millons of nodes.

    That's irrelevant. A linux botnet would be so much more productive than a windows botnet that you don't need nearly as many nodes.<\straightface>

    --
    http://marriedmansexlife.com/
  10. packagement mgmt and repos play a small role here by drougie · · Score: 5, Interesting

    It's nice to be able to apt-get yourself the latest stable copy of apache2 and php5 and mysql and postfix humming with just a command or two, also nice to be able to apt-get upgrade them after you apt-got updated. Those who maintain, clean and contribute to the large public repositories that apt and yum and rpm and pkg_add, good people and they generally do a bang up job for 99% of the Linux and UNIX and UNIX-like folks. However, when you maintain servers which are not completely hidden behind a nat with these programs for years and once in a blue moon compile something you downloaded in a gzipped tar, you put yourself on admin autopilot and that can bite you in the ass.

    Give you one example: I installed RoundCube, the most badass webmail client there will ever be, ever, with apt (the first time). Ran it for a while without incident. Had my system on weekly cron apt updates so I figured I was safe. Eventually I discover someone made it onto my system and put a malware installing js line in my web pages. Looking through the guy's bash history I discovered they got in through a RoundCube vulnerability. I checked out RoundCube's site, something I should have done first thing but did not, and it turns out their stable version was much newer than what apt realized and that this vulnerability would not have been on my system about five months ago had I downloaded straight from their site and stayed on the ball with their support resources which are things that are less necessary when you just let apt-get rip.

    Bottom line, apt-get update/upgrading would not patch a glaring vulnerability in software I found with apt originally with the default Debian sources.list and I doubt it would have on most other distros' package management systems. It wasn't RoundCube's fault, the patched release was their Stable build for a long time but I was left wide open to anyone who went on a rootkit site and googled for roundcube hosts and I got nailed. Learned my lesson and I don't fault the repository maintainers for being behind the ball a bit on less popular software in their enormous archives but if you ask me software should not be available on the default repositories for Linux variants that the maintainers are not confident that they can keep up to date or don't have some kind of way to be quickly and effectively notified by the authors/vendors in the event of a critical upgrade being available and to put it live right quick. Put it on the people who want to install such software themselves -- if they can make it past that hump I'd say their odds of running the software safely will be substantially higher than Joe Yum. And spreading awareness of cvs/svn would be nice too.

    Can't believe I just admitted I got compromised.

    --
    Calling out bogus battery capacity claims.
  11. This has been happening for a LONG time... by mcrbids · · Score: 4, Informative

    Back around 2001, I found a "botnet" comprising a perl script that ran on websites. Because it ran as a child of Apache, it showed up as "http" in ps. It would log into an IRC server, and wait for commands which appeared to be little more than arbitrary bash commands that were shelled out.

    Bone-headedly simple. Ran well on any unix website host running perl scripts, installed via an insecure formmail.pl script. I penetrated the IRC network and watched for a few hours while the operator attacked a few hosts. There were some 50 hosts or so. Then I killed the script and updated all copies of formmail.pl hosted on the server...

    Is this new news?

    What's next? "Hammers can be used to smack things, even if they aren't nails." !?!?!

    Truth is this: no operating system is 100% secure. But this "botnet" isn't necessarily even a compromise of the Operating System! Port 8080 is above 1024, so non-root controlled processes can open sockets there. This may be nothing more than something like the perl script I mentioned and having nothing to do with the Operating System in question. The server wasn't compromised, just a bad script was running that had to be deleted, then killed with an Apache restart.

    Given the parameters I just mentioned, there isn't an Operating System around that would stop this from happening. It's just that the "Mom's basement" fanbois get all riled up because it's gospel that Linux is immune to $allBadThings.

    --
    I have no problem with your religion until you decide it's reason to deprive others of the truth.