Slashdot Mirror


First Botnet of Linux Web Servers Discovered

The Register writes up a Russian security researcher who has uncovered a Linux webserver botnet that is coordinating with a more conventional home-based botnet of Windows machines to distribute malware. "Each of the infected machines examined so far is a dedicated or virtual dedicated server running a legitimate website, Denis Sinegubko, an independent researcher based in Magnitogorsk, Russia, told The Register. But in addition to running an Apache webserver to dish up benign content, they've also been hacked to run a second webserver known as nginx, which serves malware [on port 8080]. 'What we see here is a long awaited botnet of zombie web servers! A group of interconnected infected web servers with [a] common control center involved in malware distribution,' Sinegubko wrote. 'To make things more complex, this botnet of web servers is connected with the botnet of infected home computer(s).'"
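The tell-tale described above is a second web server listening beside the legitimate one. As an added, defender-side example that is not part of the article or Sinegubko's research, the following shell check lists listening TCP sockets whose port/process pair is not on an allowlist; it assumes `ss -ltnp` output (run as root so the process column is populated) and a constructed allowlist and sample, all of which are assumptions here.

```shell
#!/bin/sh
# Added example (not from the article): flag listening TCP sockets whose
# port:process pair is not on an allowlist. Input is the output of
# `ss -ltnp`; a sample is constructed below so the script runs offline.

# Expected listeners on a plain web host (assumed allowlist), "port:process".
ALLOWLIST="22:sshd,80:apache2,443:apache2"

# Read `ss -ltnp` lines on stdin; print "port process" for each unexpected listener.
unexpected_listeners() {
    awk -v allow="$ALLOWLIST" '
    BEGIN {
        n = split(allow, a, ",")
        for (i = 1; i <= n; i++) ok[a[i]] = 1
    }
    NR == 1 { next }                       # skip the ss header line
    {
        # Local address is column 4, e.g. "0.0.0.0:8080" or "[::]:80";
        # the port is whatever follows the last colon.
        port = $4; sub(/.*:/, "", port)
        # Process name sits inside users:(("nginx",pid=2210,fd=6))
        proc = "?"
        if (match($0, /users:\(\("[^"]+"/)) {
            proc = substr($0, RSTART + 9, RLENGTH - 10)
        }
        if (!((port ":" proc) in ok)) print port, proc
    }'
}

# Constructed sample: Apache on 80/443 plus a second web server bound to 8080,
# the picture the article describes.
SAMPLE='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      511    *:80               *:*               users:(("apache2",pid=1301,fd=4))
LISTEN 0      511    *:443              *:*               users:(("apache2",pid=1301,fd=6))
LISTEN 0      511    0.0.0.0:8080       0.0.0.0:*         users:(("nginx",pid=2210,fd=6))'

# Live use: ss -ltnp | unexpected_listeners
printf '%s\n' "$SAMPLE" | unexpected_listeners
```

A listener that shows up here is only a lead; confirm what binary the pid points at and what it serves before treating the host as compromised.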

14 of 254 comments

  1. Linux by Anonymous Coward · Score: 5, Funny

    It's ready for the botnet!

    1. Re:Linux by noidentity · Score: 5, Funny

      Maybe the year of the Linux desktop is near, with the OS finally getting a botnet that doesn't require Wine to run. Take that, Apple!

  2. Stupid people use linux too by tetsukaze · Score: 5, Insightful

    We can blame our pet hate OS for all of the internet evil out there, but we need to remember one important thing: people are almost always the weak link in security. If someone knows what they are doing, it is very hard to penetrate a Linux server... or a Windows server. There will always be those that can break through the best security, but there is a lot of low-hanging fruit, and not just on the Windows tree.

    1. Re:Stupid people use linux too by FlyingBishop · Score: 5, Insightful

      Actually, I would say the people to blame are those hosting providers who keep using ftp with weak usernames and weak passwords as the preferred way to access your website.

      There was a time when the client software was insufficient to the task; that time is long gone. WinSCP is mature and easy to use. No, browsers don't offer sftp:// support natively, but the browser is not very secure anyway. Hosting providers need to get their heads out of the sand and upgrade to secure authentication.

  3. Re:Ok, so I got the popcorn ready.... by symbolset · Score: 5, Funny

    Just waiting for the flamefest here of Linux vs Windows botnets.

    OK, I'll start. Linux webservers are so lame they don't even include the facility for users to disable them remotely in case of malware distribution.

    --
    Help stamp out iliturcy.

  4. Re:Ok, so I got the popcorn ready.... by easyTree · Score: 5, Funny

    Just waiting for the flamefest here of Linux vs Windows botnets.

    It's nice to see Lo0niX has advanced to the point where it can now successfully run botnet software. I'll bet there's no gui though. I'm not up on linux commands so don't laugh but I'll wager it's something like:
      * apt get b0tnet -s -x9 -secret -warez -pr0n -infectWindows=1 -p

    Rather than the point-and-click convenience you'd expect on windows.

    Maybe games are next? Quake-n for linux would be nice.

    How's that? :D

  5. Reporters Fail by 99BottlesOfBeerInMyF · Score: 5, Informative

    The only part of this article that is news is the part that is incorrect. Botnets of Windows machines often have compromised Linux servers working as a control channel or update channel. It is not at all unusual. What would be unusual would be for a worm or virus to actually compromise Linux machines in an automated fashion and make them bots. That does not seem to be what has happened here as the Linux systems seem to have been manually hacked in a normal, directed attack.

    Basically, nothing new or newsworthy happened here, except someone mistakenly referred to the compromised Linux servers as bots.

  6. Re:Ok, so I got the popcorn ready.... by LaskoVortex · Score: 5, Funny

    Rather than the point-and-click convenience you'd expect on windows.

    It's not that easy on MS windows. After you click the link to the tennis player nudie pix, your machine locks up. Then you have to *hard reboot* (without the help of the blue screen to let you know your computer crashed). Only after you hard reboot, usually by pulling the power cord all the way out, can you run the botnet software.

    Windows really isn't as user friendly for botnets as everyone thinks it is. I hope 7 does better.

    --
    Just callin' it like I see it.

  7. Re:Ok, so I got the popcorn ready.... by Timothy Brownawell · Score: 5, Insightful

    I suspect you are astroturfing for MS here

    And I suspect that you are a troll.

    and so will want "botnet" to mean "any set of two or more compromised computers". But that definition means that the number of windows botnets would be astronomical, so be careful about your definitions.

    Did you even read what I linked to? A botnet is a collection of compromised computers that share a Command and Control channel.

    Instead I propose the following definition:

    Because the generally accepted definitions don't suit your purpose?

  8. nginx? by Anonymous Coward · Score: 5, Funny

    nginx, so that's what the worm is called? I'd better check my company's webservers so they aren't running this evil hacker malware.

    Oh my... all of them had been infected. No worries though, I managed to clean them all up. A good day's work well done.

  9. Re:Ok, so I got the popcorn ready.... by NewbieProgrammerMan · Score: 5, Insightful

    ...so the MS astroturf team has decided to call it a "botnet".

    I'm curious--how can I tell when an idea is being promoted by the "MS astroturf team" and not by regular not-so-clueful reporters that might mistakenly use the wrong term?

    --
    [b.belong('us') for b in bases if b.owner() == 'you']

  10. Re:Ok, so I got the popcorn ready.... by mysidia · Score: 5, Informative

    Botnets do not have to be self propagating. The very first botnets were on IRC.

    Where in fact, the machines weren't compromised. The owners of the machines actually ran the code (commonly Eggdrop) and voluntarily joined their bots to the botnet. They weren't even malicious.

    The term "botnet" does not imply a network of compromised hosts, or even malware. It refers to a network of robotic agents that are in communication with each other.

    Botnets were commonly used to form shared "party lines", to allow people to DCC CHAT their Eggdrop bots and communicate with people visiting from other channels, and other IRC networks.

    At first, these were used only for communication, people joined the botnets to chat with each other, there was no way to control other bots.

    At some point, some of the botnets got pretty large...

    Some of the botnets had a feature where a trusted "bot owner" or "bot master", as they were called, could be made a "botnet admin" by bots they were peering with... allowing these botnet admins to command other hosts to do certain things on IRC.

    Some botnets had member nodes run scripts that were able to do things like pingflood a user off IRC.

    This would be commonly used if some bad boy had taken over a popular channel. Ping flooding a user off IRC is undesired by the victim, but at one time it may have been used to counter other hacking techniques the "victim" of the flood had been using to sabotage IRC channels.

    At some point, some IRC botnets started getting formed whose sole purpose was to flood.

    Eventually the term escaped IRC... other types of botnets started forming like Peer to Peer ones, smart ones that automatically added nodes (instead of two botnet admins deciding to interconnect), and botnets whose sole purpose was to accept commands from a central point.

    But the point is, the notion of a "Bot" and a "Botnet" has an origin that causes the term to not imply self replication.

  11. package mgmt and repos play a small role here by drougie · Score: 5, Interesting

    It's nice to be able to apt-get yourself the latest stable copy of apache2 and php5 and mysql and postfix humming with just a command or two, and also nice to be able to apt-get upgrade them after you apt-got updated. Those who maintain, clean and contribute to the large public repositories that apt and yum and rpm and pkg_add draw from are good people, and they generally do a bang-up job for 99% of the Linux and UNIX and UNIX-like folks. However, when you maintain servers which are not completely hidden behind a NAT with these programs for years and only once in a blue moon compile something you downloaded in a gzipped tar, you put yourself on admin autopilot, and that can bite you in the ass.

    I'll give you one example: I installed RoundCube, the most badass webmail client there will ever be, ever, with apt (the first time). Ran it for a while without incident. Had my system on weekly cron apt updates, so I figured I was safe. Eventually I discovered someone had made it onto my system and put a malware-installing JS line in my web pages. Looking through the guy's bash history, I discovered they got in through a RoundCube vulnerability. I checked out RoundCube's site, something I should have done first thing but did not, and it turns out their stable version was much newer than what apt knew about, and that this vulnerability would not have been on my system about five months ago had I downloaded straight from their site and stayed on the ball with their support resources, which are things that are less necessary when you just let apt-get rip.

    Bottom line, apt-get update/upgrading would not patch a glaring vulnerability in software I found with apt originally with the default Debian sources.list and I doubt it would have on most other distros' package management systems. It wasn't RoundCube's fault, the patched release was their Stable build for a long time but I was left wide open to anyone who went on a rootkit site and googled for roundcube hosts and I got nailed. Learned my lesson and I don't fault the repository maintainers for being behind the ball a bit on less popular software in their enormous archives but if you ask me software should not be available on the default repositories for Linux variants that the maintainers are not confident that they can keep up to date or don't have some kind of way to be quickly and effectively notified by the authors/vendors in the event of a critical upgrade being available and to put it live right quick. Put it on the people who want to install such software themselves -- if they can make it past that hump I'd say their odds of running the software safely will be substantially higher than Joe Yum. And spreading awareness of cvs/svn would be nice too.

    Can't believe I just admitted I got compromised.

  12. Re:Ok, so I got the popcorn ready.... by Zero__Kelvin · Score: 5, Insightful

    You clearly need to look up the word robot ;-) In the meantime, since I know that a robot is an autonomic system, I am aware that a network robot must necessarily be autonomous as well.

    And BTW, this article does not claim that Linux was hacked. It claims that people's websites were hacked, and those websites happen to be hosted on Linux. Nothing to see here, no botnet, and no hacked Linux kernel. Just poor system administration allowing FTP password sniffing, etc. The whole thing is sensationalist bullshit.

    --
    Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun