Slashdot Mirror

← Back to Stories (view on slashdot.org)

New Mayhem Malware Targets Linux and UNIX-Like Servers

Posted by Soulskill on from the keep-calm-and-patch-on dept.

Bismillah writes: Russian security researchers have spotted a new malware named Mayhem that has spread to 1,400 or so Linux and FreeBSD servers around the world, and continues to look for new machines to infect. And, it doesn't need root to operate. "The malware can have different functionality depending on the type of plug-in downloaded to it by the botmaster in control, and stashed away in a hidden file system on the compromised server. Some of the plug-ins provide brute force cracking of password functionality, while others crawl web pages to scrape information. According to the researchers, Mayhem appears to be the continuation of the Fort Disco brute-force password cracking attack campaign that began in May 2013."

6 of 168 comments (clear)

  1. Re:Update yo software by Gothmolly · · Score: 4, Insightful

    And for those of you who DO auto-update blindly and destroy your app or your server when a bad version comes out, well, at least you can smugly assert that you were "secure".

    --
    I want to delete my account but Slashdot doesn't allow it.
  2. Re:Derp by TheRaven64 · · Score: 4, Informative

    It's difficult to rate-limit login attempts from a botnet. The attack pattern I see on my server is one IP making three login attempts, then another IP making three login attempts, and so on. I do rate limit (via temporary IP blocking) attempts from one IP, but it doesn't help much. Of course, they're all doing password-based login attempts and I disable password-based SSH logins for all Internet-connected machines...

    --
    I am TheRaven on Soylent News
  3. Re:Derp by Lumpy · · Score: 4, Insightful

    If you never travel outside your country, why not block all networks from outside? Back in my AT&T days I blocked all of south america, europe, and asia for our servers because nobody from those locations had any reason to even contact our advertising data collection systems. There is no reason to keep your servers wide open for the world.

    --
    Do not look at laser with remaining good eye.
  4. PHP suexec, mostly. Thanks Plesk by raymorris · · Score: 4, Informative

    Most of what we see in the wild is caused by improperly written PHP scripts which don't validate their input and then use crud like fopen_url. That provides the crackers the METHOD to put files on the server and execute them. SuExec gives web visitors PERMISSION to ad and modify files.

    Unfortunately, the folks at Plesk didn't read the first paragraph of the SuExec documentation before deploying it by default, so hundreds of thousands of DIY web servers are running with SuExec. (SuExec means allow visitors to modify files, but don't allow other clients hosted on the same shared server to do so).

    What the Plesk and DirectAdmin folks should have read, from the Apache SuExec page:

            -----
            Used properly, this feature can reduce considerably the security risks involved with allowing users to develop and run
            private CGI or SSI programs. However, if suEXEC is improperly configured, it can cause any number of problems and
          possibly create new holes in your computer's security. If you aren't familiar with managing setuid root programs and the
            security issues they present, we highly recommend that you not consider using suEXEC.
            -----

    That last sentence bears repeatings. "If you aren't familiar with managing setuid root programs and the security issues they present, we highly recommend that you not consider using suEXEC." Plesk, and DirectAdmin - your customers are not familiar with managing setuid programs and the security issue, so they should not even CONSIDER running suexec, much less have that foisted on them as the default.

  5. Attack Vector by Anonymous Coward · · Score: 5, Insightful

    "A lack of anti virus, and missing auto update features leave machines vulnerable"

    It astounds me the lengths the article writers go too while avoiding the attack vector:

    The admin must:
    1. allow a method to upload files
    2. allow php files to be up loaded
    3. Allow execution of these uploaded scripts
    4. Allow system / exec calls (disabled by default since forever ago)
    5. Allow the user to write their own crontab

    At that point, you might as well just install the infection through yum or apt.

    Seriously, there's a reason that the article numbers are less than 1% of the size of the average windows server infection..

  6. Re:Derp by Zero__Kelvin · · Score: 4, Informative

    This virus doesn't attack Linux at all. It attacks PHP web applications. They could run on Linux or any other OS. The brute forcing is what the botnet does once it has a foothold on the machine in question, and has nothing to do with the attack vector.

    --
    Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun