Slashdot Mirror


Akamai Warns: Linux Systems Infiltrated and Controlled In a DDoS Botnet

An anonymous reader writes Akamai Technologies is alerting enterprises to a high-risk threat of IptabLes and IptabLex infections on Linux systems. Malicious actors may use infected Linux systems to launch DDoS attacks against the entertainment industry and other verticals. The mass infestation of IptabLes and IptabLex seems to have been driven by a large number of Linux-based web servers being compromised, mainly by exploits of Apache Struts, Tomcat and Elasticsearch vulnerabilities. Attackers have used the Linux vulnerabilities on unmaintained servers to gain access, escalate privileges to allow remote control of the machine, and then drop malicious code into the system and run it. As a result, a system could then be controlled remotely as part of a DDoS botnet. The full advisory is available for download only with registration, but the (Akamai-owned) Prolexic page to do so is quite detailed.
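
The summary describes a compromise chain (exploit a web application such as Struts, Tomcat or Elasticsearch, escalate, drop a binary named to look like iptables, run it as a DDoS bot). The triage script below is an added example, not Akamai's or Prolexic's tooling: it runs a few host-based checks over process-listing and persistence data that match that chain. The directory lists, the set of application-server accounts, the iptables-lookalike rule and all sample lines are this example's own assumptions and constructed data, not indicators taken from the advisory.

```python
"""Host triage for the compromise pattern described above: an app-server
account running a dropped binary, a binary named to mimic iptables, and a
hidden or temp-dir file re-launched from rc.local or cron.

Added example, not Akamai/Prolexic code. Directory lists, account names and
sample data are assumptions made for illustration.
"""
import os
import re
from dataclasses import dataclass

# Names that imitate the iptables binary (the page's malware names are
# "IptabLes" / "IptabLex"); matched case-insensitively, leading dot allowed.
IPTABLES_LOOKALIKE = re.compile(r"^\.?iptable[sx]$", re.IGNORECASE)

# Where the genuine iptables binary lives on common distributions (assumption).
LEGIT_IPTABLES_DIRS = {"/sbin", "/usr/sbin", "/bin", "/usr/bin"}

# Writable or unusual locations a dropped binary tends to run from (assumption).
SUSPECT_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/boot/")

# Unprivileged accounts the web-application entry vector lands in (assumption).
APP_ACCOUNTS = {"tomcat", "elasticsearch", "www-data", "apache", "nobody"}


@dataclass(frozen=True)
class Finding:
    source: str    # "ps", "rc.local" or "cron"
    rule: str
    evidence: str


def _is_hidden(path: str) -> bool:
    # Any dot-prefixed path component counts (e.g. /tmp/.cache/run).
    return any(part.startswith(".") for part in path.split("/") if part)


def _in_suspect_dir(path: str) -> bool:
    return path.startswith(SUSPECT_DIRS)


def _mimics_iptables(path: str) -> bool:
    base = os.path.basename(path)
    if not IPTABLES_LOOKALIKE.match(base):
        return False
    # Only the exact lowercase name in a system bin directory is the real tool.
    return not (base == "iptables" and os.path.dirname(path) in LEGIT_IPTABLES_DIRS)


def check_processes(ps_lines):
    """ps_lines: lines of `ps -eo user,pid,args --no-headers` (full path + args)."""
    findings = []
    for line in ps_lines:
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue
        user, pid, args = parts
        exe = args.split()[0]
        ev = f"pid {pid} user {user} exe {exe}"
        if _mimics_iptables(exe):
            findings.append(Finding("ps", "iptables-lookalike", ev))
        if _is_hidden(exe) or _in_suspect_dir(exe):
            findings.append(Finding("ps", "exec-from-hidden-or-temp", ev))
        if user in APP_ACCOUNTS and not exe.startswith(("/usr/", "/bin/", "/sbin/", "/opt/")):
            findings.append(Finding("ps", "app-account-runs-foreign-binary", ev))
    return findings


def check_persistence(source, lines):
    """rc.local or crontab lines: flag entries that launch lookalike, hidden or temp-dir paths."""
    findings = []
    for line in lines:
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        for token in re.findall(r"/\S+", stripped):
            if _mimics_iptables(token):
                findings.append(Finding(source, "iptables-lookalike", stripped))
            elif _is_hidden(token) or _in_suspect_dir(token):
                findings.append(Finding(source, "persists-hidden-or-temp-path", stripped))
    return findings


# Constructed sample data for a stand-alone run; not a real capture.
SAMPLE_PS = [
    "root          812 /sbin/iptables -L -n",
    "root         2345 /boot/.IptabLes",
    "tomcat       3001 /tmp/.cache/run",
    "elasticsearch 1502 /usr/share/elasticsearch/bin/elasticsearch",
    "www-data     1870 /usr/sbin/apache2 -k start",
]
SAMPLE_RC_LOCAL = ["#!/bin/sh -e", "/boot/.IptabLes", "exit 0"]
SAMPLE_CRON = ["*/5 * * * * /usr/bin/updatedb", "@reboot /var/tmp/.svc"]


def triage(ps_lines=SAMPLE_PS, rc_local=SAMPLE_RC_LOCAL, cron=SAMPLE_CRON):
    return (check_processes(ps_lines)
            + check_persistence("rc.local", rc_local)
            + check_persistence("cron", cron))


if __name__ == "__main__":
    for f in triage():
        print(f"[{f.source}] {f.rule}: {f.evidence}")
```

On a real host, feed it the output of `ps -eo user,pid,args --no-headers`, `/etc/rc.local` and `crontab -l` for root and the application accounts; the legitimate `/sbin/iptables` and the packaged Tomcat/Elasticsearch/Apache processes produce no findings, while a hidden binary launched from `/boot` or `/tmp` by an application-server account is reported on two or three rules at once.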

2 of 230 comments

  1. Re:must me false by bobbied · · Score: 3, Interesting

    Yes, but there is a logical reason for this.

    Linux and Windows approach security in totally different ways. When you load a Linux kernel, it's secure, it starts that way. When you load Windows, it's NOT secure, you have to load other stuff to make it secure.

    So, if you have a Linux box that gets hacked, the admin really is a lot more responsible for this. He/she left the hole open for the attacker to get in. Sure, there are times when we don't know the hole exists, but the admin loaded the software.

    Windows boxes? They come out of the install process wide open with a whole raft of dangerous services turned on. Not to mention they are starting from the security posture of Windows 3.1 and have been trying to put up defenses since. They have made a lot of progress, but it's still harder to shore up a bad design than it is to loosen up a secure design.

    --
    "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
  2. Re: Hmmm by AaronLS · · Score: 3, Interesting

    Mostly valid points. None of them invalidate the parent's point. If there is a significant infection of malware, then it is newsworthy. What factors led to the infection don't make it unnewsworthy.

    "These [server systems] are easier to lock down, since there are no users downloading cool stuff and bringing in malware." You're comparing desktop usage to server usage. Regardless of Linux or Windows, the same issues are there for each usage scenario.

    -Desktop: If there is a vulnerability in a Linux or Windows desktop, the usage pattern of users is going to be a pathway onto the machine for malware. These days you could probably take any average user, since most are unfamiliar with desktops, stick them with a desktop of any OS flavor, and they will in both cases go to a browser and do things that put the system at risk. These days they implement similar levels of security. Many flavors of both prompt you to escalate a process to root/admin privilege, so each is vulnerable to users unwisely escalating software of questionable sources.

    -Server: If there is a vulnerability in a server, regardless of OS, "a remote exploit is required to bring down a server system". This doesn't invalidate the parent's point.

    Parent's point is that it is newsworthy because many naive individuals in the Linux community like to purport that Linux is somehow invulnerable to such exploits. When I say "many naive" I don't mean to say all Linux users are naive, just that there are a fair share who don't understand that Linux and software running on Linux have the same potential to harbor undiscovered vulnerabilities as any other competing OS/software.

    This means they make blanket statements about how this or that security problem affecting Windows isn't a concern for Linux. They don't know about the clarifying criteria that Linux is more secure under the circumstances that you maintain updates and properly administer WAN-facing interfaces.

    The result is you have individuals running unmaintained Linux servers because they think they are more secure, but which require significantly more attention than similar Windows counterparts. So you have two factors working against the security of Linux: misinformation, and ease of maintenance.

    Even in situations where you have a capable staff who understand the importance of maintaining updates: if you have updates that are fragile and require lots of testing, require a lot of babysitting to apply, or are in other ways difficult to automate in a reliable way, then you are going to occasionally create situations for admins where their manpower isn't enough to get to those updates immediately. That's not to imply that Windows updates don't sometimes break things and require testing, but I would say they are easier to automate overall and more reliable. Probably due to the fact there are far fewer flavors of Windows, so updates which do have issues are quickly hotfixed. When I've had updates on Linux fail, sometimes there is a good bit of manual work to back them out, fix whatever went wrong, and reapply them.

    I am not trying to say Windows is better than Linux, as I am not trying to do a complete comparison of the two, but simply pointing out that this article highlights some of the factors that contribute to the formation of such an infection. Certainly Windows has some of these same issues as well, and we've seen infections that targeted machines that weren't up to date. However, I think Windows has done a better job at least with the automatic updates to address this kind of problem. It certainly isn't always perfect, but it's pretty good.