Akamai Warns: Linux Systems Infiltrated and Controlled In a DDoS Botnet
An anonymous reader writes Akamai Technologies is alerting enterprises to a high-risk threat of IptabLes and IptabLex infections on Linux systems. Malicious actors may use infected Linux systems to launch DDoS attacks against the entertainment industry and other verticals. The mass infestation of IptabLes and IptabLex seems to have been driven by a large number of Linux-based web servers being compromised, mainly by exploits of Apache Struts, Tomcat and Elasticsearch vulnerabilities. Attackers have used the Linux vulnerabilities on unmaintained servers to gain access, escalate privileges to allow remote control of the machine, and then drop malicious code into the system and run it. As a result, a system could then be controlled remotely as part of a DDoS botnet. The full advisory is available for download only with registration, but the (Akamai-owned) Prolexic page to do so is quite detailed.
Not a Linux apologist (Windows pays my bills), but in defense of Linux, these were programs running on Linux that had exploits. Of course, many of the exploits in Windows are through programs running on Windows and not the OS itself... but Linux fanboys wouldn't be as quick to point that out.
Yes, but there is a logical reason for this.
Linux and Windows approach security in totally different ways. When you load a Linux kernel, it's secure, it starts that way. When you load windows, it's NOT secure, you have to load other stuff to make it secure.
Sorry, but that is BS. When you load Linux it comes up with a security model through which there has already (by design) been punched a big hole: SUID. When you load Windows it comes up with a security model which has no need for such a massive hole. Countless otherwise benign bugs have been turned into total system compromise bugs because of SUID.
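Whatever one thinks of the SUID design, the practical check on a Linux box is to know which setuid/setgid binaries are present and to notice when a new one appears, which is exactly the kind of artifact a post-exploitation privilege escalation or a dropped implant leaves behind. The script below is an added example written for this page; it is not from the Akamai advisory or from any commenter. The directory and baseline file names are assumptions; it takes a snapshot of the setuid/setgid files under a tree and later reports any file with those bits set that is not in the snapshot.

```shell
#!/bin/sh
# Added example (not from the advisory or the thread): snapshot and audit
# setuid/setgid files under a directory tree. Paths and file names used in
# the usage at the bottom are assumptions for illustration.

# list_suid DIR
# Prints every regular file under DIR (same filesystem only) that has the
# setuid (-perm -4000) or setgid (-perm -2000) bit set, sorted.
list_suid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# snapshot_suid DIR
# Emits a baseline: one absolute path per line. Capture this right after a
# clean install and keep it somewhere the box cannot rewrite.
snapshot_suid() {
    list_suid "$1"
}

# audit_suid DIR BASELINE_FILE
# Prints each setuid/setgid file under DIR that is absent from BASELINE_FILE.
# Returns 0 when nothing unexpected is present, 1 otherwise.
audit_suid() {
    dir=$1
    baseline=$2
    unexpected=$(list_suid "$dir" | while IFS= read -r path; do
        # -x: whole-line match, -F: literal string (paths are not regexes)
        grep -qxF -- "$path" "$baseline" || printf '%s\n' "$path"
    done)
    [ -n "$unexpected" ] || return 0
    printf '%s\n' "$unexpected"
    return 1
}

# Typical use (assumed paths): take the baseline once, audit from cron.
#   snapshot_suid /usr > /var/lib/suid-baseline.txt
#   audit_suid /usr /var/lib/suid-baseline.txt || logger -p auth.warning "new setuid/setgid file found"
```

Only a setuid file owned by root (or setgid to a privileged group) is a real escalation path; a user's own file with the bit set is noise, so when triaging a hit, check the owner with `ls -l` before raising an alarm. Running the audit as root against `/` with `-xdev` per mount point keeps it from wandering into `/proc` and network mounts.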
Under Windows, all kernel object types are securable with security descriptors. Linux was designed with only file system permissions. Processes did not have security descriptors, and such objects need to be mapped to files and file permissions used to (inadequately) describe access permissions.
Windows services run in a separate session - interprocess communication is severely restricted. A process in another session cannot break through to e.g. the desktop, i.e. a daemon/background service cannot interact with the desktop. There is no such isolation in Linux unless you run SELinux. In Windows it is the default.
Most Windows services run under service hardening. Even custom sites you set up will by default run under service hardening. Under service hardening an ad-hoc identity is implicitly created for the service/website and this identity has no permissions whatsoever by default. It has to be granted any access permission it needs. You'd have to run SELinux or apparmor with a significant amount of configuration to achieve the same level of isolation under Linux. Under Windows it is default and straightforward.
Windows has mandatory DEP, much stronger ASLR, stack and heap encryption/checksumming and several other mitigation technologies not found in Linux. On by default.
Windows boxes? They come out of the install process wide open with a whole raft of dangerous services turned on. Not to mention they are starting from the security posture of Windows 3.1
What century do you live in? Since Windows Server 2008 (!) only the minimal set of services are turned on, and *no* network facing services until you configure them.