ancientt writes:
"'Researchers have documented an ongoing criminal operation infecting more than 10,000 Unix and Linux servers with malware that sends spam and redirects end users to malicious Web pages,' as reported at Ars Technica, in an attack campaign being called Windigo.
It has been going on since 2011 and has successfully hit Linux Foundation kernel.org servers and developers of cPanel. 'During its 36-month run, Windigo has compromised more than 25,000 servers with robust malware that sends more than 35 million spam messages a day and exposes Windows-based Web visitors to drive-by malware attacks.'
A detailed PDF writeup is available from We Live Security."
10,000 Linux Servers Hit by Malware
(Score: -1) by Anonymous Coward on Tuesday March 18 2014, @10:02PM
whois welivesecurity.com
Domain Name: WELIVESECURITY.COM
Registrar: CSL COMPUTER SERVICE LANGENBACH GMBH D/B/A JOKER.COM
Whois Server: whois.joker.com
Referral URL: http://www.joker.com/ [joker.com]
Name Server: NS1.P06.DYNECT.NET
Name Server: NS2.P06.DYNECT.NET
Name Server: NS3.P06.DYNECT.NET
Name Server: NS4.P06.DYNECT.NET
Status: clientTransferProhibited
Updated Date: 04-aug-2013
Creation Date: 21-nov-2012
Expiration Date: 21-nov-2014
(Score: 1) by Ethanol-fueled on Tuesday March 18 2014, @10:19PM
The attack campaign was called "Windigo." Probably carried out by a disgruntled former SGI IRIX developer who got pushed out for the Linux craze.
(Score: 2, Funny) by Anonymous Coward on Tuesday March 18 2014, @10:31PM
Sounds more like a Microsoft black op to me. WINdigo, no?
(Score: 1) by Ethanol-fueled on Tuesday March 18 2014, @10:36PM
Drive-by hacking of a Windows install is like shooting fish in a barrel. The beauty of Microsoft's business model is that they can with a straight face claim plausible deniability given their historically shoddy attitude towards security; not to mention their cushy and profitable relationship with the United States' security services.
(Score: 2) by ls671 on Wednesday March 19 2014, @02:29AM
Shooting fish in a barrel:
https://www.youtube.com/watch?v=63Y5XjlO4vk [youtube.com]
Everything I write is lies, including this sentence.
(Score: 1) by Hawkwind on Wednesday March 19 2014, @04:10PM
Actually shooting fish in a barrel, Mythbusters style:
https://www.youtube.com/watch?v=Pd-MpXCMcIs [youtube.com]
(Score: 1) by carguy on Tuesday March 18 2014, @10:33PM
I see what you did there...
https://en.wikipedia.org/wiki/SGI_Indigo [wikipedia.org]
(Score: 0) by Anonymous Coward on Wednesday March 19 2014, @01:19AM
Anonymous Coward retracting. www.joker.com is a real domain registrar. Now you know why we are anonymous.
Things to check:
OpenSSH backdoor
ssh -G (should produce: ssh: illegal option -- G)
Other tests: /lib/libkeyutils* (The library file should be less than 10kb in size.)
rpm -qi openssh-server (should have a signature entry.)
ls -l
Other signs of compromise:
Existence of a /home/ ./ directory hiding binaries and configuration files of TinyDNS ...
(Score: 4, Interesting) by Appalbarry on Wednesday March 19 2014, @02:05AM
Joker.com is notorious for hosting and/or registering any kind of slimeball spammers. Various people have found their e-mail disappearing off the map when joker registered domains were blacklisted for evil activity.
(Score: 3, Interesting) by ls671 on Wednesday March 19 2014, @02:19AM
That's funny. Who would want to have somebody with a name like joker.com as their registrar?
I am still with networksolutions. When I registered my first .com domains I had no choice. Back then, they had a monopoly on all .com domains.
They are far from perfect and are still a little more expensive than the godaddys or joker.coms around, but it isn't worth the time for me to move now.
Anybody know which registrars are good, if I ever want to move from networksolutions?
Everything I write is lies, including this sentence.
(Score: 1) by TK on Wednesday March 19 2014, @03:54PM
Look up "sopa godaddy boycott" on your search engine of choice. There were quite a few other companies being touted as alternatives when that was going on.
The fleas have smaller fleas, upon their backs to bite them, and those fleas have lesser fleas, and so ad infinitum
(Score: 1) by toygeek on Wednesday March 19 2014, @04:24PM
Namecheap.com has been treating me well the last couple of years :)
There is no Sig.
(Score: 2) by ls671 on Wednesday March 19 2014, @02:11AM
ls -l /lib/libkeyutils*
no such files in any of the machines I own.
Also tested with /usr/lib
Everything I write is lies, including this sentence.
(Score: 3, Informative) by ticho on Wednesday March 19 2014, @02:34AM
It's in /lib64 on 64-bit systems (at least on CentOS).
(Score: 0) by Anonymous Coward on Wednesday March 19 2014, @08:30AM
I found /lib/x86_64-linux-gnu/libkeyutils.so.1.4
on my ubuntu box. As near as I can tell, the most recent legitimate version of keyutils is 1.5.9, so the 'fake' version supersedes that by being at a higher point in the path and by claiming a more recent version.
I see reports of it going back to mid-Feb, so I don't think it's a hoax.
(Score: 5, Informative) by frojack on Tuesday March 18 2014, @11:48PM
The report is interesting, but you want to skip to appendix 1 and run the simple detection tests.
Just do it.
Discussion should abhor vacuity, as space does a vacuum.
(Score: 4, Insightful) by ls671 on Wednesday March 19 2014, @12:34AM
"Just do it."
Hmm, for some reason that raises a red flag and makes me not want to do it.
What if appendix 1 was infected?
Everything I write is lies, including this sentence.
(Score: 2) by ls671 on Wednesday March 19 2014, @01:51AM
What the heck? All you need to do to supposedly test if you are infected is verify whether your ssh program supports the -G option?
Is it April fool yet?
Anyway, if this is true, this would have been caught easily by routine md5 sums check on important executables like ssh.
Who supports the -G option and what is it supposed to do?
Everything I write is lies, including this sentence.
(Score: 4, Insightful) by frojack on Wednesday March 19 2014, @02:33AM
It's not supposed to do anything, because -G is not supported.
It's what it does when it spits an error that is indicative.
But that specific test alone is unreliable. There are additional things to test.
Discussion should abhor vacuity, as space does a vacuum.
(Score: 0) by Anonymous Coward on Wednesday March 19 2014, @10:08AM
And those things would be...?
(Score: 2) by frojack on Wednesday March 19 2014, @01:42PM
Mentioned in the pdf.
Discussion should abhor vacuity, as space does a vacuum.
(Score: 2) by tibman on Wednesday March 19 2014, @12:45AM
Looks like I'm clean : )
SN won't survive on lurkers alone. Write comments.
(Score: 3, Interesting) by gishzida on Wednesday March 19 2014, @12:21AM
The Ars Technica article was a lot more help than trying to read the sludge of the ESET report.
My old home web server it seems is infected. See my Journal [dev.soylentnews.org] for specifics...
Thanks SN for the heads up!
(Score: 2) by frojack on Wednesday March 19 2014, @01:19AM
There is information in the sludge about cleaning.
You might give it a try.
Discussion should abhor vacuity, as space does a vacuum.
(Score: 2) by ls671 on Wednesday March 19 2014, @01:26AM
" See my Journal for specifics..."
Details about the failed tests would have been interesting. It could have false positives.
Anyway, nowadays, it is preferable to have a fancy firewall that inspects packets + a web application firewall (WAF) if you want to do what you are doing. Also plan some time to configure and maintain your security layer properly. I have always run an IP firewall since ipfwadm, but lately I installed the mod_security WAF and it is amazing what is going on out there. Definitely worth it in 2014.
Everything I write is lies, including this sentence.
(Score: 2, Informative) by gishzida on Wednesday March 19 2014, @02:26AM
This particular version of SuSE had the "AppArmor" firewall installed... The gateway router [an ASUS N900] does not allow ssh from the outside and ssh was disabled as a login on the server.
I checked the system using all of the tests mentioned.
The ssh -G test gives the "Illegal" operation error and when I ran the full test got "infected" [why not just save time and say echo "infected"?]
There are no shared memory segments larger than about 700K and none with 666 permissions, some with 600.
The other tests come up null [i.e. not infected]
curl, rpm -qi, ls -l, and an examination of /home reveal nothing out of the ordinary.
I opened the package manager and removed ssh and the X-related ssh package. Re-ran the ssh -G test and got "ssh not installed"...
I have not used ssh as a way of getting into this system [Why should I? I can walk to the console].
I'm not sure if the system was actually infected or if this isn't just another NSA surprise security package that has surfaced. Think about that before you say "can't be..." no black ops organization is above a little black market work... as I recall the CIA has been accused [wikipedia.org] of running some side businesses... then again maybe it's just my ol' hippie paranoia meter running out of kilter. But I will tell you I haven't done much in the way of patching this thing in maybe five years.
(Score: 2) by ls671 on Wednesday March 19 2014, @02:50AM
" Think about that before you say "can't be..." no black ops organization is above a little black market work..."
Relax man, it is common human behavior to run like headless chickens when a crisis occurs. I have seen it in some organizations where people would think they are in control.
Anyway, according to what I have read (yes, I read TFA after my first post to you), if you type:
$ ssh -G
and it tells you "illegal option" or "unknown parameter" then you are NOT infected. No ssh client that I know of supports the -G option. It wouldn't be very clever for the hackers to do anyway.
see my other post:
http://dev.soylentnews.org/comments.pl?sid=731&cid=18419 [dev.soylentnews.org]
Everything I write is lies, including this sentence.
(Score: 3, Informative) by ls671 on Wednesday March 19 2014, @03:20AM
another poster has made a clarification:
http://dev.soylentnews.org/comments.pl?sid=731&cid=18419 [dev.soylentnews.org]
So, here is my full output of ssh -G, even on a fresh install:
~$ ssh -G
ssh: illegal option -- G
usage: ssh [-1246AaCfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]
[-D [bind_address:]port] [-e escape_char] [-F configfile]
[-I pkcs11] [-i identity_file]
[-L [bind_address:]port:host:hostport]
[-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port]
[-R [bind_address:]port:host:hostport] [-S ctl_path]
[-W host:port] [-w local_tun[:remote_tun]]
[user@]hostname [command]
yet another poster with a good point:
http://dev.soylentnews.org/comments.pl?sid=731&cid=18426 [dev.soylentnews.org]
Everything I write is lies, including this sentence.
(Score: 0) by Anonymous Coward on Wednesday March 19 2014, @05:38AM
Might be a little more helpful if you said fresh install of what!
(Score: 1) by tempest on Wednesday March 19 2014, @08:58AM
Since ssh is cross platform, it says that on a fresh install of anything. I'm assuming he was using Linux, but it says that on FreeBSD too.
(Score: 1) by gishzida on Wednesday March 19 2014, @03:29AM
No crisis here in the Chicken Little Data Center... Just an old geezer getting stuck in the sludge... I really do need to do a new install on this server... it seems to have grown barnacles.... well, maybe at least one of us has... :)
Thanks for the reply and clarification.
(Score: 1) by SCY on Wednesday March 19 2014, @04:24AM
Somebody around here who actually got infected by this?
(Score: 2) by ls671 on Wednesday March 19 2014, @05:15AM
None really confirmed. I am still wondering if this is real...
If it is; hello! fake sshd? come on, md5 or sha sums on your binaries once in a while anybody?
It doesn't sound real. On the other hand, my logs of attacks against my infrastructure and the silliness of the attacks could make me believe it is really happening.
Everything I write is lies, including this sentence.
(Score: 2) by ls671 on Wednesday March 19 2014, @05:27AM
By the way, anybody heard of a bot attacking sites with the "COOK" HTTP method?
Cooking is a well known term to take control of assets but I can't find anything about the COOK method being sent by some clients.
37.19.151.14 - - [19/Mar/2014:02:46:41 -0400] "COOK /index.html...
94.230.8.164 - - [19/Mar/2014:02:46:26 -0400] "COOK /index.html
Normal log would look like:
94.75.193.139 - - [19/Mar/2014:02:33:58 -0400] "GET /index.html
Thanks,
P.S. Of course, COOK requests get a 403
Everything I write is lies, including this sentence.
(Score: 2) by stderr on Wednesday March 19 2014, @10:17AM
Why is that "of course"?
Since your server (hopefully) didn't understand the request, 403 is the wrong status code to use.
The quote above is from section 10.4.4 [ietf.org] of the RFC. Section 5.1.1 [ietf.org] says:
alias sudo="echo make it yourself #" #
(Score: 2) by ls671 on Wednesday March 19 2014, @11:27PM
mod_security just generically returns 403 when it detects something wrong but this could be easily fine tuned.
I specifically fine tuned a few cases to return other codes but I am mostly OK with generically returning 403s. I am quite aware of the different HTTP status codes.
I think that the idea is to generically forbid access to the resource without giving any hints about what went wrong thus letting the attacker know less about your internal configuration.
FYI, rfc2119 (Key words for use in RFCs to Indicate Requirement Levels) defines SHOULD as:
3. SHOULD
This word, or the adjective "RECOMMENDED", mean that there
may exist valid reasons in particular circumstances to ignore a
particular item, but the full implications must be understood and
carefully weighed before choosing a different course.
Everything I write is lies, including this sentence.
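A small log check for the COOK requests ls671 posted, as an added example (not from any poster, and not a mod_security rule): it pulls the method out of each request line, reports every request whose method is outside the set the site actually serves, and counts hits per source address. The two COOK entries reuse the addresses and timestamps from the post; everything after the method, and the GET/POST/HEAD lines, are constructed for the example. The allowed-method list is an assumption for a read-mostly site. Read it together with the 403 discussion: the status column shows whether the WAF already refused the request, and the per-address count is what you would look at before adding a firewall or WAF rule.

```shell
#!/bin/sh
# Added example, not from any poster and not a mod_security rule: find
# access-log requests whose HTTP method is not one the site serves.

# Constructed sample log. The COOK entries reuse the addresses and
# timestamps from ls671's post; everything after the method, and the
# GET/POST/HEAD lines, is made up for the example.
SAMPLE_LOG='37.19.151.14 - - [19/Mar/2014:02:46:41 -0400] "COOK /index.html HTTP/1.1" 403 199
94.230.8.164 - - [19/Mar/2014:02:46:26 -0400] "COOK /index.html HTTP/1.1" 403 199
37.19.151.14 - - [19/Mar/2014:02:46:42 -0400] "COOK /index.html HTTP/1.1" 403 199
94.75.193.139 - - [19/Mar/2014:02:33:58 -0400] "GET /index.html HTTP/1.1" 200 3421
203.0.113.7 - - [19/Mar/2014:02:35:10 -0400] "POST /comments HTTP/1.1" 302 0
203.0.113.7 - - [19/Mar/2014:02:35:11 -0400] "HEAD /index.html HTTP/1.0" 200 0'

# Methods this site actually serves (assumption: a read-mostly site).
ALLOWED_METHODS="GET POST HEAD"

# Reads common or combined log lines on stdin and prints
# "<client-ip> <method> <status>" for every request whose method is not
# in ALLOWED_METHODS. Lines without a quoted request are reported too.
unexpected_methods() {
    awk -v allowed="$ALLOWED_METHODS" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        {
            # The request line is the first quoted field: "METHOD PATH PROTO".
            if (!match($0, /"[^"]*"/)) { print $1, "MALFORMED", "-"; next }
            req = substr($0, RSTART + 1, RLENGTH - 2)
            split(req, r, " ")
            method = r[1]
            # The status code is the first token after the closing quote,
            # which holds for both the common and the combined format.
            split(substr($0, RSTART + RLENGTH), rest, " ")
            status = rest[1]
            if (!(method in ok)) print $1, method, status
        }'
}

# Per-address count of unexpected-method requests, busiest first.
offenders_by_ip() {
    unexpected_methods | awk '{ c[$1]++ } END { for (ip in c) print c[ip], ip }' | sort -rn
}

# Usage with a real log:
#   unexpected_methods < /var/log/apache2/access.log
#   offenders_by_ip    < /var/log/apache2/access.log
```

The request line is located by its quotes rather than by field number, so the same function works on combined-format logs (which add quoted referrer and user-agent fields) and does not silently misreport the status column.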
(Score: 2) by ls671 on Wednesday March 19 2014, @05:32AM
"and the silliness of the attacks could make me believe it is really happening"
The "silliness" in the sense that it looks like one clan or competing clans testing if you are already infected by the would-be other clan. The actual intrusion seems to still be done through things like "click on this link".
Everything I write is lies, including this sentence.
(Score: 0) by Anonymous Coward on Wednesday March 19 2014, @03:32PM
Whenever I hear "Linux exploited", my initial reaction is always "incompetent admin".
My mind immediately goes to the episode where Jerry owns the most-touted lockset on the market...then along comes Kramer [google.com]. Surely I can't be alone here.
-- gewg_
(Score: 3, Informative) by lubricus on Wednesday March 19 2014, @06:45AM
Apparently, ssh behaves differently on an infected system; it can be checked with this:
$ ssh -G 2>&1 | grep -e illegal -e unknown > /dev/null && echo "System clean" || echo "System infected"
More detail and checks in the report.
... sorry about the typos
(Score: 2) by stderr on Wednesday March 19 2014, @10:25AM
That's a pretty naive test. I bet the next version of the malware will say "illegal option" to hide from that simple test.
Here's an updated version of the "test":
ssh -G 2>&1 | grep -e illegal -e unknown > /dev/null && echo "System might be clean or it might not be. Run a _REAL_ test" || echo "System infected"
alias sudo="echo make it yourself #" #
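The `ssh -G` check that lubricus and stderr trade one-liners over, and the libkeyutils size check from the "Things to check" post further up, as an added example that is not from the ESET report or from any poster. It wraps each indicator in a function that returns a verdict instead of echoing "infected", so the pieces can be reused or tested against captured output. Assumptions: the 10 KB libkeyutils threshold is the thread's rule of thumb rather than a measured value, the library directories searched are the ones posters reported, and, as stderr points out, a matching error message only means the malware did not announce itself, so the function says "no-evidence" rather than "clean". One more caveat: OpenSSH 6.8 (2015) added a real -G option, so on a client of that age or newer `ssh -G` prints usage text instead of an error and this check reads "suspect" on a perfectly clean system; it only applies to the clients that were current when the thread was written.

```shell
#!/bin/sh
# Added example, not from the ESET report or any poster in this thread.
# Two Windigo indicators from the discussion, as functions that return a
# verdict instead of a one-liner that only echoes "infected".

# Classify the text captured from `ssh -G 2>&1`. An OpenSSH client of the
# thread's era rejects -G ("illegal option" from BSD getopt, "unknown
# option" in other builds). A matching message is only absence of
# evidence, hence "no-evidence" rather than "clean" (stderr's point).
# Caveat: OpenSSH 6.8 and later accept -G for real, so their usage text
# lands in the "suspect" branch; this check is for older clients.
classify_ssh_g_output() {
    case "$1" in
        *"illegal option"*|*"unknown option"*) echo "no-evidence" ;;
        *) echo "suspect" ;;
    esac
}

# Run the check against the installed client.
run_ssh_g_check() {
    classify_ssh_g_output "$(ssh -G 2>&1)"
}

# Posters found the legitimate library under /lib, /lib64,
# /lib/x86_64-linux-gnu and /usr/lib, and the thread's rule of thumb is
# that it is under 10 KB. The threshold is that rule, not a measurement.
LIBKEYUTILS_MAX_BYTES=10240
LIBKEYUTILS_DIRS="/lib /lib64 /lib/x86_64-linux-gnu /usr/lib"

# Size of a file in bytes, portably (wc pads with spaces on some systems).
file_size() {
    wc -c < "$1" | tr -d ' '
}

# Look for libkeyutils copies at or above the threshold in the given
# directories. Prints "oversize <path> <bytes>" per hit; returns 1 if any.
check_libkeyutils() {
    found=0
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for f in "$dir"/libkeyutils*; do
            [ -f "$f" ] || continue          # an unmatched glob stays literal
            size=$(file_size "$f")
            if [ "$size" -ge "$LIBKEYUTILS_MAX_BYTES" ]; then
                echo "oversize $f $size"
                found=1
            fi
        done
    done
    return $found
}

# Usage on a live system:
#   run_ssh_g_check
#   check_libkeyutils $LIBKEYUTILS_DIRS
```

Both functions are heuristics from the thread, not a substitute for comparing the installed binaries against package signatures or a stored checksum baseline; a negative result from either one is not proof of a clean host.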
(Score: 1) by cosurgi on Wednesday March 19 2014, @02:52PM
sudo aptitude install debsums
# then as non-root user:
debsums > result
cat result | grep -v -e "OK$"
This will catch all suspicious binaries.
#
#\ @ ? [adom.de] Colonize Mars [kozicki.pl]
#
(Score: 1) by toygeek on Wednesday March 19 2014, @04:31PM
slightly cleaner, no intermediate file needed:
debsums | grep -v -e "OK$"
There is no Sig.
(Score: 2) by ls671 on Wednesday March 19 2014, @11:45PM
Sure, then, when you are done, do a:
debsums | less
To view the details of what has been checked or: debsums | grep -e "OK$"
Only problem, you have just computed your sums multiple times.
It isn't a bad idea at all to cache the output of operations like computing checksums on a bunch of files.
Everything I write is lies, including this sentence.
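ls671 keeps coming back to routine checksums on important binaries, and this last exchange is about caching the sums rather than recomputing them. Here is an added example (not debsums, and not any poster's script) of that idea as two shell functions: one records a SHA-256 baseline of every regular file under a directory, the other checks the tree against the stored baseline and reports files that changed, went missing, or appeared that were not there before (the hidden directory from the "Things to check" post is exactly a new file turning up). It assumes GNU coreutils sha256sum and that the baseline file lives outside the tree it describes; keeping the baseline read-only or off-host is what makes it worth trusting, since a compromised host may also have a compromised sha256sum.

```shell
#!/bin/sh
# Added example, not debsums and not any poster's script: a SHA-256
# baseline of a directory tree, stored once and reused for later checks.
# Assumes GNU coreutils sha256sum and a baseline file kept outside the
# tree it describes (ideally read-only or off-host).

# make_baseline DIR BASELINE: record "<sha256>  <path>" for every regular
# file under DIR.
make_baseline() {
    find "$1" -type f -exec sha256sum {} + > "$2"
}

# verify_baseline DIR BASELINE: compare the tree against the stored sums.
# Prints "changed <path>", "missing <path>" or "new <path>" lines and
# returns 1 if anything was reported, 0 if the tree matches exactly.
verify_baseline() {
    dir=$1
    base=$2
    report=$(
        # Files recorded in the baseline: still present? same hash?
        while read -r sum path; do
            if [ ! -f "$path" ]; then
                echo "missing $path"
            elif [ "$(sha256sum "$path" | cut -d' ' -f1)" != "$sum" ]; then
                echo "changed $path"
            fi
        done < "$base"
        # Files present now that the baseline never saw (new binaries,
        # hidden directories and the like).
        find "$dir" -type f | awk -v base="$base" '
            BEGIN {
                while ((getline line < base) > 0) {
                    sub(/^[^ ]*  /, "", line)   # drop the "<hash>  " prefix
                    seen[line] = 1
                }
            }
            !($0 in seen) { print "new", $0 }'
    )
    if [ -n "$report" ]; then
        printf '%s\n' "$report"
        return 1
    fi
    return 0
}

# Usage: make_baseline /usr/bin /root/usr-bin.sha256 once on a known-good
# host, then verify_baseline /usr/bin /root/usr-bin.sha256 from cron.
```

Because the reference sums are read from the stored file, a scheduled run only hashes the current tree once; filtering the report for "changed" or "new" is then a grep over the output, not another pass over the files.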