[dba-Tech] Malware Attack Hijacks 25,000 Linux/UNIX Servers

Jim Lawrence accessd at shaw.ca
Sat Mar 22 23:47:35 CDT 2014


Hi Arthur:

This is particularly serious as most of the major servers in the internet industry are Linux and they have so far remained above the fray. Any intrusions so far have been from installed third-party software. This one infection, Windigo (after Windows, I would suspect?), was initiated via a back-door created in OpenSSH (supposedly for administration duties?). The software, once on a system, scans the local credential files and then uses the information acquired to breach yet another system, and so on... Then, to guarantee secured infection, it root-kits the OS.

The only cure is to re-install the OS. To test whether your servers are infected you can run the following script:

ssh -G 2>&1 | grep -e illegal -e unknown > /dev/null && echo "System clean" || echo "System infected"

The way to stop such an attack is to make sure your servers/stations are properly secured with decent password complexity and/or two level password protection. 

According to one blog, and who knows the reality at the moment, this attack may be state-sponsored, but that seems far-fetched as the malware's intention seems to be to create yet another spam zombie.

Jim   
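
[Added example, not part of Jim's post and not ESET's published tooling: the one-liner above, repackaged as shell functions so its decision logic can be exercised on constructed sample output instead of a live host, with a version guard in front of the live run. One caveat the thread does not mention: the check relies on a stock ssh rejecting "-G" while the OpenSSH backdoor from ESET's report (Ebury) silently accepts it, but OpenSSH 6.8 and later accept "ssh -G" natively (it dumps the effective client configuration), so on a current system the one-liner reports "System infected" for a clean install. The wrapper below declines to give a verdict in that case. Both sample outputs and the host names in them are constructed, not captured from any real machine.]

```shell
#!/bin/sh
# Added example (not from the mailing-list post or from ESET): the "ssh -G"
# Ebury check as testable shell functions, plus a guard for OpenSSH >= 6.8.

# classify_ssh_g_output: reads the combined output of "ssh -G" on stdin.
# Same decision as the one-liner: a stock (pre-6.8) ssh rejects -G with
# "illegal option" or "unknown option", which the check calls clean; anything
# else (an ssh that quietly accepts -G, as the backdoored binary did) is
# called infected. Prints "clean" or "infected"; returns 0 clean, 1 infected.
classify_ssh_g_output() {
    if grep -q -e illegal -e unknown; then
        echo clean
        return 0
    fi
    echo infected
    return 1
}

# openssh_supports_dash_g "OpenSSH_X.Y...": returns 0 when the banner printed
# by "ssh -V" is version 6.8 or newer, i.e. when a clean ssh also accepts -G
# and the check above can no longer separate clean from backdoored.
# (Caveat added here, not from the post: OpenSSH 6.8 introduced "ssh -G".)
# Returns 2 if the banner does not look like an OpenSSH version string.
openssh_supports_dash_g() {
    ver=$(printf '%s\n' "$1" |
          sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || return 2
    set -- $ver
    major=$1
    minor=$2
    [ "$major" -gt 6 ] || { [ "$major" -eq 6 ] && [ "$minor" -ge 8 ]; }
}

# run_ssh_g_check: the live check against the ssh on PATH, guarded by the
# version test. Exit status: 0 clean, 1 infected, 2 inconclusive.
run_ssh_g_check() {
    banner=$(ssh -V 2>&1)
    if openssh_supports_dash_g "$banner"; then
        echo "inconclusive: $banner accepts -G natively; use another indicator"
        return 2
    fi
    ssh -G 2>&1 | classify_ssh_g_output
}

# Constructed sample outputs (not captured from any real host) for exercising
# classify_ssh_g_output without touching the local ssh binary.
SAMPLE_STOCK_OLD='ssh: illegal option -- G
usage: ssh [-1246AaCfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]'
SAMPLE_ACCEPTED_G='host example.invalid
user root
port 22'

# Run the live check only when invoked as: sh thisfile.sh live
if [ "${1:-}" = live ]; then
    run_ssh_g_check
fi
```

Usage: source the file and feed classify_ssh_g_output from a pipe, or run it with the argument "live" to test the ssh on the current host. Where the guard reports "inconclusive", the remaining indicators in ESET's Windigo report (not reproduced here) are the ones to fall back on.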

----- Original Message -----
From: "Arthur Fuller" <fuller.artful at gmail.com>
To: "Discussion of Hardware and Software issues" <dba-tech at databaseadvisors.com>
Sent: Friday, March 21, 2014 7:09:23 AM
Subject: [dba-Tech] Malware Attack Hijacks 25,000 Linux/UNIX Servers

This from slashdot...

"Security researchers from ESET have uncovered a widespread attack campaign
that has infected more than 25,000 Linux and UNIX servers around the world.
The servers are being hijacked by a backdoor Trojan as part of a campaign
the researchers are calling 'Operation Windigo.' Once infected, victimized
systems are leveraged to steal credentials, redirect web traffic to
malicious sites and send as many as 35 million spam messages a day.
'Windigo has been gathering strength, largely unnoticed by the security
community, for more than two and a half years and currently has 10,000
servers under its control,' said Pierre-Marc Bureau, security intelligence
program manager at ESET, in a statement.

There are many misconceptions around Linux security, and attacks are not
something only Windows users need to worry about. The main threats facing
Linux systems aren't zero-day vulnerabilities or malware, but things such
as Trojanized applications, PHP backdoors, and malicious login attempts
over SSH. ESET recommends webmasters and system administrators check their
systems to see if they are compromised, and has published a detailed report
presenting the findings and instructions on how to remove the malicious
code if it is present."

-- 
Arthur
_______________________________________________
dba-Tech mailing list
dba-Tech at databaseadvisors.com
http://databaseadvisors.com/mailman/listinfo/dba-tech
Website: http://www.databaseadvisors.com

