Old 01-24-2008, 03:57 PM   #1
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

WARN: Mystery infestation strikes Linux/Apache Web sites


Quote:
According to a press release issued earlier this month by Finjan, a security research firm, compromised Web servers are infecting thousands of visitors daily with malware that turns their Windows machines into unwitting bots to do the bidding of an as yet unidentified criminal organization. Security firms ScanSafe and SecureWorks have since added their own takes on the situation, though with varying estimates on the number of sites affected. All reports thus far say the compromised servers are running Linux and Apache.
Complete Article
 
Old 01-25-2008, 09:48 AM   #2
PatrickNew
Senior Member
 
Registered: Jan 2006
Location: Charleston, SC, USA
Distribution: Debian, Gentoo, Ubuntu, RHEL
Posts: 1,148
Blog Entries: 1

I haven't confirmed it, but I've seen it reported that you can check to see if you have it by trying to create a directory starting with a numeral. If you have it, the rootkit won't let you.
 
Old 01-25-2008, 12:34 PM   #3
unixfool
Member
 
Registered: May 2005
Location: Northern VA
Distribution: Slackware, Ubuntu, FreeBSD, OpenBSD, OS X
Posts: 781
Blog Entries: 8

Quote:
Originally Posted by PatrickNew
I haven't confirmed it, but I've seen it reported that you can check to see if you have it by trying to create a directory starting with a numeral. If you have it, the rootkit won't let you.
I believe that is specific to accounts that utilize cPanel. There's another way also, which involves sniffing HTTP packets via tcpdump (the article references both methods). As yet, I haven't noticed a specific Snort rule that will detect this (although the sniff criteria are simple enough to create on your own, if you use Snort to monitor your network).

I've some issues with the article itself. In the last few years, I've seen a ton of the exploits the author elaborates on. This really isn't new news, as most of the attack attempts I've seen come from already compromised machines that attempt to initiate XSS attacks and script injection. Maybe it's the first time that someone actually noticed from a global view of things, but when I read the article, I didn't see any new revelations that got me all 'hot and bothered'. Maybe that's just me, though.
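The "create a directory starting with a numeral" check that posts #2 and #3 describe, written up as an added example (not code from the thread, the article, or cPanel). It adds one thing the posts leave out: a control directory with a letter-leading name, created in the same place, so that a refused mkdir can be told apart from an ordinary permission, quota or disk problem. The scratch path, the directory names and the return-code scheme are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the thread or the article it discusses: the
# "create a directory whose name starts with a numeral" check the posts
# describe, with a control so that a failure can be told apart from an
# ordinary permission or disk problem.
#
# Return codes:
#   0  both directories could be created: the reported symptom is absent
#   1  only the numeral-leading name was refused: matches the reported symptom
#   2  the control directory failed too: inconclusive (permissions, quota, ...)
numeral_dir_check() {
    ndc_parent=${1:-${TMPDIR:-/tmp}}          # where to test; $1 overrides
    ndc_numeral="$ndc_parent/1lqcheck.$$"     # leading digit: the probe
    ndc_control="$ndc_parent/lqcheck.$$"      # leading letter: the control

    if ! mkdir "$ndc_control" 2>/dev/null; then
        return 2
    fi
    rmdir "$ndc_control" 2>/dev/null

    if mkdir "$ndc_numeral" 2>/dev/null; then
        rmdir "$ndc_numeral" 2>/dev/null
        return 0
    fi
    return 1
}

# Run against the default scratch directory when executed directly.
numeral_dir_check
case $? in
    0) echo "ok: a numeral-leading directory can be created" ;;
    1) echo "WARNING: only the numeral-leading name was refused" ;;
    *) echo "inconclusive: the control directory could not be created either" ;;
esac
```

Pass a path as the first argument to test somewhere other than the scratch directory, for example the document root while running as the account that serves it, since post #3 suggests the symptom may be specific to cPanel accounts. Post #2 notes the check is unconfirmed, so a return code of 0 rules nothing out; it only says that this one reported symptom is absent.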
 
Old 01-28-2008, 11:56 AM   #4
farslayer
Guru
 
Registered: Oct 2005
Location: Willoughby, Ohio
Distribution: linuxdebian
Posts: 7,232
Blog Entries: 5

http://blog.cpanel.net/?p=31

I thought this was rather interesting..

Quote:
While this compromise is not believed to be specific to systems running cPanel® software, cPanel has worked with a number of hosting providers and server owners to investigate this compromise.

The cPanel Security Team has recognized that the vast majority of affected systems are initially accessed using SSH with no indications of brute force or exploitation of the underlying service. Despite non-trivial passwords, intermediary users and nonstandard ports, the attacker is able to gain access to the affected servers with no password failures.
The cPanel security team also recognized that a majority of the affected servers come from a single undisclosed data-center. All affected systems have password-based authentication enabled. Based upon these findings, the cPanel security team believes that the attacker has gained access to a database of root login credentials for a large group of Linux servers.
Amazing how slowly information is coming out on this... even SANS ISC hasn't had much info.
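The cPanel finding quoted above gives a server owner two concrete things to look at: whether sshd will still accept a root password at all, and whether root has logged in with a password from an address that never failed a login first (the "no password failures" pattern). The script below is an added example, not code from the thread or from cPanel, and runs offline on constructed OpenSSH auth.log lines and a constructed sshd_config fragment embedded inline (documentation addresses from RFC 5737; hostname and PIDs are made up). The function names, the treatment of an absent directive as "yes", and the choice to key on the first uncommented directive are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or cPanel: two checks suggested by the
# cPanel finding quoted above (initial access over SSH, password authentication
# on, no failed logins beforehand). Both read text on stdin or from an argument,
# so they run offline on the constructed samples below.

# Constructed OpenSSH auth.log lines (RFC 5737 documentation addresses; the
# hostname and PIDs are made up). One address fails first, then succeeds; one
# succeeds twice with no failure; one key-based login is noise to be ignored.
SAMPLE_AUTH_LOG='Jan 25 03:11:59 web1 sshd[4810]: Failed password for root from 198.51.100.7 port 44112 ssh2
Jan 25 03:12:07 web1 sshd[4812]: Accepted password for root from 198.51.100.7 port 44120 ssh2
Jan 25 03:14:22 web1 sshd[4821]: Accepted password for root from 203.0.113.45 port 51234 ssh2
Jan 25 03:15:40 web1 sshd[4830]: Accepted publickey for deploy from 192.0.2.10 port 50000 ssh2
Jan 25 03:18:03 web1 sshd[4844]: Accepted password for root from 203.0.113.45 port 51301 ssh2'

# Constructed sshd_config fragment showing the exposed settings.
SAMPLE_SSHD_CONFIG='Port 2222
PermitRootLogin yes
PasswordAuthentication yes
#PubkeyAuthentication yes'

# Print "<date> <ip>" for every successful root *password* login whose source
# address had produced no "Failed password" line earlier in the log. Reads the
# log on stdin. Legitimate admins also get it right first time, so this is an
# inventory to compare against known admin addresses, not a verdict.
first_try_root_logins() {
    awk '
        /sshd\[[0-9]+\]: Failed password for root from / {
            for (i = 1; i <= NF; i++) if ($i == "from") failed[$(i + 1)] = 1
        }
        /sshd\[[0-9]+\]: Accepted password for root from / {
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            if (!(ip in failed)) print $1, $2, $3, ip
        }'
}

# Print the first uncommented value of an sshd_config directive read on stdin,
# or "unset" if absent (sshd uses the first value it finds for a directive).
# Match blocks are not handled; on a live host, "sshd -T" prints the
# effective configuration and is the authoritative check.
sshd_directive() {
    awk -v key="$1" '
        $1 !~ /^#/ && tolower($1) == tolower(key) { print $2; found = 1; exit }
        END { if (!found) print "unset" }'
}

# Print "yes" if the given sshd_config text would let root log in with a
# password. An absent directive counts as "yes": OpenSSH of this era
# defaulted both PermitRootLogin and PasswordAuthentication to yes.
root_password_login_allowed() {
    rpl_permit=$(printf '%s\n' "$1" | sshd_directive PermitRootLogin)
    rpl_passwd=$(printf '%s\n' "$1" | sshd_directive PasswordAuthentication)
    case "$rpl_permit" in
        no|without-password|prohibit-password|forced-commands-only) echo no; return 0 ;;
    esac
    case "$rpl_passwd" in
        no) echo no ;;
        *)  echo yes ;;
    esac
}

# Run against the samples when executed directly.
echo "first-try root password logins:"
printf '%s\n' "$SAMPLE_AUTH_LOG" | first_try_root_logins
echo "root password login allowed: $(root_password_login_allowed "$SAMPLE_SSHD_CONFIG")"
```

On a real host, feed `/var/log/auth.log` or `/var/log/secure` to `first_try_root_logins` and `/etc/ssh/sshd_config` to `root_password_login_allowed`. A nonstandard port and a strong password, which the cPanel post says the affected servers already had, do not change the answer of the second check: as long as it prints "yes", a stolen credential is enough, which is the scenario cPanel describes.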
 
Old 01-28-2008, 02:30 PM   #5
PatrickNew
Senior Member
 
Registered: Jan 2006
Location: Charleston, SC, USA
Distribution: Debian, Gentoo, Ubuntu, RHEL
Posts: 1,148
Blog Entries: 1

Quote:
the cPanel security team believes that the attacker has gained access to a database of root login credentials for a large group of Linux servers.
And who exactly is keeping such a database? If it were within a single organization, I might be able to understand, but this worm has hit multiple organizations. Is cPanel saying it believes the sysadmins for various organizations have allowed their root passwords to be indexed in a third party database? I have a hard time believing that any sane admin would do that.
 
  