Thousands of Linux servers hijacked by Operation Windigo
Quote:
While some experts have spotted elements of the Windigo cybercriminal campaign, the sheer size and complexity of the operation has remained largely unrealised by the security community.
“Windigo has been gathering strength, largely unnoticed by the security community, for over two and a half years, and currently has 10,000 servers under its control,” said ESET security researcher Marc-Étienne Léveillé. “Over 35 million spam messages are being sent every day to innocent users’ accounts, clogging up inboxes and putting computer systems at risk. Worse still, each day over half a million computers are put at risk of infection, as they visit websites that have been poisoned by web server malware planted by Operation Windigo redirecting to malicious exploit kits and advertisements.”
Interestingly, although Windigo-affected websites attempt to infect visiting Windows computers with malware via an exploit kit, Mac users are typically served adverts for dating sites and iPhone owners are redirected to pornographic online content.
An Appeal To Sysadmins To Take Action Against Windigo
Over 60% of the world’s websites are running on Linux servers, and ESET researchers are calling on webmasters and system administrators to check their systems to see if they have been compromised.
“Webmasters and IT staff already have a lot of headaches and things on their mind, so we hate to add to their workload – but this is important. Everyone wants to be a good net citizen, and this is your chance to play your part and help protect other internet users,” says Léveillé. “The last thing anyone should want is to be part of the problem, adding to the spread of malware and spam. A few minutes can make the difference, and ensure you are part of the solution.”
How To Tell If Your Server Has Fallen Foul Of Windigo
ESET researchers, who named Windigo after a mythical creature from Algonquian Native American folklore because of its cannibalistic nature, are appealing for Unix system administrators and webmasters to run the following command, which will tell them whether their server is compromised:
That command the article gave to check to see if your system is compromised gives me "System clean", but I'm not sure it really works. ssh has no -G switch. At least, not my version of ssh, which is reported by ssh -V as OpenSSH_6.1p1, OpenSSL 1.0.1f 6 Jan 2014.
It is, from what I gather: if the -G option is reported as unknown, the ssh client is infected. If it's reported as illegal, then the client is clean.
LE: Scratch that. If ssh is reporting either an "illegal option" or an "unknown option", then the ssh client is clean. If it doesn't complain at all (just prints the usage), then it's infected.
Last edited by Smokey_justme; 03-19-2014 at 11:00 AM.
In basic regular expressions the metacharacters ?, +, {, |, (, and ) lose their special meaning; instead use the backslashed versions \?, \+, \{, \|, \(, and \).
I know the media tends to blow things out of proportion when it comes to Linux security, especially lately, but it is still best to take server compromise seriously.
The point is that this particular piece of malware substitutes a version of ssh which has an added option (-G) for the genuine one. So, it is true that if you find a -G option, there is something badly wrong. However:
if (presumably easy) a new version of this malware were to be authored that uses a different switch from -G, this method of detecting the evil twin version of ssh would fail;
if using Linux, there are other ways of checking the ssh binary; you could do, e.g., rpm -Va on an rpm based system. Note that 'rkhunter', if you run that, does this verification anyway (err, it only does some good if you actually check the log file, which of course you do, don't you?).
Actually, metaschima's links provide interesting info about other verification methods... It seems to tamper with the rpm packages so that simple verifications won't raise suspicions...
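As an added example for this thread (my own script, not ESET's one-liner and not code from any of the posts above), here is the -G heuristic the posters describe, factored into a shell function that can be tried on captured output, with the package-database check from the later post as a second opinion. It assumes a POSIX sh and, for the package check, either rpm or dpkg on the box; the function and variable names are my own.

```shell
#!/bin/sh
# Added example, not from the thread or from ESET: the "-G" heuristic the
# posters describe, factored into a function that can be run on constructed
# output, plus the package-database check one post suggests as a fallback.
# Caveat: OpenSSH 6.8 and later have a genuine -G option, so on a modern
# system this heuristic reports "suspect" for a perfectly clean client.

# classify_ssh_g "<captured output of: ssh -G 2>&1>"
# Prints "clean" when the client rejected -G ("illegal option" or
# "unknown option"), else "suspect" (it accepted -G, e.g. usage only).
classify_ssh_g() {
    case "$1" in
        *"illegal option"*|*"unknown option"*) echo clean ;;
        *) echo suspect ;;
    esac
}

# check_ssh_client: run the heuristic against the installed ssh, if any.
# Returns 0 for clean, 1 for suspect, 2 when there is no ssh to test.
check_ssh_client() {
    command -v ssh >/dev/null 2>&1 || { echo "no ssh client found"; return 2; }
    out=$(ssh -G 2>&1 </dev/null || true)
    verdict=$(classify_ssh_g "$out")
    echo "ssh -G heuristic: $verdict ($(ssh -V 2>&1))"
    [ "$verdict" = clean ]
}

# verify_ssh_package: compare the installed ssh binary with the package
# database. This does not hinge on one switch, but the thread notes the
# malware may also tamper with package metadata, so a mismatch is
# conclusive while a match is not; a checksum taken from trusted,
# offline media is the stronger reference.
verify_ssh_package() {
    bin=$(command -v ssh 2>/dev/null) || { echo "no ssh client found"; return 2; }
    if command -v rpm >/dev/null 2>&1; then
        rpm -Vf "$bin" && echo "rpm: $bin matches its package's recorded digest"
    elif command -v dpkg >/dev/null 2>&1; then
        pkg=$(dpkg -S "$bin" 2>/dev/null | cut -d: -f1)
        [ -n "$pkg" ] && dpkg --verify "$pkg" && echo "dpkg: $pkg verified"
    else
        echo "no rpm/dpkg found; compare against a known-good checksum"; return 2
    fi
}

# Usage: . ./ssh_g_check.sh; check_ssh_client; verify_ssh_package
```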