LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Security (https://www.linuxquestions.org/questions/linux-security-4/)
-   -   WARN: Mystery infestation strikes Linux/Apache Web sites (https://www.linuxquestions.org/questions/linux-security-4/warn-mystery-infestation-strikes-linux-apache-web-sites-616089/)

win32sux 01-24-2008 02:57 PM

WARN: Mystery infestation strikes Linux/Apache Web sites
 
Quote:

According to a press release issued earlier this month by Finjan, a security research firm, compromised Web servers are infecting thousands of visitors daily with malware that turns their Windows machines into unwitting bots to do the bidding of an as yet unidentified criminal organization. Security firms ScanSafe and SecureWorks have since added their own takes on the situation, though with varying estimates on the number of sites affected. All reports thus far say the compromised servers are running Linux and Apache.
Complete Article

PatrickNew 01-25-2008 08:48 AM

I haven't confirmed it, but I've seen it reported that you can check to see if you have it by trying to create a directory starting with a numeral. If you have it, the rootkit won't let you.

unixfool 01-25-2008 11:34 AM

Quote:

Originally Posted by PatrickNew (Post 3034956)
I haven't confirmed it, but I've seen it reported that you can check to see if you have it by trying to create a directory starting with a numeral. If you have it, the rootkit won't let you.

I believe that is specific to accounts that utilize CPanel. There's another way also, which involves sniffing HTTP packets via tcpdump (the article references both methods). As of yet, I haven't noticed a specific Snort rule that will detect this (although the sniff criteria are simple enough to create on your own, if you use Snort to monitor your network).

I've some issues with the article itself. In the last few years, I've seen a ton of the exploits the author elaborates on. This really isn't new news, as most of the attack attempts I've seen come from already compromised machines that attempt to initiate XSS attacks and script injection. Maybe it's the first time that someone actually noticed from a global view of things, but when I read the article, I didn't see any new revelations that got me all 'hot and bothered'. Maybe that's just me, though.
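As an added example (not code from the thread or from the linked article), here are the two checks the two posts above mention, written as shell functions: PatrickNew's "try to mkdir a directory starting with a numeral" test, and a scan over captured HTTP bodies that flags script tags loading from a host other than the site's own. The foreign-host signature, the hostname argument and the sample page body are this example's own assumptions; the article's actual sniffing criteria are not reproduced in the thread.

```shell
#!/bin/sh
# Added example for this thread, not code from the article or from any poster.
# It packages the two checks mentioned above: the "mkdir a directory whose name
# starts with a digit" test and a scan of served HTTP bodies for script tags
# that load from a host other than the site's own. The foreign-script
# signature and the sample page body below are this example's own assumptions.

# Check 1: try to create a directory whose name begins with a digit.
# Returns 0 (clean) if mkdir works, 1 (suspect) if it is refused.
check_numeric_mkdir() {
    dir="${TMPDIR:-/tmp}/1_rootkit_check_$$"
    if mkdir "$dir" 2>/dev/null; then
        rmdir "$dir"
        echo "clean: mkdir of $dir succeeded"
        return 0
    fi
    echo "SUSPECT: mkdir of $dir was refused"
    return 1
}

# Check 2: read HTML on stdin and print every absolute script source host that
# is not $1 (the hostname this server legitimately serves).
# Relative script paths are ignored; $1 is used as a regex, so dots match any
# character, which is good enough for a hostname.
find_foreign_scripts() {
    own_host="$1"
    sq="'"
    grep -Eio "<script[^>]*src=[\"$sq][^\"$sq]+" \
      | grep -Eio "https?://[^/\"$sq]+" \
      | grep -Eiv "^https?://$own_host\$" \
      | sort -u
}

# Constructed sample body: one relative script, one first-party script and one
# injected tag pointing at a reserved example host (.invalid).
SAMPLE_BODY='<html><head>
<script src="/js/site.js"></script>
<script src="http://www.example.com/js/menu.js"></script>
<script type="text/javascript" src="http://evil.invalid/x.js"></script>
</head><body>hello</body></html>'

# Stand-alone run: print the mkdir verdict and the foreign hosts in the sample.
check_numeric_mkdir
printf '%s\n' "$SAMPLE_BODY" | find_foreign_scripts www.example.com
```

To run the second check against live traffic the way unixfool describes, pipe tcpdump's ASCII dump through it, for example `tcpdump -A -s 0 -i eth0 'tcp port 80' | find_foreign_scripts www.example.com` (-A prints payloads as text, -s 0 keeps whole packets). A script tag split across two TCP segments will not match a line-based grep, so a hit is evidence but a miss is not a clean bill of health.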

farslayer 01-28-2008 10:56 AM

http://blog.cpanel.net/?p=31

I thought this was rather interesting..

Quote:

While this compromise is not believed to be specific to systems running cPanel® software, cPanel has worked with a number of hosting providers and server owners to investigate this compromise.

The cPanel Security Team has recognized that the vast majority of affected systems are initially accessed using SSH with no indications of brute force or exploitation of the underlying service. Despite non-trivial passwords, intermediary users and nonstandard ports, the attacker is able to gain access to the affected servers with no password failures.
The cPanel security team also recognized that a majority of the affected servers come from a single undisclosed data-center. All affected systems have password-based authentication enabled. Based upon these findings, the cPanel security team believes that the attacker has gained access to a database of root login credentials for a large group of Linux servers.
Amazing how slowly information is coming out on this.... even SANS ISC hasn't had much info
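The cPanel findings quoted above (successful SSH logins with no password failures, password authentication enabled on every affected host) suggest two things an admin can do right away. As an added example, not cPanel's or any poster's code: first, pull out of the sshd log every password login that was accepted with no earlier failed attempt from the same source address, which is exactly the pattern cPanel describes; second, audit sshd_config for the settings that make a leaked root password sufficient on its own. The log lines and the two config snippets are constructed for the example, and treating an unset option as weak is the example's own conservative assumption.

```shell
#!/bin/sh
# Added example prompted by the cPanel findings quoted above; it is not cPanel's
# or any poster's code. Two checks: (1) pick out password logins that were
# accepted with no earlier failed attempt from the same source IP, the pattern
# cPanel describes, from sshd log lines; (2) audit an sshd_config for the
# settings that make a leaked root password sufficient on its own.
# The log lines and config snippets below are constructed for the example.

# Print "<user> <ip>" for every "Accepted password" login whose source IP had no
# "Failed password" entry earlier in the log.
first_try_password_logins() {
    awk '
        $6 == "Failed" && $7 == "password" {
            for (i = 1; i <= NF; i++) if ($i == "from") failed[$(i + 1)] = 1
        }
        $6 == "Accepted" && $7 == "password" {
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            if (!(ip in failed)) print $9, ip
        }'
}

# Read an sshd_config on stdin. Returns 1 (weak) if password authentication or
# root login is enabled or left unset; 0 otherwise. Treating an unset value as
# weak is this example's conservative assumption, not an OpenSSH default.
audit_sshd_config() {
    awk '
        tolower($1) == "passwordauthentication" { pa = tolower($2) }
        tolower($1) == "permitrootlogin"        { prl = tolower($2) }
        END {
            rc = 0
            if (pa == "" || pa == "yes") {
                print "WEAK: PasswordAuthentication " (pa == "" ? "unset" : pa); rc = 1
            }
            if (prl == "" || prl == "yes") {
                print "WEAK: PermitRootLogin " (prl == "" ? "unset" : prl); rc = 1
            }
            if (rc == 0) print "ok: password and root logins disabled"
            exit rc
        }'
}

# Constructed sshd log: a root login from 203.0.113.45 that succeeded on the
# first attempt, and one from 192.0.2.88 preceded by two failures. Only the
# first matches the "no password failures" pattern and is worth investigating.
SAMPLE_AUTH_LOG='Jan 20 03:14:02 web1 sshd[2210]: Accepted password for root from 203.0.113.45 port 51234 ssh2
Jan 20 03:14:40 web1 sshd[2231]: Accepted publickey for deploy from 198.51.100.7 port 40122 ssh2
Jan 21 11:02:17 web1 sshd[3309]: Failed password for root from 192.0.2.88 port 60001 ssh2
Jan 21 11:02:20 web1 sshd[3309]: Failed password for root from 192.0.2.88 port 60001 ssh2
Jan 21 11:02:25 web1 sshd[3309]: Accepted password for root from 192.0.2.88 port 60001 ssh2'

# Weak configuration modelled on the quote (non-standard port, but password
# auth and root login still on), beside the corrected one.
WEAK_SSHD_CONF='Port 2222
PermitRootLogin yes
PasswordAuthentication yes'
HARDENED_SSHD_CONF='Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes'

# Stand-alone run.
printf '%s\n' "$SAMPLE_AUTH_LOG" | first_try_password_logins
printf '%s\n' "$WEAK_SSHD_CONF" | audit_sshd_config
printf '%s\n' "$HARDENED_SSHD_CONF" | audit_sshd_config
```

On a real host run the first function over the whole auth log (`cat /var/log/auth.log* | first_try_password_logins`, or /var/log/secure on Red Hat style systems), because a single first-try root login from an address you do not recognise is the one thing the cPanel quote says the affected servers had in common. Moving sshd to a non-standard port, as the quote notes, did not help those servers; disabling password authentication would have.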

PatrickNew 01-28-2008 01:30 PM

Quote:

the cPanel security team believes that the attacker has gained access to a database of root login credentials for a large group of Linux servers.
And who exactly is keeping such a database? If it were within a single organization, I might be able to understand, but this worm has hit multiple organizations. Is cPanel saying it believes the sysadmins for various organizations have allowed their root passwords to be indexed in a third party database? I have a hard time believing that any sane admin would do that.

aus9 01-28-2008 10:38 PM

FYI

http://servertune.com/kbase/entry/258/
http://www.linux.com/feature/125548

