From: Additya on 17 Dec 2009 04:38

Linux gurus have always vouched for the safety and security of Linux - especially Linux running as servers. However, now after a developer named Denis Sinegubko has published his findings, they may just have to ponder over their words.

According to Denis, the Linux servers can be infected to be used in a botnet used to distribute malware.

For more... http://www.ezdia.com/Can_Linux_servers_Infected_%253F/Content.do?id=691
From: Dave Farrance on 17 Dec 2009 05:21

Additya <addy.ind(a)gmail.com> wrote:

>Linux gurus have always vouched for the safety and security of Linux -
>especially Linux running as servers. However, now after a developer
>named Denis Sinegubko has published his findings, they may just have
>to ponder over their words.
>
>According to Denis, the Linux servers can be infected to be used in a
>botnet used to distribute malware.
>
>For more... http://www.ezdia.com/Can_Linux_servers_Infected_%253F/Content.do?id=691

Which points to http://blog.unmaskparasites.com/2009/09/11/dynamic-dns-and-botnet-of-zombie-web-servers/

It seems that the servers probably aren't "infected" as by a virus, but that they were probably individually hacked. The report says that some legitimate commercial web sites have had a minimal web server (nginx) installed to serve malware on port 8080 (in addition to the main Apache server on port 80), which suggests that hackers had access to the root password.

The writer goes on to say that the local computers of the server administrators might have been infected with spyware that steals credentials.

So nobody knows what the actual vulnerability is.

--
Dave Farrance
From: Denis McMahon on 17 Dec 2009 05:45

Dave Farrance wrote:

> It seems that the servers probably aren't "infected" as by a virus, but
> that they were probably individually hacked. The report says that some
> legitimate commercial web sites have had a minimal web-server (nginx)
> installed to serve malware on port 8080 (in addition to the main Apache
> server on port 80), which suggests that hackers had access to the root
> password.

I think you only need root for ports below 1024.

This could be some sort of code injection exploit? Injecting code could be enough to run a process as an unpriv user that (a) grabbed a copy of a script from "somewhere else" and (b) ran that script as an unpriv user and grabbed a higher numbered port. Could be something as simple as using a quote character in a form input field.

This is a poorly set up DMZ vulnerability. If everything gets forwarded by your router to your DMZ box, and your DMZ box gets exploited, then it can operate as a server under hostile control. If your router only forwards the ports you want to accept connections on to your DMZ server, that might prevent the processes operating on your DMZ. Might not protect you from other exploits though.

Rgds

Denis McMahon
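As an added example (not code from any poster in this thread), the kind of check the two posts above suggest a defender would run: parse `ss -ltnp` output, flag any listener that is not on an allowlist of expected services, and note whether that port needed root to bind. The allowlist and the sample `ss` output are constructed assumptions; the rogue nginx on 8080 mirrors the report Dave quotes, and the sub-1024 test is Denis's point about unprivileged ports.

```python
import re
from collections import namedtuple

Listener = namedtuple("Listener", "proto addr port proc pid")

# Assumed baseline for a typical LAMP host: sshd on 22, Apache on 80/443.
# Anything else (or a different process on an allowed port) gets flagged.
EXPECTED = {("tcp", 22, "sshd"), ("tcp", 80, "apache2"), ("tcp", 443, "apache2")}

# Constructed sample of `ss -ltnp` output, not captured from a real host.
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       511     *:80                 *:*                users:(("apache2",pid=1201,fd=4))
LISTEN  0       511     *:443                *:*                users:(("apache2",pid=1201,fd=6))
LISTEN  0       511     0.0.0.0:8080         0.0.0.0:*          users:(("nginx",pid=4410,fd=5))
"""

# One LISTEN row: local addr:port, peer, then the first process in users:(...)
LINE_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)",pid=(\d+)'
)

def parse_ss(text):
    """Turn LISTEN rows of `ss -ltnp` output into Listener tuples."""
    found = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            addr, port, proc, pid = m.groups()
            found.append(Listener("tcp", addr, int(port), proc, int(pid)))
    return found

def unexpected_listeners(listeners, expected=EXPECTED):
    """Listeners whose (proto, port, process) is not in the allowlist.
    A different process name on an allowed port is flagged too, since a
    swapped-in binary on port 80 would look exactly like that."""
    return [l for l in listeners if (l.proto, l.port, l.proc) not in expected]

def needs_root(listener):
    """Only ports below 1024 are privileged on Linux, so a rogue listener
    on 8080 does not by itself prove the attacker had root."""
    return listener.port < 1024

if __name__ == "__main__":
    for l in unexpected_listeners(parse_ss(SAMPLE_SS)):
        print(f"unexpected: {l.proc} (pid {l.pid}) on {l.addr}:{l.port}, "
              f"privileged port: {needs_root(l)}")
```

On a live host, feed the function the real output of `ss -ltnp` (or `netstat -ltnp` with an adjusted regex) and compare against the services that box is actually supposed to run.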
From: Martin Gregorie on 17 Dec 2009 10:30

On Thu, 17 Dec 2009 10:45:19 +0000, Denis McMahon wrote:

> This could be some sort of code injection exploit? Injecting code could
> be enough to run a process as an unpriv user that (a) grabbed a copy of
> a script from "somewhere else" and (b) run that script as an unpriv user
> and grab a higher numbered port.
>

It is. The exploit is said to be the injection of infected <iframe> structures into web pages hosted using nginx. IOW it seems to be a vulnerability in a minority web server I, for one, had never heard of.

A quick search shows that nginx is a lightweight, high performance web server/reverse proxy and e-mail (IMAP/POP3) proxy. According to Netcraft it's the number 4 web server, with 6.4% of the installed population.

--
martin@   | Martin Gregorie
gregorie. | Essex, UK
org       |
From: Gordon Henderson on 17 Dec 2009 10:57

In article <-dWdnSyrK42jj7fWnZ2dnUVZ8hhi4p2d(a)brightview.co.uk>, anahata <anahata(a)treewind.co.uk> wrote:

>
>"Ponder their words" indeed...
>I have yet to meet any Linux user as complacent about security as he
>suggests.

Sadly, I have, and we're going to see more as the year of Linux on the desktop approaches...

We've already had malware embedded in screen savers for example - a very popular attack vector for Windows PCs...

There's also malware/attacks on the server side too - not so much the actual server software of apache/mysql/php/perl, etc. but the applications written in perl, php, etc. Many large packages have had (or still have) vulnerabilities of some kind or other that allow remote people to upload and execute arbitrary code on the server - even if it's just running in user mode rather than root mode, it can still do damage - send spam, DDOS sites, etc.

Gordon