Malware Attack Infected 25,000 Linux/UNIX Servers

Soulskill posted about 8 months ago | from the sudo-configure-your-stuff-properly dept.

Security 220

wiredmikey writes "Security researchers from ESET have uncovered a widespread attack campaign that has infected more than 25,000 Linux and UNIX servers around the world. The servers are being hijacked by a backdoor Trojan as part of a campaign the researchers are calling 'Operation Windigo.' Once infected, victimized systems are leveraged to steal credentials, redirect web traffic to malicious sites and send as many as 35 million spam messages a day. 'Windigo has been gathering strength, largely unnoticed by the security community, for more than two and a half years and currently has 10,000 servers under its control,' said Pierre-Marc Bureau, security intelligence program manager at ESET, in a statement.

There are many misconceptions around Linux security, and attacks are not something only Windows users need to worry about. The main threats facing Linux systems aren't zero-day vulnerabilities or malware, but things such as Trojanized applications, PHP backdoors, and malicious login attempts over SSH. ESET recommends webmasters and system administrators check their systems to see if they are compromised, and has published a detailed report presenting the findings and instructions on how to remove the malicious code if it is present."


next they will say Mac's get viruses (4, Funny)

alen (225700) | about 8 months ago | (#46520763)

April fools is here early

From the Article (5, Informative)

Anonymous Coward | about 8 months ago | (#46520869)

From the Article

No vulnerabilities were exploited on the Linux servers; only stolen credentials were leveraged.
We conclude that password-authentication on servers should be a thing of the past

http://www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf

Nuff said.

Re:From the Article (-1, Offtopic)

sexconker (1179573) | about 8 months ago | (#46520895)

From the Article

No vulnerabilities were exploited on the Linux servers; only stolen credentials were leveraged.
We conclude that password-authentication on servers should be a thing of the past

http://www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf

Nuff said.

What other fucking form of authentication is there? Certs? Those are just strings - like a password. Encrypted certs? What are you encrypting them with?

It all comes down to a secret someone has to know. Call it a key, a cert, a token, whatever, it's a fucking password at the end of the day.

Re:From the Article (5, Informative)

bvanheu (1028050) | about 8 months ago | (#46520933)

What other fucking form of authentication is there? Certs? Those are just strings - like a password. Encrypted certs? What are you encrypting them with?

It all comes down to a secret someone has to know. Call it a key, a cert, a token, whatever, it's a fucking password at the end of the day.

If you're auth'ing with a username / password on an infected server you're actually *sending* your credentials to the server. This is not the case with cert auth, especially when you use ssh-agent to hop to other servers.

Re:From the Article (1)

nobuddy (952985) | about 8 months ago | (#46521693)

DoD uses SmartCard certs + password for login. It is a little different to set up, but works perfectly fine. And getting in requires you to get the card AND the password. The card will lock itself permanently after 3 failed attempts, BTW.

Downside: multiple physical logins are impossible. However, remote access does the trick nicely.

Re:From the Article (1)

ls671 (1122017) | about 8 months ago | (#46521947)

Could you please come meet me first thing in the morning?

-your field supervisor

Re:From the Article (0)

ls671 (1122017) | about 8 months ago | (#46522023)

your credentials to the server. This is not the case with cert auth,

More precisely said: your private key is never sent to the server. That's why it is called "private".

Because even when using a client cert to auth, your credentials are indeed sent to the server. Otherwise, how could the server auth you?

Re:From the Article (0)

Narcocide (102829) | about 8 months ago | (#46521039)

Yeah, let's see you brute-force a 2048 character password.

Re: From the Article (1)

Kichigai Mentat (588759) | about 8 months ago | (#46521607)

Less, actually. Most are 2048 bit, not byte.

Re: From the Article (1)

ls671 (1122017) | about 8 months ago | (#46522005)

I guess his point was that you usually need a passphrase to make a private key usable. Unless the private key is not password protected. At the end of the day, private key + password protected key is most often recommended.

You know *nothing* about security (5, Informative)

cbhacking (979169) | about 8 months ago | (#46521081)

Um, no, You're *FULL* of bullshit if you talk about certs that way. You obviously don't have a clue.

Key differences between public key auth ("certs") and password auth (no particular order):
1) You can re-use your public key with multiple sites and even if one of them is actively malicious, it doesn't help them break into the others. Not so with passwords.
2) Passwords, or at least verifiers for them, must be stored by all sites you use the password with. Public keys don't do an attacker any good at all even if they compromise a service on which you used the same credentials as their real target.
3) Public/Private keypairs are automatically generated by programs that filter the results for security. Passwords are often generated by people who don't know a thing about security (like some /. users I know...).
4) Passwords are short, intended to be remembered and typed. Asymmetric keys are long, meant to be transported as files (or certificate blobs). The former is vastly easier to brute force (an extremely strong password might take weeks on typical commodity hardware but most would only take minutes) than the latter (factoring some sub-1024-bit RSA public keys - weaker than any in serious use today - has been an open challenge for *years* and the best we've managed before required the resources of a university supercomputer working for weeks).
5) Public Key Infrastructure certificates include mechanisms like expiration and revocation. Passwords have no such protection and must be manually changed or reset in the event of a potential compromise.
6) Private keys can (and should be) protected with passwords, making them in effect a form of two-factor authentication (you HAVE the key, you KNOW its password). Passwords are a single factor.
7) A password gets much harder to use as its length increases, and the strength doesn't always increase as a factor of length because long passphrases are more likely to be generated with predictable rules to aid memorization. Public keys can be made thousands of times as strong without making them any less convenient for the user (aside from an increase in the one-time generation time, a slight increase in authentication time, and a bit more bandwidth used).
8) A password is, almost by definition, short enough to memorize or at least write down in a reasonable time. Very few humans could ever manage to memorize even a 1024-bit key pair; anything much stronger is right out. Calling it "a secret someone has too[sic] know" is simple idiocy.
9) Certificates can be used over unsecured connections (in fact, they're how we establish secure connections). Passwords sort-of can (SRP) but the typical usage of them requires a protected channel as an eavesdropper otherwise can steal your credentials, and SRP requires that the password be communicated to the server out-of-band (typically over a connection secured with public key crypto...)

Don't get me wrong, passwords have advantages (mostly in matters of convenience at a cost to security, but a secure system that is so inconvenient to use that nobody ever does so isn't any better than no system at all). I'm not saying we should do away with them. It was just painful to read the complete nonsense in your post, and I felt I had to set the record straight lest some other ignorant fool mistakenly believe you to know what you're talking about.
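A worked version of the point this thread keeps circling (the private key never leaves the client; what crosses the wire is a signature over a fresh challenge), added here as example code and not taken from the thread or from ESET. A "backdoored" server logs everything it receives, and a second server accepting the same user shows what the harvested material is good for. The signature scheme is a textbook Schnorr signature over a tiny demonstration group chosen so the script runs on the standard library alone; the group parameters, the `Server` class, its `captured` log and the `demo` function are all constructed for this example, and SSH itself uses RSA/ECDSA/Ed25519 keys of real size.

```python
"""Added example (not code from the thread or from ESET): a challenge-response
login next to a password login, both run against a "backdoored" server that
logs what it receives, to show what each scheme leaks.

Signature scheme: textbook Schnorr over a tiny demonstration group
(P = 2039, Q = 1019, G = 4) so it runs with the standard library alone.
The parameters are illustrative only; SSH uses RSA/ECDSA/Ed25519 keys.
"""
import hashlib
import hmac
import os
import secrets

P, Q, G = 2039, 1019, 4          # toy group: Q prime, P = 2Q + 1, G has order Q


def _hash(*parts: bytes) -> int:
    return int.from_bytes(hashlib.sha256(b"|".join(parts)).digest(), "big")


def keygen():
    """Private key x stays on the client; only y = G^x is handed to servers."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def sign(x: int, msg: bytes):
    k = secrets.randbelow(Q - 1) + 1
    r = pow(G, k, P)
    e = _hash(r.to_bytes(2, "big"), msg)
    s = (k + x * e) % Q
    return e, s


def verify(y: int, msg: bytes, sig) -> bool:
    e, s = sig
    r = (pow(G, s, P) * pow(y, Q - e % Q, P)) % P   # G^s * y^-e == G^k
    return _hash(r.to_bytes(2, "big"), msg) == e


class Server:
    """Holds a password verifier and the user's public key.  `captured` is what
    an Ebury-style backdoor inside sshd would be able to log and reuse."""

    def __init__(self, pw_hash: bytes, pubkey: int):
        self.pw_hash, self.pubkey = pw_hash, pubkey
        self.captured = []
        self.nonce = None

    def password_login(self, password: bytes) -> bool:
        self.captured.append(("password", password))          # the secret itself
        return hmac.compare_digest(hashlib.sha256(password).digest(), self.pw_hash)

    def challenge(self) -> bytes:
        self.nonce = os.urandom(16)                             # fresh per session
        return self.nonce

    def pubkey_login(self, sig) -> bool:
        self.captured.append(("signature", sig))               # a one-time proof
        return verify(self.pubkey, self.nonce, sig)


def demo():
    """Return (password_replay_ok, signature_replay_ok) for a second server that
    accepts the same user: True means the harvested item logged in there too."""
    x, y = keygen()
    password = b"correct horse battery staple"
    pw_hash = hashlib.sha256(password).digest()   # demo only; use a slow KDF for real

    compromised, other = Server(pw_hash, y), Server(pw_hash, y)

    assert compromised.password_login(password)
    stolen_pw = compromised.captured[-1][1]
    password_replay = other.password_login(stolen_pw)

    assert compromised.pubkey_login(sign(x, compromised.challenge()))
    stolen_sig = compromised.captured[-1][1]
    other.challenge()
    signature_replay = other.pubkey_login(stolen_sig)
    return password_replay, signature_replay


if __name__ == "__main__":
    print(demo())   # (True, False)
```

The harvested password logs straight in on the second server; the harvested signature is bound to the first server's nonce and is rejected. Note what the public-key path does not protect against: an attacker who has the private key file itself (a stolen laptop, a key pushed to a public repo), which is exactly why the thread's advice to passphrase-protect the key on disk stands.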

Yo! Yo! Re:You know *nothing* about security (-1)

Anonymous Coward | about 8 months ago | (#46521333)

This "and SRP requires that the password be communicated to the server" is not baloney. The server has no use for the password. None at all. The server has the verifier, not the password. I offer this as a public service to clear out your misinformation. I won't bother dissecting your other crap. Notice I didn't drop to your level and write bullshit.

Re:You know *nothing* about security (1)

Srin Tuar (147269) | about 8 months ago | (#46521465)

>8) A password is, almost by definition, short enough to memorize or at least write down in a reasonable time. Very few humans could ever
>manage to memorize even a 1024-bit key pair; anything much stronger is right out. Calling it "a secret someone has too[sic] know" is
>simple idiocy.

I think you are overestimating this a bit; a 1024 bit RSA key is worth about 80 bits of password strength.

an 80 bit password is really not too hard to memorize.

Here is an example: "held boat upon toward fish party long trade"

This is made by generating random bits, then looking up words from a word list to correspond. Assuming the attacker knows the exact algorithm, it's ~85 bits of entropy.

A human is much less good at choosing a random password, but memorizing one is pretty easy.

Re:You know *nothing* about security (1)

ls671 (1122017) | about 8 months ago | (#46522039)

Well I guess this is obligatory:

https://xkcd.com/936/ [xkcd.com]

Re:You know *nothing* about security (1)

twistedcubic (577194) | about 8 months ago | (#46521493)

A correction:

6) Private keys can (and should be) protected with passwords, making them in effect a form of two-factor authentication (you HAVE the key, you KNOW its password). Passwords are a single factor.

The authentication tokens in "two-factor" authentication should be independent, and both should be required for access. Encrypting a key does not increase the number of tokens required for authentication.

Re:You know *nothing* about security (3, Insightful)

Baloroth (2370816) | about 8 months ago | (#46521551)

4) Passwords are short, intended to be remembered and typed. Asymmetric keys are long, meant to be transported as files (or certificate blobs). The former is vastly easier to brute force (an extremely strong password might take weeks on typical commodity hardware but most would only take minutes)

This bit is false: an extremely strong password still cannot be brute forced (once you get over ~10 characters long, even an Amazon E3 instance [arstechnica.com] starts taking unrealistic times to brute force it). Most password cracking, even GPU powered, relies on passwords being either short or sufficiently non-random.

Good advice that should be repeated (2)

dbIII (701233) | about 8 months ago | (#46521633)

From above:
Private keys can (and should be) protected with passwords
Far too many of the people that think security only means "use keys not passwords" forget that it's a damn good idea to have a password on the key. Having the password on the key means that if someone steals a laptop or USB stick with the key on it they still can't get in.

Re:You know *nothing* about security (0)

Anonymous Coward | about 8 months ago | (#46521851)

Um, no, You're *FULL* of bullshit if you talk about certs that way. You obviously don't have a clue.

I don't think you realize how full of it and how oblivious the poster is you are replying to. It is bad enough to come across some of the face-palm worthy posts on Slashdot that combine confidence with ignorance, but then to realize it is the same person that did it on the last couple stories you read that day, or over dozens of times over the last couple weeks. At least this time you got modded up instead, as there seems to be a few posters that depend on getting modded up and staying up from inertia, even though they are consistently blatantly wrong on many subjects.

Re:From the Article (1)

Anonymous Coward | about 8 months ago | (#46521085)

From the Article

No vulnerabilities were exploited on the Linux servers; only stolen credentials were leveraged.
We conclude that password-authentication on servers should be a thing of the past

http://www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf

Nuff said.

What other fucking form of authentication is there? Certs? Those are just strings - like a password. Encrypted certs? What are you encrypting them with?

It all comes down to a secret someone has to know. Call it a key, a cert, a token, whatever, it's a fucking password at the end of the day.

do you have any idea how cert auth works? you have to sign the auth request with your private key, so the key itself never goes across the wire.

Re:From the Article (1)

sjames (1099) | about 8 months ago | (#46521337)

Not all are created equal. For example, an SSH key will be a lot harder to crack than a regular password.

Re:From the Article (0)

Anonymous Coward | about 8 months ago | (#46521775)

From the Article

No vulnerabilities were exploited on the Linux servers; only stolen credentials were leveraged.
We conclude that password-authentication on servers should be a thing of the past

http://www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf

Nuff said.

What other fucking form of authentication is there? Certs? Those are just strings - like a password. Encrypted certs? What are you encrypting them with?

It all comes down to a secret someone has to know. Call it a key, a cert, a token, whatever, it's a fucking password at the end of the day.

Wow, you are a fucking moron.

Re:From the Article (1)

gmuslera (3436) | about 8 months ago | (#46521375)

Maybe those credentials were posted on github [forbes.com] by devs and then scraped from there. Or from Google; there are a bunch of id_rsa files that pop up with trivial searches.

Anyway, 25,000 Linux/UNIX servers looks like a very low number, considering the 500,000,000 servers running Apache or nginx [netcraft.com], even with multiple domains hosted on a lot of them.

Re:From the Article (1)

gweihir (88907) | about 8 months ago | (#46521825)

Well, with only 25k infected, these may well just be really bad passwords.
I conclude that password authentication on servers is alive and well, as long as done right.

Re:next they will say Mac's get viruses (3, Informative)

meerling (1487879) | about 8 months ago | (#46520927)

They do, no joke, and they have for many years.
Back in the late 90s, Macs had over 1000 viruses, Linux less than 10. (It's been a few years, I forget the exact numbers.)

Did those infections occur a lot? No, but it did happen sometimes.
After all, there's a huge benefit to NOT being the most common user OS. Those scum writing the malware usually want to hit as many victims as possible, and if there's an OS that has 70% or more of the desktops out there, it's pretty obvious what they will aim for.

If you want to continue to believe marketing and fanboys, that's up to you, but don't be surprised when you get infected by some kind of malware for not taking the proper precautions because you believe in computing myths and the protective power of obscurity is magically unbeatable.

By the way, I've done the tech support, and have seen the reality, this isn't just some random opinion. If you don't believe me, that's your problem.

Re:next they will say Mac's get viruses (0)

Anonymous Coward | about 8 months ago | (#46521013)

There is malware for TempleOS, really?

Re: next they will say Mac's get viruses (0)

Anonymous Coward | about 8 months ago | (#46521319)

Templeos is kind of a useless operating system, outside of an educational setting.

Re:next they will say Mac's get viruses (3, Informative)

MikeMo (521697) | about 8 months ago | (#46521253)

You do know that the OS back then is a completely different base than OSX? That OSX is FreeBSD based and OS9 (the one back in the late 90's) was based on the original Mac OS from 1984? That there's no relationship AT ALL between the OS's? And so there is no relationship between what viruses may have occurred on Macs in the 90's and Macs of today?

Re:next they will say Mac's get viruses (0)

Anonymous Coward | about 8 months ago | (#46521473)

That's because primarily Linux is used in servers and propagating viruses between servers is difficult, you don't have a user there (usually running as root/admin) to download files, open attachments, browse the web, etc. So when you want to attack Linux you don't do it with a virus, you do it with a tailored attack for that server which might be through a hole in its userland software and then exploiting a Linux privilege escalation bug (one of those existed in Linux for over a decade!) or perhaps a social engineering attack on the admin.

Re:next they will say Mac's get viruses (1)

Trax3001BBS (2368736) | about 8 months ago | (#46522103)

They do, no joke, and they have for many years.
Back in the late 90s, Macs had over 1000 viruses, Linux less than 10. (It's been a few years, I forget the exact numbers.)

Oh yeah, it was awful for them. It was: you purchased a Mac, learned to program and wrote viruses; or so it seemed was the path of a Mac user.

If I had to have a favorite virus it would have been the Mac Energizer Bunny: while the Bunny banged a drum and rolled across the bottom of your screen, your hard drive was being formatted.

One friend mentioned that one at a time the letters on his display would just fall down and into a pile at the bottom of the display.

It wasn't the OS to run.

Re: next they will say Mac's get viruses (0)

Anonymous Coward | about 8 months ago | (#46521151)

I think the security risk in Linux is real. But I cannot believe that it went this long without anybody knowing about it.

FreeBSD 9.1 (1)

approachingZero (1365381) | about 8 months ago | (#46520769)

I get 'Ambiguous output redirect.' with:

$ ssh -G 2>&1 | grep -e illegal -e unknown > /dev/null && echo "System clean" || echo "System infected"

FreeBSD 9.1-RELEASE-p7 FreeBSD 9.1-RELEASE-p7

Is FreeBSD at risk?

Re:FreeBSD 9.1 (4, Informative)

Kardos (1348077) | about 8 months ago | (#46520795)

Here's the complete check from http://www.welivesecurity.com/... [welivesecurity.com]

The command ssh -G has a different behaviour on a system with Linux/Ebury. A clean server will print

ssh: illegal option -- G

to stderr but an infected server will only print the typical “usage” message. One can use the following command to determine if the server he is on is compromised:

$ ssh -G 2>&1 | grep -e illegal -e unknown > /dev/null && echo "System clean" || echo "System infected"

Re:FreeBSD 9.1 (1)

cbhacking (979169) | about 8 months ago | (#46521097)

Hmm... mine prints "unknown option" (no use of the word "illegal") and then prints usage info.

Re:FreeBSD 9.1 (4, Informative)

bvanheu (1028050) | about 8 months ago | (#46521213)

OpenSSH 6+ will print "unknown option" instead of "illegal option", hence the "grep -e illegal -e unknown" ;)
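The ESET one-liner quoted above, with the "illegal" versus "unknown option" wording difference just explained, rewritten as a small script so the classification can be read and checked against captured output rather than a grep exit status. This is added example code, not ESET's tool or anything from the thread. Two practitioner caveats are built in. First, the "Ambiguous output redirect" error reported earlier in this sub-thread is csh/tcsh (FreeBSD's default root shell) refusing the Bourne-style `2>&1`; the one-liner has to be run under `sh -c '...'` there. Second, OpenSSH 6.8 (March 2015) made `-G` a real option, and with no destination host such an ssh prints only the usage text, which the heuristic reads as "infected"; the script therefore reports "inconclusive" for 6.8 and later rather than a false positive. The sample outputs and version strings are constructed, and `run_check` is the only part that touches the real `ssh` binary.

```python
"""Added example, not ESET's tool: ESET's `ssh -G` heuristic for Linux/Ebury as a
readable classifier, plus the two caveats a practitioner runs into.

  * OpenSSH < 6.0 prints  "ssh: illegal option -- G"
  * OpenSSH 6.0 .. 6.7    "ssh: unknown option -- G"
  * an Ebury-patched ssh  prints only the usage text
  * OpenSSH >= 6.8        -G is a real option, and with no host given a clean
                          ssh also prints only usage, so the test is void there.
"""
import re
import subprocess

CLEAN_MARKERS = ("illegal option", "unknown option")


def openssh_version(v_output: str):
    """(major, minor) from `ssh -V` text such as 'OpenSSH_6.6.1p1 ...', else None."""
    m = re.search(r"OpenSSH_(\d+)\.(\d+)", v_output)
    return (int(m.group(1)), int(m.group(2))) if m else None


def classify(g_output: str, v_output: str) -> str:
    """Return 'clean', 'suspect' or 'inconclusive' for captured `ssh -G 2>&1` text."""
    ver = openssh_version(v_output)
    if ver is not None and ver >= (6, 8):
        return "inconclusive"        # -G is accepted; usage-only output is normal
    if any(marker in g_output for marker in CLEAN_MARKERS):
        return "clean"
    return "suspect"                 # usage without an option error: ESET's indicator


def run_check() -> str:
    """Run the heuristic against the ssh binary on this host (Bourne-shell free:
    subprocess captures both streams itself, so no `2>&1` is needed)."""
    try:
        g = subprocess.run(["ssh", "-G"], capture_output=True, text=True)
        v = subprocess.run(["ssh", "-V"], capture_output=True, text=True)
    except FileNotFoundError:
        return "no ssh binary"
    return classify(g.stdout + g.stderr, v.stdout + v.stderr)


# Constructed samples of what the three kinds of ssh print; not captured from
# real hosts.
OLD_CLEAN = "ssh: illegal option -- G\nusage: ssh [-1246AaCfgKkMNnqsTtVvXxYy] [-b bind_address]\n"
MID_CLEAN = "ssh: unknown option -- G\nusage: ssh [-1246AaCfgKkMNnqsTtVvXxYy] [-b bind_address]\n"
USAGE_ONLY = "usage: ssh [-1246AaCfgKkMNnqsTtVvXxYy] [-b bind_address]\n"
V_OLD = "OpenSSH_5.9p1 Debian-5ubuntu1.4, OpenSSL 1.0.1 14 Mar 2012"
V_MID = "OpenSSH_6.6.1p1 Ubuntu-2ubuntu2, OpenSSL 1.0.1f 6 Jan 2014"
V_NEW = "OpenSSH_8.9p1 Ubuntu-3ubuntu0.6, OpenSSL 3.0.2 15 Mar 2022"

if __name__ == "__main__":
    for name, out, ver in (("5.9", OLD_CLEAN, V_OLD), ("6.6", MID_CLEAN, V_MID),
                           ("6.6 patched", USAGE_ONLY, V_MID), ("8.9", USAGE_ONLY, V_NEW)):
        print(f"{name:12s} -> {classify(out, ver)}")
    print("this host   ->", run_check())
```

The "suspect" verdict is only ESET's indicator, not proof: a grep on the option error is a cheap first look, and an ssh binary that fails it should be compared against the package manager's checksums (`rpm -V openssh-clients`, `debsums openssh-client`) and, per ESET's advice, the host should be treated as needing a rebuild rather than a cleanup.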

Re:FreeBSD 9.1 (1)

udachny (2454394) | about 8 months ago | (#46521675)

/etc/pf.conf

.....
#SSH
pass in log inet proto tcp from any to $ext_if port ssh
pass out log inet proto tcp from any to $ext_if port ssh
pass log quick proto tcp from $SSH_ALLOW_IPs to $ext_if port ssh \
        flags S/SA keep state
pass log quick proto tcp from any to $ext_if port ssh \
        flags S/SA keep state \
        (max-src-conn 15, max-src-conn-rate 5/3, \
          overload <bruteforce> flush global)
.....

just saying...
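The pf fragment above throttles SSH connection attempts at the packet filter (the `max-src-conn-rate 5/3` overload into a table). The same threshold idea applied on the host, over sshd's own log lines, is shown below as an added example that is not from the thread or from ESET; it addresses the "malicious login attempts over SSH" the story summary names as a main threat. Unlike the packet filter it can see the one event that matters most in a credential-theft campaign: a password login that succeeds right after a burst of failures from the same source. The log lines are constructed in the standard sshd syslog format, and the thresholds, finding tags and `analyse` function are this example's own choices.

```python
"""Added example, not from the thread or ESET: host-side detection of SSH
password guessing over sshd syslog lines, with a sliding window of failures
per source address, a flag for attempts against root, and a flag for a
password login accepted after a burst (the guess worked).  The sample log is
constructed; thresholds and tag names are this example's own."""
import re
from collections import defaultdict, deque
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)

ROOT_ATTEMPT = "password-guessing-against-root"
BRUTE_FORCE = "brute-force-burst"
GUESSED = "password-accepted-after-burst"


def parse_line(line: str):
    """sshd auth line -> dict, or None for lines that are not login results."""
    m = LINE_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%b %d %H:%M:%S")   # syslog has no year
    return e


def analyse(lines, max_fail=5, window=60):
    """Return {source_ip: [finding tags]}; each tag is raised once per source."""
    events = sorted(filter(None, map(parse_line, lines)), key=lambda e: e["ts"])
    recent = defaultdict(deque)     # src -> failure timestamps inside the window
    flagged = defaultdict(set)
    findings = defaultdict(list)

    def raise_once(src, tag):
        if tag not in flagged[src]:
            flagged[src].add(tag)
            findings[src].append(tag)

    for e in events:
        src, ts = e["src"], e["ts"]
        q = recent[src]
        while q and (ts - q[0]).total_seconds() > window:
            q.popleft()                          # slide the window forward
        if e["result"] == "Failed":
            q.append(ts)
            if e["user"] == "root":
                raise_once(src, ROOT_ATTEMPT)
            if len(q) >= max_fail:
                raise_once(src, BRUTE_FORCE)
        elif e["method"] == "password" and BRUTE_FORCE in flagged[src]:
            raise_once(src, GUESSED)             # the attacker got in with a password
    return dict(findings)


SAMPLE_LOG = [  # constructed sample in sshd's syslog format, not real data
    "Mar 18 10:01:02 web1 sshd[1234]: Failed password for root from 203.0.113.5 port 51234 ssh2",
    "Mar 18 10:01:03 web1 sshd[1235]: Failed password for invalid user admin from 203.0.113.5 port 51235 ssh2",
    "Mar 18 10:01:04 web1 sshd[1236]: Failed password for root from 203.0.113.5 port 51236 ssh2",
    "Mar 18 10:01:05 web1 sshd[1237]: Failed password for invalid user oracle from 203.0.113.5 port 51237 ssh2",
    "Mar 18 10:01:06 web1 sshd[1238]: Failed password for deploy from 203.0.113.5 port 51238 ssh2",
    "Mar 18 10:01:09 web1 sshd[1240]: Accepted password for deploy from 203.0.113.5 port 51240 ssh2",
    "Mar 18 10:05:00 web1 sshd[1300]: Accepted publickey for deploy from 198.51.100.7 port 40000 ssh2: RSA SHA256:k0lzxgu1",
    "Mar 18 10:07:30 web1 sshd[1350]: Failed password for alice from 192.0.2.44 port 49000 ssh2",
    "Mar 18 10:08:00 web1 sshd[1400]: Connection closed by 192.0.2.44 port 50000 [preauth]",
]

if __name__ == "__main__":
    for src, tags in analyse(SAMPLE_LOG).items():
        print(src, tags)
```

A single typo from 192.0.2.44 produces nothing, the public-key login from 198.51.100.7 produces nothing, and 203.0.113.5 is reported three times over: for guessing against root, for the burst, and for the password login that then succeeded. That last tag is the one worth paging on, since the pf rule would have let that session through (it was well under the connection-rate limit) and ESET's point is that Windigo ran on stolen credentials, not exploits.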

Re:FreeBSD 9.1 (0)

Anonymous Coward | about 8 months ago | (#46521195)

If you are too busy to click the link in the summary that has your answer I'm too busy to tell you.

Re:FreeBSD 9.1 (1)

approachingZero (1365381) | about 8 months ago | (#46521349)

Thanks for the reply, very appreciated.

misconceptions about any type of security (1)

turkeydance (1266624) | about 8 months ago | (#46520773)

there just isn't any. at all.

Worthless (0)

Anonymous Coward | about 8 months ago | (#46520783)

TFA is useless as far as understanding the problem in a straightforward manner for 1. detecting an intrusion and 2. removing the malware.

Oh ok (0)

Anonymous Coward | about 8 months ago | (#46520785)

It was my understanding that nobody's ever denied that Linux servers have serious security concerns they typically need to address (as much as anybody running a server architecture does) and it was rather the Linux desktop folks who used the "security" of Linux in contrast to Windows to provide a case for how it might be "easier" for the casual user (since fewer viruses and all that)?

We're doomed! (1)

Anonymous Coward | about 8 months ago | (#46520803)

Da Google am confused? Your search - ssh -G 2>&1 | grep -e illegal -e unknown > /dev/null && echo "System clean" || echo "System ... - did not match any documents. It am hacked???!!!

Who'da thunk (4, Insightful)

sgt scrub (869860) | about 8 months ago | (#46520811)

A weak root password and public facing root SSH access is bad?

Managing a Linux box with a publicly facing web based interface bad?

Installing untested web based applications released as freeware with no idea what the code does is bad?

Re:Who'da thunk (0)

Anonymous Coward | about 8 months ago | (#46521107)

If it's bad why were they able to do it?

Re:Who'da thunk (0)

Anonymous Coward | about 8 months ago | (#46521159)

The ultra-rare trifecta woosh!

Congrats!

Re:Who'da thunk (1)

kernelfoobar (569784) | about 8 months ago | (#46521385)

If you don't know how to use a tool, don't blame the tool.

Let's say you don't know how to use a chef's knife, would you complain that it's too dangerous and nobody should use them because you can cut your fingers off?

Re:Who'da thunk (1)

myowntrueself (607117) | about 8 months ago | (#46521363)

A weak root password and public facing root SSH access is bad?

Managing a Linux box with a publicly facing web based interface bad?

Installing untested web based applications released as freeware with no idea what the code does is bad?

The analysis in the PDF suggests that the majority of passwords used in this were not weak.

Re:Who'da thunk (-1)

Anonymous Coward | about 8 months ago | (#46521981)

Well, then, it was in a pdf. Never mind then. Sure sign of correctness: PDF. No way no how anything ever suspicious ever happen in one of those. No risk of infection there, just solid, clean markup.

Re:Who'da thunk (3, Interesting)

dbIII (701233) | about 8 months ago | (#46521697)

I found out close to ten years ago that a weak password on any account on an internet facing machine that had been modified by an idiot for his own convenience is a bad idea on a machine with ssh access (lots of "chmod 777", including in /etc, is a sign of an idiot loose on a linux system). A workaround is to make sure that ssh access is limited to only those users that actually use it.
It's something to watch out for with IPv6 and all of us getting internet facing machines again - a firewall on the router is not enough to protect us from traffic on ports we want to pass through (unless we want to stop all incoming ssh or redirect it to the router - good in some circumstances but what if someone wants to log directly into their box while travelling?)

The state of Linux (4, Informative)

cold fjord (826450) | about 8 months ago | (#46520837)

Linux is now big enough with all the Android deployments on top of the server infrastructure that there is going to be increasing amounts of effort aimed at exploits. Unfortunately there is a lot of pressure to hurry applications to market and make upgrades to the OS. That means more pressure and opportunities to create exploitable errors. Unless both the Linux community and the application developers up their game we're going to be in the era of owned Linux handhelds and boxes.

Re:The state of Linux (-1)

Anonymous Coward | about 8 months ago | (#46520865)

Fuck off, you NSA apologist.

Re:The state of Linux (-1)

Anonymous Coward | about 8 months ago | (#46520899)

He isn't an apologist, paid people are called shills.

Re:The state of Linux (-1)

Anonymous Coward | about 8 months ago | (#46520921)

You're a shill?

Re: The state of Linux (0)

Anonymous Coward | about 8 months ago | (#46520963)

No. Just no. the reason this is not going to happen is simple.

Linux is changing at an unprecedented pace. All parts change frequently and thus badware which attacks those parts has much less time to run riot. Add to this the massive distro and version diversity of Linux running the internet/services and you get an almost worthless amount of attack vectors relative to targeting MS's ecosystem.

In short, the rewards for writing Linux badware are stupidly small in comparison to Windows badware.

Re: The state of Linux (2)

InvalidError (771317) | about 8 months ago | (#46521095)

The sort of blind trust you seem to have due to "Linux changing at an unprecedented rate" is probably the greatest security threat.

Interest in Linux malware is also increasing at unprecedented rates due to Android. For now, most efforts are focused on Android's JRE and trojanized hacked apps/games but it may only be a matter of time until they start seriously pursuing more difficult targets.

Re: The state of Linux (0)

Anonymous Coward | about 8 months ago | (#46521999)

All parts change frequently and thus badware which attacks those parts has much less time to run riot.

Absolute rubbish! See CVE-2012-0056 and CVE-2013-2094 for 2 quick critical examples, the latter existed in the kernel for over a decade. Not to mention that malware (on all platforms) is most often propagated by exploiting the user so unless you are breaking application compatibility "at an unprecedented pace" then this is just another way in which you have no idea what you are talking about so stop trying to lull people into a false sense of security with your ignorant bullshit. The only thing growing at an unprecedented pace is the amount of idiots like you who claim Linux is secure but have absolutely no knowledge of it whatsoever.

Re:The state of Linux (5, Funny)

Anonymous Coward | about 8 months ago | (#46521063)

I work as a consultant for several fortune 500 companies, and I think I can shed a little light on the climate of the open source community at the moment. I believe that part of the reason that open source based startups are failing left and right is not an issue of marketing as it's commonly believed but more of an issue of the underlying technology.

I know that that's a strong statement to make, but I have evidence to back it up! At one of the major corps(5000+ employees) that I consult for, we wanted to integrate Linux into our server pool. The allure of not having to pay any restrictive licensing fees was too great to ignore. I recommended the installation of several boxes running the new 2.4.9 kernel, and my hopes were high that it would perform up to snuff with the Windows 2k boxes which were(and still are!) doing an AMAZING job at their respective tasks of serving HTTP requests, DNS, and fileserving.

I consider myself to be very technically inclined having programmed in VB for the last 8 years doing kernel level programming. I don't believe in C programming because contrary to popular belief, VB can go just as low level as C and the newest VB compiler generates code that's every bit as fast. I took it upon myself to configure the system from scratch and even used an optimised version of gcc 3.1 to increase the execution speed of the binaries. I integrated the 3 machines I had configured into the server pool, and I'd have to say the results were less than impressive... We all know that linux isn't even close to being ready for the desktop, but I had heard that it was supposed to perform decently as a "server" based operating system. The 3 machines all went into swap immediately, and it was obvious that they weren't going to be able to handle the load in this "enterprise" environment. After running for less than 24 hours, 2 of them had experienced kernel panics caused by Bind and Apache crashing! Granted, Apache is a volunteer based project written by weekend hackers in their spare time while Microsoft's IIS has an actual professional full fledged development team devoted to it. Not to mention the fact that the Linux kernel itself lacks any support for any type of journaled filesystem, memory protection, SMP support, etc, but I thought that since Linux is based on such "old" technology that it would run with some level of stability. After several days of this type of behaviour, we decided to reinstall windows 2k on the boxes to make sure it wasn't a hardware problem that was causing things to go wrong. The machines instantly shaped up and were seamlessly reintegrated into the server pool with just one Win2K machine doing more work than all 3 of the Linux boxes.

Needless to say, I won't be recommending Linux/FSF to any more of my clients. I'm disappointed that they won't be able to leverage the free cost of Linux to their advantage, but in this case I suppose the old adage stands true that, "you get what you pay for." I would have also liked to have access to the source code of the applications that we're running on our mission critical systems; however, from the looks of it, the Microsoft "shared source" program seems to offer all of the same freedoms as the GPL.

As things stand now, I can understand using Linux in academia to compile simple "Hello World" style programs and learn C programming, but I'm afraid that for anything more than a hobby OS, Windows 98/NT/2K are your only choices.

thank you.

Re:The state of Linux (3, Funny)

Trogre (513942) | about 8 months ago | (#46521121)

Thank you for that delightful trip back to the year 2000. Tell me, did you warn them?

Re:The state of Linux (0)

Anonymous Coward | about 8 months ago | (#46521135)

A fortune 500 company is not a start up so your first two sentences do not go together.

I write best sellers so I can tell you why your meme you wrote is failing. Reword your meme to sound a little more believable and maybe you'll catch more people.

Re: The state of Linux (0)

Anonymous Coward | about 8 months ago | (#46521179)

Epic trolling here :)

Re:The state of Linux (0)

Anonymous Coward | about 8 months ago | (#46521231)

oh come on!! at least update the text, it's not 2002 anymore ...

As things stand now, I can understand using this old text in academia to troll simple people, but I'm afraid that for anything more than a hobby forum, APK is your only choice

Re:The state of Linux (1)

imatter (2749965) | about 8 months ago | (#46521307)

You did this in 2013/14 or is this some kind of time machine post from 2002? ah, this is a joke, I get it.

Re:The state of Linux (1)

imatter (2749965) | about 8 months ago | (#46521351)

I get it now, this is a plant for those guys looking for time travel evidence based on web data or maybe you're an NSA shill, fucking with the guys that are looking for time travel evidence on the web.

Oh and where did you get your Linux install was it one of the COMDEX Chicago discs of Suse. I think I still have one of those somewhere.

Obvious cluelessness is obvious (2, Insightful)

dbIII (701233) | about 8 months ago | (#46521749)

having programmed in VB for the last 8 years doing kernel level programming

Obvious red flag showing no clue about the topic - it's just buzzword bingo throwing impressive sounding verbiage around with a lack of understanding.

If it was a fanboy they really need to lift their game if they want to avoid other fanboys laughing at them.
If it was some "media studies" person acting as a paid social media shill then whoever paid them got ripped off.

Re:Obvious cluelessness is obvious (1)

colinrichardday (768814) | about 8 months ago | (#46522047)

Obvious red flag showing no clue about the topic - it's just buzzword bingo throwing impressive sounding verbiage around with a lack of understanding.

"VB" is impressive sounding verbiage?

Obvious joke obviously not so (0)

Anonymous Coward | about 8 months ago | (#46522083)

....woosh....

Re:The state of Linux (1)

cbhacking (979169) | about 8 months ago | (#46521161)

The truly typical Linux installations - that is, the ones found in TVs, set-top boxes, cable modems, routers, "smart" appliances, and so on - are configured extremely insecurely. There are typically remote management backdoors and such, but even if there aren't, the systems usually use horribly outdated software, have exposed (vulnerable) servers, and run everything as root. Serious exploit mitigations like SELinux are almost unheard-of.

Linux servers, assuming a competent admin, are generally very secure. Of course, these days, so are Windows servers (under the same assumptions). Trojans and vulnerable management tools are the preferred tools to attack either of those, and have been for years.

Phones and other consumer electronics that are "pseudo-computers" (meaning they are capable of general-purpose computing but are used as appliances) fall somewhere in between. Except in very rare cases, even a competent user isn't really a competent *admin*; how many people have audited their phones' drivers for security vulnerabilities? Mobile device OEMs near-universally suck at creating secure software, a problem that is seen all the time on Android (and on other mobile platforms). Often, there isn't an option that *doesn't* suck. On the other hand, the sandboxing of mobile apps makes it a lot harder to have a Trojan completely take them over.

Re:The state of Linux (1)

dbIII (701233) | about 8 months ago | (#46521761)

It's very disappointing since really secure little routers on ulinux led the way for these things.

Re:The state of Linux (4, Informative)

Anonymous Coward | about 8 months ago | (#46521259)

Except if you had read the report, you would realize that this is not about a security exploit, this is about stolen administrative credentials. No one is using new vulnerabilities in the Linux operating system. This is malware that works on *nix specifically, but what it ends up doing is not *nix specific - it simply steals passwords and uses them to manually propagate the infection.

In the end, the blame lies with server administrators running networks porous enough to be infected at deployment time, and who are not using two-factor auth to guard the keys to the castle. This isn't about the "Linux community" so much as it is about organizations and their admin practices.

Re:The state of Linux (0)

Anonymous Coward | about 8 months ago | (#46521891)

This is quite possibly the least informative post I've ever seen on /. The mods must be crazy!

Re:The state of Linux (0)

Anonymous Coward | about 8 months ago | (#46521983)

The Cold Fjord sockpuppet gets mod points from its government backers, mostly in banal postings like this. They're not controversial enough to attract attention in metamod.

This unpossible belief (-1)

Anonymous Coward | about 8 months ago | (#46520925)

?Firefox and this? Windows has infectious spread like aids in gay world.

Misconceptions My Ass (1)

organgtool (966989) | about 8 months ago | (#46520939)

There is not a single OS that is not vulnerable to a trojan. If this was a virus, drive-by download, or infection of a repository, then that would be disconcerting, but there will always be people who fall for trojans and the OS they use has little to do with it.

Re:Misconceptions My Ass (0)

Anonymous Coward | about 8 months ago | (#46520999)

Well, from what I could tell from the article they don't really know how this is spread. Could be user error, could be something else; just because they haven't found evidence of how it's spread doesn't mean that it doesn't spread automatically, it just means that if it spreads automatically the function for self replication is not stored at the same place as the library that harvests passwords. And with recent revelations from Snowden about malware hiding in firmware it's hard to be sure of things these days.

Re:Misconceptions My Ass (0)

Anonymous Coward | about 8 months ago | (#46521089)

Actually, the OS does have stuff to do with it - if it has the option to only run signed code, then the user can flick that switch and not be vulnerable to counterfeit, trojaned software. Linux currently has no such provision (package signatures are not the same, they don't check at run-time).

The big problem with Linux security. (3, Insightful)

MouseTheLuckyDog (2752443) | about 8 months ago | (#46521019)

The best locks in world, which Linux does come with, do not help if the door is left unlocked.
Microsoft OTOH has no doors.

The biggest threat to linux in the last five years has not been the architecture of linux, but the willingness of programmers, in particular weak programmers from the Windows world coming over and applying the same philosophies to linux development.

Re:The big problem with Linux security. (-1)

Anonymous Coward | about 8 months ago | (#46521033)

I bet you blame Bush for Obama's failures too, eh?

Re:The big problem with Linux security. (1)

MouseTheLuckyDog (2752443) | about 8 months ago | (#46521139)

You don't pay attention much do you?

Re:The big problem with Linux security. (0)

Anonymous Coward | about 8 months ago | (#46521221)

Well said. I have seen this on the job with alarming frequency lately. It's a big gaping hole among every single one of them. We just don't have the time or budget to teach them the basics of security using a professional *nix OS, and deal with filling in their huge programming knowledge gaps. When we did try it was a horrible failure, all we got was blank stares.

HR was the guilty party and they've been put on strict notice to filter resumes by certain keywords. Luckily we were quickly able to cull the worst offenders that slipped through, but there's still four to go. Wish us luck.

Re:The big problem with Linux security. (0)

Anonymous Coward | about 8 months ago | (#46521671)

True. No Windows guru in existence. Only Unix.

Correction: (1)

Narcocide (102829) | about 8 months ago | (#46521027)

Malware infected 25,000 unpatched Wordpress installs.

Shoulda hired me instead, suckers!

Beta (0)

Anonymous Coward | about 8 months ago | (#46521261)

Click here to return to the classic version of Slashdot, but then I get the beta again every time I click on an article: how stupid is that?

Summary -- root can do anything! (5, Interesting)

whoever57 (658626) | about 8 months ago | (#46521271)

The report only mentions in passing how the servers are compromised, which is that the operators of the botnet use credentials that have already been stolen to "infect" new machines. I personally think it likely that brute force attacks against ssh passwords are also used.

The summary states:

The servers are being hijacked by a backdoor Trojan

but I think this is an inaccurate summary since the Trojan is being installed on machines where the attackers already have root credentials.

Perhaps some unknown vulnerability is also being used to gain root access, but the report does not claim this.

Re:Summary -- root can do anything! (0)

Anonymous Coward | about 8 months ago | (#46521669)

Summary: don't use password auth. Use keys instead.

I have admin'ed such a server... (4, Insightful)

pla (258480) | about 8 months ago | (#46521291)

I have (grudgingly) admin'ed such a server, and will readily admit it as a form of public shaming (though not of myself, as you'll soon learn).

As TFS points out, the attackers didn't use a zero-day exploit. They didn't use an unpatched old exploit. They didn't even use the fact that huge "trusted" swaths of the filesystem, including standard executable paths (such as /usr/local/bin) had both the directory and everything contained within world-writable (no, I didn't have the option of fixing that - it would have broken "features" of the reason this box existed, as I'll soon explain).

This system ran a fairly popular POS software suite, and absolutely depended on all its serious security flaws. The vendor had even installed what amount to pre-compromised binaries for "convenience" in diagnosing end-user problems (connect to the right port, bam, you can monitor any user's session). But even that egregious level of incompetence didn't cause the breach.

No, the breach came from the fact that the vendor had their own company name as the root password (and had it hard-coded in literally dozens of (world-readable) scripts, so I couldn't just change it). And did I mention, the vendor required this box have a publicly facing IP or they'd refuse to honor their SLA?

Needless to say, my first action on learning all this was to block it at the firewall and tell the vendor that we'd let them in when, and only when, we needed assistance. That, amazingly enough, kept the box safe for about a year (and floored me that we hadn't gone down long before I got stuck with that albatross)...

Until an upgrade. Took a total of half an hour. Didn't matter, because we had someone in as root in a tenth that time.

But, distant past. Couldn't happen again, and no other vendor would ever have such an extreme level of cluelessness, right?

So, currently, I work with (but thank Zeus, don't have to administer) a CRM system by an entirely different vendor, running on an outdated Linux distro. Pretty much everything I just said applies to this box. But hey, the firewall keeps it safe, except the once-a-year the vendor demands access to audit our license compliance...

So yeah, Linux systems get hacked - for reasons that wouldn't protect the otherwise-most-secure system on the planet. You want to make it stop? Tell your vendors to go fuck themselves when they rationalize having a weak root password, and piss-poor system-wide security, and ban patching known vulnerabilities because it "might" break something the vendor used. Really that simple.
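Two of the conditions pla describes (world-writable directories on the executable path, and world-readable scripts with the root password hard-coded in them) are cheap to check for. The script below is an added example, not pla's or the vendor's code; every path, file and password value in it is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original thread: audit checks for world-writable
# directories on PATH and world-readable files that embed a password.
# All directories, files and values below are constructed for the demonstration.

# Print each directory in the colon-separated list $1 that is world-writable
# and lacks the sticky bit (any local user could drop a binary into it).
# find's permission-bit tests are used, so the answer does not depend on who runs this.
audit_world_writable_path() {
    old_ifs=$IFS
    IFS=':'
    set -- $1
    IFS=$old_ifs
    for d in "$@"; do
        [ -d "$d" ] || continue
        find "$d" -prune -perm -0002 ! -perm -1000 -print
    done
}

# Print each world-readable regular file under $1 that appears to embed a
# credential (a line such as ROOT_PASSWORD=... or passwd = ...).
# A hit means any local account, not just root, can read that secret.
audit_readable_secrets() {
    find "$1" -type f -perm -0004 \
        -exec grep -l -i -E 'pass(word|wd)?[[:space:]]*=' {} +
}

# Build a constructed sample tree under $1 that reproduces both problems.
make_sample_tree() {
    mkdir -p "$1/bin" "$1/local/bin" "$1/vendor"
    chmod 755 "$1/bin"                       # normal: not flagged
    chmod 777 "$1/local/bin"                 # world-writable, no sticky bit: flagged
    chmod 1777 "$1/vendor"                   # world-writable but sticky: not flagged
    printf '#!/bin/sh\nROOT_PASSWORD=examplevendor\n' > "$1/vendor/backup.sh"
    chmod 644 "$1/vendor/backup.sh"          # world-readable, embeds a password: flagged
    printf '#!/bin/sh\nDB_PASSWD=examplevendor\n' > "$1/vendor/private.sh"
    chmod 600 "$1/vendor/private.sh"         # same secret, but owner-only: not flagged
}

# Stand-alone run: build the tree, run both audits against it, clean up.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_sample_tree "$tmp"
    echo "world-writable PATH entries:"
    audit_world_writable_path "$tmp/bin:$tmp/local/bin:$tmp/vendor"
    echo "world-readable files embedding a password:"
    audit_readable_secrets "$tmp"
    rm -rf "$tmp"
fi
```

Run with `--demo` to see it flag only `local/bin` and `vendor/backup.sh`; point the two functions at the real `$PATH` and at a vendor's install tree to audit a live box.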

Re:I have admin'ed such a server... (0)

Anonymous Coward | about 8 months ago | (#46521427)

Hmmm...maybe when you opened up your firewall to the vendor you could have restricted it to just the vendor's IP instead of the whole world?

Re:I have admin'ed such a server... (1)

Anonymous Coward | about 8 months ago | (#46521453)

Was that Point Of Sale, or the other POS?

Re:I have admin'ed such a server... (0)

Anonymous Coward | about 8 months ago | (#46521713)

I have to protect a similarly retarded system. VPNs are your friend. No one gets an open port to our network from outside directly, whether or not it is SSH, mail or whatever.

Re:I have admin'ed such a server... (1)

dbIII (701233) | about 8 months ago | (#46521819)

No, the breach came from the fact that the vendor had their own company name as the root password

I saw that one a few years back but that had Win2k under their POS system and it was dialup connectivity (literally phoning home), which at least reduced the attack surface a bit. Management was incredibly dysfunctional, knew about the problem, and were sick of IT consultants telling them it was a bad idea. It was a wakeup call for me that for anything you can say about management problems in government there's a worse example out in private enterprise. They were probably taken over by a larger company (or went broke) but it's possible that the security problems not only remained but managed to jump platforms.

O'rely? (0)

Anonymous Coward | about 8 months ago | (#46521301)

Ah come on, there are no Linux viruses at all, EVER. Anybody that doesn't use Linux is a fool.

Re:O'rely? (1)

thaylin (555395) | about 8 months ago | (#46521619)

Of course you did not read and see that this was not a virus did you?

So is it 10,000 or 25,000? (2)

Areyoukiddingme (1289470) | about 8 months ago | (#46521343)

So is it 10,000 or 25,000? I can't be arsed to read the article, because as another poster succinctly observed "oh no, thousands of infected unpatched Wordpress installations", but it sounds like the ESET people trying to make a quick buck off of some FUD can't even get their FUD straight. As if tripwire hasn't been available for a couple of decades...

Re:So is it 10,000 or 25,000? (0)

Anonymous Coward | about 8 months ago | (#46521401)

Read, or don't read the article, your choice. But the level of sophistication will blow your mind.

These are not clueless script kiddies at work, these are the guys who will probably own your server farm.

The good news is, with the level of retro-cranial inversion you're displaying, you'll never notice.

Oh, and it's 25,000 world wide, with 10,000 in the US. Lazy bastard.

Re:So is it 10,000 or 25,000? (2, Informative)

grcumb (781340) | about 8 months ago | (#46521533)

Read, or don't read the article, your choice. But the level of sophistication will blow your mind.

No, no it really won't.

That article read like the opening page of a third-rate techno-thriller. Once you get past the alarmist dross, you see that people are busy pwning servers just as they always have. Only today - shock, horror - there are more servers around, and some of them are really badly maintained.

25,000 servers is a pretty useful resource for someone with malice in mind. And admittedly, it takes a certain amount of cleverness to amass that many. So yes, these guys aren't completely useless. But in the larger scheme of things, that number represents the lowest of the low-hanging fruit in the Linux ecosystem, and it's sufficient unto the day to know that if you (or your sysadmin) have half a clue, you'll likely not be bothered by this threat.

HTH, HAND

Re:So is it 10,000 or 25,000? (0)

Anonymous Coward | about 8 months ago | (#46521541)

no, you're confused, this is 1,000s of Drupal and Wordpress installs.

in other words, who gives a shit. none of this affects a server farm with even a minimal amount of sys admin prudence.

All that needs to be said (1)

cynicist (1112505) | about 8 months ago | (#46521345)

“The Ebury backdoor deployed by the Windigo cybercrime operation does not exploit a vulnerability in Linux or OpenSSH,” continued Léveillé. “Instead it is manually installed by a malicious attacker. The fact that they have managed to do this on tens of thousands of different servers is chilling. While anti-virus and two factor authentication is common on the desktop, it is rarely used to protect servers, making them vulnerable to credential stealing and easy malware deployment.”

UNPOSSIBLE! (-1)

Anonymous Coward | about 8 months ago | (#46521451)

if u can see teh code den somebody red teh codez and made shure its secure!!!!11 Lunix 4 lyfe bros!!!!11one

A lot can be done to secure a server (1)

Evan Rowley (3582809) | about 8 months ago | (#46521795)

Tips / Thoughts

Always change the default password and default keys.

A lot of exposed *nix processes should be sandboxed, jailed, or at the very least chrooted. The file system itself should support role-based and / or mandatory access control and have permissions set accordingly.

Centralized control with periodic audits should be regular practice. There should always be a baseline and deviations should always be documented.

For machine-to-machine communication, asymmetric key pairs should be part of the equation. This is already built into certificate-based mechanisms. There was also a recent enhancement to OpenSSL for stronger ECDSA keys. It should be some time before elliptic-curve cryptography isn't enough. Another option available for SSL and TLS is that both sides must have key/certificate pairs before communication is possible.

More exotic is placing HTTPS certs on load balancers so that traffic is encrypted there instead of the actual web servers. Doing this allows inspection of inbound HTTPS. Intrusion detection systems normally can't see this due to the encryption. Load balancers also do a great deal to control exactly where traffic goes. Network traffic should always be monitored and profiled.

For an interactive session, go with multi factor authentication. There are a lot of cool services out there. Duo Security is a great example. The YubiKey authenticators are cheap and because they've open-sourced a lot of their software, it's easy to integrate many applications with that type of authenticator. Even ssh. You can even run your own (protected) YubiKey server to control the authentication. Authy is another option which is easier to implement. SmartCards are also an option if you have deep pockets.

Randomized and one-time-passwords are also great but are tricky to implement. Most organizations that use these end up with enterprise password repositories. As long as these are protected by layers of security, they are usually a good idea. There are various situations where you wouldn't want someone to have a password that could be used more than once.

This is the stuff I've learned while working in the cyber security field for the past year. I've also learned that most organizations don't do any of this proactively. Phew. Typed all this using my thumbs on an insecure iPhone.
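The advice in this post and in the earlier one-liner ("don't use password auth. Use keys instead") is easy to state and easy to get wrong in sshd_config, because sshd keeps the first occurrence of a keyword rather than the last. The checker below is an added example, not code from either poster or from OpenSSH; the two config files it writes are constructed, and the defaults it assumes are noted in comments.

```shell
#!/bin/sh
# Added example, not from the original thread: check an sshd_config against the
# advice above (no password logins, no root password logins, key auth on).
# The two config files written below are constructed for the demonstration.

# Print the value sshd would use for keyword $2 in file $1.
# sshd keeps the FIRST occurrence of a keyword, so a later duplicate does not
# override an earlier one; keywords are case-insensitive; "#" lines are comments.
# Everything after a Match line is conditional, so the scan stops there.
sshd_effective_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF < 2 { next }
        tolower($1) == "match"    { exit }
        tolower($1) == key        { print $2; exit }
    ' "$1"
}

# Print one finding per line for sshd_config $1; no output means it passes.
# Absent keywords are judged by the OpenSSH defaults assumed in the comments.
sshd_audit() {
    cfg=$1
    # PasswordAuthentication defaults to yes, so unset counts as a finding.
    v=$(sshd_effective_value "$cfg" PasswordAuthentication)
    [ "${v:-yes}" = no ] || echo "PasswordAuthentication is ${v:-unset}; set it to no"
    # PermitRootLogin's default has changed across versions: require it explicitly.
    v=$(sshd_effective_value "$cfg" PermitRootLogin)
    case "$v" in
        no|prohibit-password|without-password) ;;
        *) echo "PermitRootLogin is ${v:-unset}; set it to no or prohibit-password" ;;
    esac
    # PubkeyAuthentication defaults to yes; only an explicit "no" is a finding.
    v=$(sshd_effective_value "$cfg" PubkeyAuthentication)
    [ "${v:-yes}" = yes ] || echo "PubkeyAuthentication is $v; set it to yes"
}

# Write a constructed weak config and a constructed hardened one into $1.
write_sample_configs() {
    printf '%s\n' \
        '# constructed: an exposed, password-only server' \
        'Port 22' \
        'PermitRootLogin yes' \
        'PasswordAuthentication yes' \
        'PubkeyAuthentication no' > "$1/weak_sshd_config"
    printf '%s\n' \
        '# constructed: after applying the advice in the thread' \
        'Port 22' \
        'PermitRootLogin no' \
        'PasswordAuthentication no' \
        'PubkeyAuthentication yes' \
        '# a later duplicate does NOT win: sshd keeps the first value above' \
        'PasswordAuthentication yes' > "$1/hardened_sshd_config"
}

# Stand-alone run: audit both constructed files, then clean up.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    write_sample_configs "$tmp"
    echo "weak:";     sshd_audit "$tmp/weak_sshd_config"
    echo "hardened:"; sshd_audit "$tmp/hardened_sshd_config"
    rm -rf "$tmp"
fi
```

Running `sshd_audit /etc/ssh/sshd_config` on a real host gives the same three checks; `sshd -T` remains the authoritative way to see the effective configuration, including Match blocks this parser deliberately stops at.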

Re: A lot can be done to secure a server (1)

Evan Rowley (3582809) | about 8 months ago | (#46521809)

And slashdot ruined my formatting.

UNIX servers infect visiting computers .. (1)

DTentilhao (3484023) | about 8 months ago | (#46522089)

"Windigo .. malware components are designed to hijack servers, infect the computers that visit them, and steal information"

Why don't these compromised UNIX servers go on to hijack Linux client desktops?