Linux-Powered Botnet Generates Giant DDoS Attacks

HardOCP News

Damn you, Linux, I always knew you were up to no good. We need to hurry up and ban Linux before it can do any more harm!

Malware that has hijacked Linux systems for the past year has been recorded flooding targeted websites at speeds of over 150Gbps. The Linux botnet, known as XOR DDoS or XOR.DDoS, is orchestrating attacks on around 20 targets a day, according to Akamai, which in late August blocked two attacks against customers that measured 50 Gbps and 100 Gbps, respectively.
 
I liked this part from the article.

"According to Akamai, those sites are typically in the online gaming sector within Asia,"


So clearly PC gaming and Linux are the reason for this. I can't see anything wrong with this.
 
Thanks to irresponsible people not patching the applications running on their Linux machines. Or, thanks to the people who use embedded Linux on their products who never patch them for vulnerabilities.
 
Thanks to irresponsible people not patching the applications running on their Linux machines. Or, thanks to the people who use embedded Linux on their products who never patch them for vulnerabilities.

You guys should really read the article:

the MalwareMustDie! group, which found it attempts to brute force SSH login credentials for the root user of a Linux system. In other words, it doesn't take advantage of a specific vulnerability.

So really, it is just guesswork that gets the shell script installed and activated, and at that point anything could happen on the system.
Save your "vulnerabilities in an OS" for Windows threads. ;)
 
Guesswork that shouldn't be a real viable solution to a hardened OS.

It has nothing to do with that.
One can set up a Linux OS to not be accessible through SSH/Telnet using root, or any other users with higher than normal permissions.

It has to do with a poor setup; that isn't the OS's fault.
Any OS is susceptible to user ignorance/stupidity/mistakes.
 
It has nothing to do with that.
One can set up a Linux OS to not be accessible through SSH/Telnet using root, or any other users with higher than normal permissions.

It has to do with a poor setup; that isn't the OS's fault.
Any OS is susceptible to user ignorance/stupidity/mistakes.

but the hardened option should be the default

Linux fan here
 
but the hardened option should be the default

Linux fan here

In which Linux OS is this not the default option?
Every Slackware, RHEL, or Debian distro I've ever tried has come locked down by default.

OSes that are not locked down would generally fall under the Windows category...
 
Whatever the Chinese are using as a Linux distro is probably not RHEL, Slackware, or Debian. Either that, or they're not setting up passwords for their accounts, which you can do, but that would expose your system to all kinds of problems.
 
You guys should really read the article:

So really, it is just guesswork that gets the shell script installed and activated, and at that point anything could happen on the system.
Save your "vulnerabilities in an OS" for Windows threads. ;)

What makes no sense to me is that it tries to brute force the root user account.

I haven't seen a Linux install in YEARS that allows a direct logon to root. Usually you have to log on as a user account with sudo privileges and then sudo in to do root-type tasks.

What kind of servers are set up this way anyway?

Also, IMHO it is about time that Linux distributions install brute force login protection by default. It makes no sense that this isn't the case. Type the wrong password more than, say, 5 times and you are locked out for X minutes.

This would make brute force attacks VERY impractical.

It would be annoying if you mistyped your password a few times by trying to log in while drunk, or something, but that is a small price to pay.
 
Anyway, I just checked my systems, and they are clean.

Might have something to do with the fact that root login is disabled on all of them, and that I use non-standard SSH ports.
 
I wonder if this can infect BSD or Solaris based operating systems as well.

Those are more commonly set up to allow logins as root.
 
So what I'm getting out of this is that what's happening is badly configured systems are the target regardless of OS type.

I think we will see the trend shift towards Linux-based vulnerabilities increasing as the barrier to entry is lower. Linux is almost more likely to be misconfigured.

With the amount of crap fail2ban blocks on my Linux hosts, it doesn't really surprise me.
 
So what I'm getting out of this is that what's happening is badly configured systems are the target regardless of OS type.

I think we will see the trend shift towards Linux-based vulnerabilities increasing as the barrier to entry is lower. Linux is almost more likely to be misconfigured.

With the amount of crap fail2ban blocks on my Linux hosts, it doesn't really surprise me.

Yeah, I don't understand why something like fail2ban isn't installed by default.

That being said, by default Linux systems tend to be properly configured (except for not having something like fail2ban installed).

For a server to wind up being improperly set up, you need to have someone go in and undo those settings, possibly because they have no idea what they are doing.

I feel like Linux systems are a greater target because if you are able to compromise them by brute force, having console access in Linux lets you do just about anything.
 
In which Linux OS is this not the default option?
Every Slackware, RHEL, or Debian distro I've ever tried has come locked down by default.

OSes that are not locked down would generally fall under the Windows category...

Just having "PermitRootLogin without-password" enabled isn't locked down. Locked down would be using keys, or banning IPs that enter too many bad passwords. Most people don't do that.

But this is a good example of why things like this happen: people who think that because they don't use Windows they are secure, or don't have to think about security.
 
Just having "PermitRootLogin without-password" enabled isn't locked down. Locked down would be using keys, or banning IPs that enter too many bad passwords. Most people don't do that.

But this is a good example of why things like this happen: people who think that because they don't use Windows they are secure, or don't have to think about security.

For me it's the combination of non-standard SSH ports, disabled root logins altogether (you must log in as a user and sudo) and fail2ban.

Nothing is secure / locked down if you get someone who is knowledgeable and determined enough (I mean, look at Stuxnet).

You just have to get to the level of making yourself not worth the trouble.
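An added shell example, not code from the thread or the article, that puts together the two defensive points raised above: counting failed SSH password attempts per source address against the 5-attempt lockout threshold mentioned earlier (the fail2ban idea), and auditing an sshd_config for the PermitRootLogin and PasswordAuthentication settings posters describe as actually locked down. The log lines, addresses and config fragment are constructed samples.

```shell
#!/bin/sh
# Added example, not from the thread: spot SSH password brute-forcing in sshd
# log lines (the fail2ban idea, with the 5-attempt threshold from the thread)
# and audit an sshd_config for the "locked down" settings the posters describe.

THRESHOLD=5

# Constructed sample auth.log excerpt; addresses are documentation ranges,
# not real indicators.
SAMPLE_LOG='Sep  1 10:00:01 host sshd[101]: Failed password for root from 198.51.100.7 port 5010 ssh2
Sep  1 10:00:02 host sshd[102]: Failed password for root from 198.51.100.7 port 5011 ssh2
Sep  1 10:00:03 host sshd[103]: Failed password for invalid user admin from 198.51.100.7 port 5012 ssh2
Sep  1 10:00:04 host sshd[104]: Failed password for root from 198.51.100.7 port 5013 ssh2
Sep  1 10:00:05 host sshd[105]: Failed password for root from 198.51.100.7 port 5014 ssh2
Sep  1 10:00:06 host sshd[106]: Failed password for root from 198.51.100.7 port 5015 ssh2
Sep  1 10:00:07 host sshd[107]: Accepted publickey for alice from 203.0.113.9 port 6000 ssh2
Sep  1 10:00:08 host sshd[108]: Failed password for alice from 203.0.113.9 port 6001 ssh2'

# Constructed sshd_config fragment with the weak setting quoted in the thread.
WEAK_CONF='Port 22
PermitRootLogin without-password
PasswordAuthentication yes'

# Read log text from stdin; print "count ip" for each source with at least
# $1 (default THRESHOLD) failed password attempts, i.e. a lockout candidate.
flag_bruteforce() {
    limit="${1:-$THRESHOLD}"
    grep 'sshd\[[0-9]*\]: Failed password for' \
      | sed -n 's/.* from \([0-9.][0-9.]*\) port .*/\1/p' \
      | sort | uniq -c \
      | awk -v limit="$limit" '$1 >= limit { print $1, $2 }'
}

# Read an sshd_config from stdin; print one line per directive that is not
# hardened (root login disabled, password auth off). Prints nothing when both
# are already set to "no".
audit_sshd_config() {
    awk 'tolower($1) == "permitrootlogin"        { root = $2 }
         tolower($1) == "passwordauthentication" { pw = $2 }
         END {
           if (root != "no") print "PermitRootLogin: want no, found " (root == "" ? "unset" : root)
           if (pw != "no")   print "PasswordAuthentication: want no, found " (pw == "" ? "unset" : pw)
         }'
}

# Run against the constructed samples when executed directly.
printf '%s\n' "$SAMPLE_LOG" | flag_bruteforce
printf '%s\n' "$WEAK_CONF" | audit_sshd_config
```

Point `flag_bruteforce` at a real log (`grep sshd /var/log/auth.log | flag_bruteforce`) and it reports the same sources fail2ban's sshd jail would ban; the audit reads `/etc/ssh/sshd_config` the same way.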
 