Unix server managers, read up

"Léveillé highlights the fact that the Ebury backdoor deployed by the attackers doesn’t exploit Linux or OpenSSH vulnerabilities. Instead, it’s manually planted."

Yeah, manually planted without any vulnerability.

WTF is this bullshit?
 
Credential stealing, looks like. Which, if the case, is shameful. Unix admins should know better.
 
Yeah, "UNIX". The headline says UNIX. The text doesn't mention any flavour of UNIX and instead says Linux as a side remark.
 
 
Had a bot like that get into one of my VMs once. I hard port forwarded it and forgot to install fail2ban. Within 10 minutes it was compromised, and by the time I found it, it had already found 3 other internet servers that it also compromised. Was kind of neat, as it was basically just a bash script that kept a log, then it would push itself to the other server, probably via scp or something, I forget. Crazy what no brute force protection can do. You can have the most secure thing in the world, but if you don't protect against brute force, it's not a matter of if but a matter of when someone will get in.
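The "no brute force protection" failure mode described in the post above, as an added example that is not part of the thread: a minimal fail2ban-style detector run over constructed sshd log lines, flagging any source that exceeds a failure threshold within a sliding window. The log format, the 10-minute window and the threshold of 5 are assumptions for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches sshd failures in the syslog format assumed for this example, e.g.
# "Apr 12 03:14:01 vm1 sshd[4410]: Failed password for root from 203.0.113.5 port 50210 ssh2"
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)

# Constructed sample log: one noisy source, one legitimate user with two
# failures far apart, and an accepted public-key login that must be ignored.
SAMPLE_LOG = """\
Apr 12 03:14:01 vm1 sshd[4410]: Failed password for root from 203.0.113.5 port 50210 ssh2
Apr 12 03:14:03 vm1 sshd[4412]: Failed password for invalid user admin from 203.0.113.5 port 50214 ssh2
Apr 12 03:14:05 vm1 sshd[4414]: Failed password for invalid user test from 203.0.113.5 port 50218 ssh2
Apr 12 03:14:06 vm1 sshd[4416]: Accepted publickey for deploy from 198.51.100.7 port 40100 ssh2
Apr 12 03:14:08 vm1 sshd[4418]: Failed password for root from 203.0.113.5 port 50222 ssh2
Apr 12 03:14:09 vm1 sshd[4420]: Failed password for root from 198.51.100.7 port 40104 ssh2
Apr 12 03:14:11 vm1 sshd[4422]: Failed password for invalid user oracle from 203.0.113.5 port 50226 ssh2
Apr 12 03:40:00 vm1 sshd[4430]: Failed password for root from 198.51.100.7 port 40110 ssh2
""".splitlines()

def parse_ts(ts, year=2024):
    # Syslog timestamps carry no year; a fixed year is assumed for ordering.
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def brute_force_sources(lines, threshold=5, window_seconds=600):
    """Return {ip: time_of_threshold_hit} for sources with at least
    `threshold` failed logins inside a sliding window of `window_seconds`,
    i.e. what a fail2ban sshd jail would ban."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still in window
    flagged = {}
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue              # successes and unrelated lines are skipped
        ip, ts = m.group("ip"), parse_ts(m.group("ts"))
        q = recent[ip]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()           # expire failures older than the window
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged

if __name__ == "__main__":
    for ip, when in brute_force_sources(SAMPLE_LOG).items():
        print(f"{ip} hit the failure threshold at {when:%H:%M:%S}")
```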
 

We got bit by this, hard. cPanel Support was infected by it for about 6 months. We had them remote into one of our hosts to work on it, and they brought the rootkit with them. From there it infected both our nameservers (cpanel cluster), a flash media server (that a tech logged into through the cpanel server), and two No Machine NX servers that are used to remote into the network. Our servers were locked down enough to prevent everything but the spam, until I caught the spam and shut that down.

We also got a nice email from the Dept. of Homeland Security informing us of the active rootkit.

We're just a small school, but we get hammered constantly by brute force attacks. Must have gotten on some kind of list. I have other servers that have been up for 15 years on the same IP, and they don't see this intensity of brute force attacks.
 