Saturday, September 12, 2009

A new first: a Linux botnet

The Register is reporting that a botnet of Linux systems has been discovered. Interestingly, the Linux boxes are left relatively unchanged, except that a second web server is activated on port 8080 to serve malware. The rest of the attack is to insert links into legitimate web sites whose passwords have also been stolen; the Linux boxes then serve up malware when an unsuspecting reader follows such a link on the otherwise legitimate site.

It is not known how the Linux boxes were subverted, but the best guess is that the root password was sniffed during remote sessions. The legitimate servers that were also attacked to include links to the Linux bots apparently had their FTP passwords sniffed. That is, this attack is possible simply because insecure communication and update protocols were used; no inherent vulnerability of the attacked systems is being exploited.
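Two defender-side checks that follow from the attack described above, written here as an added example (not code from the original post): the first looks through a site's HTML for off-site links that point at a host on port 8080, the second flags unexpected listening sockets in `ss`/`netstat` style output. All sample data is constructed.

```python
# Added example, not from the original post: two defender-side checks based on
# the attack the post describes. All sample data below is constructed.
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

class _LinkCollector(HTMLParser):
    """Collect every href/src value found in a page."""
    def __init__(self):
        super().__init__()
        self.urls = []
    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value:
                self.urls.append(value)

def find_injected_links(html, own_host, port=8080):
    """URLs pointing off-site to a host on `port`: the injected links."""
    p = _LinkCollector()
    p.feed(html)
    hits = []
    for u in p.urls:
        parts = urlsplit(u)
        if (parts.scheme in ("http", "https") and parts.port == port
                and parts.hostname != own_host):
            hits.append(u)
    return hits

def unexpected_listeners(ss_output, expected_ports=(22, 80, 443)):
    """(address, port) pairs in LISTEN state on ports outside the allow-list."""
    found = []
    for line in ss_output.splitlines():
        fields = line.split()
        if "LISTEN" not in fields:
            continue
        for f in fields:  # the first addr:port token is the local socket
            m = re.fullmatch(r"(.+):(\d+)", f)
            if m:
                if int(m.group(2)) not in expected_ports:
                    found.append((m.group(1), int(m.group(2))))
                break
    return found

# Constructed samples: a page with two injected links, and a socket listing
# showing the extra web server on 8080 beside the expected sshd and httpd.
SAMPLE_HTML = ('<a href="https://www.example.org/about">About</a>'
               '<a href="http://bot.example.net:8080/x.php">Read more</a>'
               '<script src="http://203.0.113.9:8080/a.js"></script>'
               '<img src="/logo.png">')
SAMPLE_SS = ("tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*\n"
             "tcp LISTEN 0 128 0.0.0.0:80 0.0.0.0:*\n"
             "tcp LISTEN 0 128 0.0.0.0:8080 0.0.0.0:*\n")
```

Run `find_injected_links(SAMPLE_HTML, "www.example.org")` against a crawl of your own pages and `unexpected_listeners` against `ss -ltn` output on each server; a hit on either is a prompt to examine the host, not proof of compromise.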

Cheers,
Dave Miller

2 comments:

  1. What! Google Groups a master control channel for a newfound trojan? I will have to check this out.

  2. Google's motto "Don't be evil." is now tarnished.

    Woohoo
