Linux attack worse than feared

More than 10,000 Apache servers affected.

Security researchers claim that a mass attack of websites is much worse than was feared. According to ScanSafe, the attack has affected at least 10,000 sites.

When the attack was first publicised, last Monday, Mary Landesman, a senior security researcher at ScanSafe said that she had uncovered hundreds of sites which had been hacked and were feeding exploits to visitors. However, Don Jackson, a senior researcher with Atlanta-based SecureWorks claimed that the real number was considerably larger.

According to ScanSafe's data, approximately 10,000 sites hosted on Linux servers running Apache have been hacked, most likely with purloined log-in credentials. Those servers have been infected with a pair of files that generate constantly-changing malicious JavaScript. When visitors reach a hacked site, the script calls up an exploit cocktail that includes attack code targeting recent QuickTime vulnerabilities, the long-running Windows MDAC bug, and even an already-fixed flaw in Yahoo Messenger.

If the visitor's PC is unpatched against any of the nine exploits Jackson listed, it is infected with a new variant of Rbot, the notorious backdoor Trojan he called "a very nasty piece of software." The end result: the PC is added to a botnet.

Jackson can't prove how the sites were originally hacked, but all the evidence points to the theft of log-on credentials; one reason he came to that conclusion is that hosts that have been cleaned of the infection - or in some cases even had Linux reinstalled - are quickly reinfected.

"There was no sign of brute forcing [of passwords] just prior to the infection," said Jackson, "but hosting companies are hit all the time with password attacks. It's part of doing business."

Last week, ScanSafe's Landesman drew a link between the security breach at UK-based Fasthosts and the site hacks, saying then that the domains ScanSafe had found infected had, or had recently had, a relationship with Fasthosts.

Fasthosts denied such a cause-and-effect, and cited what it called "technical discrepancies" with Landesman's claims, but said it was investigating nonetheless.

Friday, Landesman said more data during the week had made her change her mind about the link to Fasthosts. "There are a great deal more of these [compromised] sites than earlier," she said. "There are a number of them that can be traced to Fasthosts, but not all of them do."

Like Jackson, Landesman remained convinced that the hacks were possible because of stolen log-on usernames and passwords. "From everything we have it does point to some kind of compromise of usernames and passwords," she said. "My theory remains that the eventual source of the compromise is going to be a fairly finite number [of hosting companies]."

Jackson stressed that while the site hacks were done sans a true vulnerability, the Apache feature used by the hackers - "dynamic module loading" - is little known by most site administrators, making it extra difficult for all infected sites to cleanse themselves.

More to the point, said Jackson, administrators must change every password on the infected server; failing to do so has led to quick reinfections on some hosts. "All passwords must be changed," he said, "not just FTP and Cpanel passwords." There's some evidence, he said, that other passwords besides those for FTP and Cpanel - a popular server control panel program - have been used to access the hacked sites.

Other clues led Jackson to speculate that the attackers are not the usual cyber criminals based in Russia or China, but are likely from North America or western Europe. The code for the hacking and file upload tools lacks any comments written in Russian or Chinese, which is normally the case when an attack originates in Russia or China. Instead, the comments and code snippets are in English only. "Almost all the hacking business in western Europe is done in English," Jackson said, mentioning Germany specifically.

Users can protect themselves from attack by making sure all software on their systems is patched and that their security software signatures are up-to-date. Website administrators, on the other hand, should disable dynamic loading in their Apache module configurations.



Comments

does this affect windows pc only? unix, linux, osx | Published: 07:14 GMT, 24 January 2008

Does this affect Windows PCs only? Are Unix, Linux, OS X affected?

Nathon | Published: 16:19 GMT, 23 January 2008

bump the reCAPTCHA. Shouldn't web site administrators also change their passwords or something? Where do these folks get 10,000 passwords?

suspect | Published: 09:11 GMT, 23 January 2008

Gregg Keizer employed by M$ to generate bad press from innocuous happenings

Claude | Published: 21:18 GMT, 22 January 2008

This is one of the worst articles ever written. The inappropriate use of technology names and techniques shows a lack of knowledge by the writer and editors.

Hector | Published: 15:50 GMT, 22 January 2008

Inside Job. Collusion. Mitnick.

What makes this a "Linux attack" | Published: 13:30 GMT, 22 January 2008

Sounds like the password database for these hosting companies was compromised and that they just happen to be using Linux extensively. The same thing could be occurring whether you use Windows or Solaris as the underlying OS. What exactly makes this a "Linux attack"?

Dave | Published: 03:46 GMT, 22 January 2008

Dynamic module loading is the ONLY way Apache loads some features, such as PHP support. The loading happens once, when the system starts up. It's loading 'shared objects' to create the feature set that makes Apache such a rich web server. "Turning it off" means Apache won't work except for very, very simple static HTML applications. For someone to claim that administrators are unfamiliar with the feature implies that they don't understand what the problem is.
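Added example, not from the article or any commenter: given the article's advice to "disable dynamic loading" and Dave's point that Apache depends on it, the realistic defensive step is to audit what actually gets loaded. This Python script parses LoadModule directives from a constructed httpd.conf sample (the ServerRoot, allowlist and module directory are assumptions, not values from the page) and flags modules that are not on the allowlist or are loaded from outside the packaged module directory.

```python
import os
import re
import shlex

# Constructed sample httpd.conf (not from the page). The final line loads a
# module from a scratch directory, the sort of entry an administrator
# checking a compromised host would want flagged.
SAMPLE_CONF = """\
ServerRoot "/etc/httpd"
LoadModule php5_module modules/libphp5.so
LoadModule rewrite_module modules/mod_rewrite.so
# LoadModule status_module modules/mod_status.so
LoadModule helper_module /tmp/.x/mod_helper.so
"""

# Assumed allowlist of modules this server is expected to load.
ALLOWED = {"php5_module", "rewrite_module", "status_module"}
MODULE_DIR = "/etc/httpd/modules"   # assumed packaged module directory

LOADMODULE_RE = re.compile(r"^\s*LoadModule\s+(\S+)\s+(.+?)\s*$")
SERVERROOT_RE = re.compile(r'^\s*ServerRoot\s+"?([^"\s]+)"?')

def load_module_directives(conf_text, server_root="/etc/httpd"):
    """Return (module_name, absolute_path) for every active LoadModule line.
    Relative paths are resolved against ServerRoot, as httpd itself does."""
    found = []
    for line in conf_text.splitlines():
        if line.lstrip().startswith("#"):
            continue                      # commented-out directives never load
        m = SERVERROOT_RE.match(line)
        if m:
            server_root = m.group(1)
            continue
        m = LOADMODULE_RE.match(line)
        if m:
            name, path = m.group(1), shlex.split(m.group(2))[0]
            if not os.path.isabs(path):
                path = os.path.join(server_root, path)
            found.append((name, os.path.normpath(path)))
    return found

def audit_modules(directives, allowed=ALLOWED, module_dir=MODULE_DIR):
    """Flag modules not on the allowlist or loaded from outside module_dir."""
    findings = []
    for name, path in directives:
        reasons = []
        if name not in allowed:
            reasons.append("module not on allowlist")
        if not path.startswith(module_dir.rstrip("/") + "/"):
            reasons.append("loaded from outside " + module_dir)
        if reasons:
            findings.append((name, path, "; ".join(reasons)))
    return findings

if __name__ == "__main__":
    for name, path, why in audit_modules(load_module_directives(SAMPLE_CONF)):
        print("SUSPECT %s -> %s (%s)" % (name, path, why))
```

On a real host, feed it the output of the server's own config (including files pulled in by Include) and compare the resulting list against what the package manager installed.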

Mason | Published: 22:36 GMT, 21 January 2008

I had never even heard of dynamic module loading, I am definitely going to turn that off before launching my Apache-based website!
