Botnet of Linux Servers with Dynamic IP Discovered

Sep 14, 2009

A Russian Web developer has found a network of a couple of hundred Linux servers that could distribute malware to Windows systems.

Linux, the server system of choice, hasn't exactly escaped malware authors. According to a current blog entry from Russian developer Denis Sinegubko, a network of infected Apache servers (by now just under a hundred) reaches Windows systems through hostnames at the dynamic DNS providers dyndns.org and no-ip.com and can thereby deliver the malicious code.

The compromised Linux servers include dedicated and virtualized Apache web servers. The malware apparently landed on the targets not through an Apache vulnerability but through weak or intercepted passwords or a security hole in the management software in use. The attackers then installed the small Nginx web server alongside Apache, and it is this second server that distributed the malware to the Windows clients. Site admins wouldn't normally notice the break-in because the Apache service itself is unaffected.
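As an added example (not from the article and not from Sinegubko's post), a defender's check for the symptom described above: a listening service owned by a process nobody installed on purpose. The sample listener table, the `ss -tlnp` command as input and the allowlist of expected processes are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the article): list TCP listeners whose owning
# process is not on an allowlist, so a second web server such as nginx
# installed beside Apache stands out. Feed it real output from `ss -tlnp`;
# the sample below is constructed for illustration.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22        0.0.0.0:*    users:(("sshd",pid=611,fd=3))
LISTEN 0      128    0.0.0.0:80        0.0.0.0:*    users:(("apache2",pid=1203,fd=4))
LISTEN 0      128    0.0.0.0:8080      0.0.0.0:*    users:(("nginx",pid=4521,fd=6))
LISTEN 0      80     127.0.0.1:3306    0.0.0.0:*    users:(("mysqld",pid=980,fd=10))'

# Processes expected to listen on this host (assumed baseline for this example).
ALLOWED_PROCS="sshd apache2 mysqld"

# Print "address process pid" for every listener whose process is not allowlisted.
unexpected_listeners() {
  printf '%s\n' "$1" | awk -v allowed="$ALLOWED_PROCS" '
    NR > 1 && match($0, /users:\(\("[^"]+"/) {
      name = substr($0, RSTART + 9, RLENGTH - 10)   # text between users:((" and the closing quote
      pid = "?"
      if (match($0, /pid=[0-9]+/)) pid = substr($0, RSTART + 4, RLENGTH - 4)
      if (index(" " allowed " ", " " name " ") == 0) print $4, name, pid
    }'
}

# Usage on a live system: unexpected_listeners "$(ss -tlnp)"
unexpected_listeners "$SAMPLE_SS"
```

Run it from cron or a config-management check and alert on any output; a rogue nginx bound to a high port is exactly what an Apache-only baseline would surface.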

The exact purpose of the attacks and, above all, the entry point used are still not fully known. Shortly after Sinegubko's blog post, dyndns.com took more than 100 systems off the net, and no-ip.com blocked about 100 domains after he contacted them. Unfortunately, a cat-and-mouse game can ensue because dynamic hostnames are easy to register.


Comments

  • Linux botnet

    It's a Linux botnet just like an Adobe exploit on Windows is a Windows botnet.

  • maybe not apache

    I think Apache is also running on Windows, so Linux to be used?

  • Linux-Botnet

    Yes, it's a Linux-Botnet, as the nginx-Version installed on it is the Linux-Version. So it has nothing to do with apache.

  • Linux

    Is this really a Linux botnet or an Apache botnet running on Linux? Meaning Linux is really not the issue but Apache, which could be in the same position if installed on Unix or Windows?