
Attack against Linux Apache servers intensifying

By Ellen Messmer, Network World, 01/22/2008

A mass attack ongoing for the past month against Linux Apache Web servers has become increasingly successful because its break-in method makes use of an automated password and installation process, according to a security researcher monitoring its progress.

Don Jackson, senior security researcher at SecureWorks, says the attack, which was first thought to have compromised several hundred Web sites, has hit at least 10,000. He says the attack relies on stolen passwords for Linux Apache servers and on an automated installation process that forces each server to serve up attacks against vulnerabilities on Windows clients.

“The Web server ends up serving up vulnerabilities from 2006 related to Windows malware,” Jackson says. “The whole attack is very mysterious. It’s based on a botnet but it doesn’t match the Russian and Chinese groups and may be Western Europe or North American.”

The attack, which makes use of the well-known Rbot and Sdbot malware, targets at least nine software vulnerabilities associated with QuickTime exploits, AOL SuperBuddy and Yahoo! Messenger to try and compromise Windows-based desktops. SecureWorks says most antivirus vendors can detect the malware.

The ingenuity is that the attacker has managed to install code that modifies Apache memory to monitor requests and inject the script tag, script contents or the Rbot executable, according to SecureWorks. Some Linux Apache network managers are finding it hard to clean their servers of the attack code, Jackson notes.

For the infection to work, the dynamic-module loading feature in Linux Apache must be enabled, which is the default. To protect against the attack, Linux Apache network managers should disable “dynamic module,” Jackson says, adding, “However, this isn’t a fix for everyone” because some servers actively depend on this feature.
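Whether a given server "actively depends" on dynamic module loading can be read from its configuration. The audit below is an added example, not code from the article or from SecureWorks: it lists the `LoadModule` directives in an Apache config and flags any module missing from an approved baseline. The sample config, the `unknown_module` entry and the baseline are constructed, and the sketch assumes a single config file (it does not follow `Include` directives).

```python
import re

# Constructed sample config, not taken from the article. "unknown_module"
# is a hypothetical entry standing in for a module nobody approved.
SAMPLE_CONF = """\
# main server config
ServerRoot "/etc/httpd"
LoadModule rewrite_module modules/mod_rewrite.so
loadmodule ssl_module "modules/mod_ssl.so"
#LoadModule status_module modules/mod_status.so
LoadModule unknown_module \\
    modules/mod_unknown.so
"""

# Assumed baseline of modules the administrator has approved.
APPROVED = {"rewrite_module", "ssl_module"}

# Apache directive names are case-insensitive; the path may be quoted.
LOADMODULE = re.compile(r'^\s*LoadModule\s+(\S+)\s+"?([^"\s]+)"?\s*$', re.IGNORECASE)

def logical_lines(text):
    """Yield config lines with trailing-backslash continuations joined."""
    buf = ""
    for raw in text.splitlines():
        if raw.endswith("\\"):
            buf += raw[:-1] + " "
            continue
        yield buf + raw
        buf = ""
    if buf:
        yield buf

def audit(text, approved):
    """Report dynamically loaded modules and those outside the baseline."""
    loaded = []
    for line in logical_lines(text):
        if line.lstrip().startswith("#"):
            continue  # commented-out directives are not active
        m = LOADMODULE.match(line)
        if m:
            loaded.append((m.group(1), m.group(2)))
    unexpected = [(name, path) for name, path in loaded if name not in approved]
    return {"depends_on_dynamic_loading": bool(loaded),
            "loaded": loaded, "unexpected": unexpected}

if __name__ == "__main__":
    print(audit(SAMPLE_CONF, APPROVED))
```

An empty `loaded` list means the configuration itself does not rely on dynamic loading, which is the case where disabling the feature is most likely to be practical.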

Jackson says he is aware there is “proof-of-concept code” for a similar attack based on automated stolen-password and malware installation for Microsoft’s Internet Information Server, but he hasn’t seen it come into broad use the way the automated Linux Apache server attack is spreading.


Comments (9)

The Internet is full of rumours
By Anonymous on January 27, 2008, 6:31 am
But why does NetworkWorld choose to propagate fluff like this? No facts, no pointers, the guy who wrote seems clueless.

...WARNING! DEADLY LINUX FLAW FOUND!
By Anonymous on January 25, 2008, 1:40 am
A crippling Linux flaw was found today by Hugh Jidiot, an independent security consultant. Jidiot discovered that 100% of today's Linux servers are powered by electricity,...

I would stop to think,
By Anonymous on January 24, 2008, 11:48 am
I would stop to think, before I'd go bashing Linux and Apache. Just like always in media, big noise without basic facts. Everything depends on implementation. I...

So when do we stop using
By Anonymous on January 23, 2008, 5:59 pm
So when do we stop using Linux and Apache? I thought their junk was so superior to Microsoft's junk. I hope this gets the LAMP crowd off their unjustified high...

What makes an article junk?
By Anonymous on January 23, 2008, 4:31 pm
Evidently questioning the perfection of Lunix, Apple, or Google makes any article junk. >>> but all the evidence points to the theft of log-on credentials
