- How to make new stuff from your piles of obsolete tech
- Why your computer sucks
- 10 recession-proof IT skills
- Juniper execs share network vision
- 9-year-old plots his fifth Microsoft certification
A mass attack ongoing for the past month against Linux Apache Web servers has become increasingly successful because its break-in method makes use of an automated password and installation process, according to a security researcher monitoring its progress.
Don Jackson, senior security researcher at SecureWorks, says the attack, which was first thought to have compromised several hundred Web sites, has hit at least 10,000. He says the attack relies on making use of stolen passwords to Linux Apache servers by automating the installation process to force it to serve up attacks against vulnerabilities on Windows clients.
“The Web server ends up serving up vulnerabilities from 2006 related to Windows malware,” Jackson says. “The whole attack is very mysterious. It’s based on a botnet but it doesn’t match the Russian and Chinese groups and may be Western Europe or North American.”
The attack, which makes use of the well-known Rbot and Sdbot malware, targets at least nine software vulnerabilities associated with QuickTime exploits, AOL SuperBuddy and Yahoo! Messenger to try and compromise Windows-based desktops. SecureWorks says most antivirus vendors can detect the malware.
The ingenuity is that the attacker has managed to install code that modifies Apache memory to monitor requests and inject the script tag, script contents or the Rbot executable, according to SecureWorks. Some Linux Apache network managers are finding it hard to clean their servers of the attack code, he notes.
For the infection to work, the dynamic-module loading feature in Linux Apache must be enabled, which is the default. To protect against the attack, Linux Apache network managers should disable “dynamic module,” Jackson says, adding, “However, this isn’t a fix for everyone” because some servers actively depend on this feature.
Jackson says he is aware there is “proof-of-concept code” for a similar attack based on automated stolen-password and malware installation for Microsoft’s Internet Information Server, but he hasn’t seen it come into broad use the way the automated Linux Apache server attack is spreading.
Rss FeedRss Feed
The Leader in Network Knowledge
Comments (9)
RE: Attack against Linux Apache servers intensifyingBy Anonymous on January 22, 2008, 9:52 pmWhat a completely useless article with no actual details or links to sites with more information.
Reply | Read entire comment
RE: Attack against Linux Apache servers intensifyingBy Anonymous on January 23, 2008, 9:57 amIt surely is a piece of junk. The vulnerabilities are not Apache's but other plugins.
Reply | Read entire comment
attack against Linux Apache Servers intensifyingBy Anonymous on January 23, 2008, 4:22 pmHave to agree with poster who said this is a worthless article. Come to think of it, most of your articles are uninformative pablum. How about at least linking...
Reply | Read entire comment
I found a securityworksBy Anonymous on January 23, 2008, 4:23 pmI found a securityworks link: http://www.secureworks.com/research/threats/linuxservers/?threat=linuxservers (oddly, the 'SecurityWorks' link the article goes...
Reply | Read entire comment
What makes an article junk?By Anonymous on January 23, 2008, 4:31 pmEvidently questioning the perfection of Lunix, Apple, or Google makes any article junk. >>> but all the evidence points to the theft of log-on credentials
Reply | Read entire comment
So when do we stop usingBy Anonymous on January 23, 2008, 5:59 pmSo when do we stop using Linux and Apache? I thought their junk was so superior to Microsoft's junk. I hope this gets the LAMP crowd off their unjustified high...
Reply | Read entire comment
View all comments