markwolfe Veteran Posted January 22, 2008 Veteran Share Posted January 22, 2008 Source: NetworkWorld A mass attack ongoing for the past month against Linux Apache Web servers has become increasingly successful because its break-in method makes use of an automated password and installation process, according to a security researcher monitoring its progress.Don Jackson, senior security sesearcher at SecureWorks, says the attack, which was first thought to have compromised several hundred Web sites, has hit at least 10,000. He says the attack relies on making use of stolen passwords to Linux Apache servers by automating the installation process to force it to serve up attacks against vulnerabilities on Windows clients. ?The Web server ends up serving up vulnerabilities from 2006 related to Windows malware,? Jackson says. ?The whole attack is very mysterious. It?s based on a botnet but it doesn?t match the Russian and Chinese groups and may be Western Europe or North American.? The attack, which makes use of the well-known Rbot and Sdbot malware, targets at least nine software vulnerabilities associated with QuickTime exploits, AOL SuperBuddy and Yahoo! Messenger to try and compromise Windows-based desktops. SecureWorks says most antivirus vendors can detect the malware. The ingenuity is that the attacker has managed to install code that modifies Apache memory to monitor requests and inject the script tag, script contents or the Rbot executable, according to SecureWorks. Some Linux Apache network managers are finding it hard to clean their servers of the attack code, he notes. For the infection to work, the dynamic-module loading feature in Linux Apache must be enabled, which is the default. To protect against the attack, Linux Apache network managers should disable ?dynamic module,? Jackson says, adding, ?However, this isn?t a fix for everyone? because some servers actively depend on this feature. Jackson says he is aware there is ?proof-of-concept code? for a similar attack based on automated stolen-password and malware installation for Microsoft?s Internet Information Server, but he hasn?t seen it come into broad use the way the automated Linux Apache server attack is spreading. Link to comment Share on other sites More sharing options...
GatorV Posted January 22, 2008 Share Posted January 22, 2008 Mmm a friend's website was infected by this and their host can't remove it, is there some info on how to prevent this attacks?? Link to comment Share on other sites More sharing options...
BrainDedd Posted January 22, 2008 Share Posted January 22, 2008 Mmm a friend's website was infected by this and their host can't remove it, is there some info on how to prevent this attacks?? To protect against the attack, Linux Apache network managers should disable ?dynamic module? Link to comment Share on other sites More sharing options...
markwolfe Veteran Posted January 22, 2008 Author Veteran Share Posted January 22, 2008 It also seems that these people are using a listing of compromised passwords: He says the attack relies on making use of stolen passwords to Linux Apache serversso as long as your passwords weren't poor (like "password" or such), weren't socially-engineered out of some admin with a propensity to talk, or aren't some dictionary-attack fodder, the server should be secure against this particular intrusion. Link to comment Share on other sites More sharing options...
DaveLegg Developer Posted January 22, 2008 Developer Share Posted January 22, 2008 It also seems that these people are using a listing of compromised passwords:so as long as your passwords weren't poor (like "password" or such), weren't socially-engineered out of some admin with a propensity to talk, or aren't some dictionary-attack fodder, the server should be secure against this particular intrusion. Is this the same attack I was reading about earlier here? Link to comment Share on other sites More sharing options...
markwolfe Veteran Posted January 22, 2008 Author Veteran Share Posted January 22, 2008 Is this the same attack I was reading about earlier here? Looks like it. Good find! They have some good tips there to verify your system, if you suspect your server has been compromised. (Y) Link to comment Share on other sites More sharing options...
zeroday Posted January 22, 2008 Share Posted January 22, 2008 Is this the same attack I was reading about earlier here? Scary stuff :| Link to comment Share on other sites More sharing options...
Mike Posted January 22, 2008 Share Posted January 22, 2008 Looks like it. Good find! They have some good tips there to verify your system, if you suspect your server has been compromised. (Y) so all that is caused by default/poor passwords for root (and allowing ssh)? if so, seems scary so many servers out there have poor passwords / no security around ssh access :/ Link to comment Share on other sites More sharing options...
hagjohn Posted January 23, 2008 Share Posted January 23, 2008 I would say that most Apache servers are using DSO's. I do not use Apache in windows but don't they have DSO's as well? Link to comment Share on other sites More sharing options...
The_Decryptor Veteran Posted January 23, 2008 Veteran Share Posted January 23, 2008 Mmm a friend's website was infected by this and their host can't remove it, is there some info on how to prevent this attacks?? Tell your friend to change their host. And use better passwords (but that applies to everything, the memorable password generator in Keychain (and other such implementations) is great for making strong, but easy to remember passwords) Link to comment Share on other sites More sharing options...
Recommended Posts