Attack against Linux Apache servers intensifying

By markwolfe
in Back Page News

 Share

Recommended Posts

Grand Master

markwolfe Veteran

Posted
  • Veteran
Posted

Source: NetworkWorld

A mass attack ongoing for the past month against Linux Apache Web servers has become increasingly successful because its break-in method makes use of an automated password and installation process, according to a security researcher monitoring its progress.

Don Jackson, senior security sesearcher at SecureWorks, says the attack, which was first thought to have compromised several hundred Web sites, has hit at least 10,000. He says the attack relies on making use of stolen passwords to Linux Apache servers by automating the installation process to force it to serve up attacks against vulnerabilities on Windows clients.

?The Web server ends up serving up vulnerabilities from 2006 related to Windows malware,? Jackson says. ?The whole attack is very mysterious. It?s based on a botnet but it doesn?t match the Russian and Chinese groups and may be Western Europe or North American.?

The attack, which makes use of the well-known Rbot and Sdbot malware, targets at least nine software vulnerabilities associated with QuickTime exploits, AOL SuperBuddy and Yahoo! Messenger to try and compromise Windows-based desktops. SecureWorks says most antivirus vendors can detect the malware.

The ingenuity is that the attacker has managed to install code that modifies Apache memory to monitor requests and inject the script tag, script contents or the Rbot executable, according to SecureWorks. Some Linux Apache network managers are finding it hard to clean their servers of the attack code, he notes.

For the infection to work, the dynamic-module loading feature in Linux Apache must be enabled, which is the default. To protect against the attack, Linux Apache network managers should disable ?dynamic module,? Jackson says, adding, ?However, this isn?t a fix for everyone? because some servers actively depend on this feature.

Jackson says he is aware there is ?proof-of-concept code? for a similar attack based on automated stolen-password and malware installation for Microsoft?s Internet Information Server, but he hasn?t seen it come into broad use the way the automated Linux Apache server attack is spreading.

Community Regular

BrainDedd

Posted
Posted
Mmm a friend's website was infected by this and their host can't remove it, is there some info on how to prevent this attacks??
To protect against the attack, Linux Apache network managers should disable ?dynamic module?
Grand Master

markwolfe Veteran

Posted
  • Author
  • Veteran
Posted

It also seems that these people are using a listing of compromised passwords:

He says the attack relies on making use of stolen passwords to Linux Apache servers
so as long as your passwords weren't poor (like "password" or such), weren't socially-engineered out of some admin with a propensity to talk, or aren't some dictionary-attack fodder, the server should be secure against this particular intrusion.
Grand Master

DaveLegg Developer

Posted
  • Developer
Posted
It also seems that these people are using a listing of compromised passwords:so as long as your passwords weren't poor (like "password" or such), weren't socially-engineered out of some admin with a propensity to talk, or aren't some dictionary-attack fodder, the server should be secure against this particular intrusion.

Is this the same attack I was reading about earlier here?

Grand Master

markwolfe Veteran

Posted
  • Author
  • Veteran
Posted
Is this the same attack I was reading about earlier here?

Looks like it. Good find! They have some good tips there to verify your system, if you suspect your server has been compromised. (Y)

Grand Master

Mike

Posted
Posted
Looks like it. Good find! They have some good tips there to verify your system, if you suspect your server has been compromised. (Y)

so all that is caused by default/poor passwords for root (and allowing ssh)?

if so, seems scary so many servers out there have poor passwords / no security around ssh access :/

Grand Master

The_Decryptor Veteran

Posted
  • Veteran
Posted
Mmm a friend's website was infected by this and their host can't remove it, is there some info on how to prevent this attacks??

Tell your friend to change their host.

And use better passwords (but that applies to everything, the memorable password generator in Keychain (and other such implementations) is great for making strong, but easy to remember passwords)

This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.

  • Posts

    • Why it's almost impossible to produce a smartphone in the United States

      By Asgardi · Posted

      Ridiculous claim that the labor cost difference of $6000 annually would increase cost per phone by $200. The employees produce 3 phones per month or what?
    • Sparkle 2.20.1

      By Copernic · Posted

      Sparkle 2.20.1 by Razvan Serea Sparkle is a free, open-source Windows optimization tool designed to make your PC faster, cleaner, and more private. With Sparkle, you can easily debloat Windows by removing unnecessary apps and services, disable Microsoft tracking to enhance privacy, and apply performance tweaks to boost speed. Its cleaner removes junk and temporary files, while every change is safe and fully reversible. Sparkle also features a modern, user-friendly interface with automatic updates, making system maintenance simple. Explore over 39 tweaks, from disabling telemetry and hibernation to optimizing network and game settings, all aimed at customizing and enhancing your Windows experience. Sparkle supports Windows 10 and 11. Sparkle 2.20.1 changelog: You can now change the Animation Direction from Up, Left, or Off. Added configurable animation direction (Up, Left, Off) for improved accessibility Added TTL caching to the system info backend Refactored tweak application flow to await NvidiaProfileInspector Improved IPC listener cleanup to correctly remove specific listeners Fixed online status not updating after successful network requests Updated system info tests to support backend caching Removed electron-toolkit utils dependency in favor of internal is.dev helper Fixed unwanted files and folders being included in application bundles Download: Sparkle 2.20.1 | Portable | ~100.0 MB (Open Source) Links: Sparkle Website | Github | Screenshot Get alerted to all of our Software updates on Twitter at @NeowinSoftware
    • The best controller for XBOX and PC is down to the lowest price

      By Figure 8 Dash · Posted

      Never used the G7 Pro, but I've never had a good experience with that style of d-pad and fighting games.
    • Sihoo Doro C300 Pro V2 Ergonomic Office Chair review: The Ikea of chairs

      By Figure 8 Dash · Posted

      And I just bought a seat cushion for my mesh chair. The chair feels nice but the first time I sat in it with boxers, I realized I don't like the feel of mesh on my legs. 😂
    • This Dell 27 inch 4K 120Hz IPS monitor is really cheap after a very long time

      By jordanspringer · Posted

      "This Dell 27 inch 4K 120Hz IPS monitor is really cheap after a very long time" ... Lol.

  • Recent Achievements

    • One Month Later
      JKR earned a badge
      One Month Later
    • Dedicated
      Asgardi earned a badge
      Dedicated
    • Conversation Starter
      jessse3334 earned a badge
      Conversation Starter
    • Reacting Well
      JuvenileDelinquent earned a badge
      Reacting Well
    • One Month Later
      Excellence2025 earned a badge
      One Month Later

  • Popular Contributors

    1. 1
      +primortal
      495
    2. 2
      +Edouard
      247
    3. 3
      PsYcHoKiLLa
      154
    4. 4
      Steven P.
      84
    5. 5
      macoman
      64
    Show More

  • Tell a friend

    Love Neowin? Tell a friend!