Unnoticed for years, malware turned Linux and BSD servers into spamming machines
freebsd at edvax.de
Sun May 3 22:31:32 UTC 2015
Nothing new, not even OS-specific. This is what happens when
stupidity gets access to Internet-facing computers.
On Sun, 3 May 2015 12:38:24 -0400, Jerry wrote:
> Has anyone else seen this:
> Unnoticed for years, malware turned Linux and BSD servers into spamming machines
Because it's common practice to install "pirated copies" of
software on BSD and Linux servers. :-)
ESET researchers say the malware is made up of two
different components. Exploiting vulnerabilities
in Joomla and Wordpress, the first component is a
generic backdoor that requests commands from its
Command and Control server. The second component
is a full-featured spammer daemon that is launched
via a command received by the backdoor. Mumblehard
is also distributed via 'pirated' copies of a Linux
and BSD program known as DirectMailer, software sold
on the Yellsoft website for $240.
"Our investigation showed strong links with a software
company called Yellsoft," explained Léveillé. "Among
other discoveries, we found that IP addresses hard-coded
in the malware are closely tied to those of Yellsoft,"
Further reading keywords: mumblehard, joomla, wordpress. That,
in combination with knowledge about the "noexec" mount option,
should be interesting. :-)
You can easily conclude that it requires a skilled admin to
operate an Internet-facing server system. The "out of the box
experience", combined with "I don't need to know how this
works", plus "I don't care" (today's common "Windows" mindset)
will lead to problems. Especially an open operating system like
Linux or BSD provides you with tools to do your work properly.
You can examine everything. If you refuse to do it - it's
entirely your problem (or that of your trustful customers).
Don't get me started about installing PHP bloatware... :-)
When "wget http://app.example.com/install.sh | sudo bash" and
running arbitrary binary software "stolen" somewhere from the
Internet is being performed by a "responsible" person, it's
probably the best time to fire that person. "The trojan is often
included in the installation packages of programs downloaded
from untrustworthy sources." No big deal. In this case, it
seems (if I understood the few information presented correctly)
that a cracked installer installs both the "DirectMailer" and
the backdoor (to be run in userspace). But it's also possible
that weak passwords, open FTP access or other "problems" could
lead to an infection.
And 3000 out of 300 million servers worldwide... well, I think
this is _no_ relation to spamming botnets build with "Windows".
Also see § 5.1 here:
Don't die while laughing. :-)
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
More information about the freebsd-questions