Linux, Unix, and *nix like Operating Systems Forum

Up To 25,000 Unix/Linux Web Servers Infected By Ebury SSH Rootkit

 9:30 pm on Mar 19, 2014 (gmt 0)

As many as 25,000 web servers infected with Linux malware have been used in the past two years to hit website visitors with two variants of Windows malware.

Security researchers in Europe are urging sysadmins — if they haven't already been notified by their ISP — to check their web servers for the presence of several pieces of Linux malware, including a troublesome rootkit known as Ebury SSH for Linux and Unix.

Up To 25,000 Unix/Linux Web Servers Infected By Ebury SSH Rootkit [zdnet.com]

"There are two kinds of victims here: Windows end-users visiting legitimate websites hosted on compromised servers, and Linux/Unix server operators whose servers were compromised through the large server-side credential stealing network,"

 7:51 am on Mar 20, 2014 (gmt 0)

I read up on this yesterday.

It spreads by stealing credentials by replacing ssh with a malware-infected version. It actually gets them when:

1) someone logs into a compromised machine over ssh. Stealing credentials to a server on which the bad guys already have root access seems pointless, unless they are exploiting people's tendency to use the same password everywhere.

2) they log into another server from the compromised one. If it is a root login (or, presumably, one with sudo) it then installs bad stuff on the previously clean server.

The second appears to be the more common problem. Now tell me, what kind of idiot logs into a server as root (or an account with sudo privileges) from another server? If you need to log in from one server to another it should be with as few privileges as possible, just in case one server is compromised.


wa desert rat

 9:07 pm on Mar 20, 2014 (gmt 0)

I always deny root access via ssh because that is what all the hackers/crackers try first. Also disable version 1.


brotherhood of LAN

 9:28 pm on Mar 20, 2014 (gmt 0)

Yes, preventing general SSH access as root makes a lot of sense. It's easy to be blissfully unaware of the tens of thousands of attempts a day to brute force a password.

fail2ban is a popular piece of software... personally I whitelist a couple of IPs for SSH access (that are other dedicated servers I use), and those ones are RSA key login only, no password. My regular net connection has a floating IP so it suits me this way.

Brute force attempts are like the common cold, there's a lot of it about. Education and awareness would seem to be the cure.


 7:19 am on Mar 21, 2014 (gmt 0)

Agreed, root access via ssh should always be off to make brute force attacks harder.

I do not know if it helps with this particular attack. Incidentally, this can steal keys as well as passwords.

What else can we do? Fail2ban, port knocking, using a non-standard port....?

brotherhood of LAN

 3:02 pm on Mar 21, 2014 (gmt 0)

I think it's just covering the basic ground, graeme:

- Long password for anyone who can login with password
- Try making it key-login only
- Preferably whitelist some IPs for SSH access, block everything else to SSH port via SSH config or iptables. iptables maybe better for avoiding those rare SSH vulnerabilities.
- Non-standard SSH port increases obscurity and may help a wee bit, but any port above 1024 can have issues
- Install something like fail2ban if not using the whitelisted IP approach
- Remove any outward-facing service you aren't using

I'd heard about port knocking but never really looked into it...

>do not know if it helps with this particular attack

Yeah, I didn't see any specific vectors after reading "Operation Windigo", any idea? It seemed like either sshd or apache with the vulnerability. It seems to do a great job of unblocking all that it needs unblocked once it's in there.
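The points above (deny root over ssh, drop protocol 1, key-only logins, an explicit allowlist) are all plain sshd_config directives, so they can be checked mechanically. The script below is an added example, not code from the thread or from OpenSSH: it audits an sshd_config text against those points and prints one finding per line. The two sample configs and the addresses in them are constructed for the example.

```shell
#!/bin/sh
# Audit an sshd_config against the hardening points raised in this thread:
# no root login over ssh, no protocol 1, key-only logins, an explicit allowlist.
# Both sample configs below are constructed for the example, not taken from any real host.

WEAK_CONFIG='# typical as-shipped settings on an older box (constructed sample)
Port 22
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes'

HARDENED_CONFIG='# what the thread recommends (constructed sample)
Port 2222
Protocol 2
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
# only this account, and only from two management hosts (addresses are constructed)
AllowUsers deploy@203.0.113.10 deploy@198.51.100.7'

# sshd_get CONFIG DIRECTIVE: print the value of the first uncommented occurrence.
# sshd honours the first occurrence of a directive, so a later duplicate does not override it.
sshd_get() {
    printf '%s\n' "$1" | awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        NF >= 2 && tolower($1) == key { print $2; exit }'
}

# sshd_audit CONFIG: print one finding per line; prints nothing for a clean config.
sshd_audit() {
    cfg=$1
    v=$(sshd_get "$cfg" PermitRootLogin)        # unset: older OpenSSH releases defaulted to yes
    [ "$v" = "no" ] || echo "PermitRootLogin=${v:-unset}: root logins over ssh should be refused"
    v=$(sshd_get "$cfg" Protocol)               # any value listing 1 still offers protocol 1
    case "$v" in *1*) echo "Protocol=$v: protocol 1 is still enabled" ;; esac
    v=$(sshd_get "$cfg" PasswordAuthentication) # unset: default is yes
    [ "$v" = "no" ] || echo "PasswordAuthentication=${v:-unset}: logins should be key-only"
    [ -n "$(sshd_get "$cfg" AllowUsers)$(sshd_get "$cfg" AllowGroups)" ] \
        || echo "AllowUsers/AllowGroups unset: no user or source-host allowlist"
}

# sshd_count_findings CONFIG: number of findings, as a bare integer.
sshd_count_findings() {
    sshd_audit "$1" | wc -l | tr -d ' '
}

echo "== weak config: $(sshd_count_findings "$WEAK_CONFIG") finding(s)"
sshd_audit "$WEAK_CONFIG"
echo "== hardened config: $(sshd_count_findings "$HARDENED_CONFIG") finding(s)"
sshd_audit "$HARDENED_CONFIG"
```

To run it against a live host, replace the constructed text with `sshd_audit "$(cat /etc/ssh/sshd_config)"`. The AllowUsers check only confirms that an allowlist exists; the post's iptables suggestion still applies, because a source-host filter in the packet filter is enforced before sshd parses anything.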

wa desert rat

 4:35 pm on Mar 21, 2014 (gmt 0)

One of my clients accused me of being overly anxious about security (I won't open the Exchange server to port 25 from anything other than a mail forwarder). So I showed her the secure logs from the openvpn server that connects all their offices (and that I have to get into remotely via ssh). Page after page after page.

And that's on a box with the ssh port shifted.

Put any windows server in that position and it would be owned in an hour.

 9:42 pm on Mar 21, 2014 (gmt 0)

No, it wouldn't. Only if the administrator was really stupid. Find out more about Windows, especially the current versions, before making such groundless statements.

wa desert rat

 4:04 am on Mar 22, 2014 (gmt 0)

>No, it wouldn't. Only if the administrator was really stupid. Find out more about Windows, especially the current versions, before making such groundless statements.

There is little difference between the server versions of Windows and the desktop versions. Or, for that matter, today's versions and NT. Windows servers are subject to exactly the same exploits and that's why the latest versions have a web browser (Internet Explorer) that is explicitly prohibited from actually browsing (the admin has to unlock that).

Would you allow an SBS server with file sharing and business information to have a static IP address and open port to everyone on port 25 with Exchange running?

Or IIS on port 80 open to the world?

Or ssh?

I certainly wouldn't. And I am far from the only system admin who wouldn't. And that explains why there are so few Windows servers running web sites and email in comparison to *nix. Sure we run Exchange... but we also have an SMTP server in front of it; usually *nix (or a service running SMTP on *nix which is the same thing). But not many of us have the courage to run IIS unless we have a back end somewhere that can take the heat.

 9:10 am on Mar 22, 2014 (gmt 0)

Do we have to have a Windows vs Linux security debate in every thread?

I have started a separate thread on the topic. Can I suggest we debate it there and not derail other threads?


 10:58 am on Mar 22, 2014 (gmt 0)

As for most servers, there are some headers that the server dishes out in a response; would changing or removing them altogether help as well?

say from:

X-Powered-By:BestBBS v5.10

or backwards...

@WDR, it's here: [webmasterworld.com...]


 12:52 pm on Mar 23, 2014 (gmt 0)

Unless I have missed something, it would not help in this case as the attack targeted OpenSSH together with really sloppy login practices. By the time it attacked the web server it already had root access and would not need to look at headers.
