Date: Mon, 4 May 2015 00:31:22 +0200
From: Polytropon <freebsd@edvax.de>
To: FreeBSD FreeBSD <freebsd-questions@freebsd.org>
Subject: Re: Unnoticed for years, malware turned Linux and BSD servers into spamming machines
Message-ID: <20150504003122.c8eb54ee.freebsd@edvax.de>
In-Reply-To: <20150503123824.3faeca9e@seibercom.net>
References: <20150503123824.3faeca9e@seibercom.net>
Nothing new, not even OS-specific. This is what happens when
stupidity gets access to Internet-facing computers.

On Sun, 3 May 2015 12:38:24 -0400, Jerry wrote:
> Has anyone else seen this:
>
> Unnoticed for years, malware turned Linux and BSD servers into spamming machines
>
> http://www.net-security.org/malware_news.php?id=3030

Because it's common practice to install "pirated copies" of software
on BSD and Linux servers. :-)

Still strange:

ESET researchers say the malware is made up of two different
components. Exploiting vulnerabilities in Joomla and Wordpress, the
first component is a generic backdoor that requests commands from its
Command and Control server. The second component is a full-featured
spammer daemon that is launched via a command received by the backdoor.
Mumblehard is also distributed via 'pirated' copies of a Linux and BSD
program known as DirectMailer, software sold on the Yellsoft website
for $240. "Our investigation showed strong links with a software company
called Yellsoft," explained Léveillé. "Among other discoveries, we found
that IP addresses hard-coded in the malware are closely tied to those
of Yellsoft," explained Léveillé.

Source: http://www.eset.com/int/about/press/articles/malware/article/linux-and-bsd-web-servers-at-risk-of-sophisticated-mumblehard-infection-says-eset/

Further reading keywords: mumblehard, joomla, wordpress.

That, in combination with knowledge about the "noexec" mount option,
should be interesting. :-)

You can easily conclude that it requires a skilled admin to operate an
Internet-facing server system. The "out of the box experience",
combined with "I don't need to know how this works", plus "I don't
care" (today's common "Windows" mindset) will lead to problems.
Especially an open operating system like Linux or BSD provides you
with tools to do your work properly. You can examine everything. If
you refuse to do it - it's entirely your problem (or that of your
trustful customers).

Don't get me started about installing PHP bloatware... :-)

When "wget http://app.example.com/install.sh | sudo bash" and running
arbitrary binary software "stolen" somewhere from the Internet is
being performed by a "responsible" person, it's probably the best time
to fire that person.

"The trojan is often included in the installation packages of programs
downloaded from untrustworthy sources."

No big deal. In this case, it seems (if I understood the little
information presented correctly) that a cracked installer installs
both the "DirectMailer" and the backdoor (to be run in userspace). But
it's also possible that weak passwords, open FTP access or other
"problems" could lead to an infection.

And 3000 out of 300 million servers worldwide... well, I think this is
_no_ relation to spamming botnets built with "Windows".

Also see § 5.1 here:

http://www.welivesecurity.com/wp-content/uploads/2015/04/mumblehard.pdf

Don't die while laughing. :-)

-- 
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...