How to avoid being a phishing Webserver admin


In October I discussed the way people tend to misinterpret phishing botnet statistics. The key point was that people saw that many of the phishing Websites were on Linux servers, and somehow leaped to the conclusion that this meant Linux desktops were part of the botnets sending out phishing emails. The truth is that the phishing Websites are where the emails direct you; those sites then infect your MS Windows computer, recruiting it into the phishing email botnet.

Now, I'm going to tell you how you can increase your chances of staying out of the ranks of Webserver administrators whose Linux systems have been taken over by phishers.

The details can be found in the article at Linux.com, Mystery infestation strikes Linux/Apache Web sites. If you just want the nitty-gritty, though, I'll summarize for you:

Linux/Apache Webservers are being commandeered by phishers. Nobody's entirely sure of all the details yet, apparently, but it seems to involve replacements for specific binaries on the Linux/Apache Webservers. The infected webservers are "randomly" (so the article says) inserting JavaScript into Webpages sent to Web browsers, infecting the client computers.

It is believed that the systems are being infected by malicious security crackers sniffing root passwords on unsecured network connections, particularly on systems used by shared hosting providers that keep hundreds of Webhosting accounts on a single server -- so a single root password allows hundreds of phishing Websites to be created.

To protect your Webserver from infection, make sure you protect your root password:

  1. Make sure you don't use it across unencrypted connections.
  2. Make sure you don't allow direct root login over the network, so nobody can run online brute-force or dictionary password-cracking attempts against the root account. A previous article of mine can help secure your server against brute-force password cracking attempts.
  3. Make sure your root password is strong -- preferably at least 12 characters including capital and lower-case letters, numbers, special characters, and spaces.
  4. Make sure your passwords are hashed with Blowfish instead of MD5 or DES crypt.

To check whether your Webserver is infected, try creating a directory whose name starts with a numeral, with a command like:

mkdir 123

If it doesn't work, your system is probably infected. You can also filter output from tcpdump for signs of suspicious behavior -- and the Linux.com article gives a command line recipe for that.
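The following script is an added example, not part of the original article or the Linux.com piece it cites. It turns the root-password advice and the mkdir test above into three checks you can run on a server: whether sshd still permits direct root login, which hashing scheme each account's password uses (classic DES crypt produces a 13-character hash with no "$" prefix and uses only the first eight characters of the password, while bcrypt/Blowfish, MD5, SHA-256 and SHA-512 announce themselves with a "$id$" prefix), and whether mkdir still accepts a name beginning with a digit. The sample sshd_config and shadow lines are constructed here with placeholder hashes; on a real system you would feed it /etc/ssh/sshd_config and /etc/shadow instead.

```shell
#!/bin/sh
# Added example (not the article's code): audit the three points the article
# raises. All sample inputs below are constructed; nothing here is a real
# credential or a real host.

# 1. Is direct root login over SSH disabled?  Reads an sshd_config on stdin and
#    prints the first effective PermitRootLogin value (sshd honours the first
#    occurrence), or "unset" when the file does not mention the directive.
permit_root_login() {
    v=$(awk 'tolower($1) == "permitrootlogin" { print tolower($2); exit }')
    [ -n "$v" ] && echo "$v" || echo unset
}

# 2. Which hashing scheme protects a hash field taken from /etc/shadow?
hash_algo() {
    case "$1" in
        '$2a$'*|'$2b$'*|'$2y$'*) echo blowfish ;;   # bcrypt, Blowfish-based
        '$1$'*)                  echo md5 ;;
        '$5$'*)                  echo sha256 ;;
        '$6$'*)                  echo sha512 ;;
        ''|'*'|'!'*)             echo locked ;;     # no usable password
        *) if [ "${#1}" -eq 13 ]; then echo des; else echo unknown; fi ;;
    esac
}

# Reads /etc/shadow-format lines on stdin and prints "user scheme" per line.
audit_shadow() {
    while IFS=: read -r user hash _rest; do
        echo "$user $(hash_algo "$hash")"
    done
}

# 3. The symptom the article describes: mkdir refuses a name that starts with
#    a digit. Runs in a scratch directory so nothing is left behind.
numeric_mkdir_check() {
    scratch=$(mktemp -d) || return 1
    if mkdir "$scratch/123" 2>/dev/null; then result=ok; else result=suspect; fi
    rm -rf "$scratch"
    echo "$result"
}

main() {
    # Constructed sshd_config: root login still allowed (the weak setting).
    sample_sshd='Port 22
PermitRootLogin yes
PasswordAuthentication yes'
    # Constructed shadow lines; the hash fields are placeholders, not real hashes.
    sample_shadow='root:$1$saltsalt$PLACEHOLDERmd5hashxxxxxxx:14000:0:99999:7:::
alice:$2a$08$PLACEHOLDERbcrypthashxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:14000:0:99999:7:::
bob:abPLACEHOLDRx:14000:0:99999:7:::
www-data:*:14000:0:99999:7:::'

    echo "PermitRootLogin: $(printf '%s\n' "$sample_sshd" | permit_root_login)"
    printf '%s\n' "$sample_shadow" | audit_shadow
    echo "numeric mkdir: $(numeric_mkdir_check)"
}
main
```

Anything other than "no" from the first check, or "md5" and "des" from the second, is a finding; "suspect" from the third means you should treat the host as compromised rather than investigate it in place.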

Finally, you need to know how to react if you find you're infected. It's pretty simple, really -- do the same thing you should always do when your system has been compromised:

  1. Hope you have good backups.
  2. Nuke the entire site from orbit. It's the only way to be sure.

Well . . . don't literally nuke the datacenter. Wipe the server, though, and reinstall everything from scratch.

About

Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.

21 comments
sirconquer+TechRepublic

I couldn't have posted the reply in the proper thread location as apparently: "You have reached your maximum message level." anyways... Well dude, I doubt that you're all that interested in my sources as you seem to be pretty sure in your "incorrect" and "uh...no" conclusions. Good day. P.S. Thanks for the mkdir 123 tip, I do appreciate it, honestly.

jk2001

Also, don't run regular FTP, or if you are, plan on phasing it out. (I'm in this situation with my server.) If they're sniffing passwords, FTP might be one way they're building a password dictionary. Don't use your root or user account passwords as your ftp account passwords - and if possible don't allow ftp for user accounts. I'm guessing that most Linux hosts don't use telnet or rsh, and do use ssh, so getting a remote shell is secure. BUT, they are probably running unsecured FTP for their customers, and they might also be using FTP themselves... perhaps with the root password. OR, they are using sudo and their user passwords, but, they are also not being careful, and using their user passwords as FTP passwords. In any event, the attackers can try all the usernames and passwords to try and get in over SSH.

zdnet

I use denyhosts http://denyhosts.sourceforge.net A simple Python tool which adds IPs to /etc/hosts.deny after too many bad passwords. A second advantage of this type of tool is that you can warn other admins when their servers are compromised. Install it and watch the logfiles, you'll be surprised at how often your machines are attacked.
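As an added illustration of what a tool like the one described in this comment does (this is not DenyHosts' own code, and it is far simpler than the real tool): count "Failed password" lines per source address in an sshd auth log and emit hosts.deny entries for any address that crosses a threshold. The log lines are constructed, using TEST-NET addresses; the log format is the one sshd writes via syslog.

```shell
#!/bin/sh
# Added example, not DenyHosts itself: the idea behind it in a few lines of
# shell and awk.

# Usage: offenders THRESHOLD < auth.log
# Prints one "sshd: ADDRESS" line (hosts.deny syntax) per address with at
# least THRESHOLD failed password attempts, sorted.
offenders() {
    awk -v max="$1" '
        /sshd\[[0-9]+\]: Failed password for/ {
            # the source address is the field right after "from"
            for (i = 1; i <= NF; i++)
                if ($i == "from") { failed[$(i + 1)]++; break }
        }
        END {
            for (ip in failed)
                if (failed[ip] >= max) print "sshd: " ip
        }' | sort
}

# Usage: block_offenders THRESHOLD DENYFILE < auth.log
# Appends new entries to a hosts.deny-style file, skipping ones already present,
# so running it repeatedly from cron does not duplicate lines.
block_offenders() {
    touch "$2"
    offenders "$1" | while read -r line; do
        grep -qxF "$line" "$2" || echo "$line" >> "$2"
    done
}

# Constructed sample log: three failures from one address, one from another,
# plus a successful key login that must not be counted.
SAMPLE_LOG='Jan 10 03:14:07 web1 sshd[2231]: Failed password for root from 203.0.113.5 port 51234 ssh2
Jan 10 03:14:09 web1 sshd[2233]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
Jan 10 03:14:12 web1 sshd[2235]: Failed password for root from 203.0.113.5 port 51240 ssh2
Jan 10 03:15:40 web1 sshd[2240]: Failed password for alice from 198.51.100.7 port 40012 ssh2
Jan 10 03:15:55 web1 sshd[2241]: Accepted publickey for alice from 198.51.100.7 port 40013 ssh2'

# Demo: with a threshold of 3 only 203.0.113.5 is listed.
printf '%s\n' "$SAMPLE_LOG" | offenders 3
```

Two caveats when doing this for real: /etc/hosts.deny only affects services that consult TCP wrappers, and OpenSSH builds from 6.7 onward no longer do, so on such systems the equivalent action is a firewall rule; and the threshold should be high enough that a user fumbling a password does not lock out a whole office behind one NAT address.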

don

Seems as if using AppArmor would avoid all this mess. openSUSE and SLES servers ship with a basic Apache template.

Jack

What's your suggestion about large Unix servers (e.g. Sun, AIX) that only support 8 character passwords? This limit is documented in the "passwd" man pages for the respective servers. SunOS 5.9: "Only the first eight characters are significant" AIX 5.2: "The passwd command uses only the first eight characters of your password for local and NIS passwords."

DanLM

[i]mkdir 123 [u]If it doesn't work, your system is probably infected.[/u] You can also filter output from tcpdump for signs of suspicious behavior -- and the Linux.com article gives a command line recipe for that.[/i] This is just me not knowing, no other reason. Dan

apotheon

I'm always interested in sources -- and always willing to admit error when I find evidence of it. I'm pretty sure of my position, but that doesn't mean my position can't change. I'm glad you got some value from the article with regard to testing for webserver infection.

doug

Because of this thread, I installed denyhosts from one of SuSE's repositories, the one called utilities: It immediately pulled 30 IP addresses that had tried to log into my home server. This is a must-have utility.

DanLM

I wrote mine in perl... Dan

apotheon

It's not difficult to avoid this mess. Something as simple as using SSH when doing remote management would probably avoid all this mess.

Jaqui

Looking into moving the systems to newer versions of the software. SunOS [ properly called Solaris now ] newest version has been updated to use stronger passwords. Newer versions also make it much easier for the department to maintain the software. You don't have to backport patches. ;)

apotheon

In many cases, significant password length is configurable -- and the specifics of configuration can vary from system to system. For instance, in HP-UX 11, password length is set by PASS_MAX in , and on Debian GNU/Linux you can change that with the command `dpkg-reconfigure passwd`. A limit to eight significant characters sounds like the behavior you get with [i]crypt[/i] passwords, which is pretty common among Unix systems designed to an older standard. Look into options on your SunOS and AIX systems for "upgrading" your password hashing algorithm to a strong cryptographic algorithm like AES/Rijndael, Blowfish, or Twofish, or replacing crypt() with bigcrypt() at least (same thing, just with longer key lengths -- though the behavior of crypt itself is pretty sketchy for security purposes, regardless of the key length it allows). I'm not directly familiar with either SunOS or AIX, unfortunately. For more specifics, hopefully someone with direct experience with one or both will chime in with some more authoritative answers.

apotheon

Normally, you can create directories with names that start with a numeral in standard Unix shells. Systems on which key binaries have been replaced in accordance with the specific class of infection to which I refer in the article apparently exhibit differing behavior. My guess is that one of the replaced binaries is mkdir, and that it is not a perfectly crafted replacement. Most programming languages do not allow certain types of entities (constants and variables, in particular) to be created with names that start with numeral characters. It is likely that the manner in which the replacement binary counterfeits the general functionality of the original relies on behavior that, in its source language, is thusly limited. It may even be the case that the replacement file in question isn't even a binary. It may be a source file executed by an interpreter. I can only really speculate as to the causes of this sort of anomalous behavior, however, as I have not personally discovered such an infection and experimented with it.

apotheon

SunOS didn't become Solaris so much as get replaced by it. Bill Joy, who packaged up the first BSD Unix distribution (and invented vi), went on to co-found Sun Microsystems. He helped create the original SunOS, which was essentially the first proprietary BSD Unix. Marketed under the name SunOS 5.0, however, was a SysV Unix system that later came to be known as Solaris. As such, Solaris and classic SunOS are somewhat incompatible codebases with differing system defaults (between the BSD and SysV lines of Unix evolution). Of course, Jack reports using SunOS 5.9, so upgrade to Solaris is the right answer in this case (assuming upgrade is possible here) -- I just decided to be pedantic. Alas, I haven't used Solaris enough to be able to give any specific advice on password configuration. Hopefully Jack finds some of what I offered in other posts helpful.

Jaqui

From my very limited look at Sun's Solaris, version 10, they actually changed the password system to enable longer passwords.

apotheon

I've asked around amongst some of my friends with different proprietary UNIX experience than me. The answer seems to be that you need to patch them to use shadow passwords -- which, apparently, they don't by default. Also . . . I mentioned using AES/Rijndael, Blowfish, or Twofish. I should also mention that even MD5 for passwords would be better than plain crypt for passwords, and would allow for passwords of a significant length greater than eight characters. It's just not as strong an algorithm as the others I've mentioned, so if you can go with something stronger than MD5 you should do so, but if MD5 is the best the system will support you should go with MD5.

DanLM

I read that last night and went... hu??? But, now that you explained that... It makes sense... And I did verify that I could create a numeric directory before I asked that question. Dan

apotheon

"[i]Solaris was just a new marketing term for SunOS. What it meant was SunOS + OpenWindows + CDE + Java = Solaris.[/i]" No. SunOS, up to version 5, was a BSD Unix derivative. After version 5, when Sun started calling it Solaris, it was a System V Unix derivative. SysV and BSD are entirely separate codebases, thanks to AT&T's attempt to make any competing Unix system illegal in the late '80s. "[i]Please run 'uname -sr' on any Solaris machine and you will surely get 'SunOS 5.xx'.[/i]" SunOS is like the name "Windows" now -- there's "Windows" and there's "Windows NT", the latter of which is part of the former's family of OSes. "Windows NT" the OS is not just "Windows" the OS, though. The family relationship is a corporate one, not strictly a technological one. Solaris is the OS, with a relationship to SunOS via revenue streams rather than technological evolution. "[i]The BSD to SysV transition (the 'genetics' that you referred to) took place before they came up with Solaris branding.[/i]" Wrong. The Solaris name was applied with the release of the first SVR5 release of a SysV Unix from Sun, which in terms of the SunOS family qualified as SunOS 5.0. At that time, Sun Microsystems called the new release "Solaris 2" and named the micro-releases leading up to that point "Solaris 1". As soon as Sun's SysV Unix became a product, it was called Solaris. "[i]Again, Solaris is just a another one of Sun's marketing names[/i]" Every OS name is, to some extent, a "marketing name". What does that prove? "[i]As for Darwin and XNU, here is how that works:[/i]" You'd better cite your sources, because they differ from mine. There is, as far as I'm aware, a Darwin kernel that is part of the core Darwin OS, which is used as the foundation for MacOS X.

sirconquer+TechRepublic

OK, so I did overstate just how low level the name SunOS stretches, but nonetheless, Solaris was just a new marketing term for SunOS. What it meant was SunOS + OpenWindows + CDE + Java = Solaris. Please run "uname -sr" on any Solaris machine and you will surely get "SunOS 5.xx". SunOS is still how the system (kernel + shells + utils) is known at Sun, Solaris is the final package for the market. Note that OpenSolaris is not Solaris, but it is SunOS kernel. The BSD to SysV transition (the "genetics" that you referred to) took place before they came up with Solaris branding. Again, Solaris is just another one of Sun's marketing names (I won't be surprised if they re-brand it SolarSystemX one day... :-) ). As for Darwin and XNU, here is how that works:

Mach microkernel
  |
  V
XNU hybrid kernel (Mach + BSD)
  |
  V
Darwin OS (XNU + open source shells and utilities)
  |
  V
Mac OS X (Darwin OS + Apple's proprietary GUI and frameworks)

As for Windows - I'll take the 5th :-) , and I shouldn't have mentioned it at all, as I have little knowledge in that area.

apotheon

SunOS is the operating system brand family of which Solaris is a member. It's not the kernel. The kernel is the Solaris kernel. The OS brand itself is distinct from the OS family. Taken as an analogy to a real-life family of humans, one might call the Solaris OS an adopted child of the SunOS family, as it is not much related to the preceding generations of the SunOS family "genetically". While XNU is the name of the NeXT generations of that kernel family, Darwin is the name of the more recent MacOS X generations. The relationship between the names SunOS and Solaris is similar to that between the names XNU and Darwin, except that Darwin is an actual "genetic" descendant of XNU rather than a red-headed stepchild, and XNU is a more appropriate branding term for the MacOS X kernel than SunOS is for the Solaris OS these days. NT 5.1 is the name of the architecture, which includes but is not limited to (or synonymous with) the kernel. The kernel has no brand name other than "the Windows NT kernel". I'm just getting pedantic now, though.

sirconquer+TechRepublic

Here is how it works: SunOS is (still) the name of the kernel that is now part of the larger package known as Solaris Operating Environment. Kinda like XNU is the name of kernel of the larger package known as Mac OS X, or even WindowsNT 5.1 being the kernel of Windows XP.