In October I discussed the way people tend to misinterpret phishing botnet statistics. The key point was that people saw that many of the phishing Websites were on Linux servers, and somehow leaped to the conclusion this meant Linux desktops were parts of the botnets sending out phishing emails. The truth is that the phishing Websites are where you are directed by the emails, which then infect your MS Windows computer, recruiting it into the phishing email botnet.

Now, I’m going to tell you how you can increase your chances of staying out of the ranks of Webserver administrators whose Linux systems have been taken over by phishers.

The details can be found in the article Mystery infestation strikes Linux/Apache Web sites. If you just want the nitty-gritty, though, I’ll summarize for you:

Linux/Apache Webservers are being commandeered by phishers. Nobody’s entirely sure of all the details yet, apparently, but it seems to involve replacements for specific binaries on the Linux/Apache Webservers. The infected webservers are “randomly” (so the article says) inserting JavaScript into Webpages sent to Web browsers, infecting the client computers.

It is believed that the systems are being infected by the malicious security cracker sniffing root passwords across unsecured network connections, particularly on systems used by shared hosting providers who maintain hundreds of Webhosting accounts on a single server — thus allowing hundreds of phishing Websites to be created with only one root password.

To protect your Webserver from infection, make sure you protect your root password:

  1. Make sure you don’t use it across unencrypted connections.
  2. Make sure you don’t allow direct root login over the network so nobody can perform online brute force and dictionary attack password cracking attempts. A previous article of mine can help secure your server against brute-force password cracking attempts.
  3. Make sure your root password is strong — preferably at least 12 characters including capital and lower-case letters, numbers, special characters, and spaces.
  4. Make sure your passwords are hashed with Blowfish instead of MD5 or DES.
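
As an added example (not from this article or the one it summarizes), the shell functions below audit items 2 and 4 of the list. They assume the server runs OpenSSH and stores crypt(3)-style hashes in a shadow file; the function names and all sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit checklist items 2 and 4. Assumes OpenSSH and
# crypt(3)-style shadow fields. All sample data below is constructed.

# Classify the hash scheme of one /etc/shadow password field.
hash_scheme() {
    case "$1" in
        '')          echo empty ;;      # no password required at all
        '!'*|'*'*)   echo locked ;;     # password login disabled
        '$1$'*)      echo md5 ;;
        '$2'*)       echo blowfish ;;   # $2a$, $2b$, $2y$ (bcrypt)
        '$5$'*)      echo sha256 ;;
        '$6$'*)      echo sha512 ;;
        '$'*)        echo unknown ;;
        *)           echo des ;;        # traditional or extended DES
    esac
}

# Print "user scheme" for each account in a shadow file using MD5 or DES.
weak_accounts() {
    while IFS=: read -r user field rest; do
        scheme=$(hash_scheme "$field")
        case "$scheme" in md5|des) echo "$user $scheme" ;; esac
    done < "$1"
}

# Print the global PermitRootLogin value from an sshd_config file (sshd
# honours the first occurrence), or "unset" if only the default applies.
root_login_setting() {
    awk 'tolower($1) == "match" { exit }   # stop at per-user/host overrides
         tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
         END { if (!found) print "unset" }' "$1"
}

# Constructed sample files so the script runs without root privileges.
d=$(mktemp -d)
cat > "$d/shadow" <<'EOF'
root:$1$CONSTRUCTED$SAMPLEHASHVALUE0000000:13900:0:99999:7:::
www:$2a$10$CONSTRUCTEDSAMPLEHASHVALUE0000000000000000000000000000:13900:0:99999:7:::
old:XXconstructed:13900:0:99999:7:::
daemon:*:13900:0:99999:7:::
EOF
printf '%s\n' '#PermitRootLogin no' 'PermitRootLogin yes' > "$d/sshd_config"

weak_accounts "$d/shadow"                 # flags root (md5) and old (des)
echo "PermitRootLogin: $(root_login_setting "$d/sshd_config")"
rm -rf "$d"
```

On a real server, run the functions as root against /etc/shadow and /etc/ssh/sshd_config (the usual OpenSSH location; yours may differ).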

To check whether your Webserver is infected, try creating a directory whose name starts with a numeral, with a command like:

mkdir 123

If it doesn’t work, your system is probably infected. You can also filter output from tcpdump for signs of suspicious behavior — and the article gives a command line recipe for that.

Finally, if you find you’re infected, you need to know how to react. It’s pretty simple, really — if you find out your system is infected, do the same thing you should always do when your system has been compromised:

  1. Hope you have good backups.
  2. Nuke the entire site from orbit. It’s the only way to be sure.

Well . . . don’t literally nuke the datacenter. Wipe the server, though, and reinstall everything from scratch.