Hijacked Linux servers distribute malicious software
September 15, 2009
A recently discovered botnet of hijacked Linux servers is being used to distribute malicious software to Windows computers across the globe.
According to an analysis by Internet application developer Denis Sinegubko, the compromised PCs all have one thing in common: the lightweight Web server "nginx" is running on them and serving content through port 8080.
Otherwise, these systems would appear to be totally inconspicuous and would seem to operate normally.
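An administrator can check a server for the indicator described above by listing listening sockets and picking out any nginx process bound to port 8080. The script below is an added example, not code from the article or from Sinegubko's analysis; the sample socket lines are constructed, and because nginx on 8080 is also a common legitimate setup, a match is a prompt to compare against the server's intended configuration.

```shell
#!/bin/sh
# Added example: list TCP listeners on port 8080 owned by a process named nginx.

# Constructed sample of `ss -H -ltnp` output (not data from the article).
SAMPLE='LISTEN 0 511 0.0.0.0:80 0.0.0.0:* users:(("nginx",pid=811,fd=6))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=640,fd=3))
LISTEN 0 511 0.0.0.0:8080 0.0.0.0:* users:(("nginx",pid=4312,fd=7))
LISTEN 0 511 [::]:8080 [::]:* users:(("nginx",pid=4312,fd=8))
LISTEN 0 100 127.0.0.1:8080 0.0.0.0:* users:(("java",pid=9001,fd=44))'

# Reads `ss -H -ltnp` lines on stdin and prints "<local address> pid=<pid>"
# for every socket on port 8080 whose owning process is called nginx.
find_nginx_8080() {
    awk '{
        n = split($4, parts, ":")          # port follows the last colon,
        if (parts[n] != "8080") next       # which also covers [::]:8080
        if ($6 !~ /\("nginx",/) next       # column 6: users:(("name",pid=N,fd=M))
        pid = $6
        sub(/.*\("nginx",pid=/, "", pid)   # drop everything up to the pid value
        sub(/,.*/, "", pid)                # drop everything after it
        print $4, "pid=" pid
    }'
}

# Live check: run as root so ss can show the owning process, then resolve
# each hit to its binary for comparison with what was actually installed.
scan_host() {
    ss -H -ltnp | find_nginx_8080 | while read -r addr pidfield; do
        pid=${pidfield#pid=}
        echo "$addr $pidfield exe=$(readlink "/proc/$pid/exe")"
    done
}

# "live" inspects this host; with no argument the constructed sample is used.
if [ "${1:-}" = "live" ]; then
    scan_host
else
    printf '%s\n' "$SAMPLE" | find_nginx_8080
fi
```

Without root privileges `ss` leaves the process column empty, so the check reports nothing even when a listener exists.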
These events were discovered when links to malware posted in China were replaced by dynamic DNS names from DynDNS.com and No-IP.com.
The infected Linux servers then register at the dynamic DNS services using particular host names with their IP address. Note that Windows servers are even easier to infect than Linux, but at the time we wrote this, only a few Windows servers had been deemed infected by the virus.
Sinegubko says that the dynamic DNS providers have already deleted more than 100 host names from their databases, but the botnet operators are apparently reacting quickly and registering systems under new names.
Sinegubko says his list currently has 77 IP addresses and is growing quickly.
It isn't clear how the servers were compromised, and additional analysis is being performed to learn more.
Sinegubko speculates that some system administrators may have been sloppy enough to use the root account for FTP operations and to store their root passwords in FTP program settings!
The hijackers then would have accessed these root passwords and sniffed out the critical data to penetrate these compromised servers.
More work is being done and careful analysis is also being performed by a few more Internet security firms in order to better protect systems and to prevent such mishaps from occurring again.
We will keep you posted on this, as well as other security news as it happens.