[sf-lug] ebay security analysis: phishers targeting linux (fwd)

Rick Moen rick at linuxmafia.com
Mon Oct 8 08:36:15 PDT 2007

I wrote (about the _Computerworld NZ_ quotations from eBay CSO Dave Cullinane):

> I don't expect the IT press to understand anything about security (sad
> but true), but this grab-bag article inadvertently commits more than the
> usual amount of hooey.  First of all, it's not necessary for the abused
> Linux box to get "infected":  It suffices for "command and control
> networks for botnets" that the Bad Guy find a way to run a local process
> of his choosing via whatever means, which process need not even be
> privileged, which might occur because, e.g., any single grunt
> (legitimate) user happened to SSH/scp/POP3/ftp into the box from a
> compromised host elsewhere.  See:
> http://linuxmafia.com/faq/Security/breakin-without-remote-vulnerability.html
> Second, for those Bad Guy purposes, covering the activity with a rootkit
> would be too much work and nearly pointless:  It would require cracking
> root, and the botnet C&C service process would be lightweight and can be
> made extremely unobtrusive.  Why bother with a rootkit (or with
> searching out a privilege-escalation path at all), in those
> circumstances?  It'd be overkill, and too much trouble to implement for
> the small amount of gain.

Some of the same observations have now also been made by Chad Perrin in
his article "Linux phishing botnet statistics can be deceptive"
(http://blogs.techrepublic.com.com/security/?p=296).  Worth reading, and
please note his observations about non-root compromise of innumerable
Linux/BSD/Solaris/etc. sites on account of badly written PHP apps.

Article concludes:

  If it's true that Linux boxes make up the majority of phishing
  botnet nodes, on the other hand, there's a simple lesson to be drawn
  from this: If you run a shared hosting provider, check your systems.

  Cullinane made the point that people running systems used as phishing
  botnet nodes don't know their systems have been compromised.
  That's very nearly a tautology, of course, because the moment a
  sysadmin knows his or her system has been compromised, he or she
  typically cleans up the infection. Thus, no compromised systems whose
  sysadmins know they're compromised.

  In the case of home users of Windows, it's to be expected that most
  compromised systems' owners don't know they've been
  compromised. In the case of shared hosting providers, however, one would
  hope the sysadmins are paying a little more attention to their networks
  than that. Such a widespread epidemic of shared hosting systems being
  turned into phishing botnet nodes can only mean that incredible numbers
  of shared hosting provider sysadmins aren't doing their jobs.

  Pardon my cynicism but, frankly, I can't say I'm surprised.
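An added defender-side example, not from Rick's post or Chad Perrin's article, of the "check your systems" step: a Python audit of /proc/net/tcp that flags listening or established sockets owned by unprivileged UIDs outside an assumed allowlist, since the C&C process described above need not run as root and so escapes root-only checks. The sample /proc/net/tcp contents, the UIDs and both port allowlists are constructed assumptions.

```python
import socket
import struct

# /proc/net/tcp state codes (Linux)
TCP_ESTABLISHED = "01"
TCP_LISTEN = "0A"

# Assumptions for this host: which listeners and outbound ports are normal.
EXPECTED_LISTEN_PORTS = {22, 80, 443, 3306}
EXPECTED_REMOTE_PORTS = {25, 80, 443}

# Constructed sample in /proc/net/tcp layout: IPv4 addresses are 8 hex digits
# in host (little-endian) byte order, ports are 4 hex digits, column 8 is uid.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1001        0 23456 1 0000000000000000 100 0 0 10 0
   2: 0F02000A:C2F4 0501A8C0:1A0B 01 00000000:00000000 00:00000000 00000000  1002        0 34567 1 0000000000000000 100 0 0 10 0
   3: 0F02000A:C2F5 22D8B85D:01BB 01 00000000:00000000 00:00000000 00000000  1002        0 34568 1 0000000000000000 100 0 0 10 0
   4: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1002        0 45678 1 0000000000000000 100 0 0 10 0
"""

def decode_addr(hex_addr):
    """'0100007F:0CEA' -> ('127.0.0.1', 3306): unpack little-endian IPv4 + port."""
    ip_hex, port_hex = hex_addr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)

def parse_proc_net_tcp(text):
    """Return one dict per socket row, skipping the header line."""
    rows = []
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) < 8:
            continue
        rows.append({"local": decode_addr(f[1]), "remote": decode_addr(f[2]),
                     "state": f[3], "uid": int(f[7])})
    return rows

def audit(rows):
    """Flag non-root sockets that are neither an expected listener nor an expected outbound."""
    findings = []
    for r in rows:
        if r["uid"] == 0:  # root sockets are covered by other checks; focus on grunt users
            continue
        if r["state"] == TCP_LISTEN and r["local"][1] not in EXPECTED_LISTEN_PORTS:
            findings.append(("unexpected-listener", r["uid"], r["local"]))
        elif r["state"] == TCP_ESTABLISHED and r["remote"][1] not in EXPECTED_REMOTE_PORTS:
            findings.append(("unexpected-outbound", r["uid"], r["remote"]))
    return findings

if __name__ == "__main__":
    for kind, uid, addr in audit(parse_proc_net_tcp(SAMPLE_PROC_NET_TCP)):
        print(f"{kind}: uid={uid} {addr[0]}:{addr[1]}")
```

On a live box, read /proc/net/tcp (and tcp6) instead of the sample and map the inode column to a PID via /proc/*/fd to see which user process owns the socket.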
