Hundreds of infected Linux servers in Australia


Windigo spreads spam and malware.

A mass compromise of Linux servers, used to steal credentials and redirect traffic to malicious content, has spread to Australia, security researchers have found.


Security firm ESET analysed [PDF] what it termed 'Operation Windigo', a global malware campaign built on Ebury, a backdoored build of OpenSSH (the open source implementation of the Secure Shell protocol used to administer servers) that the attackers install on compromised hosts to harvest credentials.

Over the past two years, ESET says more than 25,000 servers were affected; of these, over 10,000 remain infected today, with hundreds located in Australia.

“We have seen more than 400 server infections related to Operation Windigo in Australia. This means that Australians have been exposed to an increased level of annoyance such as spam, advertisement and malware," ESET's security intelligence program manager Pierre-Marc Bureau told iTnews.

"Like everybody else, Australians are exchanging data with servers all over the globe when browsing websites and receiving emails, and so are potentially opening themselves up to other infected servers as well."

Overview of Windigo; source: ESET

ESET described the Windigo campaign as a large, complex network with its own supporting infrastructure: nginx reverse proxies, TinyDNS resolvers for domain name lookups, SSH tunnels for encrypted command-and-control and data traffic, and Windows malware delivered in drive-by attacks on visitors to infected sites.

While ESET did not name the operators behind Windigo, the security vendor said they have been active since at least 2011.

Through the Ebury backdoor, the operators were also able to compromise the Linux Foundation's kernel.org site and cPanel, the web hosting control panel company.

It is not just Linux servers that have been compromised through the Ebury OpenSSH backdoor: ESET noted that systems running Apple's OS X, OpenBSD, FreeBSD and Microsoft Windows (via the Cygwin compatibility layer) have also been abused by Windigo, albeit at a smaller scale.

Every day, over half a million visitors are being redirected to exploit kits after visiting websites running on infected servers, ESET said.

Windigo is also responsible for sending 35 million spam messages a day, according to ESET.

To prevent infection, ESET recommended disabling root login over SSH and password-based authentication, using SSH agent forwarding rather than copying private keys onto servers, and enabling two-factor authentication.
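As an added illustration (not code from ESET's report or the original article), the following POSIX shell script audits an sshd_config for the two server-side settings above and shows a constructed weak configuration beside a hardened one. It assumes sshd's parsing rules: keywords are case-insensitive, the first occurrence of a keyword wins, and only the global section before any Match block sets the default. The file names and contents are made up.

```shell
#!/bin/sh
# Added example, not from ESET or the article: audit an sshd_config for the two
# server-side settings recommended above. Assumed sshd_config semantics:
#  - keywords are case-insensitive and '#' starts a comment;
#  - the FIRST occurrence of a keyword wins and later duplicates are ignored, so a
#    hardening line appended to a file that already sets the weak value does nothing;
#  - only the global section (before the first Match block) sets the default.
# The "Keyword=value" spelling is not handled.

# effective_value FILE KEYWORD: print the value sshd would use (lower-cased),
# or nothing if the keyword is not set in the global section.
effective_value() {
    awk -v key="$2" '
        { sub(/#.*/, "") }                               # drop comments
        tolower($1) == tolower(key) && !done { print tolower($2); done = 1 }
        tolower($1) == "match" { exit }                  # global section ends here
    ' "$1"
}

# audit_sshd_config FILE: print one line per setting, return 0 only when both
# are hardened (root login off, password authentication off).
audit_sshd_config() {
    file=$1
    rc=0
    root=$(effective_value "$file" PermitRootLogin)
    pw=$(effective_value "$file" PasswordAuthentication)

    case "$root" in
        no) echo "PermitRootLogin: ok (no)" ;;
        "") echo "PermitRootLogin: WEAK (unset; default depends on OpenSSH version)"; rc=1 ;;
        *)  echo "PermitRootLogin: WEAK ($root; ESET advised disabling root login)"; rc=1 ;;
    esac
    case "$pw" in
        no) echo "PasswordAuthentication: ok (no)" ;;
        "") echo "PasswordAuthentication: WEAK (unset; OpenSSH default is yes)"; rc=1 ;;
        *)  echo "PasswordAuthentication: WEAK ($pw)"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample files (not taken from any real host).
WEAK=$(mktemp); HARDENED=$(mktemp)
cat >"$WEAK" <<'EOF'
Port 22
PermitRootLogin yes
PasswordAuthentication yes
# added later in good faith, but sshd keeps the first value above:
PasswordAuthentication no
EOF
cat >"$HARDENED" <<'EOF'
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
# per-user exception below a Match block does not change the global default
Match User deploy
    PasswordAuthentication yes
EOF

echo "== weak sshd_config =="
audit_sshd_config "$WEAK" || echo "=> FAIL: fix the lines above"
echo "== hardened sshd_config =="
audit_sshd_config "$HARDENED" && echo "=> PASS"
rm -f "$WEAK" "$HARDENED"
```

Run it as-is to see the weak file fail and the hardened file pass, or point audit_sshd_config at /etc/ssh/sshd_config on a host you administer. The other two recommendations are not covered by this check: agent forwarding is a client-side setting (ForwardAgent in ssh_config, or ssh -A), and two-factor authentication is configured through PAM rather than sshd_config alone.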


Copyright © SC Magazine, Australia
