New Mayhem malware targets Linux, UNIX servers
Posted on 07/18/2014 9:25:58 AM PDT by Utilizer
Infections found in Australia and New Zealand.
A new malware that runs on UNIX-like servers even with restricted privileges has already infected machines in Australia and is actively hunting for more targets, a new research paper has shown.
Three researchers from Russian web provider Yandex - Andrej Kovalev, Konstantin Ostrashkevich and Evgeny Sidorov - said in the technical analysis of the malware, published on security and anti-virus specialist publication Virus Bulletin, that Mayhem functions like a traditional Windows bot.
According to the researchers, Mayhem appears to be the continuation of the Fort Disco brute-force password cracking attack campaign that began in May 2013.
At the time, Fort Disco had created a botnet with six control and command sites and over 25,000 infected Windows computers, according to Arbor Networks security analysts.
(Excerpt) Read more at itnews.com.au ...
This could turn out to be a major problem for many, as the article goes on to note that many servers in the USA and Russia are infected.
Grief counselors will be on duty to help those Linux users who have lost the moral high ground.
Only joking...it will be dealt with quickly but it is a reminder to be vigilant.
Almost as much fun as making fun of the Pope.
Meh... skimmed the article, PHP exploit, user-land. Tripwire fodder.
Be a real shame to see some critical site get compromised. Seriously, I mean like FR. It's bad enough that the fedgov and others consider this a "hate site". We don't need something like this to add to our worries if our servers get compromised.
Okay, thanks. Just thought I would pass the warning.
A true macophile knows that OS X is built on top of a BSD-Unix variant, and that any vulnerabilities to Unix would potentially apply to OS X as well. :)
True. You would think they would know that. I should point out though that this primarily targets servers running unix or its variants but it can indeed jump to other computers under the right conditions. The map on the article page shows how much it has spread already.
Be mindful that many of us use PHPmyadmin to administer mySQL or postgre on our RHEL/Ubuntu servers. I’ve already updated all of my web server security protocols.
I do. ;)
The main reason I clicked the link in the first place was to see if I should be worried about a vulnerability on one of my Macs.
Good for you. Hope all your machines are safe, as I am currently running checks on all the machines I am responsible for and expect to be busy for quite some time now.
True, but that should be locked down? For remote access to sensitive services I use an ssh tunnel to the internal private network, things like MySQL are open only to that network, which allows me to e.g. securely replicate an offsite backup, or if I chose, to run phpMyadmin on my local machine (but there are better tools when you have wire access.) Well, this assumes you control the hardware, or at least ssh access. Not often the case.
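The posture described in the post above (database listeners reachable only on the internal network, with an ssh tunnel for remote administration) can be checked mechanically. The script below is an added example, not code from the thread or from the article: it takes the listening-socket list in the format `ss -ltnH` prints, and reports any sensitive service bound to a wildcard address. The sample listener lines and the port list are constructed for the example.

```shell
#!/bin/sh
# Added example: flag sensitive services listening on all interfaces
# rather than on loopback or an internal address.
# Input is the line format of `ss -ltnH`: State Recv-Q Send-Q Local:Port Peer:Port

# Constructed sample output standing in for `ss -ltnH` on a real host.
SAMPLE_LISTENERS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 80 0.0.0.0:3306 0.0.0.0:*
LISTEN 0 128 127.0.0.1:5432 0.0.0.0:*
LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
LISTEN 0 128 [::]:5432 [::]:*'

# Ports that should never face the outside world (assumed list: MySQL,
# PostgreSQL, Redis, MongoDB). Extend to match your own services.
SENSITIVE_PORTS="3306 5432 6379 27017"

# exposed_sensitive LISTENER_TEXT
# Prints "<port> <address>" for each sensitive port bound to a wildcard
# address (0.0.0.0, [::] or *); prints nothing when the host is clean.
exposed_sensitive() {
    printf '%s\n' "$1" | awk -v ports="$SENSITIVE_PORTS" '
    BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
    {
        l = $4                       # Local:Port column
        port = l; sub(/.*:/, "", port)          # text after the last colon
        addr = l; sub(/:[0-9]+$/, "", addr)     # everything before the port
        if ((port in want) && (addr == "0.0.0.0" || addr == "[::]" || addr == "*"))
            print port, addr
    }'
}

# Stand-alone run against the constructed sample; on a real host replace
# "$SAMPLE_LISTENERS" with "$(ss -ltnH)".
exposed_sensitive "$SAMPLE_LISTENERS"
```

Against the sample the check reports `3306 0.0.0.0` and `5432 [::]`: MySQL is exposed outright, and PostgreSQL is bound correctly on IPv4 but wide open on IPv6, the kind of half-fix a manual glance at `bind-address` misses. Once a service is bound internally, the remote path the post describes is a forwarded port over ssh, e.g. `ssh -N -L 3306:127.0.0.1:3306 admin@bastion`, so the database never needs a public listener.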
I use VLAN tagging and split networking to sequester my administrative sites from those facing the outside world. My NAS heads, PHPmyadmin pages, and any SUDO accesses can only be achieved through a secure SSH connection using certificates, and they’re only accessible within the network.
That being said, PHP is PHP. If it’s infected, it’s infected the entire app, not just a portion of the site.
Interesting. As I don’t use PHP, doesn’t affect me, but it’s an interesting exploit nonetheless. This doesn’t seem to be something that can get to data or processes that are not owned by the spawning process. However, the ability to execute a shell process is troublesome, as it could allow someone to effectively use it to perform a local exploit which might allow for higher privilege execution. It’s something to watch out for.