No more Linux security bragging: botnet discovery worry

Bad guys have created a botnet of Linux Web servers. In a way, that's even more frightening than regular botnets of compromised Windows PCs. In IT Blogwatch, bloggers ask if this is the end for Linux's claim to be more secure than Windows; or is it just a load of old hokum?

By Richi Jennings. September 14, 2009.

Your humble blogwatcher selected these bloggy morsels for your enjoyment. Not to mention another classic Photoshop disaster...

Dan Goodin warns of a "Linux botnet":

A security researcher has discovered a cluster of infected Linux servers that have been corralled into a special ops botnet of sorts and used to distribute malware. ... The infected machines ... serve legitimate traffic on port 80, the standard TCP port used by websites. Behind the scenes, the rogue server sends malicious traffic over port 8080.


Malicious payloads are then delivered with the help of dynamic DNS hosting providers, which offer free domain names that are mapped to the IP address of the zombie webserver. ... With about 100 nodes, the network is relatively small, making it unclear exactly what the attackers' intentions are. All of the boxes examined so far have run the Apache webserver on various distributions of Linux.

StopBadware's Maxim Weinstein has more:

Over at the Unmask Parasites blog, periodic contributor Denis reports on a botweb (a term coined by our own Oliver Day) that he’s been investigating. ... The blog post contains a much more thorough analysis of the issue and is worth a read, especially if you work for a hosting provider or manage Linux-based web servers.

  Meanwhile, we’ve reached out to Denis to see if we can assist in notifying providers that are hosting compromised servers.

Denis Sinegubko is the horse with the mouth:

It began when I started to notice a new pattern in domains of hidden iframes. ... I realized that all those domains were registered with free dynamic DNS hosting providers: and These sites allow anyone to register any third-level domain for free and point it to any static or dynamic IP-address. ... most of the third-level domains point to different IP addresses. Currently active domains from my list point to 77 unique IPs all over the world. ... It’s time to check if have an unauthorized web server working on port 8080.


Each server works as a load balancer for other malicious servers used in this attack. When you try to load any iframe URL, you get redirected to a random server. ... What we see here is a long awaited botnet of zombie web servers! A group of interconnected infected web servers with common control center involved in malware distribution. ... Who knows what else can those infected web server do? They may be involved in SPAM distribution, in DDOS attacks, etc. They can do just everything normal zombie computers do, but more effectively thanks to better Internet connection.

A Linux botnet? Steven J. Vaughan-Nichols says, "Nah."

Ah, Windows fans everywhere, I hate to break this to you but compromised Linux servers have been used for ages to run Windows botnets. After all, if you had a couple of hundred of thousand Windows PCs at your beck and call would you use Windows to control them? Of course not!


All that has happened is that someone, as many others have in the past, has busted into improperly secured Linux servers. ... The difference between the 100-node Linux machine cluster that Sinegubko found and real Windows botnets, which in 2006 averaged 20,000 PCs, is that Windows, which is insecure by design, can be made over into a bot by simply going to the wrong Web site or opening a corrupted e-mail. The Linux servers, on the other hand, simply have lousy ... "Fire the system administrator now," security.

burnin1965 disagrees with SJVN, but says Linux botwebs are nothing new:

There is a continuous flood of SSH brute force attacks on any *nix machine connected to the internet. ... After watching the attacks for awhile I set up a box to see what they were doing and created a user name test with the password test. ... It wasn't long before the system was "compromised".


Using another system I connected to the IRC network. ... Sure enough there were two individuals chatting it up in the channel and sending commands to hundreds of compromised systems. While reviewing the various compromised systems I noted that they were all *nix machines of one type or another. This was a few years back so ... this is nothing new. What would have been new is if a botnet like this was discovered to be from a real hack and not some lame password login scan.

But easyTree figures this makes for an easy troll:

It's nice to see Lo0niX has advanced to the point where it can now successfully run botnet software. I'll bet there's no gui though. I'm not up on linux commands so don't laugh but I'll wager it's something like:

  * apt get b0tnet -s -x9 -secret -warez -pr0n -infectWindows=1 -p

  Rather than the point-and-click convenience you'd expect on windows..

So what's your take?

Get involved: leave a comment.

Don't miss out on IT Blogwatch:

And finally...

Richi Jennings is an independent analyst/consultant, specializing in blogging, email, and spam. A 24 year, cross-functional IT veteran, he is also an analyst at Ferris Research. You can follow him as @richi on Twitter or richij on FriendFeed, pretend to be Richi's friend on Facebook, or just use good old email:

Copyright © 2009 IDG Communications, Inc.

Shop Tech Products at Amazon