
Operation Windigo - Linux ssh exploit and bot net

by zafiro17 in security on 2014-03-20 (#2WK)
Way over there at ESET is an analysis of a long-running OpenSSH compromise that, for the last three years, has kept an extensive Linux spam and Windows virus/malware/redirect farm in operation.

Specific details about the exploit used are in the ESET write-up.
Cut to the chase: to check whether your system is infected, run

    ssh -G 2>&1 | grep -e illegal -e unknown >/dev/null && echo "System clean" || echo "System infected"

Uninfected systems return an "illegal option" or "unknown option" error for the -G flag, as well as the usage message. Infected systems return only the usage message.
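The one-liner above is a quick tell, but it assumes the OpenSSH of early 2014, in which a genuine ssh client has no -G option and rejects it. OpenSSH 6.8 (released in 2015) added a legitimate -G ("print the effective configuration and exit"), so on any current release the one-liner prints "System infected" for every host. The POSIX sh script below is an added example, not code from the original post or from ESET: it wraps the same test in a function that can be run against captured output, checks the client's reported version first, and answers "inconclusive" where the -G test cannot discriminate (a 6.8-or-later client, or output that is neither an option error nor a usage message). The sample outputs are constructed, and the function and variable names are my own.

```shell
#!/bin/sh
# Added example, not code from the original post or from ESET.
# Wraps the published Ebury check ("a genuine ssh rejects -G") so that it
# can be applied to captured output, and refuses to report "infected" when
# the client is OpenSSH 6.8 or newer, since those releases document -G.

# ssh_g_is_legitimate VERSION
#   VERSION is the "OpenSSH_x.y..." token printed by `ssh -V`.
#   Returns 0 (true) when that release has a genuine -G, i.e. x.y >= 6.8.
ssh_g_is_legitimate() {
    major=$(printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1/p')
    minor=$(printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\2/p')
    if [ -z "$major" ]; then
        return 1                    # unparseable version: assume the pre-6.8 behaviour
    fi
    if [ "$major" -gt 6 ]; then
        return 0
    fi
    if [ "$major" -eq 6 ] && [ "$minor" -ge 8 ]; then
        return 0
    fi
    return 1
}

# classify_ssh_g OUTPUT VERSION
#   OUTPUT is the combined stdout and stderr of `ssh -G` with no host given.
#   Prints exactly one of: clean | infected | inconclusive
classify_ssh_g() {
    output=$1
    version=$2
    if ssh_g_is_legitimate "$version"; then
        echo inconclusive           # a genuine client accepts -G here, so nothing is proven
    elif printf '%s\n' "$output" | grep -q -e illegal -e unknown; then
        echo clean                  # genuine pre-6.8 client rejected the unknown flag
    elif printf '%s\n' "$output" | grep -qi 'usage:'; then
        echo infected               # flag silently accepted, only usage shown: the Ebury tell
    else
        echo inconclusive           # e.g. "ssh: not found"; the probe never ran
    fi
}

# check_local_ssh [PATH]
#   Probes a real binary (default: the ssh on $PATH) and prints the verdict.
#   The version string comes from the same binary under test, so a client
#   that lies about its version degrades the verdict to "inconclusive",
#   never to "clean".
check_local_ssh() {
    bin=${1:-ssh}
    ver=$("$bin" -V 2>&1 | sed -n 's/^\(OpenSSH_[0-9][0-9.]*\).*/\1/p')
    out=$("$bin" -G 2>&1) || true   # ssh exits non-zero on usage; keep the text anyway
    classify_ssh_g "$out" "$ver"
}

# Constructed sample outputs (hypothetical, not captured from real hosts).
SAMPLE_CLEAN='ssh: illegal option -- G
usage: ssh [-1246AaCfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]'
SAMPLE_INFECTED='usage: ssh [-1246AaCfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]'
SAMPLE_MODERN='usage: ssh [-46AaCfGgKkMNnqsTtVvXxYy] [-B bind_interface] [-b bind_address]'

# Only probe the local client when explicitly asked: ./ebury_g_check.sh --run
if [ "${1:-}" = "--run" ]; then
    check_local_ssh
fi
```

Invoke the script with `--run` on the host being checked; without arguments it only defines the functions so that the sample verdicts can be exercised. On a 6.8-or-later client the -G probe carries no signal, and the other indicators from ESET's analysis have to be used instead.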

History

2014-03-20 09:18
Operation Windigo - Linux ssh exploit and bot net
zafiro17@pipedot.org
Here's an unpleasant start to your morning: confirmation of a long-running OpenSSH exploit [PDF] that has resulted in the operation for the last 3 years of an extensive botnet pumping out spam, viruses, malware, and of course links to redirect farms. Symantec provides some analysis here. "Operation Windigo", as it's called, has been alive since 2011, stealing SSH credentials on Windows, Linux, and BSD systems, and it has hit a couple of well-known companies, including cPanel and the Linux Foundation.
Cut to the chase in the time it takes for your morning coffee to cool, with this command to see if you've been affected:

    ssh -G 2>&1 | grep -e illegal -e unknown >/dev/null && echo "System clean" || echo "System infected"

Uninfected systems return an "illegal option" or "unknown option" error for the -G flag, plus the usage message, whereas infected systems will return only the usage message.

If your system doesn't come up clean, you are probably one of an estimated 25,000 compromised servers currently sending out over 35 million spam messages a day.
