Botnet discovered on Linux servers
A network of hijacked Linux servers is apparently being used to distribute malicious software to Windows PCs. According to an analysis by web developer Denis Sinegubko, the compromised systems all have one thing in common: the lightweight web server nginx is running and serving content through port 8080. Otherwise, these systems are inconspicuous and appear to operate quite normally. This new tactic was discovered when links to malware posted in China were replaced by dynamic DNS names from DynDNS.com and No-IP.com.
The infected servers then register at the dynamic DNS services using particular host names with their IP address. Sinegubko says that the dynamic DNS providers have already deleted more than 100 host names from their databases, but the botnet operators are apparently reacting quickly and registering systems under new names. Sinegubko says his list currently has 77 IP addresses.
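The two indicators the article gives, an unexpected nginx listener on port 8080 and a dynamic DNS hostname that resolves to the server's own address, are cheap for an administrator to check. The script below is an added triage example, not code from Sinegubko's analysis; it parses `ss -lntp`-style output (the sample is constructed, not captured from a real host), flags listeners that are not in an allowlist of expected (process, port) pairs, and matches resolved hostnames against the server's own IPs. The hostnames and addresses in the resolution sample are placeholders; `resolve_all()` is there for live use and is not exercised by the sample.

```python
import re
import socket
from dataclasses import dataclass


@dataclass(frozen=True)
class Listener:
    addr: str
    port: int
    procs: tuple  # ((process_name, pid), ...) as reported by ss


# Constructed sample of `ss -lntp` output (assumed format; not from a real host).
SAMPLE_SS = """State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*     users:(("sshd",pid=812,fd=3))
LISTEN 0      511    0.0.0.0:80          0.0.0.0:*     users:(("apache2",pid=900,fd=4),("apache2",pid=901,fd=4))
LISTEN 0      511    *:8080              *:*           users:(("nginx",pid=2231,fd=6),("nginx",pid=2232,fd=6))
LISTEN 0      128    [::]:22             [::]:*        users:(("sshd",pid=812,fd=4))
"""

# Constructed hostname -> IP mapping (placeholder names, documentation addresses).
SAMPLE_RESOLVED = {
    "placeholder-a.example.net": "192.0.2.10",
    "placeholder-b.example.net": "198.51.100.7",
}

# Services this particular host is supposed to expose (assumed allowlist).
EXPECTED = {("sshd", 22), ("apache2", 80)}

LINE_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+)\s+\S+\s+users:\((.*)\)\s*$")
PROC_RE = re.compile(r'\("([^"]+)",pid=(\d+)')


def parse_listeners(text):
    """Turn `ss -lntp` output into Listener records; header and non-LISTEN lines are skipped."""
    listeners = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        local, procs = m.groups()
        addr, port = local.rsplit(":", 1)  # handles 0.0.0.0:22, *:8080 and [::]:22
        procs = tuple((name, int(pid)) for name, pid in PROC_RE.findall(procs))
        listeners.append(Listener(addr, int(port), procs))
    return listeners


def unexpected_listeners(listeners, expected=EXPECTED):
    """Return (process, port) pairs that are not on the allowlist, one entry per listener."""
    flagged = []
    for lst in listeners:
        for name, _pid in lst.procs:
            if (name, lst.port) not in expected:
                flagged.append((name, lst.port))
                break
    return flagged


def matches_reported_pattern(listeners):
    """True if nginx is serving on port 8080, the pattern the article describes."""
    return any(
        lst.port == 8080 and any(name == "nginx" for name, _ in lst.procs)
        for lst in listeners
    )


def resolve_all(hostnames):
    """Resolve hostnames with the system resolver; unresolvable names are dropped."""
    resolved = {}
    for host in hostnames:
        try:
            resolved[host] = socket.gethostbyname(host)
        except socket.gaierror:
            pass
    return resolved


def hostnames_pointing_here(resolved, my_ips):
    """Hostnames whose current A record is one of this server's own addresses."""
    return sorted(host for host, ip in resolved.items() if ip in my_ips)


if __name__ == "__main__":
    listeners = parse_listeners(SAMPLE_SS)
    print("unexpected listeners:", unexpected_listeners(listeners))
    print("nginx on 8080:", matches_reported_pattern(listeners))
    # On a real host: resolve_all(list_of_dyndns_names) and pass this server's IPs.
    print("hostnames pointing here:",
          hostnames_pointing_here(SAMPLE_RESOLVED, {"192.0.2.10"}))
```

On a live host, replace `SAMPLE_SS` with the output of `ss -lntp` and pass the server's real addresses to `hostnames_pointing_here()`; a hit on either check is a reason to inspect the nginx configuration and the process's binary and working directory rather than proof of compromise by itself.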
It is not clear how the servers were compromised. Sinegubko speculates that some admins may have been sloppy enough to use the root account for (S)FTP operations and to store their root passwords in FTP program settings. The hijackers may have accessed these and sniffed out the root passwords to penetrate these systems.
- Dynamic DNS and Botnet of Zombie Web Servers, Denis Sinegubko's blog post.