Posted Feb 15, 2007 2:42 UTC (Thu) by smoogen
Parent article: Linux botnets
Having cleaned up a share of Linux systems, the standard infection methods are:
1) ssh scanning. The botnet uses a dictionary attack against accounts to see what people have left open. In most cases, the crack-masters have gone through many broken systems and worked out what the most common account names are, and then used large numbers of broken-into systems as a very large john-the-ripper cluster to figure out what passwords they could get. They then use those passwords as the most likely ones, because people choose passwords similarly. They then use large herds of bots to scan every open port 22. Some botnets seem to also scan other 'common' ssh ports (2222 and 23). [I have seen bot 'clusters' scan a network, and then whatever port you stuck SSH on, other boxes would then start going after it.]
2) PHP scanning. Looking at my logs, I get about 40 scans a week for every PHP application that has had a vulnerability since 2000.
3) Webmin scanning. This is where popular webmin ports are scanned for, and a similar set of tools as the ssh scanning is used. A lot of application vendors like to use this to help troubleshoot their applications from afar; many of these vendors don't update the software or aren't aware that the webmin they installed was bad. They also like to choose passwords like the application vendor name spelt backwards.
4) Xvnc scanning. Same thing as above... the Oracle application Xvnc is rather old.
The big thing that comes up with several of these is that most botnet people are quite happy if they don't get root access. The ability to create a .<space> directory in the person's home directory, /tmp or /var/tmp is fine with them. They can still execute their EnergyMech bot to get to some undernet IRC channel and get commands on what spam to send through the world. This doesn't mean that they won't try to get root access on the system, but for 99% of what they want to do, they do not need to be root on a system, just a normal user.
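As an added example (not part of smoogen's comment or the article), here is a small Python script that hunts for the two signals the comment describes: the ssh dictionary attack in point 1, detected in sshd auth log lines as one source IP failing passwords across many distinct account names, and the non-root bot drop directory from the last paragraph, a directory named a dot followed by whitespace (or whitespace alone) under /tmp, /var/tmp or a home directory. The log lines and the directory tree are constructed fixtures, the thresholds (5 failures over 3 or more usernames) are my own assumption, and the reporting of a later successful password login from the same IP is there because that is the case that needs cleaning up, not just blocking.

```python
"""Hunt for the two infection signals smoogen describes:
(1) ssh dictionary attacks in sshd auth logs and
(2) bot drop directories whose name is a dot followed by whitespace
    (or whitespace only) under /tmp, /var/tmp or a home directory.
Added example; thresholds and sample data are assumptions."""
import os
import re
import tempfile
from collections import defaultdict

# Constructed sample auth.log lines (not taken from any real system).
SAMPLE_AUTH_LOG = """\
Feb 15 02:40:01 web1 sshd[4121]: Failed password for invalid user admin from 203.0.113.9 port 51022 ssh2
Feb 15 02:40:03 web1 sshd[4123]: Failed password for invalid user test from 203.0.113.9 port 51030 ssh2
Feb 15 02:40:05 web1 sshd[4125]: Failed password for invalid user oracle from 203.0.113.9 port 51041 ssh2
Feb 15 02:40:07 web1 sshd[4127]: Failed password for root from 203.0.113.9 port 51052 ssh2
Feb 15 02:40:09 web1 sshd[4129]: Failed password for invalid user guest from 203.0.113.9 port 51060 ssh2
Feb 15 02:40:11 web1 sshd[4131]: Accepted password for oracle from 203.0.113.9 port 51071 ssh2
Feb 15 02:41:00 web1 sshd[4140]: Failed password for alice from 198.51.100.20 port 40011 ssh2
Feb 15 02:41:04 web1 sshd[4142]: Accepted publickey for alice from 198.51.100.20 port 40011 ssh2
"""

FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+")
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+")


def find_dictionary_attacks(log_text, min_failures=5, min_users=3):
    """Return {ip: {"failures": n, "users": [...], "accepted": [...]}} for
    every source IP with at least min_failures failed passwords spread over
    at least min_users distinct account names (assumed thresholds).
    "accepted" lists accounts that IP later logged into *by password*;
    a key-based login is not counted, since a guessed password is the
    attack the comment describes."""
    failures = defaultdict(list)
    accepted = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m["ip"]].append(m["user"])
            continue
        m = ACCEPTED_RE.search(line)
        if m and m["method"] == "password":
            accepted[m["ip"]].append(m["user"])
    report = {}
    for ip, users in failures.items():
        if len(users) >= min_failures and len(set(users)) >= min_users:
            report[ip] = {"failures": len(users),
                          "users": sorted(set(users)),
                          "accepted": accepted.get(ip, [])}
    return report


# A basename that is "." plus whitespace, or whitespace only: it sorts next
# to "." and ".." in a casual "ls -la" and is easy to overlook.
DROP_DIR_RE = re.compile(r"^\.\s+$|^\s+$")


def find_drop_dirs(roots):
    """Walk each root and return (sorted) paths of directories whose
    basename matches DROP_DIR_RE."""
    hits = []
    for root in roots:
        for dirpath, dirnames, _files in os.walk(root):
            for d in dirnames:
                if DROP_DIR_RE.match(d):
                    hits.append(os.path.join(dirpath, d))
    return sorted(hits)


def demo_drop_dirs():
    """Build a throwaway tree standing in for /tmp and a home directory
    (a constructed fixture, not a real host) and scan it; returns the hits
    relative to the fixture root."""
    with tempfile.TemporaryDirectory() as base:
        os.makedirs(os.path.join(base, "tmp", ". ", "emech"))
        os.makedirs(os.path.join(base, "home", "www", ".ssh"))
        os.makedirs(os.path.join(base, "home", "www", "   "))
        hits = find_drop_dirs([os.path.join(base, "tmp"),
                               os.path.join(base, "home")])
        return [os.path.relpath(h, base) for h in hits]


if __name__ == "__main__":
    for ip, info in find_dictionary_attacks(SAMPLE_AUTH_LOG).items():
        print(f"{ip}: {info['failures']} failures over {info['users']}; "
              f"password logins afterwards: {info['accepted']}")
    for path in demo_drop_dirs():
        print(f"suspicious directory: {path!r}")
```

On a real box you would feed `find_dictionary_attacks` the contents of /var/log/auth.log (or `journalctl -u sshd` output) and point `find_drop_dirs` at /tmp, /var/tmp and /home; the trailing whitespace in the directory names is preserved on Linux filesystems, which is exactly why the `repr()` in the output matters when you read the report.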