Quoting analysis by web developer Denis Sinegubko, “the compromised systems all have one thing in common,” says the post. The lightweight web server nginx is “running and serving content through port 8080”.
And, he warns on the Unmask Parasites blog, “if this is not just a proof-of-concept attack that will cease to exist in a week, there is a real problem that server admins must address ASAP!”
The systems are “inconspicuous and appear to operate quite normally,” says Heise, noting the “new tactic” was discovered after links to malware posted in China were replaced by dynamic DNS names from DynDNS.com and No-IP.com.
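The two indicators reported above, nginx answering on port 8080 and served pages pointing at dynamic-DNS hostnames, are easy to check for. The script below is an added example written for this page; it is not Sinegubko's or Heise's code. It works on the raw bytes of an HTTP response so it can be run offline against captured traffic, and the `probe()` wrapper fetches `/` from a host with a plain socket for live use. The dynamic-DNS suffix list and the sample response are assumptions constructed for illustration, not data from the original report.

```python
"""Triage helper for the "nginx on port 8080" indicator described above.

assess() scores one raw HTTP response: does the Server header say nginx on a
non-standard port, and does the body link to dynamic-DNS hostnames?
probe() fetches "/" over a raw socket and hands the bytes to assess().
"""
import re
import socket

# ASSUMPTION: an illustrative, deliberately incomplete list of dynamic-DNS
# zones from the DynDNS and No-IP families named in the article.
DYNDNS_SUFFIXES = (
    "dyndns.org", "dyndns.info", "dyndns.biz",
    "no-ip.org", "no-ip.biz", "no-ip.info", "hopto.org", "zapto.org",
)

# Hostnames referenced by src= or href= attributes that point at http(s) URLs.
HOST_RE = re.compile(rb"""(?:src|href)\s*=\s*["']?https?://([A-Za-z0-9.\-]+)""", re.I)


def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status line, {header: value}, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:                          # tolerate bare-LF responses
        head, sep, body = raw.partition(b"\n\n")
    lines = head.split(b"\n")
    status = lines[0].strip().decode("latin-1", "replace")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if colon:
            headers[name.strip().decode("latin-1", "replace").lower()] = (
                value.strip().decode("latin-1", "replace"))
    return status, headers, body


def is_dyndns_host(host: str) -> bool:
    """True if host is one of the listed zones or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == z or host.endswith("." + z) for z in DYNDNS_SUFFIXES)


def assess(raw: bytes, port: int = 8080) -> dict:
    """Score one response for the two indicators; 'suspicious' if either fires."""
    status, headers, body = parse_response(raw)
    server = headers.get("server", "")
    linked = sorted({h.decode("latin-1") for h in HOST_RE.findall(body)})
    dyn_links = [h for h in linked if is_dyndns_host(h)]
    indicators = []
    if server.lower().startswith("nginx") and port not in (80, 443):
        indicators.append(f"nginx answering on non-standard port {port}")
    if dyn_links:
        indicators.append("content links to dynamic-DNS hosts: " + ", ".join(dyn_links))
    return {
        "status": status,
        "server": server,
        "linked_hosts": linked,
        "dyndns_links": dyn_links,
        "indicators": indicators,
        "suspicious": bool(indicators),
    }


def probe(host: str, port: int = 8080, timeout: float = 5.0, max_bytes: int = 65536) -> dict:
    """Fetch / from host:port over a raw socket and assess the response."""
    request = f"GET / HTTP/1.0\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        while sum(len(c) for c in chunks) < max_bytes:
            chunk = sock.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    return assess(b"".join(chunks), port)


# CONSTRUCTED sample response for offline testing; not captured from any real host.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: nginx\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html><body><script src='http://update.hopto.org/x.js'></script>"
    b"<a href=\"http://example.com/\">home</a></body></html>"
)

if __name__ == "__main__":
    import json
    print(json.dumps(assess(SAMPLE_RESPONSE), indent=2))
```

Run it as-is to see the constructed sample scored, or call `probe("host.example", 8080)` against a server you are authorized to test. A hit on the Server header alone is weak evidence (plenty of legitimate sites run nginx on 8080 as a backend), so treat the dynamic-DNS link check as the stronger of the two indicators and confirm on the box itself by checking which process owns the listener.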
“What we see here is a long-awaited botnet of zombie web servers!” says Sinegubko, continuing:
A group of interconnected infected web servers with a common control center involved in malware distribution. To make things more complex, this botnet of web servers is connected with the botnet of infected home computers (the malware they serve infects computers and turns them into zombies).
Who knows what else those infected web servers can do? They may be involved in spam distribution, in DDoS attacks, etc. They can do just about everything normal zombie computers do, but more effectively thanks to better Internet connections.
However, having a web server as a zombie has obvious downsides for hackers. Once the IP of the server is known, it's only a matter of time before it is shut down: they are all on networks of reputable hosting providers that can switch off the server if its admin fails to remove the malicious service. On the other hand, server admins are usually much more experienced in terms of security than an average computer user, so the chances that a dedicated server gets hacked are significantly lower than the chances that a home computer gets infected with some virus. At the same time, the number of dedicated servers, I believe, is also significantly lower than the number of home computers connected to the Internet.
“So,” Sinegubko adds, “if hackers want this attack to be active for more than just a week, they need to either have a ‘portfolio’ of thousands of already hacked servers waiting for their turn, or they know about some exploitable vulnerability in Linux (all servers I checked were Linux-based) so that they can easily turn any number of servers into zombies.”
The pic on the right is a clip from David Vorel’s amazing map of interconnected, bot-infected IP addresses with Scott Berinato’s interactive controls which allow users to zoom in and explore botnets’ inner workings.