prehistoric
Trooper, Premium Member
Joined: Jan 24, 2008  Posts: 14  Location: USA
Posted: Fri Jan 25, 2008 1:21 pm  Post subject: Anyone aware of specific targeting of Linux sites?

Hi Guys,
I'm a new guy here, but my nickname ought to tell you something. Recently, I've become involved in the response to a series of attacks on sites for a small Linux distribution. These generally start off as sporadic forum spamming with soft porn and get worse. At least two sites with comparatively low traffic appear to have been taken down because of vulnerabilities in phpBB, on a server running a different version of Linux.
The attackers appear to be testing things on small, poorly defended sites before they move on to more difficult targets. The time it takes to respond to forum spamming tells them how fast they can expect a response, and the nature of the response tells them the expertise available to the hosting firm. Some of the work is obviously done by 'bots, but the way the attacks change shows a human herder adapting. Some people have tried using CAPTCHAs to stop 'bots, and failed. Only constant monitoring by a human works as a defense, and many small sites don't have this.
http://en.wikipedia.org/wiki/CAPTCHA
Does anyone else have reports of a similar pattern of targeted attacks? How about links to give hosting firms on how to tighten up phpBB?
Regards,
prehistoric

johnlgalt
Special Response Team, Premium Member
Joined: Feb 27, 2007  Posts: 1412
Posted: Sat Jan 26, 2008 5:54 am

Yes - I moderate at shemes.com forum, and this was happening all last year - it was finally fixed in Sept or Oct.
However, shemes.com is *not* a *nix site at all.
So, I don't think *nix sites are being targeted - I think that *any* site running BBS / Forum software is being targeted - the ones we hear about, of course, have holes / vulnerabilities that have not been properly patched.

prehistoric
Trooper, Premium Member
Joined: Jan 24, 2008  Posts: 14  Location: USA
Posted: Sat Jan 26, 2008 6:40 pm  Post subject: change in incidents

Hi John,
The timing is curious. The evidence that the attacks had active human assistance began in late Oct. or early Nov. My belief that we were being targeted was generally rejected, because of the high level of background noise on the 'net from random attacks.
Many people changed their beliefs after I managed to provoke an intruder into arguing with me on a thread on John Murga's forum. The implied insults would not have been recognized by a 'bot, and were not picked up by human users who had not been following activity on other sites. The intruder posted a revealing message when the site went down for maintenance, thinking they were after him, then apparently turned the login over to a 'bot.
The day after the intrusion was detected the site where I had discovered the clues about the attackers was taken down with a particularly vicious script that left it off-line for several days while the hosting firm recovered. There have been similar attacks on two other sites.
At this point I'm pretty sure we are dealing with a small German-speaking group dominated by one individual with a fair amount of skill, a very large ego and no tolerance for disagreement. The supporting cast may not be able to do much beyond solving CAPTCHAs and running scripts. I'm sure even the ring leader did not develop the tools for the attack; several examples from scripts show they were first aimed at targets running Windows. He is in the process of adapting them; we have seen changes.
Checking IP addresses for these attacks shows they come through sites all over, except those where German law applies. Evidence of active human support seems to show they operate on CET. One of the clues which led me to believe we were targeted was a flurry of sudden probes on similar sites immediately following revealing posts on a forum dedicated to that Linux community.
I've left out the name of the distro because I've seen responses which indicate the attackers are running Google searches for that name.
This particular problem isn't big news, but it may be a harbinger of things to come. The pattern of concentrating on small, poorly-defended sites while developing skills to attack harder targets is disturbing evidence of planning.
Regards,
prehistoric

johnlgalt
Special Response Team, Premium Member
Joined: Feb 27, 2007  Posts: 1412
Posted: Sun Jan 27, 2008 11:34 pm

I see what you mean now - I thought you meant targeting of small *nix sites only, but you were in reality speaking of targeting of small, poorly defended sites *in general* - in which case, I would have to agree with you. I know of at least 2 other sites where similar behavior started, but in one the site was actually rather well defended, and the annoyance was gone in a matter of days, and another, whose site (forums at least) was eventually taken down permanently.
I also may have further info regarding that as well - if such attacks were also a precursor to finding holes and the like, then I have a good idea not only of the uname but what the site recorded as his IP address (not saying that he was foolish enough to not use anonymity protocols, but if it is the same person, the MO seems to fit) and might be able to provide further clues.

prehistoric
Trooper, Premium Member
Joined: Jan 24, 2008  Posts: 14  Location: USA
Posted: Tue Jan 29, 2008 4:23 pm  Post subject: js_random rootkit news

Serious breach affecting sites hosted on Linux servers.
This sounds like the exploit used in the attacks mentioned above. http://servertune.com/kbase/?View=entry&EntryID=261
It would appear that the attacks were against servers running Linux and the motivation was to grab passwords and recruit 'bots for phishing attacks, primarily against Windows users with accounts also hosted on those sites. Attacks on the small Linux distribution sites were either experiments or the result of personal animus.
This is a sophisticated rootkit which uses loadable kernel modules. The rest of the file system can be unmodified, or, if it is modified, restoring it to original state will leave the rootkit in place as a backdoor.
prehistoric

i_rod
Trooper
Joined: Jul 12, 2005  Posts: 21  Location: Canada
Posted: Sat Feb 02, 2008 12:47 am

Not phpBB related, per se, but it speaks to possible infections of Linux sites.

Quote: "Mystery infestation strikes Linux/Apache Web sites"

Quote: According to cPanel, if you are unable to create a directory name beginning with a numeral -- as in mkdir 1 -- you're infected. Another test is to monitor the packets from the server with the following tcpdump command:

    tcpdump -nAs 2048 src port 80 | grep "[a-zA-Z]\{5\}\.js'"

http://www.linux.com/feature/125548

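The two checks quoted from the linux.com article above, wrapped into a script as an added example (not code from the thread, cPanel or linux.com). It scans a text capture such as the output of `tcpdump -nAs 2048 src port 80` instead of the live interface, the HTTP responses are constructed samples, and the tightened pattern is my own addition: the article's grep matches substrings, so any single-quoted script name with five or more letters (jquery.js) also fires.

```shell
#!/bin/sh
# Added example, not code from the thread or from the linux.com article:
# the two infection checks quoted above, wrapped so they can be run on a
# host or over a saved text dump of "tcpdump -nAs 2048 src port 80".

# Constructed sample HTTP responses standing in for the tcpdump text dump.
sample_clean() {
    printf '%s\n' 'HTTP/1.1 200 OK' \
        "<html><head><script src='jquery.js'></script></head></html>"
}
sample_infected() {
    # an injected tag whose script name is five random letters plus .js
    printf '%s\n' 'HTTP/1.1 200 OK' \
        "<html><head><script src='qwmzx.js'></script></head></html>"
}

# Indicator 1, exactly the article's grep: five letters, ".js", closing
# single quote. grep matches substrings, so longer single-quoted names
# (jquery.js) match too. Prints the number of matching lines on stdin.
count_loose() { grep -Ec "[a-zA-Z]{5}\.js'" || true; }

# Tightened form: anchor on the opening quote as well, so only names of
# exactly five letters match. Prints the number of matching lines on stdin.
count_strict() { grep -Ec "'[a-zA-Z]{5}\.js'" || true; }

# Indicator 2, cPanel's rule of thumb: an infected host cannot create a
# directory whose name begins with a numeral. Returns 0 when mkdir succeeds
# (symptom absent), 1 when it fails (symptom present), 2 with no scratch dir.
check_numeric_mkdir() {
    scratch=$(mktemp -d) || return 2
    if mkdir "$scratch/1" 2>/dev/null; then
        rm -rf "$scratch"
        return 0
    fi
    rm -rf "$scratch"
    return 1
}

main() {
    echo "loose pattern, clean sample:     $(sample_clean | count_loose) (false positive)"
    echo "strict pattern, clean sample:    $(sample_clean | count_strict)"
    echo "strict pattern, infected sample: $(sample_infected | count_strict)"
    if check_numeric_mkdir; then
        echo "mkdir 1: succeeded, symptom absent"
    else
        echo "mkdir 1: failed, symptom present (or no scratch dir)"
    fi
}
main
```

To use it on a real capture, save the tcpdump output to a file and run `count_strict < capture.txt`; a non-zero count is worth a look at the page source, not proof by itself.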
prehistoric
Trooper, Premium Member
Joined: Jan 24, 2008  Posts: 14  Location: USA
Posted: Sun Feb 03, 2008 12:33 pm  Post subject: mystery infection

Thanks, i_rod,
We don't have that specific vulnerability, AFAIK, but the way the attack proceeds suggests a similar strategy.
Keep looking for leads. I don't just want to block these attacks, I want to expose the attackers. When malicious bastards in one country can reach around the world to interrupt the work of a productive genius like Barry Kauler, who is giving things away with both hands, civilization is disintegrating into chaos.
As Bruce Schneier said, in response to a question about the 9/11 attacks, there is a simple solution, ground all airplanes. I don't like the corresponding solution for computer security.
prehistoric

i_rod
Trooper
Joined: Jul 12, 2005  Posts: 21  Location: Canada
Posted: Sun Feb 03, 2008 1:55 pm

prehistoric;
I guess I was trying to address your topic, more than your specific case.
With the proliferation of more user-friendly flavours of Linux distros, our value to exploiters is reaching the point where it is worth their while to consider us secondary targets and commit their resources accordingly. Posting incident reports in this forum seems a good idea to me; ...keeping abreast of what is going on across the platform. I'm sure your timely topic will excite some visitors researching possible *nix infections/vulnerabilities on their Linux sites who have just heard of the "SilentBanker" trojan.
Good luck.
p.s. I'm not sure I've got the BBCode drill for this site right. The changes aren't showing up in "Preview".

prehistoric
Trooper, Premium Member
Joined: Jan 24, 2008  Posts: 14  Location: USA
Posted: Mon Feb 04, 2008 4:43 pm  Post subject: attackers tracking response

One other characteristic of this incident is that the attackers were monitoring our forums to see the response. This is the thing which convinced me this wasn't merely a byproduct of attacks on different systems. In some cases I believe the only purpose of some strings in spam was to enable them to search the web to see if we posted them anywhere. If they keep this up someone is going to set up a trap.
prehistoric

prehistoric
Trooper, Premium Member
Joined: Jan 24, 2008  Posts: 14  Location: USA
Posted: Wed Feb 06, 2008 1:03 pm  Post subject: renewed attack

We have a renewed attack on a forum. One distinguishing characteristic of the latest round is that the administrator is locked out of his own forum and can't even view it. Spam posting of objectionable material continues unabated, even in a locked forum. This pretty well demonstrates that the attackers have cracked the system and are able to get in via passwords. I am posting a series of the forum posts (php source, not pictures) as spam reports, and hope everyone will understand this is emphatically not content chosen by the site administrator or hosting company. If some links do not lead to malware I would be very surprised. Handle with care.
prehistoric

i_rod
Trooper
Joined: Jul 12, 2005  Posts: 21  Location: Canada
Posted: Wed Feb 06, 2008 4:23 pm

prehistoric;
Can you confirm that the forum under attack is hosted on Linux? I know Barry and John's sites are on Linux, but you demurred from identifying the forum whose admin is locked out; ... for security reasons I assume.
I'd like to audit the results on the forum, if you are comfortable providing a link; ... say via a CC PM.

i_rod
Trooper
Joined: Jul 12, 2005  Posts: 21  Location: Canada
Posted: Thu Feb 07, 2008 9:07 pm

prehistoric:
Thanks for your PM.
It leaves me puzzled on a few points. Perhaps you can clarify.
According to your PM, you stated:
A. ...they are running a LAMP (Linux-Apache-MySQL-Php) site, with phpBB, (don't have the exact version handy, copyright 2002,2005 sounds old,) but not running cPanel.
B. ...but the site is hosted by a company in the U.S.
C. The original attack was on [Bbbbby's] site [linux.com/blog], which is hosted by Servage, (in Australia, I believe.)
D. One attack took his site down and replaced the home page with the LoLoLo Trojan
According to my research
They're running:
A. Apache/2.0.63 (Unix) mod_ssl/2.0.63 OpenSSL/0.9.8b mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
B. Hosted by: ACENET, INC
Acenet HQ is in the Netherlands with Domain Servers listed at:
DNS.DI.NL
DNS2.DI.NL
DNS3.DI.NL
C. Servage is located in Germany.
servage.net 77.232.66.127
http://servage.net
running: Apache, Linux Apache/2.2.4 and Linux Apache/2.2.3 on Hosting Segment H1
With a liboskit_linux_dev.a driver set.
D. Name: Troj/Lololo-A
Type: Trojan
How it spreads: Web browsing
Affected operating systems: Windows
Side effects: Drops more malware; Downloads code from the internet
Protection: Download virus identity (IDE) file
Protection available since: 23 March 2007 15:02:21 (GMT)
Protection history: Updated 20 December 2007 12:23:01 (GMT); Published 23 March 2007 15:02:21 (GMT)
Detected by: All versions of Sophos Anti-Virus
Where I run into trouble is understanding how, in your estimation, the Windows-o-tropic lololo virus gets written into (hacked into) the complex algorithm(s) that, presumably, encode a *nix website and which is necessary to capture admin passwords and access. My literature review indicates that both ClamAV 0.91.2 2008.01.15 Trojan.Spy and Sophos 4.24.0 2008.01.15 Mal/Generic-A have been sensitive to the lololo for at least the last 11 months;... to interdict inadvertent spreading of the trojan to PCs.
My question is: Given that the sites you reference can be hacked (say, by something like Wpe pro), if they aren't running a Windows OS, how can they be taken down by lololo?

prehistoric
Trooper, Premium Member
Joined: Jan 24, 2008  Posts: 14  Location: USA
Posted: Fri Feb 08, 2008 5:26 pm  Post subject: very interesting

This is progress.
I had been told, by a private email, that the one site was hosted in the U.S. My information about Barry's site could have been an incorrect inference from what I read on his blog.
I was assuming the sites were redirecting traffic, and, yes, the LoLoLo Trojan is aimed at Windows.
I've been assuming other people with more networking experience have been running the checks you have. When I checked some URLs I got sites all over the 'net. After that I started thinking about psychological approaches, because the networking approach was confusing and the attackers seemed to respond predictably. I will pass your findings on, through a channel I hope is secure, and see if we are dealing with yet another level of deception.
Material just posted today appears to include child porn. I will pass the source to SIRT.
The questions I find hard to answer at this point all revolve around who can you trust? I'll get back when I have a better idea about that.
Thanks a lot,
prehistoric

i_rod
Trooper
Joined: Jul 12, 2005  Posts: 21  Location: Canada
Posted: Sat Feb 09, 2008 1:46 am

prehistoric;
Not only is the LoLoLo peculiar to Windows, but unless there is a new variant, it doesn't code for taking down a web site or a server. For anything like that, a remote operator would have to hack into the data systems of the Linux distro, install another trojan, and relay system access codes back to the user ....and that's just for starters.
You mention above that you've been checking URLs; which I assume are your best guess at infected sites.
Unless you have the tools and the know-how, I would advise against this. Your IP is vulnerable to capture and therefore, so is all the information needed to profile your system and any security weaknesses. In the 'olden times', you could get away by using proxies. Nowadays, any hacker worth his salt can tunnel through your proxy chain faster than a Jewish Momma can plough through your self-esteem.
Live CDs afford session prophylaxis. But they don't hide your IP very well and they're only effective while you're running them. As soon as you access the net via your HDD and main OS, you're subject to port and system scans by whatever Schadenfreuden might have decided to make you their 'project'. I'm not being alarmist or implying probabilities; ...just informing you of a downside risk.

prehistoric
Trooper, Premium Member
Joined: Jan 24, 2008  Posts: 14  Location: USA
Posted: Sat Feb 09, 2008 9:32 pm  Post subject: misunderstanding + thanks

@i_rod,
Never meant to imply that LoLoLo "took down" the site, just that I knew the site could not be running that if it were still running the system it was supposed to be running.
I've had a response from the administrator in charge of the site in question. He certainly did not know his hosting firm was headquartered in the Netherlands. I'm hoping he will post his experience here. I've been assuming the people paying for hosting made sure their hosting firm was above suspicion.
As for checking URLs, I never deliberately visit suspect sites with a browser. I consult whois. I use wget to fetch html without executing it. I also use a system with hard drive physically disconnected on which to run a live CD. The IP is dynamic. Even so, I try to leave close investigation to experts.
Much obliged for the help,
prehistoric

Powered by phpBB © 2001 phpBB Group