Botnet Discovered On Linux Servers

Recommended Posts

14 September 2009, 10:52

Botnet discovered on Linux servers

A network of hijacked Linux servers is apparently being used to distribute malicious software to Windows PCs. According to an analysis by web developer Denis Sinegubko, the comprised systems all have one thing in common: the light weight web server nginx is running and serving content through port 8080. Otherwise, these systems are inconspicuous and appear to operate quite normally. This new tactic was discovered when links to malware posted in China were replaced by dynamic DNS names from and

The infected servers then register at the dynamic DNS services using particular host names with their IP address. Sinegubko says that the dynamic DNS providers have already deleted more than 100 host names from their databases, but the botnet operators are apparently reacting quickly and registering systems under new names. Sinegubko says his list currently has 77 IP addresses.

It is not clear how the servers were compromised. Sinegubko speculates that some admins may have been sloppy enough to use the root account for (S)FTP operations and to store their root passwords in FTP program settings. The hijackers may have accessed these and sniffed out the root passwords to penetrate these systems.

See also:

Dynamic DNS and Botnet of Zombie Web Servers, Denis Sinegubko's blog post.

Heise security -

Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.