
Linux botnet
The botnet infected Linux servers running vulnerable versions of Apache Tomcat, Apache Struts and Elasticsearch.
Experts at Akamai's Prolexic division discovered a botnet known as IptabLes and IptabLex. It was used to carry out DDoS attacks against DNS servers and other parts of the network infrastructure. Its victims were misconfigured Linux servers.
According to the experts, in the second quarter of 2014 the Prolexic team observed the botnet conducting DDoS attacks using DNS flooding and SYN flooding. The attacks were launched from compromised servers running vulnerable versions of Apache Struts, Apache Tomcat and Elasticsearch.
Once it has infected a server, the malware obtains root privileges and waits for commands from its C&C server. The experts found that the malware used two fixed IP addresses for this.
Akamai's experts advise administrators of Linux-based servers to install the latest updates and tighten their security settings. They note that until now such servers had not been used to conduct DDoS attacks.
Antivirus software is not yet able to cope with the new threat: at present the botnet malware is detected by only 23 of 52 antivirus programs.
To clean the malware from an infected system, administrators need to run the following shell pipeline, which looks up the PIDs of processes whose command line contains ".IptabLe" and kills them (the original used typographic quotes and "$ 2", which awk does not accept):
ps aux | awk '/\.IptabLe/ {print $2}' | sudo xargs -r kill -9
Then reboot the system and perform a thorough check.
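A safer form of that cleanup step, added here as an example and not part of the original article (the process listing below is a constructed sample, and the file paths in it are placeholders): the article's awk pattern also matches the command line of the awk process that runs it, so a naive pipeline can report and kill its own scanner. The version below skips the scanner's own line, and re-scans after killing as a check.

```shell
#!/bin/sh
# Added example, not from the original article or from Akamai/Prolexic.
# Parses a `ps aux`-style listing passed as an argument so the logic can be
# verified against a constructed sample before it is run on a live host.

# Naive form of the article's pipeline: every line containing ".IptabLe",
# including the scanner's own command line (awk /\.IptabLe/ ...).
naive_iptable_pids() {
    printf '%s\n' "$1" | awk '/\.IptabLe/ { print $2 }'
}

# Safer form: skip the ps header and any line whose COMMAND ($11) is one of
# the scanning tools, then print the PIDs of the remaining matches.
iptable_pids() {
    printf '%s\n' "$1" | awk '
        NR == 1 { next }                     # skip the ps header line
        $11 ~ /^(awk|grep|pgrep)$/ { next }  # skip our own scanner process
        /\.IptabLe/ { print $2 }
    '
}

# Constructed sample: two malware processes plus the scanner itself.
# Paths are placeholders, not the real drop locations.
SAMPLE_PS='USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.1 4000 800 ? Ss 10:00 0:00 /sbin/init
root 2301 99.0 1.2 9000 3000 ? R 10:05 1:02 /var/tmp/.IptabLes
root 2302 98.0 1.1 9000 2900 ? R 10:05 1:01 /var/tmp/.IptabLex
user 4100 0.0 0.0 5000 900 pts/0 S+ 10:10 0:00 awk /\.IptabLe/ {print $2}'

# Live cleanup: list, kill, then re-scan so the operator sees whether the
# malware respawned before the host is rebooted and audited.
cleanup_iptables() {
    pids=$(iptable_pids "$(ps aux)")
    [ -z "$pids" ] && { echo "no .IptabLe processes found"; return 0; }
    echo "$pids" | xargs -r kill -9
    sleep 1
    left=$(iptable_pids "$(ps aux)")
    [ -z "$left" ] && echo "killed: $pids; now reboot and audit the host" \
                   || echo "still running after kill: $left"
}
```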
Prolexic Technologies is the world’s largest, most trusted distributed denial of service (DDoS) protection and mitigation provider.
Prolexic report can be found here: http://www.prolexic.com/
It’s somewhat odd to build a malware able to gain root privileges and use it only for DDoS.
Linux is as secure as ever. The real security hole lies with some of Linux’s administrators and users.