Detected Linux-botnet used to commit a large-scale DDoS-attacks

Posted: September 12, 2014 in IT Security News
Tags: , , , ,



The Botnet infected Linux-servers which used a vulnerable version of Apache Tomcat, Apache Struts and Elasticsearch.

Experts of Akamai-Prolexic discovered a botnet known as IptabLes and IptabLex. It was used to carry out DDoS-attacks on the DNS-servers and other objects of the network infrastructure. Victims of botnet became misconfigured Linux-servers.

According to experts, in the second quarter of 2014 Prolexic team discovered botnet conducting DDoS-attacks using DNS-flooding and SYN-flooding. The attacks were carried out through compromised servers running a vulnerable version of Apache Struts, Apache Tomcat and Elasticsearch.

Once infected server, botnet gets root rights and expects to receive commands from the C & C-server. Experts have found that malware used two unchanging IP-address.

Akamai experts advise to Linux-based servers administrators to install the latest update and change the security settings. They note that before these servers are not used to conduct DDoS-attacks.

Maximum Linux Security

Antivirus unable to cope with the new threat. Currently botnet detected only 23 out of 52 antivirus programs.

In order to clean the infected system from virus, administrators need to perform several bash-commands:

sudo find / -type f -name ‘. * ptabLe *’ – exec rm -f {} ‘;’
ps -axu | awk ‘/\.IptabLe/ {print $ 2}’ | sudo xargs kill -9

Then you need to reboot the system and perform a detailed check.

Prolexic logoProlexic Technologies is the world’s largest, most trusted distributed denial of service (DDoS) protection and mitigation provider.

Prolexic report can be found here:

  1. Adam K. says:

    It’s somewhat odd to build a malware able to gain root privileges and use it only for DDoS. 

  2. Steven J says:

    Linux is as secure as ever. The real security hole lies with some of Linux’s administrators and users.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s