
Widespread attack campaign that has infected more than 25,000 Linux and UNIX servers

  • 19-03-2014 9:32pm, #1
    Registered User, Posts: 6,393


    Security researchers from ESET have uncovered a widespread attack campaign that has infected more than 25,000 Linux and UNIX servers around the world. The servers are being hijacked by a backdoor Trojan as part of a campaign the researchers are calling 'Operation Windigo.' Once infected, victimized systems are leveraged to steal credentials, redirect web traffic to malicious sites and send as many as 35 million spam messages a day. 'Windigo has been gathering strength, largely unnoticed by the security community, for more than two and a half years and currently has 10,000 servers under its control,' said Pierre-Marc Bureau, security intelligence program manager at ESET, in a statement.

    via Slashdot, SecurityWeek


Comments

  • Khannie (Registered User, Posts: 37,485)


    Run this to see if you're infected or not:
    ssh -G 2>&1 | grep -e illegal -e unknown > /dev/null && echo "System clean" || echo "System infected"
    


  • syklops (Closed Account, Posts: 18,966)


    Khannie wrote: »
    Run this to see if you're infected or not:
    ssh -G 2>&1 | grep -e illegal -e unknown > /dev/null && echo "System clean" || echo "System infected"
    

    I don't know what that command is meant to do, but it doesn't do anything on my system.

    Looking up the man page for ssh and searching for -G returns nothing.

    Looking at the logic of the command also doesn't make any sense. Whatever ssh -G is meant to do, it then sends output to STDERR (2>&1) and the output is piped to grep, which looks for the words illegal or unknown, but then sends that output to /dev/null, and if the command is successful it prints "system is clean" or "system infected".

    It seems to me this is a complicated-looking command which does nothing and will always return "System clean".

    What happens when you execute this on your system:
    echo "This system is infected with an illegal and unknown malware" 2>&1 | grep -e unknown -e illegal > /dev/null && echo "System clean" || echo "System infected"
    


  • Khannie (Registered User, Posts: 37,485)


    I wondered that myself, so I did a little digging. It won't always return "system clean". It's checking the return value rather than the output, so the redirect to /dev/null isn't relevant. ssh -G doesn't exist on a normal system. If it exists on yours, then your system is infected.

    edit: I didn't see your edit until after I'd posted. I ran something similar to your edit during my testing and got "system infected".


  • oscarBravo (Technology & Internet Moderator, Posts: 28,820)


    As Khannie says, it's a check for whether "ssh -G" returns a usage message, which it should on an uninfected system. The existence of a -G option to ssh is the indicator of infection.

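The check discussed in the posts above, written out as a script so the exit-status logic the one-liner relies on is visible and can be tested on captured strings. This is an added example, not code from the thread, from ESET or from the Windigo report. It assumes the combined output of "ssh -G 2>&1" and of "ssh -V 2>&1" is handed to the functions as strings (the sample strings used for testing are constructed), and the script name windigo_check.sh is hypothetical. It also adds a caveat the 2014 thread predates: OpenSSH 6.8 (released in February 2015) introduced a legitimate "ssh -G" option that dumps the effective client configuration, so on any current system -G is accepted and the one-liner prints "System infected" on a clean host. The script therefore only treats an accepted -G as an indicator when the installed OpenSSH is older than 6.8.

```shell
#!/bin/sh
# Added example, not part of the original thread or of ESET's report.
# The "ssh -G" Windigo indicator as a script: the decision is driven by
# grep's exit status, not by its output (which the one-liner discards),
# so the pieces are split into functions that take the captured text.
# All sample inputs used with these functions are constructed.

# classify_ssh_g OUTPUT
# Mirrors the one-liner: stock ssh that does not know -G prints
# "illegal option" (BSD getopt) or "unknown option" plus a usage line,
# grep matches, and the && branch runs. Anything else (no such message)
# means -G was accepted and the || branch runs.
classify_ssh_g() {
    if printf '%s\n' "$1" | grep -q -e illegal -e unknown; then
        echo "System clean"
    else
        echo "System infected"
    fi
}

# openssh_accepts_G VERSION_STRING
# Caveat not in the 2014 thread: OpenSSH 6.8 (February 2015) added a
# legitimate "ssh -G" that prints the effective configuration. Returns
# 0 (true) when the "ssh -V" string shows a version of 6.8 or newer,
# 1 otherwise (including strings that are not OpenSSH at all).
openssh_accepts_G() {
    ver=$(printf '%s\n' "$1" \
        | sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || return 1
    major=${ver% *}
    minor=${ver#* }
    [ "$major" -gt 6 ] || { [ "$major" -eq 6 ] && [ "$minor" -ge 8 ]; }
}

# windigo_verdict SSH_G_OUTPUT SSH_V_OUTPUT
# Combine both: an accepted -G only means something on an OpenSSH build
# that should have rejected it.
windigo_verdict() {
    result=$(classify_ssh_g "$1")
    if [ "$result" = "System clean" ]; then
        echo "clean: ssh rejected -G"
    elif openssh_accepts_G "$2"; then
        echo "inconclusive: OpenSSH 6.8 or newer accepts -G legitimately"
    else
        echo "suspicious: -G accepted by OpenSSH older than 6.8 (Windigo indicator)"
    fi
}

# Live check against the local ssh binary, only when invoked with --run
# (sh windigo_check.sh --run). Both ssh calls are allowed to fail;
# it is their text, not their exit status, that is inspected.
if [ "${1:-}" = "--run" ] && command -v ssh >/dev/null 2>&1; then
    g_out=$(ssh -G 2>&1 || true)
    v_out=$(ssh -V 2>&1 || true)
    windigo_verdict "$g_out" "$v_out"
fi
```

Without --run the script only defines the functions, so it can be sourced and fed captured output from a host you cannot run commands on interactively. Note that on a modern OpenSSH a bare "ssh -G" (no host) still prints a usage line, which contains neither "illegal" nor "unknown", which is exactly why the original one-liner reports "System infected" there; the version check is what separates that case from a real indicator.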

  • syklops (Closed Account, Posts: 18,966)


    Khannie wrote: »
    I wondered that myself, so I did a little digging. It won't always return "system clean". It's checking the return value rather than the output, so the redirect to /dev/null isn't relevant. ssh -G doesn't exist on a normal system. If it exists on yours, then your system is infected.

    Well don't I feel like an idiot.

    Nice explanation of the command here


  • Khannie (Registered User, Posts: 37,485)


    syklops wrote: »
    Well don't I feel like an idiot.

    Not at all. It's nuanced.

