eBay: Botnets are Linux-happy eBay may soon offer online banking. It would seem. This afternoon, while fielding questions about PayPal at Santa Clara University conference obsessed with "trust online," chief information security officer Dave Cullinane seemed to indicate eBay is interested in extending the popular online payment system to its logical …
See, using Linux proves to be a better server :)
To be fair, if I taking over a system, a windows box would be bogged down to hell already, competing with trojans, etc.
Atleast with a *nix based system, the admins would "assume" they are virus free, and instead of looking at their top reports, just enjoy their colourful and pretty UI (which, btw, is VERY pretty, baryl is awesome).
This is slightly confusing. Is Cullinane saying the botnets were running from root-kitted Linux webservers? Are the botnets MS windows PCs and the rootkit topic and botnet topic are related but separate?
It seems to read, to me, Linux servers were involved in info collecting or malware installation as they had been compromised. Linux servers could be manually compromised and root-kitted and they compromise the vast majority of Internet accessible web servers. MS boxes are much fewer in number. How do the percentages stack up? I take it the botnet army is MS PCs in homes/offices rather than in web server data centres.
/confused
he doesn't know the difference between a root kit and a spittoon. Phishing as far as I know is more than likely to be run from a cheap web shared hosting, anonymous and fairly quick to set up, most of these run on Linux, there is nothing security wise thats wrong with them it's what they do after that constitutes a crime. DNS poisoning (Google Pharming) are a problem for Bind anyway as for bot nets they _can_ be controlled from web servers they are made up of compromised windows boxes on poorly secured consumer broadband connections now as to whether the servers themselves are rooted I suppose some may be and some are in countries that either can't or won't shut down a rogue server for various criminal/government enterprise reasons that may occur to you. I wouldn't read anything this crew of screw says without the heavy bullshit filters on. The fact is command relay and data retrieval can happen in lots of ways jacking a web server is one of them but not the only one and it's not always such a surprise to the owner (wink wink nod nod say no more ).I think we can count on ElReg readers not being the intended audience for this anyway so I don't know why I bothered with this comment it's just I really hate ebay it's like it's personal you know I would like to see them choke on their own filth and blood.
So EBay is starting to think that whoever contacts them is working from a compromised platform ? Good news then. The first step of security is to trust no one without proof. The second step of security is to trust no proof you haven't verified yourself.
I hope that, with such an approach properly implemented, EBay will be able to show to the rest of the world just how security is done over the Internet. And I would be interested in seeing EBay become a real bank - with a bank's obligation to manage people's money and give it back if the person wants it back.
I'd guess that the rootkitted Linux servers would be used to host the phishing website. Makes sense as the things probably have everything you need to act as a web server already loaded, it's just a matter of "borrowing" a bit of it. Herding the things together provides the necessary redundancy in case one of the dozy sysadmins that's supposed to look after the beastie wakes up for long enough to notice something going on.
The botnets of windoze desktops would then send out the spam to entice the gullible to said website.
The scary thing here is that eBay, with their piss-poor security record and lamentable response to the resulting compromised accounts (El Reg articles passim ad infinitum), may be contemplating opening a *bank*! For Online Banking this would have to be the equivalent of a real, bricks 'n mortar bank having a cardboard vault secured by a piece of string with a wooden toggle on one end.
TeeCee
What has a phishing site got to do with a bot net? Surely the vast majority, and I am talking about 99.9% here, of botnets are Windows infected PCs! So, a couple of phishing sites might just happen to be on Linux servers but so what, I can bet that a great majority of them are also on Windows servers as well. And where is the proof that the Linux machines were root-kitted? And since Unix/Linux servers virtually control the internet it would be a complete miracle if some phishing sites weren't on the OS! I can bet though that the vast majority are on Windows.
And I bet it did please the Microsoft PR person. Since the conference was sponsored by Microsoft how much pressure would it take for them to have this sort of information in the talk and the Microsoft stuff dropped? Not much I would think.
Sorry, but since this is a Microsoft sponsored event then it must be marked as FUD.
"With the desktop, we're starting to run on the assumption that anyone who's trying to contact us from their own personal desktop is probably coming from a compromised computer."
So, er, what machine should I use to contact eBay? Someone else's? Maybe I could buy a botnet and use that, er...
Also, how does this assumption help them. It doesn't put a subset of contacts into a particular category requiring more caution, so presumably eBay are treating all their customers the same as before, but are less happy about it or something.
And this is after the reference to a "system that's within the community that constitutes eBay Inc.". What's that in English? I'm sure a lawyer would have trouble accepting that eBay's customers are part of eBay Inc, so presumably this trusted payment system is only for employees.
The man's an idiot, talking bollocks.
Quote: "...within the community that constitutes eBay Inc"
You can see why he said that - friendly, fuzzy, warm, etc - but it's not a bloody community. It's a multinational corporation.
As to the story itself, I await the torrent of 'told ya so' smirks from all the Redmond fanboys out there.
..and therefore can't be used to host a phishing website. The compromised PCs (probably running Windows) are used to send the phishing emails, containing a link to the phishing site. The phishing site is likely to be hosted on a compromised webserver, which may well be running linux. I thought this would be bleeding obvious but maybe the bloke from ebay thinks everyone with a compromised Windows system will be running a website from their PC and will have therefore setup static NAT on their broadband router for incoming web traffic.
If you look at the actual statistics it's clear that most phishing websites do run from very cheap Linux virtual machines which have been compromised.. the statistics are very interesting. most "low importance" web servers will be running Linux due to the ease of acquisition of a Linux virtual machine. Most "high importance" web servers will be running windows (just the way it is, they may still be running Apache though) but if you look at the number of THESE servers that get cracked then the ones that do are ALL running windows!
This indicates to me that on the low cost end where less skilled or those with less time to spend on security, people are using Linux (because it's cheaper) but on the high end (where people also use Linux but also windows and bsd of course) people have more skills and money and time to spend on security so the only boxes that get regularly cracked are the inherently insecure windows ones!
Just wish I could find those stats now.. I will post a new comment when I do!
Because Linux is more readily programmable to perform automated network operations, compromised Linux servers are reputedly used to control Botnets made up of many more compromised Windows boxes. Certainly looking at the automated password guessing attacks on my Linux SSH server logs was enough for me to install Denyhosts to lock em out after a few tries, close logins on any unused accounts and force all users to have strong passwords. I don't know anyone who runs SSH servers on Windows boxes, which would be equally or more vulnerable if these do exist, so presumably these automated attacks have illegal ownership of Linux servers as their objective.
As Linux use grows there will be more Linux admins without the skills needed to keep their systems secure. Good security is always a combination of good software, skilled administration and constant vigilance. There are quite a few hardened Windows systems out there too, but fewer Windows admins who know how to do this compared to the number who don't. Most Unix/Linux admins care about security but too few Windows-only users who have installed software seem to do so.
'Most "high importance" web servers will be running windows (just the way it is,'
Actually, many "high importance" servers will be Linux too. Or Sun/HP boxes. Windows doesn't get much of a look in, really.
there are a few companies that use windows boxes for hosting, but they have higher costs and, despite being in the same "low end" market, they are more expensive. I would suspect that these make money on those who don't know anything but the ticket price: don't pay the top dollar because that's a waste. Don't pay bottom dollar because they *must* be cutting corners somewhere. Go a couple of steps up from cheapest.
I certainly would not be surprised with a larger number of compromised linux machines hosting phishing sites, or sending spam.
Many home linux users of course open up servers on their machine for their own use, ssh, ftp. And probably don't examine their log files regularly.
For fun, just
cat /var/log/messages | grep sshd | grep failed
Anyone not setting up proper iptables filters to block multiple wrong attempts is very vulnerable.
Poor passwords are just as likely on a linux box as on a windows one.
Certainly possible, and I'm speaking as a *nix zealot here, who also spent some time as a Computer Security Officer.
If a bad guy cracks a password on your system, that is adequate to use your machine. Doesn't even have to get rootkitted or even crack root access.
If they set up shop on your system even as a Joe_user they can nice their malware so that it can serve their botnet and you aren't aware its running, esp. if it does most of its activity when you aren't around to notice.
Linux *is* after all a multiuser system, so if they aren't using up so much resource as to draw your attention, then they can get away with using your system for quite a long time.
As part of my routine paranoia I use denyhosts to monitor and block ssh attacks on my home system, and even on dynamic ADSL I get ssh attempts from upward of 20 different ip addresses a day, and at least that many ftp. I could shut down these services, but I use them to access my systems from the field, and I have friends who legitimately use my system, so I leave them available but guarded.
My point is that if one of the ssh or ftp attackers found a usable password, they could use the system as an ordinary user to do their dirty work, and spend time attempting to crack root locally in their spare time.
Computer security is not just a Microsoft problem, they just make breaking it easy.
quote:
"For fun, just
cat /var/log/messages | grep sshd | grep failed
Anyone not setting up proper iptables filters to block multiple wrong attempts is very vulnerable."
---
Errr, so what ?
My FreeBSD's quite safe here.
They're trying to guess my root password ?
-root can't log from ssh
-root can't log via ftp
I can give you my root password any time, and watch you do nothing at all with it.
Why, if you like I can even give you my phpmyadmin root password so you create yourself a FTP user in the SQL tables.
Shame apache's going to deny your IP though.
Of course, if people aren't good enough to deny root access to ftp and ssh, it's more a problem of educating them than being highly skilled.
I say, the problem isn't with users on this one, it's with the software makers for not shipping secure configurations by default.
They recommend root login be denied ? Then disable it in the default conf and be done with it !
Just compare apache's default config file, and the recommended secure one.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
