“Operation Windigo” Attack Infects 10,000 Unix Servers, Millions of PCs at Risk

Even the cPanel and kernel.org Linux servers have been affected

By on March 19th, 2014 09:07 GMT

Linux servers hold the largest share of the web-server market, which also makes them an attractive target for attackers and other cyber-criminals. Researchers from ESET and several partner organizations have shown that compromised Unix-like servers are being used to spread malware and send spam.

As the teams from ESET, CERT-Bund, the Swedish National Infrastructure for Computing, and a few other groups have discovered, this coordinated campaign by an unknown cyber-criminal group has been running for quite some time.

The attack has been named “Operation Windigo” and is one of the largest to surface in the past few years. The most worrying aspect is that it targets Linux servers, which are generally assumed to be better protected against this kind of problem.

“Windigo has been gathering strength, largely unnoticed by the security community, for over two and a half years, and currently has 10,000 servers under its control. Over 35 million spam messages are being sent every day to innocent users’ accounts, clogging up inboxes and putting computer systems at risk.”

“Worse still, each day over half a million computers are put at risk of infection, as they visit websites that have been poisoned by web server malware planted by Operation Windigo redirecting to malicious exploit kits and advertisements,” said ESET security researcher Marc-Étienne Léveillé.

The method the attackers used to get into Linux servers was not a software vulnerability or an exploit, which could have been closed with a patch. It was, more or less, human error: stolen credentials. ESET's researchers also point out that additional layers of protection, such as anti-virus and two-factor authentication, are common on desktops but rarely deployed on servers.

Most of the infected servers were compromised because administrator credentials had been stolen, giving the attackers an easy way in. Nobody should assume they are immune to this problem: even cPanel and kernel.org servers have been infected.

As with every problem, there is good news and bad news. The good news is that you can quickly check whether a server's OpenSSH client has been tampered with by running the following command. The backdoored ssh binary silently accepts the -G option, while a legitimate ssh client of that period rejects it as an illegal or unknown option:

ssh -G 2>&1 | grep -e illegal -e unknown > /dev/null && echo "System clean" || echo "System infected"
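As an added example (not part of the original article and not ESET's own code), the shell script below wraps the same ssh -G indicator in functions so the verdict can be interpreted explicitly and reused in an inventory sweep. It also handles a caveat the one-liner does not: OpenSSH 6.8 and later ship a legitimate -G option (print the parsed client configuration), so on those versions the absence of an "illegal option" message proves nothing, and the script reports the test as inconclusive rather than "infected". The version banners and ssh output strings used for illustration are constructed, and the function names are this example's own.

```shell
#!/bin/sh
# Added example: an explicit wrapper around the ESET "ssh -G" indicator for
# the Ebury OpenSSH backdoor used by Operation Windigo.
#
# Background: the Ebury-modified ssh client accepts "-G" silently, whereas an
# unmodified OpenSSH client older than 6.8 rejects it with "illegal option"
# or "unknown option". OpenSSH 6.8+ added a real -G flag, so on those
# versions this indicator cannot distinguish clean from infected.

# Extract "major minor" from an "ssh -V" banner such as
# "OpenSSH_6.2p2, OpenSSL 1.0.1e 11 Feb 2013". Prints nothing if unrecognised.
ssh_version_numbers() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p'
}

# Succeeds (exit 0) when the banner is OpenSSH 6.8 or newer, i.e. when -G is
# a legitimate option and the indicator is not usable.
ssh_has_native_G() {
    set -- $(ssh_version_numbers "$1")
    [ -n "$1" ] || return 1
    [ "$1" -gt 6 ] || { [ "$1" -eq 6 ] && [ "$2" -ge 8 ]; }
}

# classify_ssh_g VERSION_BANNER OUTPUT_OF_ssh_-G
# Prints exactly one of: clean, infected, inconclusive
classify_ssh_g() {
    version="$1"
    output="$2"
    if ssh_has_native_G "$version"; then
        # -G is a documented flag here; usage text without an error is normal.
        echo inconclusive
        return 0
    fi
    # Same test as the original one-liner: a genuine pre-6.8 client complains
    # about the option, the backdoored one only prints its usage message.
    if printf '%s\n' "$output" | grep -q -e illegal -e unknown; then
        echo clean
    else
        echo infected
    fi
}

# Run the indicator against the ssh binary on this host. "ssh -G" exits
# non-zero on every client, so the exit status is deliberately ignored.
check_local_ssh() {
    command -v ssh >/dev/null 2>&1 || { echo "ssh not installed"; return 0; }
    version=$(ssh -V 2>&1) || true
    output=$(ssh -G 2>&1) || true
    classify_ssh_g "$version" "$output"
}

# Live check when executed directly, e.g.:  sh windigo_check.sh
check_local_ssh
```

An "inconclusive" result means this particular indicator is no longer meaningful on that host, not that the host is clean; ESET's report describes other Ebury artefacts that do not depend on the -G quirk, and a full rebuild remains the recommended remediation for any server that is confirmed infected.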

The bad news is that the only way of fixing the problem is to wipe the server and start from scratch, which in many cases is a very difficult task. More details about “Operation Windigo” can be found on the ESET website.