Botnet of Linux Servers with Dynamic IP Discovered

Sep 14, 2009

A Russian Web developer has found a network of a couple of hundred Linux servers that could distribute malware to Windows systems.

Linux, being the server system of choice, hasn't exactly escaped malware hackers. According to a current blog entry from Russian developer Denis Sinegubko, a network of (meanwhile just under a hundred) infected Apache servers manages Windows systems through the dynamic DNS providers and and can thereby provide the malicious code.

The compromised Linux servers include dedicated or virtualized Apache webservers. The malware apparently landed on the target clients not because of an Apache vulnerability but due to weak or intercepted passwords or a security hole in the management software used. The attackers therefore installed the small Nginx webserver next to Apache to distribute the malware to the Windows clients. Site admins wouldn't normally notice the break-in because the Apache service wouldn't be affected.
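Because Apache keeps running normally, the second web server only shows up if someone compares the listening sockets against what the host is supposed to run. The following check is an added example, not code from the article or from Sinegubko's blog; the baseline, process names, port numbers and sample `ss` output are constructed assumptions.

```python
import re

# Assumed baseline: which process may listen on which TCP ports on this host.
# Process names vary by distribution (apache2 on Debian, httpd on Red Hat).
EXPECTED = {"sshd": {22}, "apache2": {80, 443}, "mysqld": {3306}}

# Constructed sample of `ss -H -ltnp` output (not data from the article).
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 511 0.0.0.0:80 0.0.0.0:* users:(("apache2",pid=1040,fd=4),("apache2",pid=1039,fd=4))
LISTEN 0 511 0.0.0.0:443 0.0.0.0:* users:(("apache2",pid=1040,fd=6))
LISTEN 0 511 0.0.0.0:8088 0.0.0.0:* users:(("nginx",pid=2977,fd=6))
LISTEN 0 80 127.0.0.1:3306 0.0.0.0:* users:(("mysqld",pid=930,fd=21))
LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=812,fd=4))
"""

PROC_RE = re.compile(r'\("([^"]+)",pid=(\d+)')


def parse_listeners(ss_output):
    """Yield (address, port, process, pid) for every listening TCP socket."""
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")
        if not port.isdigit():
            continue
        # Without root, ss omits the owning process; treat that as unknown.
        procs = set(PROC_RE.findall(line)) or {("unknown", "0")}
        for name, pid in sorted(procs):
            yield addr, int(port), name, int(pid)


def unexpected_listeners(ss_output, expected=EXPECTED):
    """Return listeners whose process/port pair is not in the baseline."""
    findings = []
    for addr, port, name, pid in parse_listeners(ss_output):
        if port not in expected.get(name, set()):
            findings.append((name, pid, addr, port))
    return findings


if __name__ == "__main__":
    for name, pid, addr, port in unexpected_listeners(SAMPLE_SS):
        print(f"unexpected listener: {name} (pid {pid}) on {addr}:{port}")
```

On a real host, pass the function the output of `ss -H -ltnp` collected as root, so that the owning process is reported for every socket.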

The exact purpose of and, above all, the gateway used for the attacks are still not fully known. Shortly after Sinegubko's blog, the site took more than 100 systems off the net, and blocked about 100 domains after he contacted them. Unfortunately a cat-and-mouse game can ensue because dynamic hostnames can easily be registered.

  • Linux botnet

    It's a Linux botnet just like an Adobe exploit on Windows is a Windows botnet.
  • maybe not apache

    I think Apache is also running on Windows, so Linux to be use?
  • Linux-Botnet

    Yes, it's a Linux-Botnet, as the nginx-Version installed on it is the Linux-Version. So it has nothing to do with apache.
  • Linux

    Is this really a Linux botnet or an Apache botnet running on Linux? Meaning Linux is really not the issue but Apache which could be in the same position if installed on Unix or Windows?