Cybersecurity business Akamai has released details of an extensive cyber-attack taking place on compromised Linux servers that are unwittingly leaving themselves open to activity from cyber criminals. Previously, Microsoft Windows systems had been the main targets of hacking, so this recent development sees a change in tactic for cyber crooks.
XOR DDoS Botnet Floods the Bandwidth
The Linux servers act as a platform from which to launch the XOR DDoS (Distributed Denial of Service) botnet, which then floods the internet with a huge volume of junk traffic ultimately preventing websites and hosting companies from operating online until the problem is resolved. The bandwidth floods range from single digit Gbps up to 179Gbps which is classified as a huge volume attack. However, the largest recorded outage was as high as 400Gbps.
The process begins when an under-secured Linux server is controlled by an attacker brute-forcing the machine’s Secure Shell (SSH) which is an encrypted remote log-in protocol enabling control of the root directories. Those computers that have protected themselves with extremely strong passwords or by disabling root log-in will not currently be open to this particular type of attack.
Once the hackers have gained access to the root of a server, they are able to execute a bash shell script which effectively downloads and runs malicious binary code from the infected machine. After this has been achieved, the attackers are then able to use the server as a platform to flood other targets with junk DNS or SYN traffic.
According to Akamai, the botnet is being launched as much as 20 times a day. Approximately 90% of the targets are based in Asia, mostly belonging to the gaming sector, with educational institutions also highly at risk.
How to Protect your Servers against a Security Attack
It is essential that businesses who keep any sort of company data online, have robust security measures in place. Businesses running Linux servers or indeed any kind of system or website, need to protect their operating machines with complex passwords that are changed on a frequent basis.
Steer clear of using the same password for multiple services on your computers in order to limit the amount of damage that hackers can commit in the event that they do gain access to your system.
Details of passwords should never be kept online. In terms of anti-virus and anti-malware software, it’s not good enough to simply download it, set it up and never touch it again. Security patches, including new fixes, are regularly released, so make sure you run the updates immediately, setting the option to auto-update where possible.
In The Event of an Attack
If you suspect that your organisation’s systems have been compromised, contact network support and get them to run a malware check and follow the specific set of instructions recommended to remove this high risk Trojan infection from your computers.
Be aware though that as the attackers plans are thwarted, they will find more sophisticated methods of distributing this botnet on Linux servers or on any other platform that they choose to target. Unfortunately, this is probably only the beginning of the damage that the XOR DDoS botnet is likely to cause to businesses all over the globe, so don’t hesitate to lock your systems down and ensure that your servers aren’t its next victim.
Alex Viall is the Director of Mustard IT Support, a London based company which offers professional IT support to businesses across London and the Home Counties.
