When it comes to computer viruses, all platforms are targeted. However, because Linux is so often used to run websites and deliver Web content, attackers have targeted it the most. Interestingly, the volume of malware that infects Windows and Android devices by way of the Linux platform is only a small portion of threats, but experts have started to see a steady stream of attacks using scripts and executable malware.
In addition, a growing number of samples targeting services are being detected. Although these services are designed to be platform independent, running them on Linux is actually quite common.
Targeted Linux-Based Web Servers
There are several reasons that Linux-based Web servers have become a big target for criminals who want to control and redirect traffic.
- The Linux underlying operating system runs a significant percentage of Web servers on the Internet. This includes a large number of high-volume and critical connected websites from around the world.
- Linux servers are widely believed to be much safer than other operating systems, so infections are easily overlooked. Because of this, a Linux-based Web server can stay infected for years, creating an opportunity for criminal organizations to make a lot of money.
How PHP Scripts Affect Linux
Many of the malicious PHP scripts running on Linux-based Web servers are capable of making those servers operate as nodes within larger traffic distribution systems. In addition, a significant number of the features detected are those of a more conventional botnet. For this reason, an infected system can execute other dangerous payloads, including attacks like DDoS.
As explained by PHP.net, PHP scripts are capable of many things. However, compromised PHP scripts typically run on platforms with vulnerabilities, such as poorly patched versions of WordPress. For instance, an exploit was discovered in 2013 within the PHP engine that runs the Plesk content management system. With it, malicious actors were able to send a particular POST command that provided access to that engine and allowed them to run any PHP script they wanted.
To better understand how Linux-based Web servers are compromised, it helps to look at Darkleech, which PC World explains in full. This Linux malware was installed on legitimate but compromised websites, which in turn served drive-by attacks against visiting Web browsers with known vulnerabilities. The malware compromised more than 40,000 domains and website IPs. In fact, in one month alone, 15,000 attacks were recorded, including attacks on Seagate and the Los Angeles Times.
With Linux, a large portion of infected servers work by redirecting traffic to the landing pages of crimeware kits, which are, in truth, themselves Linux servers. For these and other reasons, Linux administrators should be aware of how serious malware infections are. Every month, literally tens of thousands of highly suspicious samples of PHP code run on Linux-based Web servers. To avoid detection, criminals have gone to great lengths to hide these scripts; there are instances in which PHP scripts have over 50 layers of obfuscation.
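The layered hiding described above is itself a detection signal: legitimate PHP code almost never wraps itself in nested eval(base64_decode(...)) or eval(gzinflate(base64_decode(...))) layers. The following Python script is an added example, not code from the original article or from any of the products it mentions. It builds a constructed, harmless PHP sample wrapped in several such layers, then peels them one by one, counts how deep the nesting goes and flags the file when the depth passes a threshold. The threshold of 3 and the short list of functions checked in the innermost code are assumptions chosen for the example; tune them for your own environment.

```python
import base64
import re
import zlib

# Outermost patterns a peeling pass looks for. Each captures the base64 blob.
EVAL_B64 = re.compile(
    r"eval\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)\s*\)\s*;?", re.S)
EVAL_GZ = re.compile(
    r"eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)\s*\)\s*\)\s*;?", re.S)

# Functions whose presence in the decoded innermost code is worth reporting (assumed list).
REVIEW_MARKERS = ("eval(", "system(", "shell_exec(", "passthru(", "base64_decode(")


def wrap_layers(payload: str, layers: int) -> str:
    """Build a CONSTRUCTED test sample: wrap a harmless payload in N alternating layers.

    Even layers use eval(base64_decode(...)), odd layers use
    eval(gzinflate(base64_decode(...))) with raw deflate data, as gzinflate expects.
    """
    code = payload
    for i in range(layers):
        if i % 2 == 0:
            code = "eval(base64_decode('%s'));" % base64.b64encode(code.encode()).decode()
        else:
            raw = zlib.compress(code.encode())[2:-4]  # strip zlib header and adler32 trailer
            code = "eval(gzinflate(base64_decode('%s')));" % base64.b64encode(raw).decode()
    return "<?php\n" + code + "\n"


def peel_layer(code: str):
    """Return the code hidden under one obfuscation layer, or None if no layer is found."""
    m = EVAL_GZ.search(code)
    if m:
        data = base64.b64decode(m.group(1))
        return zlib.decompress(data, -15).decode("utf-8", "replace")  # -15 = raw deflate
    m = EVAL_B64.search(code)
    if m:
        return base64.b64decode(m.group(1)).decode("utf-8", "replace")
    return None


def unwrap(code: str, max_layers: int = 200):
    """Peel layers until none remain; return (layer_count, innermost_code)."""
    layers = 0
    while layers < max_layers:
        inner = peel_layer(code)
        if inner is None:
            break
        code = inner
        layers += 1
    return layers, code


def assess(code: str, threshold: int = 3) -> dict:
    """Classify a PHP source string by obfuscation depth and innermost-code markers."""
    layers, inner = unwrap(code)
    markers = [m for m in REVIEW_MARKERS if m in inner]
    return {
        "layers": layers,
        "suspicious": layers >= threshold,
        "markers": markers,
        "inner": inner,
    }


if __name__ == "__main__":
    sample = wrap_layers("echo 'hello';", 5)  # constructed, benign payload
    print(assess(sample))
    print(assess("<?php echo 'plain file';"))
```

Running the script on the constructed sample reports five layers and a suspicious verdict, while a plain file reports zero layers. In practice you would run assess over every .php file under the document root and review anything with a non-zero layer count, since the count only needs to be far lower than the 50-plus layers mentioned above to be worth a look.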
It is imperative for administrators to apply security patches immediately, but also to implement multi-layered protection for the Linux operating system and any services running on it. With the growing threat to the Linux platform, it becomes obvious that hosting and security firms need tighter relationships.
With this, protection against subtle attacks like those initiated by Darkleech becomes possible. The challenge is that many Linux-based attacks are hard to detect. For that reason, hosting providers must thoroughly clean servers, and administrators need to become more aware of current and growing threats, as well as of newer options for protecting against malware.