Get tough on Windigo


This is probably not a name you have heard of. However, your server could unwittingly be part of a larger group of compromised machines. This article covers the issue in more detail, but the gist is:

The campaign was uncovered by researchers from security firm Eset, in collaboration with Germany’s federal agency computer emergency response team, the Swedish National Infrastructure for Computing and other agencies. Operation Windigo is described as a “complex knot of sophisticated malware components” that are designed to hijack servers, infect the computers that visit them, and steal information. “Windigo has been gathering strength, largely unnoticed by the security community, for over two-and-a-half years, and currently has 10,000 servers under its control,” said Eset security researcher Marc-Étienne Léveillé.

So what can you do to help yourself and other net users?

Eset researchers are appealing to Unix system administrators and webmasters to run the following command, which will tell them whether their server is compromised or not:

$ ssh -G 2>&1 | grep -e illegal -e unknown > /dev/null && echo "System clean" || echo "System infected"
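
The one-liner works because an Ebury-trojaned ssh silently accepts the bogus -G switch, whereas a genuine OpenSSH build of that era rejects it with "illegal option" or "unknown option"; note, however, that OpenSSH 6.8 and later added a real -G option, so on those builds the command prints a usage line and the one-liner reports "System infected" spuriously. The shell function below is an added example, not Eset's tool, that separates the three outcomes; the sample version strings and outputs at the bottom are constructed, and for 6.8+ builds a "legitimate" result only means -G behaved as the real option would, not that the binary is clean.

```shell
#!/bin/sh
# classify_ssh_g VERSION OUTPUT
#   VERSION: first line of "ssh -V 2>&1", e.g. "OpenSSH_6.6.1p1 Ubuntu-2ubuntu2"
#   OUTPUT:  everything "ssh -G 2>&1" printed
# Prints exactly one word: clean, legitimate or suspicious.
classify_ssh_g() {
  version="$1"
  output="$2"
  # A build that does not know -G rejects it: this is the "clean" answer
  # the original one-liner looks for.
  case "$output" in
    *illegal*|*unknown*) echo clean; return 0 ;;
  esac
  # Parse major.minor out of the OpenSSH version banner.
  major=$(printf '%s\n' "$version" | sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1/p')
  minor=$(printf '%s\n' "$version" | sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\2/p')
  if [ -n "$major" ] && [ -n "$minor" ]; then
    if [ "$major" -gt 6 ] || { [ "$major" -eq 6 ] && [ "$minor" -ge 8 ]; }; then
      # OpenSSH >= 6.8 implements -G: with no host it prints usage,
      # with a host it dumps the effective client configuration.
      case "$output" in
        *usage:*|*hostname*) echo legitimate; return 0 ;;
      esac
    fi
  fi
  # -G was accepted by a build that has no such option, or the output
  # matches nothing we expect: treat the binary as suspect and inspect it.
  echo suspicious
}

# Runs the real binaries on this host; not invoked automatically below.
check_local_ssh() {
  classify_ssh_g "$(ssh -V 2>&1 | head -n 1)" "$(ssh -G 2>&1)"
}

# Constructed sample inputs (not captured from real systems):
classify_ssh_g 'OpenSSH_6.6.1p1 Ubuntu-2ubuntu2' 'ssh: illegal option -- G
usage: ssh [-1246AaCfgKkMNnqsTtVvXxYy] ...'        # clean
classify_ssh_g 'OpenSSH_8.9p1 Ubuntu-3ubuntu0.6' 'usage: ssh [-46AaCfGgKkMNnqsTtVvXxYy] ...'  # legitimate
classify_ssh_g 'OpenSSH_6.6.1p1 Ubuntu-2ubuntu2' ''  # suspicious
```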

The Ebury back door deployed by the Windigo cyber crime operation does not exploit a vulnerability in Linux or OpenSSH. Instead, it is installed manually by an attacker who already has access. The fact that they have managed to do this on tens of thousands of different servers is chilling, as the article above says.

Again, it is time to redouble efforts to make sure your servers are not part of this or other campaigns by scanning regularly and patching vulnerabilities wherever possible.