eBay: Botnets are Linux-happy

eBay may soon offer online banking. It would seem. This afternoon, while fielding questions about PayPal at a Santa Clara University conference obsessed with "trust online," chief information security officer Dave Cullinane seemed to indicate eBay is interested in extending the popular online payment system to its logical …


This topic is closed for new posts.
  1. Anonymous Coward


    "Queue audience laughter."

    Why line it up and have it wait when you can just issue a signal for it to occur?

  2. Daniel

    Linux server support

    See, using Linux proves to be a better server :)

    To be fair, if I were taking over a system, a Windows box would be bogged down to hell already, competing with trojans, etc.

    At least with a *nix based system, the admins would "assume" they are virus free, and instead of looking at their top reports, just enjoy their colourful and pretty UI (which, btw, is VERY pretty, Beryl is awesome).

  3. Patrick Ernst

    Botnets - Linux?

    This is slightly confusing. Is Cullinane saying the botnets were running from root-kitted Linux webservers? Are the botnets MS windows PCs and the rootkit topic and botnet topic are related but separate?

    It seems to read, to me, that Linux servers were involved in info collecting or malware installation as they had been compromised. Linux servers could be manually compromised and root-kitted, and they comprise the vast majority of Internet accessible web servers. MS boxes are much fewer in number. How do the percentages stack up? I take it the botnet army is MS PCs in homes/offices rather than in web server data centres.


  4. Anonymous Coward

    What he meant was

    he doesn't know the difference between a root kit and a spittoon. Phishing, as far as I know, is more than likely to be run from cheap shared web hosting: anonymous and fairly quick to set up, and most of these run on Linux. There is nothing security-wise that's wrong with them; it's what they do after that constitutes a crime. DNS poisoning (Google "pharming") is a problem for BIND anyway. As for botnets, they _can_ be controlled from web servers; they are made up of compromised Windows boxes on poorly secured consumer broadband connections. Now, as to whether the servers themselves are rooted, I suppose some may be, and some are in countries that either can't or won't shut down a rogue server for various criminal/government enterprise reasons that may occur to you.

    I wouldn't read anything this crew of screw says without the heavy bullshit filters on. The fact is command relay and data retrieval can happen in lots of ways; jacking a web server is one of them but not the only one, and it's not always such a surprise to the owner (wink wink, nod nod, say no more).

    I think we can count on El Reg readers not being the intended audience for this anyway, so I don't know why I bothered with this comment. It's just I really hate eBay; it's like it's personal, you know. I would like to see them choke on their own filth and blood.

  5. Pascal Monett

    Taking the proper approach to security

    So eBay is starting to think that whoever contacts them is working from a compromised platform? Good news then. The first step of security is to trust no one without proof. The second step of security is to trust no proof you haven't verified yourself.

    I hope that, with such an approach properly implemented, eBay will be able to show to the rest of the world just how security is done over the Internet. And I would be interested in seeing eBay become a real bank - with a bank's obligation to manage people's money and give it back if the person wants it back.

  6. Anonymous Coward

    Linux servers.

    I'd guess that the rootkitted Linux servers would be used to host the phishing website. Makes sense as the things probably have everything you need to act as a web server already loaded, it's just a matter of "borrowing" a bit of it. Herding the things together provides the necessary redundancy in case one of the dozy sysadmins that's supposed to look after the beastie wakes up for long enough to notice something going on.

    The botnets of windoze desktops would then send out the spam to entice the gullible to said website.

    The scary thing here is that eBay, with their piss-poor security record and lamentable response to the resulting compromised accounts (El Reg articles passim ad infinitum), may be contemplating opening a *bank*! For Online Banking this would have to be the equivalent of a real, bricks 'n mortar bank having a cardboard vault secured by a piece of string with a wooden toggle on one end.


  7. Anonymous Coward

    What crap!

    What has a phishing site got to do with a bot net? Surely the vast majority, and I am talking about 99.9% here, of botnets are Windows infected PCs! So, a couple of phishing sites might just happen to be on Linux servers but so what, I can bet that a great majority of them are also on Windows servers as well. And where is the proof that the Linux machines were root-kitted? And since Unix/Linux servers virtually control the internet it would be a complete miracle if some phishing sites weren't on the OS! I can bet though that the vast majority are on Windows.

    And I bet it did please the Microsoft PR person. Since the conference was sponsored by Microsoft how much pressure would it take for them to have this sort of information in the talk and the Microsoft stuff dropped? Not much I would think.

    Sorry, but since this is a Microsoft sponsored event then it must be marked as FUD.

  8. Anonymous Coward

    Wait for it...

    Here comes the pathetic prevarication by all the Linux zealots who like 5 year olds have a back-answer for everything. Is there any point in even discussing security with such an emotionally immature mindset?

  9. jubtastic1


    When you need to infect a million Windows boxes a day you need the right tool for the job.

  10. Ken Hagan

    Eh? (2)

    "With the desktop, we're starting to run on the assumption that anyone who's trying to contact us from their own personal desktop is probably coming from a compromised computer."

    So, er, what machine should I use to contact eBay? Someone else's? Maybe I could buy a botnet and use that, er...

    Also, how does this assumption help them. It doesn't put a subset of contacts into a particular category requiring more caution, so presumably eBay are treating all their customers the same as before, but are less happy about it or something.

    And this is after the reference to a "system that's within the community that constitutes eBay Inc.". What's that in English? I'm sure a lawyer would have trouble accepting that eBay's customers are part of eBay Inc, so presumably this trusted payment system is only for employees.

    The man's an idiot, talking bollocks.

  11. Sceptical Bastard

    Wake up, 'Dozeboyz!

    Quote: "...within the community that constitutes eBay Inc"

    You can see why he said that - friendly, fuzzy, warm, etc - but it's not a bloody community. It's a multinational corporation.

    As to the story itself, I await the torrent of 'told ya so' smirks from all the Redmond fanboys out there.

  12. Anonymous Coward


    That's the way I read it - the article confuses two separate topics, and the title only makes it worse!

  13. JohnG

    Most PCs "hidden" by dynamic NAT...

    ...and therefore can't be used to host a phishing website. The compromised PCs (probably running Windows) are used to send the phishing emails, containing a link to the phishing site. The phishing site is likely to be hosted on a compromised web server, which may well be running Linux. I thought this would be bleeding obvious, but maybe the bloke from eBay thinks everyone with a compromised Windows system will be running a website from their PC and will have therefore set up static NAT on their broadband router for incoming web traffic.

  14. Anonymous Coward

    It's true

    If you look at the actual statistics it's clear that most phishing websites do run from very cheap Linux virtual machines which have been compromised. The statistics are very interesting. Most "low importance" web servers will be running Linux due to the ease of acquisition of a Linux virtual machine. Most "high importance" web servers will be running Windows (just the way it is, they may still be running Apache though), but if you look at the number of THESE servers that get cracked then the ones that do are ALL running Windows!

    This indicates to me that on the low cost end, where people are less skilled or have less time to spend on security, people are using Linux (because it's cheaper), but on the high end (where people also use Linux but also Windows and BSD of course) people have more skills and money and time to spend on security, so the only boxes that get regularly cracked are the inherently insecure Windows ones!

    Just wish I could find those stats now... I will post a new comment when I do!

  15. Richard Kay

    Linux used to control botnets

    Because Linux is more readily programmable to perform automated network operations, compromised Linux servers are reputedly used to control botnets made up of many more compromised Windows boxes. Certainly looking at the automated password guessing attacks in my Linux SSH server logs was enough for me to install DenyHosts to lock 'em out after a few tries, close logins on any unused accounts and force all users to have strong passwords. I don't know anyone who runs SSH servers on Windows boxes, which would be equally or more vulnerable if these do exist, so presumably these automated attacks have illegal ownership of Linux servers as their objective.

    As Linux use grows there will be more Linux admins without the skills needed to keep their systems secure. Good security is always a combination of good software, skilled administration and constant vigilance. There are quite a few hardened Windows systems out there too, but fewer Windows admins who know how to do this compared to the number who don't. Most Unix/Linux admins care about security but too few Windows-only users who have installed software seem to do so.

  16. Anonymous Coward


    'Most "high importance" web servers will be running windows (just the way it is,'

    Actually, many "high importance" servers will be Linux too. Or Sun/HP boxes. Windows doesn't get much of a look in, really.

    There are a few companies that use Windows boxes for hosting, but they have higher costs and, despite being in the same "low end" market, they are more expensive. I would suspect that these make money on those who don't know anything but the ticket price. Don't pay the top dollar because that's a waste. Don't pay bottom dollar because they *must* be cutting corners somewhere. Go a couple of steps up from cheapest.

  17. Richard Greenway

    Linux Phishing

    I certainly would not be surprised by a larger number of compromised Linux machines hosting phishing sites, or sending spam.

    Many home Linux users of course open up servers on their machine for their own use, SSH, FTP. And probably don't examine their log files regularly.

    For fun, just

    cat /var/log/messages | grep sshd | grep failed

    Anyone not setting up proper iptables filters to block multiple wrong attempts is very vulnerable.

    Poor passwords are just as likely on a Linux box as on a Windows one.

  18. Curtis W. Rendon

    *nix botservers

    Certainly possible, and I'm speaking as a *nix zealot here, who also spent some time as a Computer Security Officer.

    If a bad guy cracks a password on your system, that is adequate to use your machine. Doesn't even have to get rootkitted or even crack root access.

    If they set up shop on your system even as a Joe_user they can nice their malware so that it can serve their botnet and you aren't aware it's running, esp. if it does most of its activity when you aren't around to notice.

    Linux *is* after all a multiuser system, so if they aren't using up so much resource as to draw your attention, then they can get away with using your system for quite a long time.

    As part of my routine paranoia I use DenyHosts to monitor and block SSH attacks on my home system, and even on dynamic ADSL I get SSH attempts from upward of 20 different IP addresses a day, and at least that many FTP. I could shut down these services, but I use them to access my systems from the field, and I have friends who legitimately use my system, so I leave them available but guarded.

    My point is that if one of the ssh or ftp attackers found a usable password, they could use the system as an ordinary user to do their dirty work, and spend time attempting to crack root locally in their spare time.

    Computer security is not just a Microsoft problem, they just make breaking it easy.
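The log-grepping that comments 15, 17 and 18 describe, turned into the detection step DenyHosts automates. This is an added example and not code from the thread or from the DenyHosts project: the auth log lines are constructed for the example (RFC 5737 documentation addresses), the threshold of 3 is an arbitrary choice, and the output format is the `sshd: IP` form that /etc/hosts.deny accepts.

```shell
#!/bin/sh
# Added example (not from the original thread): count failed sshd logins per
# source IP in a syslog-style auth log and emit a DenyHosts-style block list.
# The log below is constructed for the example so the script runs offline.

set -u

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT
AUTH_LOG="$WORKDIR/auth.log"

# Constructed sample: two guessing sources, one legitimate user who typo'd once
# and then logged in with a key, and an unrelated cron line.
cat >"$AUTH_LOG" <<'EOF'
Jan 11 03:14:07 host sshd[2311]: Failed password for root from 203.0.113.5 port 41222 ssh2
Jan 11 03:14:09 host sshd[2311]: Failed password for root from 203.0.113.5 port 41222 ssh2
Jan 11 03:14:12 host sshd[2313]: Failed password for invalid user admin from 203.0.113.5 port 41230 ssh2
Jan 11 03:14:15 host sshd[2315]: Failed password for invalid user oracle from 203.0.113.5 port 41241 ssh2
Jan 11 03:20:01 host sshd[2320]: Failed password for invalid user test from 198.51.100.77 port 5520 ssh2
Jan 11 03:20:03 host sshd[2320]: Failed password for invalid user guest from 198.51.100.77 port 5520 ssh2
Jan 11 03:21:44 host sshd[2330]: Failed password for alice from 192.0.2.10 port 50110 ssh2
Jan 11 03:21:50 host sshd[2330]: Accepted publickey for alice from 192.0.2.10 port 50110 ssh2
Jan 11 03:22:10 host cron[2340]: (root) CMD (run-parts /etc/cron.hourly)
EOF

# ssh_failed_by_ip LOG: print "COUNT IP" per source, most failures first.
# Handles both "Failed password for USER from IP" and
# "Failed password for invalid user USER from IP": the IP is the field after "from".
ssh_failed_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password for / {
             for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
         }
         END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# ssh_bruteforce_ips LOG THRESHOLD: sources with at least THRESHOLD failures.
ssh_bruteforce_ips() {
    ssh_failed_by_ip "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# hosts_deny_lines LOG THRESHOLD: render the block list as /etc/hosts.deny
# entries, which is what DenyHosts writes (sshd must honour TCP wrappers for
# these to bite; otherwise feed the same list to iptables).
hosts_deny_lines() {
    ssh_bruteforce_ips "$1" "$2" | sed 's/^/sshd: /'
}

# Stand-alone run: per-source report, then what would be blocked at 3 failures.
ssh_failed_by_ip "$AUTH_LOG"
hosts_deny_lines "$AUTH_LOG" 3
```

Counting per source rather than per account is the point: the guessing host above tries four different usernames and never trips a per-account lockout, while alice's single slip must not get her blocked. The iptables alternative comment 17 alludes to needs no log parsing at all: a rule pair with `-m recent --set` on new connections to port 22 and `-m recent --update --seconds 60 --hitcount 4 -j DROP` throttles any single source to a handful of attempts a minute.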

  19. Anonymous Coward

    Cue the loonix zealots

    Yawn. Get back to your bedrooms and resume your usual activities of habitual pud pulling over the latest lunix abuser magazine cover disk containing yet another crackpot loonix mutation.


    A Windows Guy

  20. ryan


    being a fanboy about anything is a bit sad, but an *operating system* fanboy? that's on a par with text-editor fanboyism.

    disturbing stuff.

  21. Dam

    Re: Linux Phishing


    "For fun, just

    cat /var/log/messages | grep sshd | grep failed

    Anyone not setting up proper iptables filters to block multiple wrong attempts is very vulnerable."


    Errr, so what ?

    My FreeBSD's quite safe here.

    They're trying to guess my root password ?

    -root can't log in via SSH

    -root can't log in via FTP

    I can give you my root password any time, and watch you do nothing at all with it.

    Why, if you like I can even give you my phpMyAdmin root password so you can create yourself an FTP user in the SQL tables.

    Shame apache's going to deny your IP though.

    Of course, if people aren't good enough to deny root access to ftp and ssh, it's more a problem of educating them than being highly skilled.

    I say, the problem isn't with users on this one, it's with the software makers for not shipping secure configurations by default.

    They recommend root login be denied? Then disable it in the default conf and be done with it!

    Just compare apache's default config file, and the recommended secure one.
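The "compare the shipped config with the recommended one" check from the comment above, done for sshd rather than Apache. This is an added example, not code from the thread or from OpenSSH: both config files are constructed here (the "weak" one stands in for a package default of the era that left `PermitRootLogin yes`), the directive names are OpenSSH's real ones, and the first-value-wins lookup mirrors how sshd reads its config. Accepting `prohibit-password` for PermitRootLogin reflects the OpenSSH 7.0+ default, which did not exist when the thread was written.

```shell
#!/bin/sh
# Added example (not from the original thread): audit an sshd_config for the
# root-login and password-guessing exposure the thread discusses. Both config
# files are constructed here; the checks use OpenSSH's real directive names.

set -u

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT

# Constructed "shipped default": root may log in with a password, no limits.
cat >"$WORKDIR/sshd_config.weak" <<'EOF'
# Package default (constructed for the example)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
#MaxAuthTries 6
Subsystem sftp /usr/libexec/sftp-server
EOF

# Constructed hardened version: key-only, no root, few tries, explicit allow list.
cat >"$WORKDIR/sshd_config.hardened" <<'EOF'
Port 22
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
MaxAuthTries 3
AllowUsers alice bob
Subsystem sftp /usr/libexec/sftp-server
EOF

# sshd_get FILE KEYWORD: value of the first uncommented occurrence. sshd uses
# the first value it reads for a keyword, and keywords are case-insensitive.
sshd_get() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || NF < 2 { next }
        tolower($1) == key { print $2; exit }' "$1"
}

# sshd_audit FILE: one line per weak setting; prints nothing when clean.
sshd_audit() {
    f="$1"
    v=$(sshd_get "$f" PermitRootLogin)
    case "$v" in
        no|prohibit-password|without-password) ;;
        "") echo "PermitRootLogin unset (OpenSSH default was 'yes' before 7.0): set it to no" ;;
        *)  echo "PermitRootLogin $v: root is guessable over SSH, set it to no" ;;
    esac
    v=$(sshd_get "$f" PasswordAuthentication)
    [ "$v" = "no" ] || echo "PasswordAuthentication ${v:-unset}: password guessing possible, prefer keys only"
    v=$(sshd_get "$f" MaxAuthTries)
    if [ -z "$v" ] || [ "$v" -gt 3 ]; then
        echo "MaxAuthTries ${v:-unset, default 6}: many guesses per connection, set to 3"
    fi
    v=$(sshd_get "$f" AllowUsers)
    [ -n "$v" ] || echo "AllowUsers unset: every local account, service accounts included, may be tried"
}

# sshd_audit_count FILE: number of findings, for pass/fail use in scripts.
sshd_audit_count() {
    sshd_audit "$1" | wc -l | tr -d ' '
}

# Stand-alone run: the weak file yields four findings, the hardened one none.
echo "weak:";     sshd_audit "$WORKDIR/sshd_config.weak"
echo "hardened:"; sshd_audit "$WORKDIR/sshd_config.hardened"
```

Run it against the real file with `sshd_audit /etc/ssh/sshd_config` after sourcing the script. The commented-out `#MaxAuthTries 6` in the weak file is deliberate: it is how many distributions ship the directive, and the audit treats a commented default as unset, which is exactly the "recommended but not enabled" gap the comment complains about.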


Biting the hand that feeds IT © 1998–2020