Malware scum want to build a Linux botnet using Mirai

Diligent hackers have decided routers and cameras aren't enough, and have reportedly crafted Mirai variants targeting Linux servers. That unwelcome news came from Netscout, whose Matthew Bing wrote: "This is the first time we've seen non-IoT Mirai in the wild." Bing's post explained that the botmasters are trying to use a …

  1. Korev

    The "VPNFilter" variant "still tries to brute-force factory default usernames and passwords via telnet",

    if a Hadoop system has a publicly exposed YARN service, "it is not a matter of IF but a matter of WHEN your service will be compromised and abused".

    Why would any even partially competent sysadmin still do these things?

    1. Christian Berger

      Because of Hype

      "Why would any even partially competent sysadmin still do these things?"

      There are lots of people out there who happen to come across a few gigabytes of data. Then they find out that when they put it into an SQL table and don't think about what they are doing, everything is slow. They decide that this must already be "big data", so they google "big data" and come across all those tools designed for it. Since they have previously proven that they have no idea what they are doing, they will of course fail at installing their fancy new toys.

      People who both know what they are doing and have to use things like Hadoop to achieve their goals are rather rare. Therefore it's likely that any given installation was done by people who have no idea what they are doing.

    2. bombastic bob

      Hello the 90's called

      and your Linux system has an insecure telnet server running???

      icon for facepalm reaction

      I googled a bit, thinking that maybe there was something out there about telnet and Hadoop, and I kept seeing something about port 9000 and not being able to connect to it. Seriously, what's up with the telnet anyway, or is this just being used as a troubleshooting tool (and now, attack vector)? I hope that it's not actually USING a telnet-based command/config thingy, but who knows...

      /me withholds the 'meme-worthy' reference regarding the number 9000 - dunno if it would actually really apply in this situation.

      It might be interesting to know exactly what it is this vulnerability is dealing with, something I can't seem to find with a simple search [and I have no need/desire to install Hadoop in a VM just to see what's up with it].

    3. Robert Helpmann??

      tries to brute-force factory default usernames and passwords

      So a dictionary attack, then? Yes, that's still a form of brute force attack, but I would expect a bit more precision in the explanation and hope for perhaps a bit less implied condescension.

  2. Michael H.F. Wilkinson

    So we might see people

    ripping YARNs.

    Sorry, couldn't resist. I'll get me coat and silly walk out of here

  3. m0rt

    I saw that picture on the article front page, and thought that they were unicorn penguins.

    Then I realised what they were.

    I am disappointed.

    Why can't there be unicorn penguins?

    Oh wait...

    1. Anonymous Coward

      Just don't play leap frog with them.

  4. bombastic bob

    using TCP port 8088?

    something that can be looked at in logs...

    according to THIS web site (a google cache of a web site that wouldn't load with noscript, because, nginx and scripty requirement) the telnet port 8088 is being used in the YARN exploit of Hadoop. Also apparent, this has been going on for a while and just recently had a nice big uptick in activity (the article was from 11/15).

    Apparently they had some honeypots set up listening on this port, and were attempting to identify variants of the thing worming around 'teh intarwebs'.

    ah well, there goes my "over 9000" lame meme joke

  5. RyokuMas

    It's 2018...

    ... and malware miscreants have finally decided that Linux is worth pwning.

    ... sorry. Couldn't resist. Yes, I am expecting my downvote counter to go through the roof...

    1. Antonius_Prime

      Re: It's 2018...

      I'm always one for bucking a trend of band wagoneers. Have the upvote.

      It was a clever joke, one that clever people should get a wholesome, hearty chuckle from.

      1. bombastic bob

        Re: It's 2018...

        yeah, I think most people just recognize that Linux has NOT been a target because criminals go for the low hanging fruit, and don't want to do anything that requires actual work nor thinking to accomplish.

        and I got my 'lame honeypot' listening on 8088 now (simple inetd invoke 'echo' to send back a "go away" message). I 'allegedly' did the same kind of thing for 'code red' back in the day. Perhaps I could study this a bit and have it [allegedly] do some kind of command/control back to the SENDER [assuming it to be exploited Hadoop server] and [allegedly] SHUT IT DOWN. But that might be considered *illegal* gray-hat activity so I wouldn't actually DO that, and (gutless disclaimer) you shouldn't either (nudge nudge, wink wink, know-what-I-mean). But then again _I_ lack the knowledge of how Hadoop works. Just finding the TCP port took a bit of time and search-fu, and if I'm right and it _IS_ tcp port 8088 then all is well and I'll just tie up the botnet trying to exploit my non-Hadoop server box and maybe log it if I'm in the mood...

    2. GnuTzu

      Re: It's 2018...

      "Yes, I am expecting my downvote counter to go through the roof."

      Not so much. At the time of this comment, you're up 8 and down 0.

      The simple fact is that they'd eventually come after Linux. It was inevitable. But, notice it was more about badly administered boxes than Linux itself.

  6. Anonymous South African Coward

    Most probably already pwned and running riot somewhere. Or borked solid.

  7. Smartypantz

    So lame

    Every time the details of some exploit surface, it seems that the thing that makes it possible is always sheer stupidity! Default passwords on telnet connections and so on and so on.

    It must be the easiest thing in the world to build a massive honeypot to capture the wannabe IT-criminals of the world!? Sadly it seems that the IT branch of our law-enforcement is even stupiduuhhrr..

    So the way to keep a secure server running is to not be dumber than, say... a potato! Doesn't really seem that hard ?!??!?
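Two of the posts above touch on the same practical point: Korev's quote that a publicly exposed YARN service "will be compromised and abused", and bombastic bob's "lame honeypot" listening on TCP 8088 that answers "go away" and logs what hits it. The script below is an added example written for this page; it is not code from the thread, from Netscout or from the Hadoop project. It assumes that what reaches an exposed ResourceManager on 8088 is plain HTTP against the YARN REST API (the `/ws/v1/cluster/...` paths are the real ResourceManager REST API prefixes; the verdict labels and the sample requests are constructed for the example), and it classifies each connection so the log separates app-submission attempts from enumeration, ordinary web traffic and non-HTTP noise such as telnet banner grabs.

```python
"""'Go away' listener for TCP 8088 that triages what hits it.

Added example for the Register thread; not from Netscout, Hadoop or any
commenter. Assumption: an exposed YARN ResourceManager is driven over
HTTP on 8088, so a POST/PUT to the cluster apps API is the event worth
flagging. Sample requests at the bottom are constructed, not captured.
"""
import socket
import socketserver
from datetime import datetime, timezone
from typing import Dict, List, Optional

YARN_PORT = 8088
# Real ResourceManager REST API prefixes; rules built on them are mine.
YARN_API_PREFIX = "/ws/v1/cluster"
YARN_APPS_PREFIX = "/ws/v1/cluster/apps"
GO_AWAY = (b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/plain\r\n"
           b"Connection: close\r\n\r\ngo away\r\n")


def classify_request(raw: bytes) -> Dict[str, str]:
    """Parse the HTTP request line and rate it.

    verdict is one of:
      yarn-submit  POST/PUT to the apps API (application submission attempt)
      yarn-recon   any other request under the cluster REST API (enumeration)
      http-other   well-formed HTTP to some other path
      non-http     anything else (telnet IAC bytes, raw garbage, empty read)
    """
    try:
        first = raw.split(b"\r\n", 1)[0].decode("ascii")
        method, path, version = first.split(" ")
    except (UnicodeDecodeError, ValueError):
        return {"method": "", "path": "", "verdict": "non-http"}
    if not version.startswith("HTTP/"):
        return {"method": method, "path": path, "verdict": "non-http"}
    if path.startswith(YARN_APPS_PREFIX) and method in ("POST", "PUT"):
        verdict = "yarn-submit"
    elif path.startswith(YARN_API_PREFIX):
        verdict = "yarn-recon"
    else:
        verdict = "http-other"
    return {"method": method, "path": path, "verdict": verdict}


def format_log(src_ip: str, info: Dict[str, str],
               when: Optional[datetime] = None) -> str:
    """One key=value log line per connection, UTC timestamped."""
    when = when or datetime.now(timezone.utc)
    return (f"{when.isoformat()} src={src_ip} verdict={info['verdict']} "
            f"method={info['method'] or '-'} path={info['path'] or '-'}")


def triage(samples: List[bytes]) -> List[str]:
    """Verdicts for a batch of raw requests (used for offline testing)."""
    return [classify_request(s)["verdict"] for s in samples]


class GoAwayHandler(socketserver.BaseRequestHandler):
    def handle(self) -> None:
        self.request.settimeout(3)          # scanners that never send get logged too
        try:
            raw = self.request.recv(4096)
        except socket.timeout:
            raw = b""
        print(format_log(self.client_address[0], classify_request(raw)))
        try:
            self.request.sendall(GO_AWAY)   # answer, then drop the connection
        except OSError:
            pass


class GoAwayServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True


def serve(port: int = YARN_PORT) -> None:
    with GoAwayServer(("0.0.0.0", port), GoAwayHandler) as srv:
        print(f"listening on tcp/{port}; ctrl-c to stop")
        srv.serve_forever()


# Constructed samples: what a YARN-abusing bot, a scanner, a browser and a
# telnet brute-forcer would each look like on arrival.
CONSTRUCTED_SAMPLES = [
    b"POST /ws/v1/cluster/apps/new-application HTTP/1.1\r\nHost: x\r\n\r\n",
    b"POST /ws/v1/cluster/apps HTTP/1.1\r\nContent-Type: application/json\r\n\r\n{}",
    b"GET /ws/v1/cluster/info HTTP/1.1\r\nHost: x\r\n\r\n",
    b"GET / HTTP/1.0\r\n\r\n",
    b"\xff\xfb\x01admin\r\n",
    b"",
]

if __name__ == "__main__":
    serve()
```

Run it as root (or with the capability to bind 8088) on a box that is not a Hadoop node; the printed lines go wherever you point stdout. Note that this only sees the request line, which is enough to tell submission attempts from enumeration but says nothing about what the submitted application would have done; that is exactly the blind spot a real, unauthenticated ResourceManager has, which is the reason to keep it off the public internet in the first place.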

Biting the hand that feeds IT © 1998–2021