Linux Australia Server Leveraged by a C&C Botnet


A major security breach of a Linux Australia server has been reported. In an official statement posted on April 4, the organisation revealed that on March 22 “a large number of error reporting emails were sent by the Conference Management (Zookeepr) hosting server.”

The server is known to have hosted the conference systems for 2013, 2014, and 2015, plus the ones for PyCon Australia in 2013 and 2014. Those servers hold a large amount of personal information about conference participants. As a result, numerous names and contact details (such as telephone numbers, physical and e-mail addresses, and passwords) were exposed while the breach persisted.

The attack was triggered remotely and made use of root-level access to the server.

The attacker rebooted the server so that the malicious software would load into memory, and a botnet command-and-control node was established as a result.

It is still unclear which system vulnerability was exploited, and the system administrators have not yet determined the motive for the breach either. They are confident, however, that data collection was not the attackers’ goal, even though personal information is what appears to have been affected so far.

Investigators are currently analysing the attack and working to rule out any repetition of it. They have already inspected the initialization scripts used by the attack and decommissioned the exploited server, which is about to be replaced by a more hardened one.

Linux Australia has also reported that numerous reboots were performed to ensure that the malicious software was completely removed.

Other measures taken include:

  • Tighter restrictions on Internet-facing services.
  • Introducing key-based logins.
  • More frequent system updates.
  • Adopting an expiration date for system user accounts, set to 3 months after the conference has ended.

Conference participants are asked to change their passwords if they use the same credentials to log in to other accounts.