Like most mainstream operating systems these days, fully patched installations of Linux provide a level of security that requires a fair amount of malicious hacking to overcome. Those assurances can be completely undone by a single unpatched application, as Andre' DiMino has demonstrated when he documented an Ubuntu machine in his lab being converted into a Bitcoin-mining, denial-of-service-spewing, vulnerability-exploiting hostage under the control of attackers.

A security researcher with George Washington University, DiMino noticed several IP addresses attempting to hijack the Linux server by exploiting a now-patched PHP flaw that gave attackers the ability to remotely execute commands on vulnerable machines. DiMino was curious to know what the people behind the attacks intended to do with his machine, so he set up a "honeypot" box that, for research purposes, ran an older version of the Web development language.

The attackers' HTTP POST request contained a variety of commands that in short order downloaded a Perl script that was disguised as a PDF document file, executed it, and then deleted it. To ensure success, the attackers repeated the steps using curl, fetch, lwp-get requests. The Perl script was programmed to sleep for periods of time, presumably to prevent administrators from noticing anything amiss. Eventually, the compromised machine connected to an Internet relay chat channel, where it downloaded another script and executed it. Then he ran forensic software and snapped lots of screen shots so everyone could follow along.

In short order, the machine was running a host of apps installed by the attackers. Some of them hijacked the server hardware to perform the mathematical operations required to "mine" Bitcoins and another digital currency known as Primecoin. The server was also equipped with apps to perform denial-of-service attacks on other machines and to scan other machines for known vulnerabilities and exploit them when found.

"Across my honeypots, I'll see dozens of these a day, including Linux ELF [executable and linkable format] files, perlbots, and vintage shells," DiMino wrote in a blog post published Tuesday. "While these injected perl and shell scripts are typically considered the patio gnats of the Internet, more annoying than anything else, they do have the potential to cause considerable harm."

Not just for Windows anymore

DiMino's anatomy lesson is a graphic demonstration of recent advances in exploits for Linux. Once primarily the domain of machines running Windows, point-and-click exploits are used to commandeer machines so attackers can use them in online crime schemes. The increased horsepower and bandwidth available in many Linux servers often makes them more attractive than personal computers running Microsoft OSes. And as has always been the case, hijacked bots don't come with expensive electricity bills, and they often make it easy for criminals to cover their tracks.

The takeaway from the demonstration is just how important it is for admins working with any OS to stay on top of security patching. DiMino counsels admins to go a step further by learning how to actively monitor network activity on the machines they watch over. His blog post provides instructions for using the Volatility software framework to perform forensics on server memory. Among other things, it allows users to identify remote connections and the processes that initiate them.

"Besides ensuring that Internet facing servers are properly patched and hardened, knowing how to quickly track such a compromise should be part of best practices," DiMino wrote.