Security researchers from antivirus provider ESET on Tuesday announced a massive cyber attack that has managed to take control of at least 25,000 Linux/Unix servers over the last two years. The infected servers are used to steal credentials, send spam, and redirect web traffic to malicious web pages.
Dubbed Windigo, the cyber criminal operation has three main components: Linux/Ebury - an OpenSSH backdoor that controls servers and steals credentials, Linux/Cdorked - an HTTP backdoor that redirects web traffic to fraudulent content, and Perl/Calfbot - a spam-sending program.
According to the report, out of the 25,000 servers that Windigo infected over the last couple of years, around 10,000 are still under its control. It's not a small number considering the fact that each of these machines has access to significant bandwidth, storage, computing power, and memory. Researchers believe that the infrastructure is generating more than 35,000,000 spam messages per day.
Windigo has compromised Linux Foundation's kernel.org systems and the developers of the cPanel Web hosting control panel. Regions like Germany, France, the UK, and the US have been worst hit by the attack.
Researchers concluded that password authentication to access servers is inadequate, suggesting that two-factor authentication should be used instead. If you want to check your system for Windigo infection, you can do so by running the following command:
ssh -G 2>&1 | grep -e illegal -e unknown > /dev/null && echo "System clean" || echo "System infected"
It's strongly recommend that operating systems of infected machines be completely reinstalled.