
Thousands of Linux Servers Infected by Lilu (Lilocked) Ransomware - fortran77
https://fossbytes.com/lilocked-ransomware-infected-linux-servers/
======
fortran77
Interesting that they don't know how it's getting in (and getting root access)

> The mechanism behind how it gets access is unknown yet.

I wonder if there's a zero day. (Though there are a lot of unpatched web-facing
Linux servers out there!)

~~~
bediger4000
My guess would be that the ransomers bought a list of web shell URLs and
passwords, and went from there. [https://backsib.com/](https://backsib.com/)
sells backdoor access for 40 cents each in lots of 50. I believe there are
other groups doing the same sort of thing for "WSO" web shells. Sure, they'd
get a lot of dead/unattended sites, but they'd get a few live ones, too.

I'm also going to guess that there's really not that many servers infected. As
an example, there's a sort of vigilante malware for WordPress sites that
renames files it considers malware to ".php.suspected". Google for
".php.suspected" (quotes included). Somewhere in the first page of results
you'll find something like
[https://precision-grinding.com/wp-content/plugins/revslider/...](https://precision-grinding.com/wp-content/plugins/revslider/temp/update_extract/revslider/),
which has been
victimized over and over and finally the vigilantes got in there. You won't
find the same when googling for ".lilocked". Tons of posts about it, tons of
articles advising how to remove it, no instances.

~~~
fortran77
Why do Linux users insist that there's "no malware on Linux" and that it's so
much safer because you can read the source code, etc., etc.,? It seems that
there are a lot of these things.

~~~
bediger4000
The backdoors are more WordPress than Linux malware - a lot of them at least
nominally run on both Windows and Linux hosts of WordPress, but you have a
good point.

There's also something to the "read the source" thing - there are a lot of
WordPress and/or Joomla backdoors, web shells, trojans, etc., but since you can
read the source, you can understand them. There's no need for a Wizard from
IBM or Kaspersky or Symantec or McAfee to tell you what WSO does - you can
see it for yourself. If it's PHP or Perl or shell scripts, no exotic
disassembly is needed - any old fool can see what it does. This de-mystifies
the malware, I think.

~~~
fortran77
If Linux allows WordPress and PHP to run in such a way that they can take over
the system, then I believe it to be Linux's fault.

