Two weeks ago I received an email that made my heart skip a beat.
It led to a few interesting hours, the resolution of a cyberattack — and a cheeky wink from whoever launched it.
-
The email came from a hosting company where I manage Linux servers for several clients. It made clear that one of the servers was attacking other servers on the internet — sending requests to address after address, performing a port scan.
The client in this case was a company in the United States that hosted a Node.js application on that server. I contacted them immediately to report the incident and got to work on the server.
The application logs told an interesting story.
The attack used was an RCE (Remote Code Execution) attack. It works by exploiting forms or input fields on a website — a newsletter signup, for example — to inject code that runs on the server and causes it to perform arbitrary actions.
In this case, the injected code downloaded and installed malware, which turned the server into a zombie that attacked other servers on command from its operator.
Based on the behavior visible in the logs, this appears to be malware known as Gafgyt (similar to the well-known Mirai), which targets Linux servers.
-
The problem could have been prevented from the outset by adding validation logic to the code that blocks the submission of code snippets through forms and input fields on the site.
It would also have helped to ensure the application wasn't installed directly on the operating system under a root user with full privileges.
I briefed the client's developer on the findings and the changes that needed to be made, but it was equally important to harden security at the server level.
I rebuilt the server using a management platform called CloudPanel, which acts as a buffer between the operating system and the applications installed on the server.
In this platform, each application is assigned its own user, and that user cannot directly access or modify the operating system — which prevents this class of RCE attack at the server level (the application itself may still remain exposed).
-
There was also a moment of humor in all this.
The name of the malware file installed on the server was: uhavenobotsxd.
Loosely translated: You have no bots XD
— as if to say: you don't have a single bot 🙂
--
👋 Hi, I'm Shlomo Strauss — follow me for more content on science and technology.