Operation Windigo: Thousands of Linux and Unix Servers hacked to deliver malware, spam

Hackers compromised thousands of Linux and Unix servers and used them for stealing SSH credentials, sending millions of spam messages and infecting visitors with malware.

The campaign has been dubbed as Operation Windigo, which was uncovered by researchers at security firm ESET.

According to the report, the operation has been ongoing since 2011 and more than 25,000 servers have been compromised in the last two years. 

Even some of high profile servers including Cpanel and Kernel.org had been affected by this campaign.

Millions of users to legitimate website hosted on affected servers are being served with malware via exploit kits and 35 Million spam messages are being sent each day from the compromised servers.

Three main components used in this operation are:

  • Linux/Ebury – an OpenSSH backdoor used to keep control of the servers and steal credentials
  • Linux/Cdorked – an HTTP backdoor used to redirect web traffic. We also detail the infrastructure deployed to redirect traffic, including a modified DNS server used to resolve arbitrary IP addresses labeled as Linux/Onimiki
  • Perl/Calfbot – a Perl script used to send spam

Detailed technical paper on "Operation Windigo" is here.