CTB-locker re-focusing attacks on Web-Servers

Accepted submission by q.kontinuum at 2016-02-24 17:31:42
Security

from the linux-is-safe-dept:

I read on a German IT news site [heise.de] that the CTB-locker trojan now focuses on attacking websites. I was wondering for some time when something like this would happen. The current version of the trojan seems to be implemented in PHP [kernelmode.info]. How it finds its way to the web-servers is not yet clear, but according to the German news site it appears that the majority of affected web-sites were running WordPress. According to this news site [bleepingcomputer.com], the initiators of CTB-crypt are using an affiliate-model to propagate the script. People already having access to hacked servers can support them and get a cut of the profits. Currently there is no hint of systemd being involved.

The trojan uses a file "extensions.txt" to specify which files to encrypt. I wonder what happens if this file already exists, belongs to root and is immutable. Unfortunately I didn't find any information about which path the trojan wants to write this file to...

