Linux Servers Being Compromised

“The gang behind Operation Windigo uses infected systems to steal credentials, redirect web traffic to malicious content, and send spam messages. According to our analysis, over 25,000 servers have been affected over the last two years.”
Pierre-Marc Bureau @ welivesecurity.com

In the news there are increasing reports of Linux servers being compromised and turned into spam bots or hosts for malicious websites. As a Linux admin I see scores of spam e-mails coming through my /var/log/syslog file and username/password guesses on SSH, e-mail, and website login forms. It is important that any Linux admin keep current on updates and lock down unneeded applications and ports. Webmasters need to keep their Joomla, Drupal, and WordPress installations at the most recent stable releases. In applications like WordPress, plugins are also a security risk: they should be updated frequently, or disabled if no longer needed.

The Windigo campaign has affected more than 25,000 Linux servers and, sadly, is not easily removed. If you find that your server has been compromised, it is recommended that you do a clean install of the server rather than attempt a repair.

There is a command you can run to see if your current Linux system is infected: 

$ ssh -G 2>&1 | grep -e illegal -e unknown > /dev/null && echo "System clean" || echo "System infected"
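The same check wrapped in functions, as an added example that is not part of the original post: the output of `ssh -G` is classified separately from running it, and the check is skipped on hosts where it does not apply, because OpenSSH 6.8 and later implement `-G` legitimately (it prints the evaluated client configuration), so on an up-to-date host the one-liner above reports "System infected" regardless. The function names and the sample version strings are my own.

```shell
#!/bin/sh
# Added example, not code from the original post. The check relies on a stock
# ssh older than OpenSSH 6.8 rejecting -G ("illegal option" / "unknown option")
# while the trojaned binary silently accepts it.

# classify_ssh_g OUTPUT_OF_ssh_-G -> prints "clean" or "suspect"
classify_ssh_g() {
    if printf '%s\n' "$1" | grep -q -e illegal -e unknown; then
        echo clean
    else
        echo suspect
    fi
}

# ssh_major_minor OUTPUT_OF_ssh_-V -> prints "MAJOR MINOR" (empty if unparsable)
# ssh -V writes e.g. "OpenSSH_6.6.1p1 Ubuntu-2ubuntu2, OpenSSL 1.0.1f ..."
ssh_major_minor() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9]*\)\.\([0-9]*\).*/\1 \2/p'
}

# check_applies OUTPUT_OF_ssh_-V -> true only for OpenSSH < 6.8, where a
# legitimate binary still rejects -G; anything newer or unparsable is "no".
check_applies() {
    set -- $(ssh_major_minor "$1")
    [ -n "$1" ] || return 1
    [ "$1" -lt 6 ] || { [ "$1" -eq 6 ] && [ "$2" -lt 8 ]; }
}

# run_live_check -> runs the check against the ssh binary on this host
run_live_check() {
    if check_applies "$(ssh -V 2>&1)"; then
        classify_ssh_g "$(ssh -G 2>&1)"
    else
        echo "not applicable (OpenSSH >= 6.8 supports -G); verify the ssh package checksums instead"
    fi
}

# Invoke the script with --run to perform the live check on this host.
[ "${1:-}" = "--run" ] && run_live_check
```

A "suspect" result on an old OpenSSH is a reason to verify the ssh binary against its package, not proof by itself; a "clean" result only says this one symptom is absent.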

Read more about the Windigo Campaign at welivesecurity.com


About Brian Aldridge

I am a software developer and podcaster. Catch me weekly on Infection - The Survival Podcast at https://infectionpodcast.com
