Windigo Linux Analysis – Ebury and Cdorked

1 minute read

Our friends over at ESET released a very detailed document about the Windigo Operation. The Windigo Operation has been responsible for the compromise of thousands of Linux servers over the years. When you hear terms like Ebury, CDorked, Calfbot and others, they are all related to each other.

Over the last few years, our team has been handling and fixing compromised servers and we can attest to how complex the clean up for this infection can be. We’ve seen that the servers we’ve fixed have been misused for distribution of malware, SPAM and, in some cases, to steal credit cards on compromised web servers used for e-commerce.

Windigo Timeline

The timeline released by ESET matches what we have been seeing and it goes back to 2011 when Linux/eBury was first seen. It goes through many evolutions, including our joint analysis of CDORKED on 2013 and the SSH backdoors:

Windigo Timeline

Windigo IOC’s

If you run a Linux server and you are worried it might be infected, they provide a few techniques (indicators of compromise) to check if the server is hacked.

1- For Linux/Ebury. Run the ssh -g command. If it returns an error about missing argument, you know you are compromised.

2- For Linux/CDorked. Run curl to favicon.iso and see if you get redirected to If you do, you know you are compromised.

These apply to the latest versions of the malware. Old versions have different indicators and we explain them on our previous blog posts. Note that with the release of this document, the malware authors will likely change operations and the behavior of the code. So do not expect it to last long.

We recommend reading the whole PDF here:

If you need help cleaning up a compromised Linux server, let us know.

Spotlight on Women in Cybersecurity

less than 1 minute read

Sucuri is committed to helping women develop their careers in technology. On International Women’s Day, Sucuri team members share their insights into workin...

Hacked Website Trend Report – 2018

less than 1 minute read

We are proud to be releasing our latest Hacked Website Trend Report for 2018. This report is based on data collected and analyzed by the GoDaddy Security / ...