{
	"id": "24394305-8611-448f-95ea-a267dad0dcda",
	"created_at": "2026-04-06T00:16:44.370213Z",
	"updated_at": "2026-04-10T03:34:57.314843Z",
	"deleted_at": null,
	"sha1_hash": "3635fbd53a2c6cc930087373f0dea357e259becd",
	"title": "Windigo Linux Analysis - Ebury and Cdorked",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 152784,
	"plain_text": "Windigo Linux Analysis - Ebury and Cdorked\r\nBy Daniel Cid\r\nPublished: 2014-03-19 · Archived: 2026-04-05 18:41:50 UTC\r\nOur friends over at ESET released a very detailed document about Operation Windigo. Operation Windigo has been responsible for the compromise of thousands of Linux servers over the years. When you hear terms like Ebury, CDorked, Calfbot and others, they are all components of the same operation.\r\nOver the last few years, our team has been handling and fixing compromised servers and we can attest to how complex the clean up for this infection can be. The servers we have fixed were being misused to distribute malware, to send spam and, in some cases, to steal credit card data from compromised e-commerce web servers.\r\nWindigo Timeline\r\nThe timeline released by ESET matches what we have been seeing. It goes back to 2011, when Linux/Ebury was first seen, and runs through many evolutions, including our joint analysis of CDorked in 2013 and the SSH backdoors:\r\nWindigo Indicators of Compromise (IOC)\r\nIf you run a Linux server and you are worried it might be infected, ESET provides a few indicators of compromise you can use to check whether the server is hacked.\r\nFor Linux/Ebury: run ssh -G on the server. An unmodified OpenSSH client of that era does not know the -G option and rejects it with an error about an illegal or unknown option; the Ebury-patched binary accepts it. If you do not get that error and ssh only complains about the missing arguments (the usage text), you know you are compromised. Keep in mind that OpenSSH 6.8 (released in 2015) and later implement -G as a legitimate option that prints the evaluated client configuration, so this indicator is only valid for the OpenSSH releases that were current in 2014.\r\nFor Linux/CDorked: request favicon.iso from the web server with curl -i and look at the response headers. If you get redirected to google.com (a Location header pointing there), you know you are compromised; a clean server returns its normal response for a file that does not exist, typically a 404.\r\nhttps://blog.sucuri.net/2014/03/windigo-linux-analysis-ebury-and-cdorked.html\r\nThese apply to the latest versions of the malware. Older versions have different indicators, which we explain in our previous blog posts. Note that with the release of this document, the malware authors will likely change their operations and the behavior of the code. 
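The two checks above, as an added example that is not code from the original post or from ESET's document: a POSIX shell script that turns each indicator into a classification function (ssh -G output for Ebury, favicon.iso response headers for CDorked), exercises them offline against constructed sample output, and provides wrappers for a live host. The function names, the sample strings and the hostname argument are assumptions introduced here.

```shell
#!/bin/sh
# Added example (not code from the original post or from ESET's paper):
# the two Windigo IOC checks described above as classification functions,
# so the logic can be exercised offline against constructed sample output
# and then pointed at a live host. Function names and samples are assumptions.

# Linux/Ebury indicator. OpenSSH clients current in 2014 did not know -G and
# printed "illegal option -- G" (or "unknown option") before the usage text;
# the Ebury-modified binary accepted -G and printed only the usage text.
# Caveat: OpenSSH 6.8 (2015) and later implement -G legitimately, so on a
# modern system this check reports "suspect" for every host and is obsolete.
classify_ebury_output() {
    # $1: combined stdout+stderr captured from "ssh -G 2>&1"
    case "$1" in
        *"illegal option"*|*"unknown option"*) echo "clean" ;;
        *) echo "suspect" ;;
    esac
}

# Linux/CDorked indicator. An infected web server answers GET /favicon.iso with
# a redirect to google.com; a clean server returns its normal response for a
# file that does not exist. Classify on the Location header, case-insensitively,
# after stripping CRs so the match does not depend on the line terminator.
classify_cdorked_headers() {
    # $1: raw response headers as printed by "curl -si http://host/favicon.iso"
    if printf '%s\n' "$1" | tr -d '\r' |
        grep -iE '^Location:[[:space:]]*https?://(www\.)?google\.com' >/dev/null; then
        echo "suspect"
    else
        echo "clean"
    fi
}

# Live wrappers for an actual host (not run below because they need a real
# ssh binary and network access).
run_ebury_check() {
    # "|| true" keeps the non-zero exit of ssh from aborting under "set -e".
    classify_ebury_output "$(ssh -G 2>&1 || true)"
}
run_cdorked_check() {
    # $1: hostname or IP of the web server to test (assumed argument)
    classify_cdorked_headers "$(curl -si --max-time 10 "http://$1/favicon.iso" 2>/dev/null || true)"
}

# Constructed sample output (not captured from real systems) for an offline run.
SAMPLE_SSH_CLEAN='ssh: illegal option -- G
usage: ssh [-1246AaCfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]'
SAMPLE_SSH_SUSPECT='usage: ssh [-1246AaCfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]'
SAMPLE_HTTP_SUSPECT='HTTP/1.1 302 Found
Server: Apache
Location: http://google.com/
Content-Length: 0'
SAMPLE_HTTP_CLEAN='HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html; charset=iso-8859-1'

printf 'ebury   (clean sample):   %s\n' "$(classify_ebury_output "$SAMPLE_SSH_CLEAN")"
printf 'ebury   (suspect sample): %s\n' "$(classify_ebury_output "$SAMPLE_SSH_SUSPECT")"
printf 'cdorked (clean sample):   %s\n' "$(classify_cdorked_headers "$SAMPLE_HTTP_CLEAN")"
printf 'cdorked (suspect sample): %s\n' "$(classify_cdorked_headers "$SAMPLE_HTTP_SUSPECT")"
```

Run it with no arguments to see the four constructed samples classified; call run_cdorked_check with a hostname to test a real web server, and run_ebury_check on the server itself. The classification is kept separate from the commands that gather the output so that the same logic can be applied to captured output from a host you cannot reach interactively, and the ssh check is only meaningful on the OpenSSH releases that were current in 2014, for the reason given in the comment.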
So do not expect these indicators to last long.\r\nWe recommend reading the whole PDF here: http://www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf\r\nIf you need help cleaning up a compromised Linux server, let us know.\r\nDaniel B. Cid is Founder of Sucuri and the VP of Engineering for the GoDaddy Security Products group. He is also the founder of OSSEC and CleanBrowsing. You can find more about Daniel on his site dcid.me or on Twitter: @danielcid\r\nRelated Tags\r\nWebserver Infections\r\nSource: https://blog.sucuri.net/2014/03/windigo-linux-analysis-ebury-and-cdorked.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://blog.sucuri.net/2014/03/windigo-linux-analysis-ebury-and-cdorked.html"
	],
	"report_names": [
		"windigo-linux-analysis-ebury-and-cdorked.html"
	],
	"threat_actors": [
		{
			"id": "1934b371-2525-4615-a90a-772182bc4184",
			"created_at": "2022-10-25T15:50:23.396576Z",
			"updated_at": "2026-04-10T02:00:05.341979Z",
			"deleted_at": null,
			"main_name": "Windigo",
			"aliases": [
				"Windigo"
			],
			"source_name": "MITRE:Windigo",
			"tools": [
				"Ebury"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "3844202f-b24a-4e16-b7b9-dfe8c0a44d5d",
			"created_at": "2022-10-25T16:07:24.526179Z",
			"updated_at": "2026-04-10T02:00:05.023222Z",
			"deleted_at": null,
			"main_name": "Operation Windigo",
			"aliases": [
				"G0124"
			],
			"source_name": "ETDA:Operation Windigo",
			"tools": [
				"CDorked",
				"CDorked.A",
				"Calfbot",
				"Ebury"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434604,
	"ts_updated_at": 1775792097,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3635fbd53a2c6cc930087373f0dea357e259becd.pdf",
		"text": "https://archive.orkl.eu/3635fbd53a2c6cc930087373f0dea357e259becd.txt",
		"img": "https://archive.orkl.eu/3635fbd53a2c6cc930087373f0dea357e259becd.jpg"
	}
}