Security boffins at ESET, in collaboration with CERT-Bund, the Swedish National Infrastructure for Computing as well as other agencies, have found a cybercriminal campaign that has taken control of over 25,000 Unix servers worldwide.
Dubbed "Operation Windigo" it has resulted in infected servers sending out millions of spam emails which are designed to hijack servers, infect the computers that visit them, and steal information.
cPanel and kernel.org have already been identified as victims.
ESET's security research team published a detailed technical paper, presenting the findings of the team's investigations and malware analysis. The paper also provides guidance on how to find out if your systems are affected and instructions for removing the malicious code.
The sheer size and complexity of the operation has remained largely unrealised by the security community which has been too busy trying to work out how to keep the US NSA out.
Windigo has been building for over two and a half years, and currently has 10,000 servers under its control.
ESET security researcher Marc-Étienne Léveillé said that the botnet sends out more than 35 million spam messages every day to innocent users' accounts, clogging up inboxes and putting computer systems at risk.
"Worse still, each day over half a million computers are put at risk of infection, as they visit websites that have been poisoned by web server malware planted by Operation Windigo redirecting to malicious exploit kits and advertisements."
Windigo-affected websites attempt to infect visiting Windows computers with malware via an exploit kit, while Mac users are typically served adverts for dating sites. iPhone owners are redirected to online porn.
It could be more serious. More than 60 percent of the world's websites are running on Linux servers, and many more might not be aware that they have been hacked.