Cracking All The Live Long Day & RH6/7 Worms
BoomMike writes "While the popular media drools over eWEEK magazine's contrived Open Hack Challenge, which offers modest cash prizes for cracking a carefully arranged network, real geeks can compete in the Honeynet Project's new Forensic Challenge, and pick up the trail of a hacker who cracked one of the project's Linux-based honeypots last November. Mount the file system images and pore through the IDS logs to figure out the who, what, where, when, why and how of the attack, and you can win a book. SecurityFocus has the story." In a closely related vein to the Honeynet crack, there's a story on C|Net concerning the RH 6.2/7 "worm", a new exploit set that's popular with the script kiddies on RH 6/7 servers.
What if the guy knew it was a honeypot, and he wanted to get caught? What if he wanted you all to mount the file system images, so he could take over your computers? Maybe he'll use you all to mount a DoS attack on slashdot. Oh, the irony!
"I am a cipher, a cipher, wrapped in an enigma, smothered in secret sauce" -Jimmy James
I think Red Hat should put out a new 7.01 point release with all the security fixes included. If you're doing a fresh install today you actually have to download over 100MB of patches right after you've finished installing! While 100MB isn't anything these days, it does take a little while, and many newbies probably don't know about up2date etc.
It would be much easier if they provided updated ISO images (yeah, I know I could make them myself, and someone else probably already has). Since Red Hat 7.1 is still a good way off, I think 7.01 would be a good idea.
What does Honeypot want? Cheap forensic analysis on a cracked box?
Well if you want to try, have a read of the Nov & Dec Dr.Dobbs. It has a pair of articles about recovering deleted data and has pointers to useful tools.
The vulnerabilities being exploited have been documented since at least the Red Hat 4 days. That they have not been repaired and the packages updated is as inexcusable as the assorted Microsoft vulnerabilities.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
if you believe what this guy says in his summary of the worm: here
However, these are the same things that have vulnerabilities in MS-land, and usually patches have been out. How many times have bugs been found in the NT kernel? Isn't it usually IIS? That is an add-on service.
Engineering and the Ultimate
Actually, you don't need to re-install to get rid of it, as it doesn't actually touch any of your binaries. Just boot in "emergency" mode, then:
rm -R /usr/src/.poop
comment out the "asp" stuff in /etc/inetd.conf
rm /sbin/asp
change your passwords (an email was sent - not sure what the contents were)
remove the "asp" line in /etc/rc.d/rc.sysinit
The ftpd hole was fixed for you, and you also need to make sure rpc.statd is turned off.
I'd also suggest you go through your logs so you can see who gave you the worm, so you can tell them that they've been 0wn3d.
Also, _all_ of your index.html files have been replaced by a ramen advertisement.
Engineering and the Ultimate
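An added example (not the poster's code) that turns the cleanup list above into a check you can run against a live root or a mounted image, such as the Forensic Challenge images: it looks for the artifacts the post names (/usr/src/.poop, /sbin/asp, the "asp" entries in inetd.conf and rc.sysinit, and index.html files carrying the Ramen advertisement). Recognising defaced pages by the word "ramen", and the exact shape of the "asp" lines in the constructed sample root, are assumptions; the fake root it builds exists only to demonstrate the check.

```python
"""Triage a (mounted) Red Hat filesystem root for the Ramen artifacts listed in the post."""
import re
import tempfile
from pathlib import Path

# Artifacts from the post: the worm's working directory, its binary, the "asp"
# service it adds to inetd.conf and rc.sysinit, and the replaced index.html pages.
# Paths are relative to the root being examined (e.g. a mounted forensic image).
RAMEN_DIR = "usr/src/.poop"
RAMEN_BIN = "sbin/asp"
ASP_CONFIGS = ("etc/inetd.conf", "etc/rc.d/rc.sysinit")
ASP_RE = re.compile(r"\basp\b")
# Assumption: the defaced pages can be recognised by the word "ramen"; the exact
# text of the advertisement is not reproduced on the page.
DEFACE_RE = re.compile(r"ramen", re.IGNORECASE)


def asp_lines(path):
    """Return the active (uncommented) lines of a config file that mention 'asp'."""
    if not path.is_file():
        return []
    hits = []
    for line in path.read_text(errors="replace").splitlines():
        stripped = line.strip()
        if stripped and not stripped.startswith("#") and ASP_RE.search(stripped):
            hits.append(stripped)
    return hits


def triage(root):
    """Check one filesystem root; returns a dict of findings plus an 'infected' verdict."""
    root = Path(root)
    findings = {
        "worm_dir": (root / RAMEN_DIR).is_dir(),
        "worm_binary": (root / RAMEN_BIN).exists(),
        "asp_config_lines": {},
        "defaced_pages": [],
    }
    for rel in ASP_CONFIGS:
        lines = asp_lines(root / rel)
        if lines:
            findings["asp_config_lines"]["/" + rel] = lines
    # The worm rewrites every index.html it can reach, so walk the whole tree.
    for path in root.rglob("index.html"):
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue
        if DEFACE_RE.search(text):
            findings["defaced_pages"].append("/" + path.relative_to(root).as_posix())
    findings["defaced_pages"].sort()
    findings["infected"] = bool(
        findings["worm_dir"] or findings["worm_binary"] or findings["asp_config_lines"]
    )
    return findings


def build_sample_root(base, infected=True):
    """Constructed sample: a fake root laid out the way the post describes an infected box."""
    base = Path(base)
    (base / "sbin").mkdir(parents=True)
    (base / "etc" / "rc.d").mkdir(parents=True)
    (base / "home" / "httpd" / "html").mkdir(parents=True)
    inetd = "ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -a\n"
    sysinit = "#!/bin/sh\n# system init\n"
    (base / "home" / "httpd" / "html" / "about.html").write_text("<html>untouched</html>\n")
    if infected:
        (base / RAMEN_DIR).mkdir(parents=True)
        (base / RAMEN_BIN).write_text("#!/bin/sh\n")  # stand-in for the worm binary
        # Exact format of the added lines is an assumption; the post only says "asp".
        inetd += "asp stream tcp nowait root /sbin/asp\n"
        sysinit += "/sbin/asp &\n"
        (base / "home" / "httpd" / "html" / "index.html").write_text("<html>RameN advertisement</html>\n")
    (base / "etc" / "inetd.conf").write_text(inetd)
    (base / "etc" / "rc.d" / "rc.sysinit").write_text(sysinit)
    return base


def run_sample(infected=True):
    """Build the constructed root in a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        return triage(build_sample_root(tmp, infected))


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(f"{key}: {value}")
```

Point `triage()` at the mount point of an image rather than "/" when working on a forensic copy; it never writes anything, so it is safe on a read-only mount.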
Actually, it is destructive - it replaces _every_ index.html on your system with an advertisement for Ramen.
Engineering and the Ultimate
I think the problem is that most people confuse the "potential" for better code with "automatic" better code. Just because I release the source code doesn't make it secure. However, you _can_ find programs that have been secured. Open-source does not remove the need for security-conscious people, it just gives them better tools. With source code, if you get 0wn3d, it's your fault. With proprietary code, it's the other guy's fault :)
Engineering and the Ultimate
Turning off services is much better than hosts.allow/deny.
the problem is that most of the distributions started out making an OS for sysadmins, and they can't get it out of their system. Ever heard of a network exploit for Corel Linux? Why not? It's for users, and doesn't have _any_ services running. When someone clicks on "desktop install", that's what they should get. Then you don't have to mess with files like hosts.allow/deny, ftpusers, and stuff like that. If you want to run an FTP site, then you should know how that stuff works, but most desktop users don't even know that they are running an FTP site, and that is the distribution's fault.
Engineering and the Ultimate
But then Microsoft have brought this venom on themselves by their anti-competitive practices, so MS loyalists should not be surprised at the venom that is directed at them. RedHat isn't particularly popular with the /. crowd either, but then there are plenty of Linux vendors to choose from, unlike in the Windows market.
Yes, although MS driving competition out of the web browser and mail client markets, combined with lying about the abilities of MCSEs makes a virus far more likely to spread as the desktop is virtually the same everywhere and the servers are less secure. That isn't a problem with the OS per se, but more a problem with a lack of competition in the market.
The "myth" isn't so untrue. Remember, you have to have vulnerable versions of rpc.statd and wu-ftpd installed/running for this 'worm' to gain access to the machine. That's really the system admin's fault for not keeping up to date.
Linux and other *nixish OSes are fairly "virus-resistant" (no OS is "virus-proof") as long as you don't run the virus as root, apply the patches for known security issues, and basically do your job as a sysadmin...
Do you like German cars?
This is an interesting ecological approach to the security problem though. :-)
A worm that has the sole job of wandering around and fixing the exploit wherever it finds it and using the box for a little while to find other exploitable boxes, then moving on.
Need a Python, C++, Unix, Linux develop
For several reasons, this seemingly-great "set a worm to fix a wormhole" idea is NOT useful.
For starters, consider this scenario:
1. You know your machine is vulnerable, so you check out its wu-ftpd and rpc.statd binaries and the various logfiles. Whoa, there are worm tracks here! How do you KNOW (not just suspect, KNOW) whether the "bad" worm or the "good" worm was here?
2. Assume that the "good worm" has been coded to announce and identify itself. A) Most victims won't be able to judge whether to believe it, and B) the forthcoming "bad worm variant 2" will pretend to be the "good worm" anyway, so the ID cannot be trusted in the first place. The "bad worm variant 3" will be even better at hiding its damage while pretending to be the "good worm".
The net result: Systems hit by the "good worm" will have to be cleaned up and rebuilt just like systems hit by the "bad worm", unless the sysop/user is too clueless to notice the presence of either one. Thus, the "target audience" for this hypothetical white-hat is limited to clueless users who haven't already been hit by the "bad worm". To say nothing of the lawsuits unleashed by offended sysops who had to clean systems "your" worm "attacked".
"My strength is as the strength of ten men, for I am wired to the eyeballs on espresso."
If this were a Microsoft product, many slashdot readers would start saying "This is what you get" and "M$ sucks!"
:)
In reality, most security issues with Windows are of the same ilk: Admins that haven't a clue as to what they are doing and manage to fsck everything up and leave holes wide open.
Next time you read about some hole in Windows, or are tempted to say something smug about Windows 2000 security: Just remember this.... Nobody likes a smart ass, especially a hypocritical one
-
The IHA Forums
Natural != (nontoxic || beneficial)
This wu-ftpd bug was widely reported in June and observant system admins plugged it already. According to CERT's security advisory, older versions of proftpd also required updating.
I've helped lots of people get to Linux actually. They do need their hands held until they can get the hang of things. It's not intuitive for most people to immediately install an operating system and come to the realization that the first thing they must do is secure it. This is a problem that seriously annoys me about Red Hat and some other Linux distros, as people should only need to learn about securing services if they want to run them. When I first learned Linux back in 96, I was running a horribly insecure system with every service running. I didn't even know how to update it. It pisses me off that Linux vendors don't accommodate new users who don't know better yet.
But what I really don't understand is why you're upset.
---
When I first decided to leave my box on 24-7, and connected to the Internet, I was naive enough to think that since I had nothing important to offer, no one would bother hacking it.
I got hacked though, through the Wu-ftp bug, which I was aware of -- but like I said, I didn't think anyone would consider my stupid box worth attacking. Fortunately, they didn't do much damage. They deleted the /usr/bin directory, then appeared to have left. I deleted all accounts and changed passwords just in case it was more than just flexing muscles. I think they just wanted to take it offline, since it was running an Eggdrop on IRC. I'm glad they did it though, and that they kept trying to break in for weeks after that (I could tell from looking at the logs.) It helped show a newbie what to do and what not to do. I would have been a lot more upset though if they deleted some of my important data.
Thanks for the information. Now that I know what to look for I can check out the few systems that I have installed.
I won't need the perl program as I'll fix any holes that may be open.
I have discovered a truly marvelous sig, unfortunately the sig limit is too small to contain i
Yes you are, new users. Sure, you and most people here know all that stuff, but frankly I didn't even know there /was/ such a thing as a hosts.allow or a hosts.deny file until someone started scanning my system. I wouldn't have even noticed if not for something on Slashdot talking about IPchains. I turned it on and wow... the things I discovered. I did a full reload in case I had been cracked and set up again; I found out about hosts.allow and hosts.deny so I tried to set them up. Unless you already know what you are doing it is rather hard to find out the format the two files need to be in. Let's face it, a lot of clueless people are getting into Linux and I was one of them. We need to put out something that covers the things people here assume everyone already knows. I thought I had my system closed through the deny and allow files for a week before I discovered that I had the wrong format and they were doing nothing. I have corrected it now, but thanks to this Ramen problem I have discovered that I needed to do more (no, I haven't been hit... I at least know to keep up-to-date). How many of you knew on your first install of Linux that you had to change hosts.allow and hosts.deny? How many of you knew the format to use? How many of you knew that you could add anonymous to ftpusers to close anonymous FTP? I know I didn't know any of this when I first started. I am learning, and we need to stop bashing those that don't know and help them find out. Remember, even /you/ had to learn this at one time. You were not born all-knowing.
Question reality.
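Since the post above turns on exactly the problem of getting the hosts.allow/hosts.deny format right, here is an added example (not from the poster or from tcp_wrappers itself) that evaluates a pair of those files the way tcpd does: hosts.allow is consulted first, then hosts.deny, and a client matched by neither is let in. It implements only the common client patterns (ALL, exact address or name, trailing-dot prefix, leading-dot domain suffix, net/mask); EXCEPT lists, LOCAL, KNOWN/UNKNOWN and option fields are left out, as is tcpd's reverse-DNS checking. The sample rule files, addresses and hostnames are constructed for the demonstration.

```python
"""Evaluate tcp_wrappers hosts.allow / hosts.deny decisions for one client."""
import ipaddress

# Decision order from hosts_access(5): a client matched by hosts.allow is
# allowed; otherwise one matched by hosts.deny is denied; otherwise access is
# granted.  Rule lines are "daemon_list : client_list".


def parse_rules(text):
    """Parse rule lines into (daemons, clients) pairs; blank lines and # comments are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = [p.strip() for p in line.split(":")]
        if len(parts) < 2 or not parts[0] or not parts[1]:
            # A line without the ':' separator can never match a client; this example
            # raises so the mistake is visible instead of silently leaving the box open.
            raise ValueError(f"malformed rule (expected 'daemons : clients'): {raw!r}")
        daemons = parts[0].replace(",", " ").split()
        clients = parts[1].replace(",", " ").split()
        rules.append((daemons, clients))
    return rules


def client_matches(pattern, ip, hostname):
    if pattern == "ALL":
        return True
    if pattern.endswith("."):            # "192.168.1." matches 192.168.1.*
        return ip.startswith(pattern)
    if pattern.startswith("."):          # ".example.com" matches hosts in that domain
        return hostname is not None and hostname.endswith(pattern)
    if "/" in pattern:                   # "192.168.1.0/255.255.255.0"
        try:
            return ipaddress.IPv4Address(ip) in ipaddress.IPv4Network(pattern, strict=False)
        except ValueError:
            return False
    return pattern == ip or pattern == hostname


def daemon_matches(pattern, daemon):
    return pattern == "ALL" or pattern == daemon


def rule_matches(rules, daemon, ip, hostname):
    return any(
        any(daemon_matches(d, daemon) for d in daemons)
        and any(client_matches(c, ip, hostname) for c in clients)
        for daemons, clients in rules
    )


def access_allowed(allow_text, deny_text, daemon, ip, hostname=None):
    """Return True if tcpd would grant `daemon` to the client at `ip`."""
    if rule_matches(parse_rules(allow_text), daemon, ip, hostname):
        return True
    if rule_matches(parse_rules(deny_text), daemon, ip, hostname):
        return False
    return True


# Constructed sample files: sshd only from the LAN, ftp from the LAN or a trusted
# domain, everything else refused.  BROKEN_HOSTS_DENY shows the "wrong format"
# problem from the post: the ':' separator is missing.
HOSTS_ALLOW = "sshd: 192.168.1.\nin.ftpd: 192.168.1.0/255.255.255.0 , .trusted.example\n"
HOSTS_DENY = "ALL: ALL\n"
BROKEN_HOSTS_DENY = "ALL ALL\n"


def demo():
    """Decisions for a few clients; returns a dict so the results can be checked."""
    results = {
        "sshd_from_lan": access_allowed(HOSTS_ALLOW, HOSTS_DENY, "sshd", "192.168.1.5"),
        "sshd_from_outside": access_allowed(HOSTS_ALLOW, HOSTS_DENY, "sshd", "10.9.8.7"),
        "ftp_from_lan": access_allowed(HOSTS_ALLOW, HOSTS_DENY, "in.ftpd", "192.168.1.5"),
        "ftp_from_trusted_name": access_allowed(
            HOSTS_ALLOW, HOSTS_DENY, "in.ftpd", "203.0.113.9", "gw.trusted.example"),
        "telnet_from_lan": access_allowed(HOSTS_ALLOW, HOSTS_DENY, "in.telnetd", "192.168.1.5"),
    }
    try:
        access_allowed(HOSTS_ALLOW, BROKEN_HOSTS_DENY, "sshd", "10.9.8.7")
        results["broken_deny_file"] = "accepted"
    except ValueError:
        results["broken_deny_file"] = "rejected"
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The point of the last case is the one the post makes: with the separator missing, the deny file grants nothing and denies nothing, so the default of "allow" applies to everybody. Turning the service off, as other posts in this thread suggest, does not depend on getting this file right.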
Has anyone managed to unsubscribe once they found your email?
I used to have a free subscription to MacWEEK, which seems to be where they got the email address they use. They took it on themselves to take this as consent to receive eWEEK a couple of years later. I've emailed them demanding that they stop. I've sent abuse complaints upstream. Nothing seems to work.
For some reason, I doubt that firms that build their subscription numbers this way have enough of a clue to tell me anything interesting . . .
It's in rpc.statd and wu-ftp. More info at CERT
Best Slashdot Co
There goes the assertion/urban myth that Linux was proof against virii and such.
I would think a *horrible* vector would be one that alternated Windows/Linux targeting.
A Windows virus that targets Linux, transmutes itself, then looks for other Windows machines on the network.
Rinse, lather, and repeat.
Geek dating!
GPL Deconstructed
LinuxSecurity.com is offering bandwidth to download the images at http://honeynet.linuxsecurity.com/
A project such as this does such a good job of exposing users to the methodologies of the black hat community. This is a great project for anyone who has ever been hacked or might be hacked in the future. It's an excellent idea to play with a compromised system to see what one looks like, what gets "messed with" and what needs to be fixed.
-mark
If your computer says LINUX, run...computers can't talk! [unless you have text-speech software]
This worm has been being discussed on the incidents (not bugtraq, as C|Net says) mailing list.
It's basically a bunch of existing tools snapped together by some brute-force driver scripts.
My analysis is at http://members.home.net/dtmartin24/ramen_worm.txt. Fifteen minutes of fame, here I come!
The OpenHack challenge is just another one of those crack-this-box challenges which you see every month or so. Not to take anything away from it, but I find forensics much more interesting. What do you find more interesting: trying to crack a box, or trying to produce a cost-analysis report and details on _who_ cracked a box. I'll take the forensics any day.
rwm
What makes Windoze a popular target for virus and worm hackers is its popularity. Since the popularity of Linux is growing (RH in particular, as the distro most well known outside the hacker community), it was only a matter of time until someone started exploiting the security flaws that plague non-experienced users/administrators.
Because it's generally easier to sell someone a security system to keep your house from being broken into, than a camera that will only tell you where they went after they left.
If this was a story about MS2000 or something, it would be full of comments about how crappy it is. Now it's a story on Linux, and all anyone can talk about is how "it really isn't that bad" and "worms happen." It "really isn't that bad" because it wasn't made to destroy anything--odds are, the next one will be.
-- Hobbits suck!
;)
The title immediately conjured an image of internet worms, self-replicating, and using host machines to number crunch (in the distributed.net case, "crack"). Imagine a Seti@home or distributed.net worm.
Now *that* would be a decent worm.
"Why are these processes eating up all the CPU! Why are they talking to setiathome.ssl.berkeley.edu!"
It's 10 PM. Do you know if you're un-American?
I still don't understand why every network service isn't turned off by default. If you need it, you better know how to keep it secure. If you know how to keep it secure, chances are you know how to turn it on.
AFAIK, any normal RH Linux box needs these system services:
crond
keytable
random
syslogd
xfs (if running X)
A box with this config shows no externally open ports in "netstat -l" except echo. The only exception to this is when running X: port 6000 will be opened (personally I firewall this).
The only thing that MIGHT want to be turned on by default is SSH. But there's really no reason that the user shouldn't have to do even this themselves.
The problem is obviously the entry-level Unix/mid-level MS users who are starting to use Linux. They need their hands held. So put a $!@#$ memo in the installer that says to read "services.txt" or something to get your system services going. Or, perhaps RH should open a web browser with a "Configuring Services" FAQ when you login to X as root (most people do this, annoying enough).
---
I think I've got a moderator following me around with an itchy finger on the "Overrated" trigger.
Take heart, brother. :)
If it ain't broke, it doesn't have enough features yet.
When are the distribution makers going to learn? wu-ftpd is riddled with bugs and security holes. Why does something like this come standard with the world's most popular Linux distribution?
(Ideally it would come with proftpd, but with it disabled out-of-the-box...)
Differences to be noted:
1. Problem is presented quickly and fully.
2. Problem can be prevented by changing text based config files.
3. Problem can be patched at no cost.
4. No cost was incurred to begin with. Who wants to bash volunteers?
5. Reinstall will not subject you to licence keys, bogus copy protection schemes, and outright adverts like, "Everything you do will be easier and more fun. Be sure to register today!"
The ranting seems to be all yours. Get thee hence, MicroTurd.
Friends don't help friends install M$ junk.
these same types of vulnerabilities into their products time and time again. It's one thing when a vulnerability is truly ORIGINAL, but 99% of these are derivative of much older vulnerabilities that could have been detected IF someone checked for them. As a product of carelessness, sure it can happen, but for supposedly legendary "peer review" where thousands of programmers are supposed to check, it should RARELY ever happen. Yet RedHat and most other distributions never fail to release a new distribution with at least 5 remote vulnerabilities, many in the same services--over and over. I'd at least expect RedHat to check....
Oh well, I've got to run. I believe in the POTENTIAL for Open Source to be a mechanism for secure code (at least for certain TYPES of code), but it's generally not happening today.
RedHat claims that the wu-ftp bug (RHSA-2000-039-02) only affects RH5.2 and RH6.2
-no broken link
Hopping through CERT and eventually into Red Hat I found this. Fixes only for RH5 and RH6 (RH7 didn't exist at the time). I can't get to RH's FTP to check the status for wu-ftpd in RH7 right now, but their list of security advisories for RH7 does not mention wu-ftpd.
In his analysis he says RH7's vulnerability comes from LPRng, not wu-ftpd. A patched version of LPRng is offered as an update by Red Hat here.
Yes, I know I'm an idiot for not patching/firewalling my system. However, I got hacked (note, though, the servers I maintain did not get hacked, even though I'm relatively certain it was tried). I love getting 0wn3d. Oh well.
Engineering and the Ultimate
Sad to admit I had a box cracked with the rpc.statd exploit. The box wasn't anything particularly special, in fact, it was outside the firewall and expected to be cracked some time. Not a honeypot but just a server we didn't care if it did get cracked. Nothing seemed to have come of it and the box has since been rebuilt but for the interested, here is the log file the crack generated as caught by Logcheck:
rpc.statd[443]: SM_MON request for hostname containing '/': *INSERT BUNCH OF CRAPPY CHARACTERS*/bin/sh -c echo 9704 stream tcp nowait root /bin/sh sh -i >> /etc/inetd.conf;killall -HUP inetd
There were a lot of funky characters in the middle that Slashdot wouldn't take.
Check out Althea for a stable IMAP email client for X. Now with SSL!
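An added example (not the poster's, and not part of Logcheck) of what a detection rule for the log line above can do beyond matching the string: it picks out rpc.statd "SM_MON request for hostname containing '/'" events from a batch of syslog lines and, where the overflow payload is the classic "echo ... >> /etc/inetd.conf" trick, recovers which port, user and program the attacker tried to bind as a backdoor. The sample log lines are constructed; the third one reproduces the post's entry with the unprintable overflow bytes replaced by a run of 'A's.

```python
"""Pick rpc.statd SM_MON exploit attempts out of syslog and recover the injected inetd entry."""
import re

# rpc.statd logs the hostname it was handed when that hostname contains '/'.
# In the attack above the "hostname" is the overflow payload: junk bytes, then a
# shell command that appends a root shell service to inetd.conf and HUPs inetd.
STATD_RE = re.compile(
    r"rpc\.statd\[(?P<pid>\d+)\]: SM_MON request for hostname containing '/': (?P<payload>.*)$"
)
# "echo <inetd entry> >> <file>"; the target ends at whitespace or ';' so that a
# trailing "killall -HUP inetd" is not swallowed into the file name.
INJECT_RE = re.compile(r"echo\s+(?P<entry>.+?)\s*>>\s*(?P<target>[^\s;]+)")


def parse_statd_event(line):
    """Return a dict describing the attempt, or None if the line is not an SM_MON abuse."""
    m = STATD_RE.search(line)
    if not m:
        return None
    payload = m.group("payload")
    event = {
        "pid": int(m.group("pid")),
        "target": None,
        "port": None,
        "user": None,
        "program": None,
        "inetd_hup": "killall -HUP inetd" in payload,
    }
    inj = INJECT_RE.search(payload)
    if inj:
        # inetd.conf fields: service/port, socket type, protocol, wait flag, user, program, args
        fields = inj.group("entry").split()
        event["target"] = inj.group("target")
        if len(fields) >= 6:
            event["port"] = fields[0]
            event["user"] = fields[4]
            event["program"] = fields[5]
    return event


def scan(lines):
    """Run every syslog line through parse_statd_event and keep the hits."""
    return [ev for ev in (parse_statd_event(ln) for ln in lines) if ev]


# Constructed sample log.  The third line reproduces the post's entry, with the
# unprintable overflow bytes replaced by 'A's; the last is a second attempt whose
# payload does not touch inetd.conf.
SAMPLE_LOG = [
    "Jan 18 02:17:01 victim CROND[2201]: (root) CMD (run-parts /etc/cron.hourly)",
    "Jan 18 02:17:09 victim rpc.statd[443]: Version 1.0 Starting",
    "Jan 18 02:17:44 victim rpc.statd[443]: SM_MON request for hostname containing '/': "
    + "A" * 24
    + "/bin/sh -c echo 9704 stream tcp nowait root /bin/sh sh -i >> /etc/inetd.conf;killall -HUP inetd",
    "Jan 18 02:18:01 victim in.ftpd[2210]: connect from 192.0.2.50",
    "Jan 18 02:18:30 victim rpc.statd[443]: SM_MON request for hostname containing '/': "
    + "B" * 24
    + "/bin/sh -c id",
]

if __name__ == "__main__":
    for ev in scan(SAMPLE_LOG):
        print(ev)
```

The recovered port and program are what you then look for in the running system: a listener on that port and the matching line at the bottom of /etc/inetd.conf tell you whether the overflow actually succeeded, as opposed to merely being attempted.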
I know it's been discussed before, but wouldn't it be useful for someone to hack the worm to run around and close up the security holes without damaging the system? It could use an exploit to gain root, rpm -U the packages, do a bandwidth-limited scan for 24 hours and then clean up after itself.
It's pretty sloppy for RH to leave security fixes for these holes out of 7.0, but anyone running a server on a high-bandwidth line should probably know enough to get security updates frequently. Nobody deserves to get hacked, but you need to expect the worst as a sysadmin. Leaving the default install on a server is absolutely amateurish.
From hell's heart I fstab at /dev/hdc
I expect this'll get modded down, but...
It seems that the RedHat exploit is at least as big a story as the Honeypot project. While they're both 'cracker' related, one is an opt-in research project and one is an advisory news item.
Don't they deserve separate top-level stories to clear it up? This isn't some downgraded Slashback or quickies thing. Both deserve their own thread.
Or is it just negative news about a pet issue, getting swept into a little dark corner at the end of something else?
I love the smell of Karma in the morning