Slashdot Mirror


Cracking All The Live Long Day & RH6/7 Worms

BoomMike writes "While the popular media drools over eWEEK magazine's contrived Open Hack Challenge, which offers modest cash prizes for cracking a carefully arranged network, real geeks can compete in the Honeynet Project's new Forensic Challenge, and pick up the trail of a hacker who cracked one of the project's Linux-based honeypots last November. Mount the file system images and pore through the IDS logs to figure out the who, what, where, when, why and how of the attack, and you can win a book. SecurityFocus has the story." In a closely related vein to the Honeynet crack, there's a story on C|Net concerning the RH6.2/7 "worm", a new exploit set that's popular with the script kiddies on RH 6/7 servers.


  1. Red Hat 7.01 by Majix · · Score: 3

    I think Red Hat should put out a new 7.01 point release with all the security fixes included. If you're doing a fresh install today you actually have to download over 100mb of patches right after you've finished installing! While 100mb isn't anything these days it does take a little while and many newbies probably don't know about up2date etc.

    It would be much easier if they provided updated ISO images (yeah I know I could make them myself, and someone else probably already has). Since Red Hat 7.1 is still a good way off, I think 7.01 would be a good idea.

  2. Re:Hypocritical? by cyber-vandal · · Score: 3

    Yes, although MS driving competition out of the web browser and mail client markets, combined with lying about the abilities of MCSEs makes a virus far more likely to spread as the desktop is virtually the same everywhere and the servers are less secure. That isn't a problem with the OS per se, but more a problem with a lack of competition in the market.

  3. Re:Oh well! by Scoria · · Score: 3

    The "myth" isn't so untrue. Remember, you have to have vulnerable versions of rpc.statd and wu-ftpd installed/running for this 'worm' to gain access to the machine. That's really the system admin's fault for not keeping up to date.

    Linux and other *nixish OSes are fairly "virus-resistant" (no OS is "virus-proof") as long as you don't run the virus as root, apply the patches for known security issues, and basically do your job as a sysadmin...

    --
    Do you like German cars?

  4. Re:Analysis of Ramen worm by Omnifarious · · Score: 3

    This is an interesting ecological approach to the security problem though. :-)

    A worm that has the sole job of wandering around and fixing the exploit wherever it finds it and using the box for a little while to find other exploitable boxes, then moving on.

  5. RH Crack by wiredog · · Score: 5

    It's in rpc.statd and wu-ftp. More info at CERT

    1. Re:RH Crack by ryanr · · Score: 3

      For which, the Ramen worm? It also uses the LPD hole, in RH7.0. Check out this comment:
      http://slashdot.org/comments.pl?sid=01/01/17/1836235&cid=12 by the guy who posted a well-done analysis to the incidents list.

  6. Oh well! by 2nd+Post! · · Score: 3

    There goes the assertion/urban myth that Linux was proof against virii and such.

    I would think a *horrible* vector would be one that alternated Windows/Linux targeting.

    A Windows virus that targets Linux, transmutes itself, then looks for other Windows machines on the network.

    Rinse, lather, and repeat.

    Geek dating!

  7. Download Site / Comments by marks · · Score: 4

    LinuxSecurity.com is offering bandwidth to download the images at http://honeynet.linuxsecurity.com/

    A project such as this does such a good job of exposing users to the methodologies of the black hat community. This is a great project for anyone who has ever been hacked or might be hacked in the future. It's an excellent idea to play with a compromised system to see what one looks like, what gets "messed with" and what needs to be fixed.

    -mark

    --

    -mark
    If your computer says LINUX, run...computers can't talk! [unless you have text-speech software]

  8. Analysis of Ramen worm by fizbin · · Score: 5

    This worm has been discussed on the incidents (not bugtraq, as C|Net says) mailing list.

    It's basically a bunch of existing tools snapped together by some brute-force driver scripts.

    My analysis is at http://members.home.net/dtmartin24/ramen_worm.txt. Fifteen minutes of fame, here I come!

  9. Re:Lets see.. by rwm311 · · Score: 3
    The point of the Honeynet Project is to raise awareness and teach the fundamentals of forensics. The book is just a "job well done" and pat on the back.

    The OpenHack challenge is just another one of those crack-this-box challenges which you see every month or so. Not to take anything away from it, but I find forensics much more interesting. What do you find more interesting: trying to crack a box, or trying to produce a cost-analysis report and details on _who_ cracked a box. I'll take the forensics any day.

    rwm

  10. It was a matter of time, really... by Bonker · · Score: 3

    What makes Windoze a popular target for virus and worm hackers is its popularity. Since the popularity of Linux is growing (RH in particular as the distro most well known outside the hacker community), it was only a matter of time until someone started exploiting security flaws that plague non-experienced users/administrators.

  11. Hypocritical? by Ringwraith · · Score: 4

    If this was a story about MS2000 or something, it would be full of comments about how crappy it is. Now it's a story on Linux, and all anyone can talk about is how "it really isn't that bad" and "worms happen." It "really isn't that bad" because it wasn't made to destroy anything--odds are, the next one will be.

    --
    -- Hobbits suck!

    1. Re:Hypocritical? by Anonymous Coward · · Score: 3

      You're right, in a sense. If this was happening to win2000/nt systems, a lot more people would be claiming that it represents a problem with the OS, instead of correctly interpreting it as a problem with admins not knowing how to set up their own systems.

      Thing is, these are not new exploits. They're known, and easily patched. Anyone who gets hit by this worm shouldn't be operating a web server.

    2. Re:Hypocritical? by Masem · · Score: 3
      It's being said that it isn't that bad because it doesn't destroy data itself, it merely unloads codes and tries to find more sites to unload more codes.

      But reading the advisories, it suggests that the unloaded code not only is a standard script kiddie root pack, but also emails to some sites, most likely the information on how the box reporting can be further hacked. It can tie up your internet connection since the portscanning that it appears to be doing is rapid. It also rewrites the default index page of the server (assuming you use default installs) with that "powered by raman noodles" page.

      Which means that if you have this on your system, the only precaution you can take is a full system reinstall lest you be "0wn3d" in the future, because some script kiddie somewhere has a way into root on your box.

      So this is VERY dangerous as there's a potential for abuse, but that has to be initiated by a human contact, which downgrades this from a virus to a worm. As others have said, if the rootpack had a simple "rm -rf /" or similarly damaging command in its script, it would be a virus.

      --
      "Pinky, you've left the lens cap of your mind on again." - P&TB
      "I can see my house from here!" - ST:

  12. Distributed Worm Computing by Hard_Code · · Score: 3

    Cracking All The Live Long Day & RH6/7 Worms

    The title immediately conjured an image of internet worms, self-replicating, and using host machines to number crunch (in the distributed.net case, "crack"). Imagine a Seti@home or distributed.net worm.

    Now *that* would be a decent worm. ;)

    "Why are these processes eating up all the CPU! Why are they talking to setiathome.ssl.berkeley.edu!"

    --

    It's 10 PM. Do you know if you're un-American?

  13. Off by default by e_n_d_o · · Score: 5

    I still don't understand why every network service isn't turned off by default. If you need it, you better know how to keep it secure. If you know how to keep it secure, chances are you know how to turn it on.

    AFAIK, any normal RH Linux box needs these system services:

    crond
    keytable
    random
    syslogd
    xfs (if running X)

    A box with this config, according to "netstat -l", has no externally open ports except echo. The only exception to this is when running X, port 6000 will be opened (personally I firewall this).

    The only thing that MIGHT want to be turned on by default is SSH. But there's really no reason that the user shouldn't have to do even this themselves.

    The problem is obviously the entry-level Unix/mid-level MS users who are starting to use Linux. They need their hands held. So put a $!@#$ memo in the installer that says to read "services.txt" or something to get your system services going. Or, perhaps RH should open a web browser with a "Configuring Services" FAQ when you login to X as root (most people do this, annoying enough).
    ---

    1. Re:Off by default by Colitis · · Score: 3

      e_n_d_o said:

      A box with this config, according to "netstat -l", has no externally open ports except echo. The only exception to this is when running X, port 6000 will be opened (personally I firewall this).

      I say:

      You don't need to firewall 6000, if you add "-nolisten tcp" to the end of the line that starts the X server. On the Mandrake system I'm currently using, with gdm as the login manager, it's in the servers section of /etc/X11/gdm/gdm.conf. If using xdm (or kdm) its probably the last line in /etc/X11/xdm/Xservers. On FreeBSD, using xdm, its in /usr/X11R6/lib/X11/xdm/Xservers.
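The audit e_n_d_o describes (a minimal service set whose "netstat -l" shows only echo) and Colitis's "-nolisten tcp" fix, as an added example that is not code from this thread, from Red Hat or from the Honeynet Project: a Python script that parses "netstat -ln" output, flags every externally reachable listener outside an allow-list, marks the services the thread names as the worm's entry points (wu-ftpd on 21, the portmapper on 111 that rpc.statd registers with, lpd on 515), and shows how an xdm/gdm Xservers line is made non-listening. The netstat sample and the Xservers line are constructed; the allow-list, the port-to-service mapping and the Xservers layout are assumptions for illustration.

```python
"""Audit a RH 6/7-era box against an 'off by default' listener policy.

Added example, not code from the thread.  The netstat output below is a
constructed sample; ALLOWED_* and RAMEN_TARGETS are an assumed policy.
"""
import re

# Assumed policy: 'echo' (port 7) is the only external listener the poster
# reports on a minimal box.  6000 is X and is handled separately.
ALLOWED_TCP = {7}
ALLOWED_UDP = {7}

# IANA ports of the services the thread names as Ramen's entry points.
# rpc.statd itself takes a dynamic port from the portmapper, so the
# portmapper on 111 is the indicator to watch for it.
RAMEN_TARGETS = {21: "wu-ftpd", 111: "portmap (rpc.statd)", 515: "lpd"}

# Constructed sample of `netstat -ln` from a default-ish install.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:515             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:7               0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:111             0.0.0.0:*
udp        0      0 0.0.0.0:7               0.0.0.0:*
"""

# proto, recv-q, send-q, local addr:port, foreign, optional state
LINE_RE = re.compile(
    r"^(tcp|udp)\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+(?:\s+(\S+))?\s*$")


def parse_listeners(text):
    """Return [(proto, bind_addr, port)] for every listening socket.

    TCP rows must be in LISTEN state; UDP rows have no state column and
    are listening by definition when `netstat -l` prints them.
    """
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # banner / header rows
        proto, addr, port, state = m.groups()
        if proto == "tcp" and state != "LISTEN":
            continue
        out.append((proto, addr, int(port)))
    return out


def external(addr):
    """True when the bind address is reachable from the network."""
    return not addr.startswith("127.")


def audit(text, allowed_tcp=ALLOWED_TCP, allowed_udp=ALLOWED_UDP):
    """Return [(proto, port, reason)] for external listeners outside the policy."""
    findings = []
    for proto, addr, port in parse_listeners(text):
        if not external(addr):
            continue
        allowed = allowed_tcp if proto == "tcp" else allowed_udp
        if port in allowed:
            continue
        if port in RAMEN_TARGETS:
            reason = "Ramen target: " + RAMEN_TARGETS[port]
        elif proto == "tcp" and port == 6000:
            reason = "X server listening on TCP; start X with -nolisten tcp"
        else:
            reason = "not in allow-list"
        findings.append((proto, port, reason))
    return findings


def harden_xservers_line(line):
    """Append `-nolisten tcp` to an Xservers line unless already present.

    Assumed layout of the line: ':0 local /usr/X11R6/bin/X'.  Idempotent,
    and a flag that only appears in a trailing comment does not count.
    """
    if "-nolisten tcp" in line.split("#", 1)[0]:
        return line
    return line.rstrip() + " -nolisten tcp"


if __name__ == "__main__":
    for proto, port, reason in audit(SAMPLE_NETSTAT):
        print(f"{proto}/{port}: {reason}")
    print(harden_xservers_line(":0 local /usr/X11R6/bin/X"))
```

On a live box, feed the text of "netstat -ln" to audit() instead of the sample. Local X clients talk over the Unix socket, so "-nolisten tcp" costs nothing and removes the listener outright rather than relying on a firewall rule in front of it.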

  14. Not in RH7 by Fjord · · Score: 3

    RedHat claims that the wu-ftp bug (RHSA-2000-039-02) only affects RH5.2 and RH6.2

    --
    -no broken link

  15. Sloppy Red Hat? by JCCyC · · Score: 3
    What scares me is that RH7 still ships with the vulnerable, unpatched version of wu-ftpd. Wasn't that hole fixed ages ago?

    Hopping through CERT and eventually into Red Hat I found this. Fixes only for RH5 and RH6 (RH7 didn't exist at the time). I can't get to RH's FTP to check the status for wu-ftpd in RH7 right now, but their list of security advisories for RH7 does not mention wu-ftpd.

  16. Sloppy sys admins by Rudeboy777 · · Score: 4

    It's pretty sloppy for RH to leave security fixes for these holes out of 7.0, but anyone running a server on a high-bandwidth line should probably know enough to get security updates frequently. Nobody deserves to get hacked, but you need to expect the worst as a sys admin. Leaving the default install on a server is absolutely amateurish.

    --

    From hell's heart I fstab at /dev/hdc

  17. Under the rug? by Speare · · Score: 5

    I expect this'll get modded down, but...

    It seems that the RedHat exploit is at least as big a story as the Honeypot project. While they're both 'cracker' related, one is an opt-in research project and one is an advisory news item.

    Don't they deserve separate top-level stories to clear it up? This isn't some downgraded Slashback or quickies thing. Both deserve their own thread.

    Or is it just negative news about a pet issue, getting swept into a little dark corner at the end of something else?

    --
    [ .sig file not found ]