Linux Worm Spreading, Many Systems Vulnerable
sverrehu writes "A GNU/Linux worm exploiting a bug in OpenSSL spreads through vulnerable Apache web servers, according to Symantec. The worm, which was first reported in Europe, targets several popular Linux distributions. See also the SecurityFocus vulnerability listing for the OpenSSL bug." sionide also writes: "Netcraft recently published a report which explains that a large portion of Apache systems are still unpatched (halfway down). To protect yourself please upgrade to OpenSSL 0.9.6g."
...non-Linux systems running Apache/OpenSSL?
I realize the binary may not run on FreeBSD/OSX/etc., but the vulnerability itself is not Linux-specific, right? Could the virus be ported?
Sorry, I'd RTFA but it's slashdotted.
This power costs money. The administrator would have to download the sources, apply the patch, and - most importantly - configure the build so that the proper things get built and other bits get left out. Getting a live server back takes more than just typing ./configure. IOW, you need a smarter and therefore more expensive administrator to actually enjoy this power.
That's what makes open source software overall more secure -- the turnaround time with patches is a lot faster.
I am very grateful for all the open source software I've ever used, but I must point out that this turnaround time usually doesn't include what a responsible commercial outfit would call QA.
To be technical, Apache is perfect, OpenSSL isn't
How many webserver administrators have the skills to look at the Apache source code (or in this case, the OpenSSL source code), find the bug, and fix it? If they had such skills they probably wouldn't be working as webserver administrators to begin with. The often touted ability to "go in and fix things" or even to simply "contribute" is highly overrated. Who found and fixed this bug? Was it some random user, or one of the original developers?
You might save yourself from *this* worm, but how long until someone 0wn3z you with some other 37331 worm that uses port 2003? or 2004? or 37331? or some other number? Hmmmmm?
While you could nuke GCC from your machine (ouch!) why not just patch the hole and get on with life?
--JoeProgram Intellivision!
The whole concept of 'root' is dangerous and a major security flaw. There should be ACL restrictions on any modern secure operating system. Security should be segmented. There's no reason for an antiquated 'god account' concept on a modern server.
Sadly, many people are still bogged down in the concepts of 70's era Time Sharing systems.
And why are you telling me this? Red Hat only has apache 1.3 in their distribution as an rpm. And an old one, .22 I think.
I do not care anything about rpms. If I want apache 2.0 with ssl, I download the source, and compile it in /usr/local/apache2 and /usr/local/ssl. Done. None of that bs of spreading configs and logs and binaries all over the system.
You are correct, but it's just a matter of time until MS's glacial turn around time, and outright refusal to fix certain bugs, combined with a "windows update" that often doesn't apply all the needed fixes, or installs patches that undo other patches.... I could go on...
Anyway, it's going to bite them, in a big way. Recently some "combination attacks" have formed, i.e. a series of non-critical security flaws that can be combined to gain total system access.
This is combined with their aggressive end-of-life program which EOLs software that is still in widespread use, completely dropping even critical security bugfix support for said software. As Windows 2000 nears EOL in a couple years, that is when we will really see the shit hit the fan. Hell, my girlfriend got a contract job to migrate systems from NT4 to 2000 last week. With no compelling reasons to upgrade, a lot of people are going to be running unpatchable systems in a couple years. Of course this is MS's whole strategy, to force people to upgrade their software just to get critical bugfixes.
I've had enough abrasive sigs. Kittens are cute and fuzzy.
I've found that most software, open and closed, has become so complicated that fixing problems has become a task better left to the writers. Sure you can fix it yourself, but open source stuff tends to get fixed pretty fast anyway.
I believe that the real advantage to open-source is that programmers (like me) can't get away with crap designs. When I design open source software, I know I can't get away with hard coded keys or fixed length buffers. Closed source tends to be safe from this kind of sloppiness and is unfortunately acceptable practice.
Of course, my open-source mindset has helped make my closed-source designs much more secure. I can't speak for anyone else.
Ozwald
That's a good philosophy if you know you'll never need to compile anything on them and the machines are purely dedicated to being webservers.
Ahem, did you READ what you're replying to?
Many Linux boxes though run more than just Apache and many people need gcc
Again, try READING the post, then attempt to understand what he's saying.
Here, I'll summarize for you:
PROPERLY CONFIGURED PRODUCTION MACHINES SHOULD NEVER HAVE COMPILERS ON THEM
YOU COMPILE STUFF ON NON-PRODUCTION MACHINES, AND INSTALL WITH A PACKAGE MANAGER
many people need gcc
Not on production boxes they don't.
If they've gained access to your box, what stops them from pulling down a GCC package for your architecture?
This is a good question; simply put, because it would be lots and lots of work, that can be undone very easily.
It's not a big deal for a hacker to root a box and do something like that, but it's a HUGE deal for a worm to do it - according to the bugtraq discussion, this current version of the worm frequently gets the attack wrong, because it misidentifies the Apache version and platform, and gets the injection vector wrong. Now imagine if it had to identify not just the Apache version, and the architecture, but the whole machine environment so that it can come up with a working build environment?
Imagine coming up with a way to identify every possible platform out there, and then obtaining or compiling a version of GCC for each one, and then storing it, so that the worm can automatically retrieve it. (GCC - with all of the includes, libraries, etc. is quite large.)
Then you have to make the worm available to download the correct version of GCC - which means that you either have to identify yourself (you put it on your own server), or you have to put it on a compromised server, and hope that the admin doesn't notice the gigabytes of tarballs now being served by his machine.
And regardless of which way you choose, you've just made it ridiculously simple to negate all the hard work you've just done: once the white hats find out where the data is coming from, they just notify that server's upstream connection, and your work is for naught.