Linux Worm Creating "Attack Network"
RomSteady writes "In what could be a case of the free pot calling the expensive kettle black, C|Net is reporting that a new Linux worm is "creating a rogue peer-to-peer network that has been used to attack other computers with a flood of data" and has already infected at least 3,500 servers. Seems it is true...the security of your web server depends on how effective you are at keeping up to date on patches, no matter if you are running Windows or Linux."
Seems it is true...the security of your web server depends on how effective you are at keeping up to date on patches, no matter if you are running Windows or Linux."
D'uh. Go on, mod me down if you must.
Slashdot? Oh, I just read it for the articles.
isn't this the same as http://apache.slashdot.org/apache/02/09/13/2315246.shtml?tid=172 ?
it could be a different worm but it doesn't seem likely
visioneers have been making analogies between networks and other systems for years, and lately, the internet has started to feel like an ecosystem, with predators, outbreaks, and the like.
I read about the SSL bug the other day and fixed it on the spot. (Good 'ol apt-get). Are there other ones that we should know about? Is there a way to check and see if a machine is still being impacted? I'd hate to be running anything malicious, that's why I have a linux box. I can fix things quickly, most of the time...
Unfortunately as more IIS admins move into the "cheap" linux arena, their bad habits will come with them (not that there aren't linux admins with bad security habits, too). We are going to see more and more of this as linux becomes the norm. My shop is looking at using embedded or firmware based linux (or single system images in the clusters) to combat any modifications. It will be interesting on monday to see how much our honeypot-tarpit has caught.
[RIAA] says its concern is artists. That's true, in just the sense that a cattle rancher is concerned about its cattle.
Anyone who thinks that solely because they run open source they are immune to attack is an idiot. Look at how wide open a default RedHat 6.2 install is.
This new attack is easily avoided by upgrading your OpenSSL version to 0.9.6e, and this should have been done by now. The hole has been known and example exploit available for a while now, as anyone who follows the bugtraq list would know.
Security is an ongoing process. You have to stay on top of it if you run machines that are not turned off and locked in a basement. There is just no way around the fact that there will always be bugs in software, and these days that commonly means security holes as well.
Remember Lexington Green!
Nice to see some Linux Zealots getting to eat the ol' humble pie. Code Red what? Nimda who?
so much for "but with linux you dont have to worry about WORMS and things"
too funny
Am I the only one who feels like we're living in the Stone Age?
Shouldn't all these Operating systems be self healing?
What the fuck is a visioneer? You've been hanging around near too many pointy haired bosses. The word you're looking for is VISIONARY.
Didn't we see something about vulnerabilities in Apache just the other day? Patch your servers. Anyway, at least the bug reports are out in the open and I can have my server patched in a matter of minutes. Yes, we are ALL vulnerable, but some software is easier to patch than others.
There's a fairly detailed run down on what the worm does in this bugtraq post.
This includes such highlights as email scanning and at least three different flood attacks...
Meep meep
Once again, this proves nothing. Yes linux has security flaws and potentially destructive virii. This does not mean that security is black and white and it's only the responsibility of the system admins.
:-)
If you were going to sea and had a choice of two boats... One with a number of small leaks and one or two large ones OR a boat with a huge amount of small leaks and quite a bit of very large ones... you would still pick the boat with the least amount of leaks... It's just common sense people!
Cheers
Could I get some answers to these questions?
Does Apache come with it or do you have to install it separately? Obviously I don't need a patch if I don't even have the module! Is there a quick, easy way to find out if OpenSSL is even installed on my system?
Is this related to the earlier Apache flaw or is it a separate issue?
<tin hat>
"...(c) Microsoft Corporation."
</tin hat>
Seems it is true...the security of your web server depends on how effective you are at keeping up to date on patches, no matter if you are running Windows or Linux.
I'd agree with that statement - the difference being that with the Windows patch you may need to restart your server (bad), and you may have to swallow a new EULA (could be VERY bad).
here as well. Nice side effect of the P2P component: Looks like it tends to DDOS itself by chatting to peers.
When will someone build a pr0n distribution system based on this worm?
So smart people, someone tell me how to check if my Linux system is being attacked (or even already taken over)? Sure slashdot posts direct links to the exploits themselves, but no links to information.
Of course it is, this is a no-brainer. However, I believe the real issue here is the availability of available fixes for these issues. With Linux, BSD, etc. these issues have been fixed in an acceptable amount of time. Can the same be said for Windows?
-- Jim
You can get a current list of the top C networks which are participating in attacks of various sorts from dshield.org. Depending on your application, it may be advantageous to just add a cron job which grabs this and feeds it to your firewall rules, hosts.deny or access control lists.
Says the RIAA: When you EQ, you're stealing bass!
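A worked version of the cron-fed blocklist idea above, as an added example that is not part of the original post: it parses a block list in the tab-separated layout I remember the DShield feed using (start, end, prefix length, attack count, name, country, contact), which is an assumption to verify against the live feed, drops any entry that overlaps an allowlist of your own networks, and emits iptables and hosts.deny entries. The feed text is a constructed sample and the allowlist uses hypothetical documentation ranges.

```python
import ipaddress

# Constructed sample in the (assumed) DShield block-list layout: tab separated
# start, end, prefix length, attack count, name, country, contact.  Made-up
# entries for the demonstration, not a real feed download.
SAMPLE_FEED = """\
#
#   Recommended Block List (constructed sample, not live data)
#
# Start\tEnd\tNetmask\tAttacks\tName\tCountry\temail
198.51.100.0\t198.51.100.255\t24\t1200\tEXAMPLE-NET\tXX\tabuse@example.net
203.0.113.0\t203.0.113.255\t24\t800\tEXAMPLE-NET-2\tXX\tabuse@example.org
192.0.2.0\t192.0.2.255\t24\t50\tOUR-OWN-NET\tXX\tnoc@example.com
"""

# Hypothetical: our own address space and management network.  A feed-driven
# blocklist with no allowlist is a self-inflicted denial of service waiting
# to happen; one bad feed entry and you lock yourself out with the attackers.
ALLOWLIST = [ipaddress.ip_network("192.0.2.0/24")]


def parse_feed(text):
    """Return ip_network objects from the feed, skipping comments and junk."""
    nets = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) < 3:
            continue
        try:
            net = ipaddress.ip_network(f"{fields[0]}/{int(fields[2])}", strict=False)
        except ValueError:
            continue  # malformed row: better to skip than to block garbage
        nets.append(net)
    return nets


def filter_allowlisted(nets, allowlist=ALLOWLIST):
    """Drop feed entries that overlap anything we must keep reachable."""
    return [n for n in nets if not any(n.overlaps(a) for a in allowlist)]


def iptables_rules(nets, chain="INPUT"):
    """One DROP rule per network, e.g. iptables -A INPUT -s 198.51.100.0/24 -j DROP."""
    return [f"iptables -A {chain} -s {n.with_prefixlen} -j DROP" for n in nets]


def hosts_deny_lines(nets):
    """tcp_wrappers entries in net/mask form, e.g. ALL: 203.0.113.0/255.255.255.0."""
    return [f"ALL: {n.network_address}/{n.netmask}" for n in nets]


def build_blocklist(feed_text=SAMPLE_FEED, chain="INPUT"):
    """Parse, filter, and render both output formats in one call."""
    nets = filter_allowlisted(parse_feed(feed_text))
    return iptables_rules(nets, chain), hosts_deny_lines(nets)


if __name__ == "__main__":
    rules, deny = build_blocklist()
    print("\n".join(rules))
    print("\n".join(deny))
```

From cron, point it at a dedicated chain (create it once with `iptables -N DSHIELD` and jump to it from INPUT) that the job flushes before refilling, so rules do not pile up on every run; and keep the allowlist, since a feed you did not author is not something to hand unfiltered to your packet filter.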
Today's software is too complex to be comprehended by the human mind in all its permutation of states. Add in network effects when this software runs alongside other software, and on multiple machines, and the following conversation will always be accurate:
Question: Does software package XYZ contain show-stopping security holes?
Answer: Yes.
Throw in clueless admins, and you've got a big barrel of fun. Open source can't help you here.
This doesn't mean that open-source software isn't better for other reasons, but I've always shied away from saying open-source is more secure because I don't believe any piece of software is truly secure these days. So what if IIS has ten root holes and Apache has one (hypothetically)? You're still insecure.
Anyway, why are they calling it a P2P attack network? Aren't ALL worms peer-to-peer??? I don't remember Code Red checking in to an "attack server" before connecting to other IP addresses.
Small difference in the numbers of infected servers no?
-- Many men would appreciate a woman's mind more if they could fondle it
A website known as Slashdot has created an army of Linux computers willing and able to launch a DDos attack at moments notice. Efforts to patch this worm have been as yet unsuccessful.
The security holes does seem to be less and be fixed faster when using open source/free software.
No matter what OS you are running, the level of security is directly related to the persistence and skill level of the Admin. This "worm" for Apache exploited a security hole that has been out for quite a while. If the Admins had done their jobs, this story would never have been published. The same can be said for the Nimda virus, Code Red, and the numerous others out there. The admins of the Windows boxes didn't patch them either.
Do you think that the reason most viruses affect MS products could be due to the fact that MS has the largest distribution of product, and that the tools to create a virus are easier for the script kiddies to use. Let's face it, a Linux or UNIX virus takes a degree of skill that is not present in most of the people producing these worms.
With all the MS bashing that takes place here and other places, it seems that the Linux Admins are just as lazy as the MS Admins. A virus is only as good as a Sys Admin is bad.
ws. thank you slashdot for finally figuring out
something the rest of us figured out in the 8th grade
Don't say "free pot" if you don't mean it!
: (
You can't take the sky from me...
First of all this is kind of a repeat but anyway...
NOTE: These instructions are for all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.
1. Update the virus definitions.
2. Run a full system scan, and delete all files that are detected as Linux.Slapper.Worm.
I wasn't aware there was a norton anti-virus program for linux. I could be wrong but I checked around their site and google and found nothing. That's really not great removal tips. However I very much agree with their little 8 step or whatever program. About making people aware of attachments, running extra services, etc.
can't sleep slashdot will eat me
The first big worm ever (the morris worm) was for *NIX.
There have been worms for both *NIX and Windows for quite a while now. That doesn't mean they're equally secure. You need to consider the frequency and severity of security holes.
OpenBSD has only had "One remote hole in the default install, in nearly 6 years!" But it has had one, does this make it as insecure as unpatched win98? Of course not. If you don't keep your software up to date, I don't feel sorry for you if you get hacked. The difference between MS and linux is that this worm exploits a bug that already been fixed for quite a while, whereas MS security is nowhere near what I would call proactive.
Life is too short to proofread.
Don't go to the Slashdot site, unless.....
Woops, too late.
I dunno, but it would be cool if a virus posted the news of it's progression on Slashdot as it infects hosts.
Gotta get coding! (joke!)
How can you tell if your box has been hit with this?
If yes, how do you clean it up?
The ultimate network admin tool needs HELP!
Porn coming soon.
Does anyone know something about those companies?
Keeping up on patches is one thing. A very important thing. More important however is correctly configuring everything. Microsoft has a handy program called baseline that is free and automatically checks out your windows system for mis-configurations that cause security holes. For example having guest accounts or mis-configured sharing on certain folders.
I know a lot of you people like to bash windows as being insecure or unstable. But I can't tell you how many times people have come to me and showed me problems with windows boxen that were simply misconfigurations. My win2k box (that I'm using right now) might be old and slow, but it's a rock. Configuration is key. Especially all the hidden options in deep down dialog boxes.
Nothing, not even the best linux, is secure out of the box.
The GeekNights podcast is going strong. Listen!
reading slashdot over the years, the zealotry is of course high (im on slashdot, of course it is, and i understand that).
they have always been ravenous to attack ms and exalt linux. well, its easy to cheer for the team when its doing well and everything is going pretty much to plan.
now you (the community) are faced with some of the problems that ms faces every day as the popular OS. will your solution be better than theirs, or will hundreds or thousands of the linux os go the way that windows does... to the screen of death?
ill tell you, your solution better be much better, but im going to guess that the people writing worms for linux might be a bit more into the scene than the windows virus writers are... and therefore a bit nastier.
will we hear the cheering stop and the work begin on a better solution? and no "people should know to patch" doesn't work. sadly, you are working with a population and real world corporate structures (not your personal single tower), so its just not feasible. hmm, we'll see what happens, but you might fail right about where ms does... at the part where the consumer must pick up the reins.
There's nothing Intelligent about Intelligent Design.
This is not a Linux problem. It is an Apache/OpenSSL problem. The flaw lies anywhere the OpenSSL/Apache models are used.
Exploit code was written for Linux. Is there a reason that it can't be written for OpenBSD, FreeBSD ... etc?
In fact, everything using the OpenSSL code model should be susceptible. If my memory serves me well, there should be an analogous exploit for Apache running under Windoze NT/2000.
In latest developments, it was found that a combination of bad programming and bad security was the cause for the latest "Free Black Pot Worm"
:-
:-
Mrs. Lanky Pot-Legs was quoted as saying
"Rumours of my security breach are grossly exaggerated"
The so called "every server including Linux" worm was created by Walter.P.Teenager-geek-from-hell-Wallis.
Upon arrest, recently, he was quoted as saying
"You all suck, you are dumb, I want my fluffy teddy"
After further questioning by a government organisation, he mysteriously died.
A slashdotting - you get the stick first and then the carrot !
This must be sweet, sweet sounds for MS; Linux is "vulnerable", too. Big news, NOT.
Anyhow, I hope there are no connections with the cheap labor Bulgarian virus-producers and MS... Ok, so I'm paranoid.
I am very disappointed in the RedHat security and package update process. I wonder how much of an obstacle this is for others. Do other distros do this better?
For many years, I have always patched my Linux boxes by building packages myself. While this works, it gets tedious when you have a lot of boxes and is not a good use of my time. It shouldn't be necessary for non-bleeding edge hardware.
So I've been trying to stick with RedHat rpm upgrades on my newer boxes. Major pain! (These boxes expose no services to the internet, so my past exposure has been minimal.)
For my RedHat 7.3 systems (2), I downloaded all of the updates and did the recommended 'rpm -Uvh'.
Unfortunately, it failed time and again with lame conflicts - mailman, PHP, gaim. This happened on both of my 7.3 boxes. Just the prep for each attempted install takes many minutes (rpm scaling sucks *big time*! HELLO?) and the slightest hiccup will cause it to abort. My 458 Mhz Celeron takes 5 minutes just to get through the 'Preparing' phase.
If you already installed the apache RPMs but include them in the 'rpm -Uvh *.rpm'? Sorry! Start over - rpm won't ignore the already installed package. What ever happened to versioning?
Once installed, because of the way Red Hat back-ports patches, nessus still complains about apparent vulnerabilities due to the versions. So I then second guess whether the vulnerabilities are truly fixed (all the backporting, etc) and whether I should just be compiling everything myself.
Compiling everything myself? Why am I running RedHat? Which distributions do this better?
Is there a way to have a directory full of updates, some installed, some not, and just do an 'rpm someupdateargs *.rpm' and have it f'ing work?
Thanks!
I might be a Linux advocate, but this is the real question... Does it affect Apache for Windows and other platforms? Perhaps the media is immediately associating Apache with Linux- something that it is not really even part of.
I would suspect that the worm would possibly affect the ports too. Does anyone have any info on that?
This is the second time in a matter of a week that this topic has made it into the /. headlines. Enough is enough already. The apache bug has been patched and was done so over 2 months ago. I upgraded my servers in less than 2 days after the bug was announced. Anyone else who has NOT upgraded his apache server by now is not in my opinion a "proficient" sysadmin. But then again look how long it takes the windows admins to apply fixes to running bugged out IIS installations.
So dont go blaming this on the apache/ModSSL programmers. It's just lazy incompetent sysadmins who are causing this problem to exist.
sparkeyjames
so it's allegedly talking on UDP port 2002 with the other nodes.
so you do, of course, have a firewall that blocks everything but the few ports you need.
you don't? what the fuck are you doing on the 'net?
careless driving is illegal. careless server administration should probably be, too.
Assorted stuff I do sometimes: Lemuria.org
thanks debian for always being easily updatable! :-)
It's pretty obvious,
The kinda people who create virii/worms/trojans whatever are always going for the widest possible target market.
They are simply exploiting a sudden massive growth in market-space by Linux !
There are currently many thousands of Linux boxen spread out globally available for potential newsworthy attacks.
And the worst of it is, Linux is easy to attack if it has weak security settings.
A slashdotting - you get the stick first and then the carrot !
According to various reports, updating to 0.9.6e or 0.9.6g will prevent the exploit. The exploit has been reported on Bugtraq Friday (9/13).
RedHat still hasn't released updated RPMs.
Have they stopped working on weekends ?
I'm beginning to wonder why I'm paying the RHN subscription.
--f
Free Pot!!!??
Sure bugs are in all software. It's obvious that just like any other OS, Linux can have security bugs. However, a skeptic of Open Source should take note as to how quickly the patch was made available.
The SecurityResponse article mentions that for SuSE distributions, the following are affected:
Apache 1.3.12, 1.3.17, 1.3.19, 1.3.20, 1.3.23
I just checked my version of Apache for SuSE 7.3, and it's 1.3.20-60.
I know that distributions tend to release their own versions of things with important patches included, but other than digging into the release notes for apache for a while till I can find the answer I need, is there any way to know whether the "-60" addresses this problem?
Or, as another option, might there be anything that accurately TESTS for this weakness and provides a result?
Keeping up with patches is good! Being able to accurately TEST the security of the compromised code after those patches are applied is better.
The worm exploits OpenSSL via http port 80. The exploit writes c source files to /tmp, I believe the program is named bugtraq.c. Then, the exploit compiles the program into a hidden binary /tmp/.bugtraq which is executed.
/tmp (if located on a separate partition) should be mounted noexec.
Once the program is running, it accepts commands on UDP port 2002.
Simple solution, so your bandwidth won't be exploited for a DDOS, block UDP port 2002.
The worm can be used for multiple purposes, including execution of arbitrary commands on your machine, various flood attacks, etc.
You need to patch your machine, before a more dangerous worm comes along. If you can't patch right away, at least block UDP port 2002.
Additionally, your
Skiers and Riders -- http://www.snowjournal.com
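An added check for the indicators the post above lists (my code, not from the original page or from any advisory): it looks under /tmp for the file names reported in this thread (bugtraq.c and .bugtraq here, .uubugtraq in a later comment) and parses /proc/net/udp, which lists bound UDP sockets as hex ip:port pairs, for a socket on port 2002 (0x07D2). The /proc/net/udp text in the block is a constructed sample, not a capture from an infected host.

```python
import os

# UDP port the post reports the worm's peer-to-peer component using.
WORM_UDP_PORT = 2002

# File names this thread reports in /tmp: the dropped C source, the hidden
# compiled binary, and the uuencoded payload mentioned in a later comment.
INDICATOR_NAMES = {"bugtraq.c", ".bugtraq", ".uubugtraq"}

# Constructed sample of /proc/net/udp (not a capture): DNS on port 53 plus a
# socket owned by uid 500 bound to 0x07D2 == 2002.
SAMPLE_PROC_NET_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 1234
   1: 00000000:07D2 00000000:0000 07 00000000:00000000 00:00000000 00000000   500        0 5678
"""


def udp_local_ports(proc_net_udp_text):
    """Return {port: uid} for every bound UDP socket in a /proc/net/udp dump.

    Data rows look like "   1: 00000000:07D2 00000000:0000 07 ... 500 ...":
    column 2 is <hex ip>:<hex port>, column 8 is the owning uid.  The header
    row has no colon in column 2 and is skipped by the same test.
    """
    ports = {}
    for line in proc_net_udp_text.splitlines():
        fields = line.split()
        if len(fields) < 8 or ":" not in fields[1]:
            continue
        _ip_hex, port_hex = fields[1].rsplit(":", 1)
        try:
            ports[int(port_hex, 16)] = int(fields[7])
        except ValueError:
            continue
    return ports


def indicators_in(names):
    """Which indicator names appear in an iterable of file names (sorted)."""
    return sorted(INDICATOR_NAMES.intersection(names))


def indicator_files(tmpdir="/tmp"):
    """Indicator names actually present in tmpdir; dotfiles are included by listdir."""
    try:
        return indicators_in(os.listdir(tmpdir))
    except OSError:
        return []


def assess(proc_net_udp_text, tmpdir="/tmp"):
    """Combine the socket check and the file check into one verdict."""
    ports = udp_local_ports(proc_net_udp_text)
    files = indicator_files(tmpdir)
    bound = WORM_UDP_PORT in ports
    return {
        "udp_2002_bound": bound,
        "udp_2002_uid": ports.get(WORM_UDP_PORT),
        "indicator_files": files,
        "suspicious": bound or bool(files),
    }


if __name__ == "__main__":
    try:
        with open("/proc/net/udp") as fh:
            table = fh.read()
    except OSError:
        table = SAMPLE_PROC_NET_UDP  # not on Linux: demonstrate on the sample
    print(assess(table))
```

Run it as root on the box itself, and treat a clean result as weak evidence only: anything that has rooted the machine can also hide files and sockets from it, so confirm from another host (a probe of UDP 2002, a look at the web server's access log) or by booting clean media. A socket on 2002 owned by the web server's uid rather than root is exactly what a compromise through Apache would look like.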
You have to admit there are more incompetent windows admins than for other systems. The Windows sphere has the whole MCSE juggernaut grinding healthy normal people into incompetent windows admins. Nothing comparable in the *nix world.
anyone have the actual apache access_log line signature for this exploit? The symantec advisory only shows the first line.
(n/t)
it's interesting to follow the development of viruses. First came the plain old viruses that used warez to spread (yes, they infected other apps too.. but warez was the major distribution channel) there were all kinds of viruses, those that played songs at certain times or made your screen do funny things, most of them harmless in many ways.
Then came the time of harmful viruses, the ones that formatted your HD on certain event.
Now then, it came the time of internet, and worms came. Worms spread through different holes in machines, mostly e-mail readers. (everyone had them.. most of them had holes.. tsk tsk..)
The worms themselves evolved in many ways, others became DDOS tools, others just spread. Most of them were a pain anyways, as they affected more than the people with buggy software.
Oh well, it's a challenge to write a worm/virus that can spread without anyone noticing it before it's too late. Believe me, we have thought it over and over.. tried to think of a method to spread, one without any way of backtracking the worm, allowing the worm to spread with different methods, through different holes and allowing the creator of the worm to update copies of the worm while it's spreading. Interesting thought to play around with.
What I want to know is if I need to worry about this worm if I'm running an Apache server on linux without SSL?
Thanks
And yes, keeping up with patches is good. You should try to practice it. Also, subscribe to BugTraq.
SIG: HUP
Let's face some facts, there are probably more "forgotten" Linux servers than Windows ones, simply because Linux can run unattended for months at a time and Windows cannot. Making the reasonable assumption that a sizable number of these neglected machines will not be fixed, suddenly Linux and OSS looks no better than the Windows machines that are still infected with Nimda or something similar because no one has been bothered to apply patches.
I await your wrath for being reasonable.
-
Inventor of the term 'pardon my French'.
Was overseas for several months, and no less than two weeks after I'd arrived at my home away from home, bugtraq had postings related to the wu-ftpd remote root vuln. Since I was on an insecure network (they were blocking port 22), I had to have a friend back home block the port on the router since he didn't know the root password on the ftp server.
;)
:P
However, pureftpd works great!
Seems to me that the really nasty vulns lie in wait while you get yourself into the worst situation possible for handling it.
Are servers running kernels with the grsecurity patch and stack execution disabled affected by this exploit?
How can you tell if your box has been hit with this?
You should never have to ask that question.
I've had enough abrasive sigs. Kittens are cute and fuzzy.
Of course! Open source maybe more secure than closed source, but nothing is 100% secure other than when the box is turned off and locked in a vault.
I found a little file in my /tmp called .uubugtraq. It probably came from this worm, since I was running the old OpenSSL. I've since upgraded. So just creating that one file might not be a very good solution.
This is either the funniest post I've seen in a while, or you're a moron.
Remove the gcc compiler on web servers as the worm depends on the presence and availability of a c compiler to do its deeds. Simple fix really. What was that about Linux worms are like Windows worms again?
Dawn of the Dead
my circa 1995 performa 6360 (ppc) running apache is perfectly safe... and i am perfectly happy at my choice of arch.
transmission_err
Look, why has no one mentioned one very simple technique that would render any version of Apache invulnerable to this attack?:
If you don't need SSL, then you should have commented out the
Listen 443
line in the config file.
Why this is on by default is beyond me. 443 should be disabled by default and any admin who *needs* it should have to turn it on.
If that were standard practice, then the 3500 infected machines would probably be more like 350.
You are full of shit. Distros roll patches and bugfixes back into the stable and tested version, and release a new -subversion. Try using a modern distro sometime. I can't believe you flamed that guy, out of your own ignorance.
/me puts the cluestick back in its holster.
openssl-0.9.6b-28 is the current red hat version, and it is fully fixed.
It even shows the old version if you run openssl version:
OpenSSL 0.9.6b [engine] 9 Jul 2001
It is, however completely patched, and came out in early August.
Modern distros value stability in current releases, and will not upgrade to the latest version just to get a bugfix. This is the value they add, you don't have to worry about a security patch breaking some critical functionality.
I've had enough abrasive sigs. Kittens are cute and fuzzy.
This is *not* personal...but..."you should never have to ask that question" nicely sums up the problem with Linux.
How can you tell if your box has been hit with this?
You will see a skull, with a pair of crossed bones below it, on your screen.
If yes, how do you clean it up?
You can't; unless you are the nemesis of all evil crackers.
- OpenSSL prior to 0.9.6e, up to and including pre-release 0.9.7-beta2
- OpenSSL pre-release 0.9.7-beta2 and prior with Kerberos enabled
- SSLeay library
From Eric Lubow: "The worm seems to pick its targets by server banners; for Apache, you can set the ServerTokens option to "ProductOnly" to keep it from reporting its operating system and version information." This should prevent the worm in its current form from recognising your apache server, even if you are running a vulnerable OpenSSL implementation, but the best solution is to upgrade your OpenSSL. Of course, most of us have done that already...
See CERT® Advisory CA-2002-27 Apache/mod_ssl Worm for full details, including how to recognise probes from an infected system.
-D
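To make the banner point concrete, here is an added example (mine, not code from the page, the advisory or the worm) that parses a Server header and applies the selection rule the post describes: the scanner only picks a host when the banner hands it product, version and operating system. Which version strings count as affected is taken from the SuSE list quoted earlier in the thread and is illustrative only; the three response heads are constructed.

```python
import re

# Apache versions listed as affected for SuSE earlier in this thread; used
# here only to illustrate a version-driven selection rule.
AFFECTED_APACHE = {"1.3.12", "1.3.17", "1.3.19", "1.3.20", "1.3.23"}

# Constructed response heads (not captures): the default "ServerTokens Full"
# banner, a "ServerTokens ProductOnly" banner, and a non-Apache server.
BANNER_FULL = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/1.3.20 (Unix) mod_ssl/2.8.4 OpenSSL/0.9.6b\r\n"
    "\r\n"
)
BANNER_PRODUCT_ONLY = "HTTP/1.1 200 OK\r\nServer: Apache\r\n\r\n"
BANNER_OTHER = "HTTP/1.1 200 OK\r\nServer: thttpd/2.20c\r\n\r\n"

_SERVER_HDR = re.compile(r"^Server:[ \t]*(.*?)[ \t]*\r?$", re.IGNORECASE | re.MULTILINE)
_OS_COMMENT = re.compile(r"\(([^)]*)\)")


def parse_server_banner(response_head):
    """Split a Server header into product, version, OS comment and module versions.

    "Apache/1.3.20 (Unix) mod_ssl/2.8.4 OpenSSL/0.9.6b" becomes product=Apache,
    version=1.3.20, os=Unix, modules={mod_ssl: 2.8.4, OpenSSL: 0.9.6b}.
    Returns None when there is no usable Server header.
    """
    m = _SERVER_HDR.search(response_head)
    if not m:
        return None
    banner = m.group(1)
    os_match = _OS_COMMENT.search(banner)  # the parenthesised OS comment may contain spaces
    os_hint = os_match.group(1).strip() if os_match else None
    if os_match:
        banner = banner[: os_match.start()] + banner[os_match.end():]
    tokens = banner.split()
    if not tokens:
        return None
    product, _, version = tokens[0].partition("/")
    modules = {}
    for tok in tokens[1:]:
        name, _, ver = tok.partition("/")
        if ver:
            modules[name] = ver
    return {"product": product, "version": version or None, "os": os_hint, "modules": modules}


def banner_selects_target(response_head):
    """Banner-driven selection as the thread describes it: the scanner needs
    product, version and OS to choose a payload, so a host whose banner
    withholds any of them is skipped, whether or not it is actually vulnerable."""
    info = parse_server_banner(response_head)
    if info is None or info["product"] != "Apache":
        return False
    return info["os"] is not None and info["version"] in AFFECTED_APACHE


if __name__ == "__main__":
    for name, head in [("Full", BANNER_FULL), ("ProductOnly", BANNER_PRODUCT_ONLY), ("other", BANNER_OTHER)]:
        print(name, parse_server_banner(head), "selected:", banner_selects_target(head))
```

Setting `ServerTokens ProductOnly` in httpd.conf (the default is `Full`) turns the first banner into the second, and the function stops selecting the host. That is the whole effect: the OpenSSL code is just as exploitable by anything that does not bother to read the banner, so the patch, not the banner, is the fix, and the banner change is only worth doing in addition to it.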
I know you're just trying to troll here.... But just for the record, my biggest concern/headache/worry with my own Apache server running on Linux is the Microsoft code I have to run on it.
I need the FrontPage server extensions on it, and MS did a notoriously poor job of development on those for Unix. A perfectly secure Apache server can be rendered "full of security holes" by using their add-in.
In fact, I've found at least two different independent projects to rewrite the mod_frontpage module to make it more secure. One such project's results seem to have problems of their own. (I saw bugtraq reports of it having a buffer overflow exploit in it - and it looks like its author never bothered to work on the project again since that time.) The other (newer) project on Sourceforge looks more promising - but I was unable to get it working properly on my particular RedHat 7.3 server.
I'm not a "zealot" proclaiming Linux is inherently "better" than anything Microsoft has done or will do. IMHO, Linux certainly doesn't have the workstation desktop solution of choice yet. On the other hand, Microsoft's track record speaks volumes about their ability to provide secure server products. They can't! When you hear about the latest worm or virus attacking Windows, you say "Oh boy, here we go again!" When it happens for Linux, it's big news. There's a reason for that....
This virus made several fatal errors in its execution--
1: It did not delete its source code file on execution.
2: It did not hide its binary very well.
If the worm did these things it would have been MUCH harder to detect and deal with. As it is my servers are secure (no SSL for now, and I have the latest version of OpenSSL for when I want to re-implement it), but I would have been worried to some extent if I could not have actually looked for bugtraq.c in the /tmp directory.
Many trojans I am aware of do these things, though.
LedgerSMB: Open source Accounting/ERP
Guess I'll have to migrate AGAIN, back to IIS!
pr0n - keeping monitor glass spotless since 1981.
...If I have "Include mod_ssl.conf" commented out of my httpd.conf?
Just wondering, since I have no interest in serving up any encrypted content on my webserver anyways.
If you could be told what you can see or read, then it follows that you could be told what to say or think - BoC
He got a score of 0, flamebait, but I swear if you replace windows with linux and linux with windows in his post, it would get +5 insightful. I guess that's just what I get for reading slashdot.
OMG LOL! LINUZ IS THE GHEY
This is *not* personal...but..."you should never have to ask that question" nicely sums up the problem with Linux.
What I mean is that you should have taken action months ago regarding this problem, not now. Really, I have no sympathy for anyone who was hit with this. How hard is it to type apt-get upgrade, or up2date -u? Maybe it will scare off some people from Linux that have no business running it in the first place.
I've had enough abrasive sigs. Kittens are cute and fuzzy.
i love free pot.. i dont know about you guys, but if i can get high and dont have to pay for it, i love it..
Right now, almost all (non-script language) viruses are for X86. Most root exploits are for X86, with a few more for SPARC.
I had two boxes get rooted last year thanks to bugs in SSH, but I doubt it will happen again after I replace them with Macs running OS X. But I am glad I never got around to installing OpenSSL with Apache.
--
"Open source is good." - Steve Jobs
"Open source is evil." - Microsoft
Why is it that Code Red and Nimda are viruses, but an Apache worm "create[s] a P2P attack network"?
And why is P2P even being used in this context? It's a worm, just like those before it. Are ignorant readers to infer that this is why P2P networks are bad (because they can be turned into "attack network[s]")?
moto411.com
Understand what you say about "should have taken action months ago"...that makes good sense. Thanks for the clarification. If one is going to run a web server, then one should be responsible for keeping it and the OS secure and up to date.
However, I think we want to encourage people to use Linux, right?
Why do topics like this always have to degenerate into a holier-than-thou diatribe by a self-righteous few?
Shouldn't that be holey-er than thou? After all we are talking about holes here, right?
LedgerSMB: Open source Accounting/ERP
...is obviously the secret phrase to get modded +5.
Then you probably already patched your system! Slashdot had the news of the Openssl fix back in July! So I don't understand why this is news on Slashdot!
...and it looks like the apache team might be staging a comeback. Why that IIS team is really scrambling on the sidelines. And to think, after all these IIS bugs, Apache may actually catch up. I don't think we've ever seen a comeback story like this. Why, in another couple decades, Apache will achieve the 5000 security hole mark.
YOu're right Brent, wow, that open source team sure is rallying now.
Pfffttttt..... It's still "IIS Bad - Apache good".
# apt-get -u update
# apt-get -u dist-upgrade
Debian (or one of the other distros using apt) end the chore of hunting for up to date rpm's and their dependencies.
I am assuming you didn't install a web server, NFS Server, etc. if you never thought you'd use them, right? Or if you did, you would turn them off, or at least use Red-Hat's built-in firewall rules to keep other people out.
;)
If you did any of these things, you are not directly vulnerable, and don't classify as lazy. But if you were running a production server and did not want to do a security patch because "there are no rpm's yet" then you would be lazy and I would berate you for it.
So my point is-- you can't compare apples and oranges here, and security is important to everyone, but there are different ways of handling this security as appropriate for environment. If you think security doesn't matter, you are not lazy so much as clueless, but if you think that there is only one path to security, you are missing the point too.
I did support for Windows for a while and I was amazed at how many compromised systems I found because home users thought "I don't need security." It is all fun and games until people start uploading illegal content (such as kiddie porn) onto your system or your account gets terminated with your ISP because someone used your system to attack another computer, etc.
I don't care who you are-- security is important.
LedgerSMB: Open source Accounting/ERP
EE-MAGINE a booboowolf CLAUSTER UF THAM
Let me elaborate a bit here:
You are running a computer that is connected to the Internet. For the sake of this argument it doesn't matter which system you favour. You are the admin of this machine.
Like it or not, you have responsibility towards ALL other network peers (i.e. the whole Internet) to make your system as secure as possible. Consider malicious software that can start DoS attacks on other remote boxes. Your insecure machine is now causing trouble to others as well as yourself (degrading connectivity).
Would you like this? Your answer could be: I don't care.
Imagine someone else has a similarly unpatched/insecure system and is directing DoS attacks on your IP. Do you care now? I guess you would.
The problem is that advertising and far too many teachers in "Internet for dummies" courses do not emphasize the fact that anyone with admin privileges on any computer (that is connected to the Internet) is effectively an administrator and has to act accordingly on issues like security. Point'n'Click installation doesn't make it any easier: You want to run a web server? Here you go.
How many install software without knowing about the security implications of the stuff they are going to run? I guess far too many. If you had to read about a certain program BEFORE you install it, the manual or How-To can give you an idea of the security implications you are probably going to run into, thus alerting the admin (on a home system that means you) and increasing awareness.
This could be a reason why Linux/Unix installations often seem to be more secure: You have to read a lot more before you can actually do something. This advantage, of course, is slowly going away with point and click installations on Linux systems as distro installation programs become more user-friendly and everything gets installed via a graphical system. This might be ok for an advanced user, but could be dangerous in the hands of a novice (i.e. most home users).
I guess you could compare it to driving a car, where you have to get a license in order to participate in public traffic, because you need to know about the rules and dangers beforehand. The impact your mistakes might have on others can be very serious.
I don't want to lecture you, but I think it is important to increase awareness of security ramifications on boxes that are connected to others.
I feel so sig.
Please mod parent up. (at least as high as its parent) There's no need for users of the major distributions to think that their updated systems are insecure.
It is this kind of useless and holier-than-thou answer that turns the average user off to the Linux crowd. So in fact, Linux needs to succeed *in spite of* this attitude.
did someone say something about free pot?
the irony of you pointing out that they usually say "I'm using a secure OS link to debian.org" is that if you've apt-get update/upgrade'd in the past month or so, you're fine. Debian seems to have been patched the day after/of the vulnerability announcement.
:)
Considering how many of the major distros have some sort of update tool, I'm really surprised this is as much of a problem as it is.
So, I'm glad I'm using a secure OS.
Another evil plan with a big red Self Destruct button: one of the supported remote instructions for the network is "run a command" (0x24). All you have to do is find an entry point and command it to killall -9 .bugtraq and the command will propagate through the network, killing itself. Doesn't keep it from regenerating on the original https vulnerability vector, but we could perhaps slow down the DDoS attacks.
What do you mean they cut the power? How can they cut the power, man? They're animals!
It seems to me that one weakness of open source is in "automatic" exploit detection tools. McAfee and Norton (and their more expensive sounding parent companies) aren't exactly shining lights, but neither was Microsoft. So far, Linux users have relied on the experience of its admins, the relative security and obscurity of the OS, and several very good, but less intuitive tools. Sure, Linux *is* more secure, and sure there are lots of tools (like snort) for experienced admins to run, but I think there's room for a thriving root-kit detector community and open database that the less technically sophisticated users who have recently begun flocking to Linux can use. A rootkit isn't any harder than a VBA macro to detect on a properly set up system. I know I'd pay for the distribution that has a workstation install that has been properly bastilled and tripwired to start with, and has pretty (or even ugly, but easy to use) GUIs for a range of tools for firewalling, port monitoring, and exploit checking. Gnome-lokkit, nmap, snort, and tripwire almost meet this need. If there were an integrated GUI with a biff-style icon (a la zonealarm) that kept me security aware. The exception is the bug database, and I think the community has already shown its ability to distribute knowledge that has been traditionally thought too expensive to maintain without proprietary lock in and expensive subscriptions.
But, in the long run, you really need to upgrade OpenSSL.
Anyway:
su -
cd /tmp
ls -a .bugtraq*
If there is anything in your /tmp directory named .bugtraq.c and you didn't put it there, it's too late, you're rooted. Time to unplug the network cable...
If you haven't been compromised yet:
touch /tmp/.bugtraq.c
chmod 000 /tmp/.bugtraq.c
chown root.root /tmp/.bugtraq.c
then...
which gcc
and, chmod 700 that file.
This means that normal users will not be able to compile C code. If this is unacceptable, you can undo it after you get OpenSSL up to date.
We should start referring to processes which run in the background by their correct technical name... paenguins.
When Slashdot sees a Windows worm, it seems to be Bill Gates' fault.
When Slashdot sees a Linux worm, it seems to be the sysadmin's fault.
Anyone else see a horribly forgiving bias here?
That is fucking stupid
What if I have to check other people's boxen? What if I was out of town for 3 mo and had no computer access?
God damn, nice attitude
The ultimate network admin tool needs HELP!
I sent that reply to the wrong thread
and I run up2date regularly but as I see I am still on 0.9.6b-28, even though up2date says I have nothing to update
The ultimate network admin tool needs HELP!
Anyone else find it somewhat ironic that the url for this article about a linux worm is msn-cnet.com? Dont get me wrong, I love linux more than windows....I just found that kinda funny...heh
In college, really poor, need a flatscreen.
This has hit 3,500 computers! That's nothing, Nimda probably hit that many within a 20 mile radius of me.
This worm might not do much damage. Nimda and Code Red shut down entire networks, this one only hit webservers. Its like comparing a firecracker to an atomic bomb. Yes it is significant because its a Linux worm, but consider how much damage its really done, probably not very much. This may be just a warning sign, but it also might be as big as they come for Linux, which is great news.
Additionally, your /tmp (if located on a separate partition) should be mounted noexec
that's not a good idea
___
If you think big enough, you'll never have to do it.
LOL, well said. I did the same thing last week to my alpha :) The question is now, do the Linux zealots who spent so much time laughing at IIS admins actually keep up on THEIR patches. One of the places the Linux world seemed so far advanced was virus protection. If that goes away what will be the incentive to get off the M$'s of the world ?
errr....umm...*whooosh* *whoosh* Is this thing on ?
However, I think we want to encourage people to use Linux, right?
Not at any cost. If it means that people are going to be running servers with no idea how to keep them up, then I am against it. There is no substitute for knowing at least the basics about using a computer if you are going to put it on the Internet. We don't dump people behind the wheel of a car with no training, so why should computers, which are much more complex devices, be different?
I've had enough abrasive sigs. Kittens are cute and fuzzy.
That answers my question
I run up2date regularly but it was not showing up as an update to run and I saw I was still in 6b and was a bit worried
but it seems its all good
thanks
When you take into account the minuscule market share of linux it's nearly the same.
Only the State obtains its revenue by coercion. - Murray Rothbard
Look for /tmp/.bugtraq
When the major trade press gets ad dollars to compare to MS ad dollars, then expect to see more even-handed reporting.
Face it. Servers don't run themselves. Linux does a better job than MS of not annoying the shit out of the admin. That's why in this case it's going to be a bigger pain in the ass. Any bets on how many more "I lost my root password, how do I get it back" posts on the Linux lists?
My favorite question from a customer:"How to I get to root from the # sign?"
Answer:"Fastest way is to tell me what you need to do."
Necessity is the plea for every infringement of human freedom. It is the argument of tyrants; it is the creed of slaves.
How come when there is a worm or virus on Windows it is because Microsoft is grossly negligent and has no understanding of security, yet when there is a linux worm it is because of no fault of the developers but instead the fault of the 'lazy' sys admins whose machines became infected. This is flamebait, but it would be nice to have some standards on slashdot.
A rabbit in the hand is worth 4 in the cage
People should cut the crap about "well, all operating systems are just as vulnerable if you don't patch regularly.." This is not a Linux issue, nor even an Apache issue. It's a flaw in OpenSSL which, using Apache and Linux as a vehicle, exploits systems with poor basic security. If this worm actually causes any significant impact on your machines / network, you haven't done a good job configuring them to begin with. Let's start with the "duh" issues:
- The firewall should not generically allow outbound connections originating from the web server.
- The user/group that Apache runs as should not have sufficient permissions to access stuff like the compiler, unneeded utilities, shells, etc. that make a worm even possible.
The reason why viruses/worms are not common in *nix is that these environments are very controlled and hostile compared to say.. IIS exploits that tend to root the whole machine, whereby anything goes. So even if there's a major flaw in Apache or related software, it shouldn't get beyond the attacked machine. This also makes it much easier to find the attacking party since there's a one to one relationship.
Linux doesn't have a minuscule market share in the server market.
Because an insecure computer on the internet isn't going to kill anyone? The only reason the internet has grown the way it has is because there is no intelligence test required to 'get on'. If you try to make it an exclusive playground for the computer-savvy, you'll start losing those things that don't appeal to the computer-savvy, like the banner ads that support (eg) slashdot.
Let me know when they start requiring an intelligence test to operate a cell phone.
Apart from the advantage of being a minority OS, OS X also enjoys automated updates for security. The latest patches are just a matter of saying yes when the reminder comes up, and letting the installer run. Seems like this is something that could be emulated by other OS vendors, and the free software community could also set something like this up for Linux, couldn't it? Might be a good money making service for some enterprising soul to offer to one and all.
ThosEM
People should cut the crap about "well, all operating systems are just as vulnerable if you don't patch regularly.." This is not a Linux issue, nor even an Apache issue. It's a flaw in OpenSSL which, using Apache and Linux as a vehicle, exploits systems with poor basic security. If this worm actually causes any significant impact on your machines / network, you haven't done a good job configuring them to begin with. Let's start with the "duh" issues:
- The firewall should not generically allow outbound connections originating from the web server.
- The user/group that Apache runs as should not have sufficient permissions to access stuff like the compiler, unneeded utilities, shells, etc. that make a worm even possible.
My recent work with Linux has been with source code built systems due to my disdain with the way distributions are made (differing standards [an oxymoron?], custom branded tools). Out of according habit, I typically roll-up versions rather than patching them unless the newer version will break something. As a result of that, I didn't take into consideration the patching of an older version when a newer one was in use.
SIG: HUP
Why is there this big lie that Linux users go around saying "Ooooh, Linux is the best thing ever, you absolutely should run it, and if you don't you are really sad.", and Windows users go around saying, "Ooooh, you GNU people are smelly and have no girlfriends, so you must be really sad.".
I run Linux - in fact, I earn a living by writing PHP and MySQL based applications on Linux, and doing *nix consultancy. I rarely even see a Windows machine, and use Linux on my desktop for just about everything.
BUT, I don't whine on at everybody how good Linux is unless they ask. In fact, most people I know, who are not people for whom I am working, don't know I run Linux, unless they check out my E-Mail headers, and look at which E-Mail application I am using.
If I am asked to help out with a Windows problem, I just politely tell people that I am the wrong person to ask. I don't use Windows, so don't ask me how to fix a problem with it, because I don't know.
If I am asked to recommend an operating system, I generally tell people to try and find an open source, GNU/Linux alternative to their proprietary applications. If they cannot, then I tell them to go out and buy a licensed copy of Windows, but if they do that, I will not be able to help them any further.
I don't go around telling people that they should run Linux instead of Windows. In fact, I have heard a lot of defending of Windows, by Windows users, when they know I use Linux. Why, I do not know, because I am not in the least bit interested. I use Linux, because I want to.
So, anybody who says, "You should run Linux", or "You should run Windows", is posting flamebait.
If you run Linux, just be content with the knowledge that you are running a superior operating system. If you are a Windows user, and don't like that comment, then either:
* Mod my post down
* Reply, with sensible comments
* Ignore this post
Anything else is a waste of bandwidth.
A lot of distros backport the patches to the version that shipped with the distro. This usually means there is less likelihood of a change breaking something else on the system. If up2date says there aren't any updates, it's probably ok.
my .02
-=Mongr=-
By the way, who says this attack won't affect Apache on Windows, Sun, True Unix, etc?
"You looked at your network settings, you should reboot your computer now."
Friends don't help friends install M$ junk.
You should ALREADY be blocking ALL unknown incoming ports. ESPECIALLY UDP.
Microsoft Baseline Security Analyzer
!#@%*)anks for hanging up the phone, dear.
*pffft*!!! HA ha ha ha ha ha!!!
Funniest thing I've read all day!
I say Windows is a POS because you can't run it unattended.
You say: I await your wrath for being reasonable.
I'm still waiting for you to be reasonable. Until then, I'll just have to be helpful.
If you define suck for me, I'll be able to tell you which OS sucks more. If suck is defined as requiring constant maintenance, periodic expensive "upgrades", monthly email viruses, worms and other dirty critters due to less than best security practices, hiding and denying exploit information, months between exploits and "patches", well Windows is the winner. All that sucks jagged rocks.
Friends don't help friends install M$ junk.
why on earth do all distribs get all the modules installed and enabled by default? most people do not need SSL, and those who need it should be able to change the httpd.conf to load the module accordingly?
i think it is questionable to have apache running by default. users who want a server should know enough to turn it on by hand. but turning SSL on by default is just plain wrong.
i would not blame the openSSL team either. there is a reason why they do not ship as 1.0...
L
I hope for nothing, I fear nothing, I am free. http://euclidian.org
Not just servers .... Its just like leaving a loaded gun lying around ... after a while something bad is bound to happen.
Of course linux has bugs. But still, how many exploits have you encountered on windows and how many on linux? It's like comparing whether you have or you don't have an alarm in your home. Are you more secure with an alarm? Sure. But are you protected from being robbed? No.
If the server only listens using ssl on port 443, is it also vulnerable? The worm description only describes port 80.
And what if everything on the https://server/ is password-protected using http basic authentication, is that vulnerable?
Someone posted a message up somewhere that their NetBSD VAX system has been serving pages from a DMZ outside their firewall for years... he keeps seeing various hacks tried on it, but everyone *expects* that it's apache on linux on an x86 machine. Just goes to show that while "security through obscurity" doesn't *always* work, running on old hardware just *might* have certain advantages. :-)
It even shows the old version if you run openssl version: OpenSSL 0.9.6b [engine] 9 Jul 2001
Oh now that's poor. Asking for the version doesn't give you the correct version? Poor. Version commands should be dependent on source control tags, not programmers having to remember to edit that particular bit of source.
Cheers,
Ian
...sales of Red Hat's up2date service agreements have doubled.
May we never see th
It is the correct version. It's OpenSSL 0.9.6b, with security patches. Maybe RedHat should have updated the date string, but the version number is right.
The ocean parts and the meteors come down
Laid out in amber, baby.
*Ziip!*
(Clicks DVD player to a certain looped scene):
Old Guy: "Ass to Ass! Ass to Ass!!"
(Crowd): *HUMP!* *HUMP!* *HUMP!* *HUMP!* *HUMP!* *HUMP!*--"
(Me) *FAP* *FAP* *FAP* *FAP* *FAP* *FAP* *FAP* *FAP* *FAP* *FAP* *FAP* *FAP* *FAP* *SPL000000000000000000RRRRRRT!!*
*Click!* *Ziip!*
Now, where were we?
If you don't care about other people, maybe you would care about the legal implications of your machine performing a DOS attack against someone else?
Life is too short to proofread.
Well, so I'm wrong. Please don't attribute the FUD to me as I am just going off of what I understood from before. I do recall that my apache logs were filled with worm requests for 2 weeks before my traffic started dropping. Besides, this is just one more case as to why I'm ditching the computer industry as of last month. I've got to be financially independent and working for a company that's paying me as little as they can that may go under next month anyway isn't for me. Besides, I have more to worry about than having my apache hacked. People are trying to take my guns away. People are trying to take my right of religion away. Last of all, people are trying to hinder my right to life, liberty, and the pursuit of happiness. One of the biggest reasons I support free software is because it doesn't seem to accelerate the present social decline as much as other development models. Greed, not capitalism is what is causing us to have so much trouble. Both in poorly written software and in our corrupted political systems.
Yeah, that would be insane- but the question to ask is, do they have the lobbying and PR muscle to pull it off? Microsoft's style of winning is not wholly restricted to utter Forrest Gump truthfulness. I see this as a sort of Xmas present for them, and I see them trying to figure out just this: whether they can launch a lobbying effort to attack Linux based on this situation.
Sort of a "Linux Worm Creates Attack Network! You must legislate against the danger of this- did you know Linux installations often have compilers and linkers installed right alongside *spit* Netscape? An evil hacker's toybox it is! Why, on these Linux PCs, a worm could compile ANYTHING AT ALL it wanted to, with the support of the operating system! At least make sure there aren't any of these insecure Unix devices in the armed forces. Do you care about America or are you a Linux supporting terrorist?"
OK, I ran with that a bit- but what do you think these armies of MS lobbyists actually SAY? "Buy our stuff, it's okay and not too expensive really?"
...boyeeeeeeeeeeeeeee!
I love it!
To sue this 'rogue P2P system' out of existance! Problem solved. I'm emailing Hillary Rosen as we speak....
it uses port 80 to detect apache and 443 to do the real infection. If port 443 is closed off, no problem
Gotta work on Sundays and Holidays or the thing goes down on a workday, pissing off the salesmen!
There are no new lessons here. This is not the first worm for Linux. It is not the first DDoS architecture for Linux. Nor does CNET's estimation of 3,500 infected machines match its Code Red estimations that have floated from "...more than 15,000..." to "...more than 350,000...".
It would seem anybody who is finding something insightful in this story is either a Linux or Windows zealot, brand new to the argument, or a very poor student of recent history. Granted - "recent" is somewhat subjective. So let's take a brief look at past DDoS applications and Linux worms.
Distributed Denial of Service (DDoS) architectures began hitting the Industry consciousness late 1999. At that time it was trin00 and TFN. Shortly afterward, new versions showed up in the wild including TFN2K and Stacheldraht. All can be run on Linux. Although they are not, themselves, worms.
Linux worms are not new... nor are they ancient history. There are some excellent examples from a little over a year ago. One of the first worms from 2001 was the Ramen Worm and was reported by CNET January 17, 2001. Of course, CNET's article didn't have impressive numbers to report but it did liken it to the infamous 1988 Morris Worm. The Ramen Worm was followed by a less-famous variation called Adore and it also garnered CNET coverage April 4, 2001. But it wasn't too interesting a worm. It had been overshadowed by a worm reported the previous month dubbed Lion. The Lion worm also got its own CNET coverage.
In each case, the worm in question used well-known security flaws with existing patches.
If one wants to point out that any OS is vulnerable if it is not properly maintained, then this latest worm is simply one of a series of worms that have proved this point. And worms have made object lessons of Linux, Windows, and other popular OS variants such as Solaris (sadmind/IIS being my favorite as it propagates on Solaris machines and then attacks and defaces IIS web sites).
now correct me if I'm wrong but most of the remote exploits and vulnerabilities that we see in un*x boxes nowadays are based on buffer overflows more or less. This practically means that somewhere inside the program there is a difference between the sizes of certain memory areas that have been pre-allocated, or that the programmer made certain assumptions during writing that can be exploited to make the program behave in a way that the latter has never intended. Now if someone used a language like say, Ada, that restricts many of these *unsafe* assumptions, wouldn't that make the programs a lot less vulnerable. I have tried ada in the past and I can tell you that all these unsafe tricks that everyone does to get out of "tricky" situations simply aren't allowed. This would probably have serious implications in speed and probably in development time but the whole essence of the open source movement is that you make it just for fun mainly. No timetables or silly demands from the boss right? :-) mod this down if you must, I am just curious about what the other /.ers think about moving to "safer" languages.
This is not an Ada troll
Perhaps you are a regurgioneer. Put it on your business cards.
My Linux system filters incoming traffic on most ports (including 80 and 443). Looking through the log files, I noticed an increase in the number of requests on port 80 over the past few days.
I am not saying that this is necessarily coming from the apache worm, it could also be a spam spider or something else.
But what is more interesting is that I just (10 min ago) had the first requests on port 443.
Could this be the evolution of the first version ?
Here is a user-friendly description of what should be done to prevent the worm getting to your site and how to minimize the impact on a huge network.
Trouble is, if you take a bit too long to spurt your load, you end up seeing some old bird getting electrocuted.
Did someone say free pot? *toke*
Assuming that, say, 5% of Linux boxes are configured to have an HTTPS web server enabled and are also running the exploitable SSL (how many linux or unix/apache webservers do you know are setup to do https using OpenSSL?? - most https apache setups use Stronghold which costs extra and which one purchases because of bundled security services). Now, given that these same boxes are set up to be secure and to encrypt web communications what idiot would *also* install a *compiler* on such a system? Assume 50% of admins are that stupid (remember, everyone argues that Unix/Linux requires massive skill just to set up correctly so 50% stupidity rate may be high).
Just as an aside I personally have access to 8 machines. None of them are set up to have SSL enabled. None of the machines in production in publicly accessible server roles have a COMPILER installed. A quick survey of friends (all told about 50 production boxes in total) reveals that *none* (out of 50) have SSL enabled in Apache. For personal machines most use web servers as "Intranet" systems for LAN's or as a convenient "file server" substitute on workstations/laptops.
If all the above conditions do exist on a small subset of linux machines, then 3500 = just what % of all linux machines I wonder? (Someone should sample and project and use C|Net figures to establish how many Linux systems there are out there). It sounds like about
BTW if you are worried you might be affected here's how to fix it on Red Hat - Mandrake and SuSE will be similar
[10/Sep/2002:11:06:42 -0400] "GET
(damn idjits)
computer> telnet A.B.C.D 80
Trying A.B.C.D...
Connected to A.B.C.D.
Escape character is '^]'.
HEAD / HTTP/1.0
<html><head><meta http-equiv="Content-Type" content="text/html; charset=english"><title>HELLO!</title></head><bady><hr size=5><font color="red"><p align="center">Welcome to http://www.worm.com !<br><br>Hacked By Chinese!</font></hr></bady></html>
Connection closed by foreign host.
If the issue were as simple as counting vulnerabilities and counting exploits and comparing numbers... then it might be easy to say "yes". Or "no". Whatever the numbers end up being. And, in fact, that seems to be the entire argument some like to make when comparing the "security" of two different platforms. But the issue is not that simple. It is not about numbers.
This is not the first time Linux vulnerabilities and worms have been the subject on Slashdot, as well as featured stories in the press. While it is a humbling reminder that no OS is invulnerable, it is also often used as a kind of red herring to deflect criticisms of Microsoft and its own offerings.
Microsoft does not have a very positive history when it comes to security of their products. Although it would be wrong to ignore that they have made steps to improve - faster releases of patches and security tools have helped improve a dismal reputation. However, Microsoft still continues to ignore some vulnerabilities, attempt to cover up issues, and otherwise imply that it is those who discover and publish flaws that are to blame for vulnerability - not their own products. But (bad) attitude is not everything. It is the Microsoft product itself that is at the heart of the issue.
Sure - one can administer a fairly secure Windows environment. But it is no easy task.
Patches (or service packs) have had a history of being dangerous - which leads to a standard policy of waiting before deploying what could be critical security fixes. Furthermore, it is now an apparent policy of Microsoft to change the legal framework of their license through the use of security patches / service packs. Installing a patch is not a simple matter for the smart Windows admin.
Deciding to install a service pack is only the first step. Once the admin has accomplished this, they must then audit their configuration to ensure that the service pack has not replaced insecure services or configurations that the admin has removed with security in mind. Service packs tend to do this - especially if the admin has gone through the process of hardening their Windows server.
Hardening is not a simple process either. Unix/Linux systems are very modular and allow for the removal of almost any component. Not so with Windows. Removal of unused components tends to not be supported by Microsoft and often involves following a checklist created by someone else who has already discovered what can or can not be safely removed (the dependencies of various components are not always logical). Once again, this entire process must be repeated after installation of any new system components or service packs.
While Linux does share the dubious honor with Windows of having both vulnerabilities and worms designed to take advantage of those vulnerabilities... it does not share all the same issues. And that keeps the line between the two fairly distinct.
Even if this worm does bust your webserver then compiles itself and starts listening on udp port 2002, a default deny policy for incoming and outgoing traffic would curb connections to this obscure port. Patching your server should be the first thing you do but if you don't get to it in time your server won't be DOSing other servers.
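The hardening points raised in this thread (noexec /tmp, keeping the compiler away from the Apache user, default-deny filtering so the worm's UDP 2002 peer traffic goes nowhere, and watching /tmp for .bugtraq files) can be audited offline with a short POSIX sh script. This is an added example, not code from the thread or from any distribution; its function names are hypothetical and its inputs are constructed samples standing in for /proc/mounts, stat, id, iptables-save and ls output.

```shell
#!/bin/sh
# Added example, not code from this thread or from any distribution: an offline
# audit of the hardening points raised above (noexec /tmp, a compiler the Apache
# user cannot run, a default-deny firewall with no hole for the worm's UDP 2002
# peer port, no /tmp/.bugtraq* droppings). Function names are hypothetical and
# every input below is a constructed sample, so it runs without root; each
# comment names the live command whose output the check expects.

# Execute bit set in one octal permission digit?
has_exec_bit() {
    case $1 in 1|3|5|7) return 0 ;; *) return 1 ;; esac
}

# Is /tmp mounted noexec? Reads /proc/mounts-style lines on stdin
# (live: tmp_is_noexec < /proc/mounts). Prints PASS or FAIL.
tmp_is_noexec() {
    awk '$2 == "/tmp" { seen = 1; if (("," $4 ",") ~ /,noexec,/) ok = 1 }
         END { print ((seen && ok) ? "PASS" : "FAIL") }'
}

# Can the Apache user execute the compiler? Arguments: three-digit octal mode
# of gcc (stat -c %a, setuid digit dropped), its owner, its group, the Apache
# user, and that user's groups as one space-separated string (id -Gn apache).
# Prints REACHABLE or BLOCKED; the chmod 700 suggested above gives BLOCKED.
compiler_usable_by() {
    mode=$1 owner=$2 group=$3 user=$4 groups=$5
    u=${mode%??}                 # owner digit
    g=${mode#?}; g=${g%?}        # group digit
    o=${mode#??}                 # other digit
    if [ "$user" = "$owner" ] && has_exec_bit "$u"; then echo REACHABLE; return; fi
    for grp in $groups; do
        if [ "$grp" = "$group" ] && has_exec_bit "$g"; then echo REACHABLE; return; fi
    done
    if has_exec_bit "$o"; then echo REACHABLE; else echo BLOCKED; fi
}

# Default-deny on both INPUT and OUTPUT, and no ACCEPT for UDP 2002? Reads
# iptables-save output on stdin (live: iptables-save | firewall_default_deny).
firewall_default_deny() {
    awk '/^:INPUT +DROP/  { in_drop = 1 }
         /^:OUTPUT +DROP/ { out_drop = 1 }
         /-p udp/ && /--dport 2002/ && /-j ACCEPT/ { hole = 1 }
         END { print ((in_drop && out_drop && !hole) ? "PASS" : "FAIL") }'
}

# How many .bugtraq* names are in a directory listing? Reads ls -a output on
# stdin (live: ls -a /tmp | count_bugtraq_files). Prints the count.
count_bugtraq_files() {
    awk '/^\.bugtraq/ { n++ } END { print n + 0 }'
}

# ---- constructed samples standing in for the live commands ----
SAMPLE_MOUNTS='/dev/hda1 / ext3 rw 0 0
/dev/hda5 /tmp ext3 rw,noexec,nosuid 0 0'

SAMPLE_RULES=':INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED -j ACCEPT
COMMIT'

SAMPLE_TMP='.
..
.X11-unix
.bugtraq
.bugtraq.c'

echo "/tmp noexec:             $(printf '%s\n' "$SAMPLE_MOUNTS" | tmp_is_noexec)"
echo "gcc 755, apache user:    $(compiler_usable_by 755 root root apache apache)"
echo "gcc 700, apache user:    $(compiler_usable_by 700 root root apache apache)"
echo "firewall default deny:   $(printf '%s\n' "$SAMPLE_RULES" | firewall_default_deny)"
echo ".bugtraq* files in /tmp: $(printf '%s\n' "$SAMPLE_TMP" | count_bugtraq_files)"
```

On a live box, replace each sample with the command named in that check's comment; a non-zero .bugtraq count or a REACHABLE compiler is the cue to unplug and patch, as the thread says.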
The difference between most free products and most microsoft products is, that when a problem arises with a free product (ie. Apache / OpenSSL), the vendors of these products rarely say "Oh, that's only exploitable in these situations..." rate it a minimal threat and then don't patch it until someone releases a worm. Also, things like apache have huge problems once every few years or so. Take a look at security focus and check the IIS exploits, there are bad ones every year or so. And at least running UNIX I don't have to worry about some user exploiting a Win32 hole when I log on briefly as root to admin things. Yes, you have to patch your systems, thinking any operating system is invulnerable to attack is ludicrous. What counts is, the total number of hours that your system is exposed to vulnerability. Maintaining a secure system isn't rocket science (designing secure systems may be). You just have to follow a few simple rules. Subscribe to applicable vuln lists, disable or uninstall programs that are not used, and patch religiously. Generally these few steps will solve most of your problems. Unless you're a security nut, a directed attack will probably get thru anyways, but how many of us are facing directed attacks? Most of the shit i pick off my firewall is just standard port scanning for signs of stupidity.
So, is there a free, easy to use software package that will lock up my computer's ports and services for me? I have a cheap box that's serving music, but have pretty much stuck with the stock redhat 8.2 install.
A better analogy would be that a whole crowd of kids come, mixed in with the normal wanting icecream kids so you can't tell the difference, only when these kids get up to the counter they move very slowly, argue, take napkins one at a time, change their request of which flavor, so that soon you are serving 1 kid every two minutes instead of 1 kid every ten seconds.
Mandrake Linux 8.2 (the latest).
After running 'urpmi.update -a' I ran 'urpmi --auto-select' and got:
To satisfy dependencies, the following packages are going to be installed (44 MB):
kdelibs-2.2.2-48.1mdk.i586 telnet-client-krb5-1.2.2-17.1mdk.i586 arts-2.2.2-48.1mdk.i586 krb5-libs-1.2.2-17.1mdk.i586 kdelibs-sound-2.2.2-48.1mdk.i586 kdelibs-devel-2.2.2-48.1mdk.i586 libarts2-2.2.2-48.1mdk.i586 ftp-client-krb5-1.2.2-17.1mdk.i586
Is it OK? (Y/n) y
After installing the "latest" patches (I did an update just last week too), openssl is still the old, vulnerable version:
-[jeff@turing]---
-(0:~)-: /usr/bin/openssl version
OpenSSL 0.9.6c 21 dec 2001
I thought the whole 'urpmi.update -a' and 'urpmi --auto-select' things were supposed to always keep you patched and safe?
For a while now, IIS has been the h4X0r child because it is ubiquitous and easy to break. Malware activity is a good indicator of the popularity of a platform (at least partially).
Fewer people did Linux malware before this because there were relatively few machines and they were generally owned by clueful people. Now we have a far larger base of ignorant users/operators and far wider deployment, including high profile deployments. How many clueless people had 24/7 broadband connections even 3 years ago?
Expect to see greater interest in Linux malware as the popularity of Linux increases. With increased H4X0r attention, the delivery of security to the ignorant will determine how often we see headlines about Linux hosted exploits[1].
Xix.
[1] OK, maybe OpenSSL screwed up, but surely the OS has *some* responsibility for looking after its own integrity? Imagine a distro that keeps your firewall, ppp connection, web server and stuff in separate, minimal user-mode Linux virtual boxes.
"Everything is adjustable, provided you have the right tools"
rm -rf /usr/sbin/up2date ; ln -s /bin/true /usr/sbin/up2date
You have answered your own questions... except... "Everything slashdot knows is wrong. (And stupid.)"
They said that Linux, or Unix in general, does not have to worry about viruses.
You have nice manners. I appreciate that.
Jeeze... Just went to check my Apache logs to see if there was any indication of this worm on my servers (all clean), and I'm STILL getting plugged by a couple dozen freaking Code Red hits a day! Is there any way to get these cleaned up, or are we going to be putting up with winnt/system32/cmd.exe requests until the end of time?
Your Servant, B. Baggins
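A way to answer the question above about the leftover Code Red noise, added here as an example and not part of the poster's message: count the cmd.exe / root.exe probe requests per source address in an Apache access log, so the hosts that are still infected can be identified and reported. The log lines are constructed samples in combined log format.

```python
"""Count IIS-worm probe requests (cmd.exe / root.exe) per source in an Apache log.

Added example, not from the poster above. The probes are harmless to Apache,
but tallying them per client IP shows which hosts are still infected.
"""
import re
from collections import Counter

# Request paths that Code Red / Nimda style scanners ask for, as seen in this thread.
PROBE = re.compile(r"winnt/system32/cmd\.exe|root\.exe", re.IGNORECASE)
# Apache combined log: ip ident user [timestamp] "request" status ...
LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')

# Constructed sample log; the addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
203.0.113.7 - - [15/Sep/2002:03:14:07 -0400] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 296 "-" "-"
203.0.113.7 - - [15/Sep/2002:03:14:09 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 287 "-" "-"
198.51.100.22 - - [15/Sep/2002:03:20:41 -0400] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
198.51.100.22 - - [15/Sep/2002:03:21:02 -0400] "GET /music/list.cgi HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Sep/2002:03:14:11 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 296 "-" "-"
"""


def probes_by_source(lines):
    """Return a Counter {client ip: number of worm-style probe requests}."""
    hits = Counter()
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue                      # skip malformed lines rather than miscount
        if PROBE.search(m.group("req")):
            hits[m.group("ip")] += 1
    return hits


def noisy_sources(lines, threshold=2):
    """Sorted list of client IPs that sent at least `threshold` probes."""
    return sorted(ip for ip, n in probes_by_source(lines).items() if n >= threshold)


if __name__ == "__main__":
    for ip, n in probes_by_source(SAMPLE_LOG.splitlines()).most_common():
        print("%-16s %d probes" % (ip, n))
```

Feed it `tail -f` output or a whole access_log; the per-IP list is what you hand to the source's ISP abuse desk.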
You would look at the comments after many Windows worm incidents and see that many people have said that that wouldn't happen on Linux.
Let's talk about how open Windows 95 is ...
I can't count the number of times I tried to convince someone to apply updates, but they always say "My system isn't important, nobody will want to crack it."
But of course, that type of system is a prime candidate for cracking, because often the owner won't even notice that they have been compromised and they can usually be used to launch more attacks for a long period of time.
All of Microsoft's recent products now do automatic updating by default. Yes, automatic updates annoy power users and Administrators due to the risks and loss of control, but unfortunately this is exactly what the ignorant masses want; it is taken care of for them so they don't care. (Effort is a rare thing to most end-users.)
On the flip side, none of the Linux distributions do automatic updating by default, nor do they saliently annoy the Administrator with pop-ups saying "You need to update!"
It is good that Mandrake 8.2 and higher give you the option to download updates in the installer, but after you have booted you aren't ever told "Updates are available" or "Please update."
I ask this question: would Automatic Updating be a good thing as an install option of popular end-user distributions? Say the installer had a screen saying "Automatic Updating is on by default. Uncheck this box to disable it." This will of course annoy knowledgeable users, but unchecking a box isn't hard! Simply uncheck and enjoy the control that you expect. You haven't lost anything!
This idea is mainly to protect the uneducated end-users who probably will never apply updates. These people don't care about control, and they wouldn't be installing conflicting custom operating system components that may potentially screw up automatic updates.
I just worry about a future where Microsoft end-user machines are always fully patched, while many Linux end-user machines are not due to ignorance. That will NOT be good PR if more of these Linux worms occur while they no longer occur to Microsoft.
The problem is not with the language being used... It is with the novice programmers that are using the language. (You can FU*k-up in just about any development language out there.)
Programmers hardcode things like string-buffer lengths all the time. And that is fine, as long as you take the necessary precautions to ensure that the buffer length is not exceeded; that is the reason functions like strncpy(...), and snprintf(...) exist. However, most programmers do not do "the right thing", and these crashes and other related problems still occur.
Getting programmers to "do the right thing" (or do things the right way) is how to fix the problem, not by limiting what they can do (which is the approach that Java takes).
Sadly, IME, many "experienced" programmers have been doing things in a less than perfect way for so long, that they do not realize that "it works" is not the same as "it works well" (or "it is correct"). And they are continually trusted to write more code that contains the same old problems.
That is not going to change until people start to realize that the difference between an "Expert" and a "Novice" is not how long they have been doing something... It is how long they have been doing something the right way.
-=- James.
This superworm for Linux is just a first attempt at an entire genre of zero-day exploit worms which create ad-hoc peer-to-peer networks as they spread.
Does having the server behind a Cable/DSL router help protect it?
If I am not allowing 443 and 2002 (or whatever those two port numbers were) to pass through my firewall, doesn't that prevent it from transmitting itself to my machine?
Just curious. I looked for .bugtraq.c and it was not in my /tmp directory.
Security is good, but you can only take the point of view you're espousing just so far.
For instance, the security hole that this particular worm exploits was obviously present before the worm began exploiting it. In a similar vein, there are almost undoubtedly other exploitable security holes on your system right now. They just haven't been discovered yet.
So. Given that we know there is a high probability that your system has security holes which you don't know about, and given that you think no one with unpatched security holes should be hooked up to the net, I guess we can expect you to unplug your system after reading this message?
After all, if your system infects even just one other system which goes on to infect thousands more, then you're at fault for every bad thing on the Internet and you'll go to hell when you die, where you'll have to french kiss Hitler for all eternity.
Bad analogy. Better one: If someone steals your car because you don't have a car alarm and then crashes and kills someone, are you to blame?
No! You are the victim of grand theft auto.
If your computer is insecure and it gets broken into and is used for a malicious act, you are the victim of being hacked. It's not your responsibility to protect your computer from hackers anymore than it is your responsibility to secure your car from theft.
If you are the computer security adviser to a large company then you are in trouble. Otherwise, it's the police's fault for not stopping it.
Note: I have secured my box (to the best of my ability) but I am reasonably computer literate. I don't think my Grandmother should have to do it.
Looking at my server logs, there are a FUCKLOAD more than 3500 servers infected. This is worse than NIMDA or Code Red. You fucking Linux dweebs better fix your goddamn boxes or this is gonna be a bigger mess than those two IIS worms put together. Apache is a piece of shit, and Linux admins are fucking morons.
Well, I sort of agree but mostly don't. If patches have been applied, then it isn't the same as a vanilla 0.9.6b. Essentially, they've created a fork off the 0.9.6b trunk. The version number should reflect that - maybe 0.9.6b-sc1 (for security patch 1) for example.
As an aside, what is that open source people have got against making a version 1.0 of anything? It's just a number, nothing to be scared of...
Cheers,
Ian
Maybe the FUD came from somewhere else but passing on facts that you don't know to be true contributes to the FUD problem.
It doesn't take much effort to have a glance at the CERT advisories and verify the sequence of events surrounding Code Red.
The reason FUD spreads so easily at the moment is because people don't check facts before passing them on.
I agree with your last sentiment completely though - greed is the cause of most of the world's problems.
James Tait, Programmer and Free Software Advocate
JID: jayteeuk@wyrddreams.org
Hmm, maybe. I mostly rely on the package system versioning and changelogs to see what the version/status of a program is.
On the other hand, many packages have patches applied by the distributor, even for non-security problems. It's kind of a given that they'll modify the package some. They also have to be careful not to break scripts that parse the version number and expect it to match a certain string. Conversely, Mozilla actually requires distributors to change the version string if they patch it.
In conclusion, I'll concede that changed version numbers wouldn't be a bad thing for security updates, but they probably shouldn't be used for much else, given that most patches are bugfixes and don't change the program's behavior much.
As for version 1.0, I couldn't claim to guess. Some of the more mature projects have made their way to versions 3 (gcc) or 6 (Vim), but most are still not happy to call it a release yet I guess. Just for fun, I tabulated the version numbers on my home firewall (mostly utility programs, not many GUI apps):
0: 51
1: 73
2: 52
3: 22
4: 32
5: 10
Other: 17 (mostly date stamps and integer version numbers)
So it seems pretty well distributed to me.
The ocean parts and the meteors come down
Laid out in amber, baby.
FYI, the major ISP in the article that had their DNS servers attacked was Exodus/Cable&Wireless. They got hit Thursday morning I believe. The company responded reasonably well from what I heard, deploying a response team and countermeasures quickly. The attack didn't last too long, however; again, this is all based on second hand info.
We got over it.
For the record, my logs are still being filled with attempts to grab root.exe and all sorts of other nastiness from IP addresses that look like they are on the local cable modem network. I have to purge the hard drive on my email server of the 200 MB of viruses that try to leak through to my Windows based users. Every 6 weeks or so NIMDA and Klez sneak back through and infect a bunch of workstations.
We should be honored that it is newsworthy to report problems in Linux. With Windows it is just assumed!
"Learning is not compulsory... neither is survival."
--Dr.W.Edwards Deming
If you run any services that use OpenSSL (such as ssh), your system can still be compromised (although not with the current worm).
The applications at fault are Apache webserver and openSSL.
Read the article. Microsoft WindowsXP computers with Apache and openSSL installed also were vulnerable to the worm.
Apache is the sprocket that starts squeeking, not the Linux kernel.
Microsoft WindowsXP looks quite stable, and I was granted the opportunity to fix two Pentium4 Sony VAIO laptops which had some Microsoft WindowsXP user-account-administration errors. I don't like Microsoft's approach to a multi-user operating system using MMC, and I noticed generally slow bootup and user login within WindowsXP. Overall, it appears to be an operating system with the same features as Linux.
I choose Linux because spyware is less likely to be installed due to the open-source nature of Linux-based operating systems, Linux-based operating systems tend to be lean and perform better than Microsoft WindowsXP, many necessary commercial applications are available on Linux as well as free applications, user-level security is excellent on Linux-based operating systems, and problems in the supportive applications of Linux-based operating systems are often fixed when a problem arises. Apache and openSSL are not specific to Linux, but 99.99999998% of all Linux distributions install them both. How long does it take for Microsoft to detect and repair a vulnerability in their kernel and their Internet Information Services (IIS)? Apache and openSSL were evaluated and fixed within a couple of days. Many of Microsoft's IIS flaws went unnoticed for months and years until corporations' and individuals' computer data was stolen by thieves.
*BOOM*
*thud*
*snap*woooshhhhhhhhhhhhhhhhh*
(50 minutes later)
*honey, the roast duck is ready. leg, wing, or breast? salt and pepper?
*smooch*smooch*
If I understand RHN and up2date correctly, you need to log into RHN and tell it that your system needs the update then up2date will pick up the patch. Yes? No?
This space intentionally left blank
The problem is that RH patched openssl and called it 0.9.6b-28 instead of just going to 6e or whatever, so when I did rpm -q and saw I was still in 6b land I was kinda worried.
I have OpenSSL installed 'cause I was trying to do SSL certs for Freeswan.
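The "still in 6b land" worry in this post (and the 0.9.6b-sc1 suggestion and the Mandrake 0.9.6c output earlier in the thread) comes down to one check: compare the package's version and release tag, not the upstream version string. Added example, not from any poster here; the fixed-release table is constructed, with the Red Hat 0.9.6b-28 value taken from this post.

```python
"""Is a backported distro package actually patched?

Added example, not from any poster in this thread. Red Hat shipped the fixed
OpenSSL as 0.9.6b-28 (same upstream version, bumped release), so neither
'openssl version' nor the upstream number answers the question; compare the
package's (version, release) against the distributor's first fixed release.
"""
import re

# Constructed threshold table: package -> (upstream version, first fixed release).
# Thresholds are distributor-specific and come from that distributor's advisory;
# the entry below uses the Red Hat 0.9.6b-28 release mentioned in the thread.
FIXED_RELEASE = {"openssl": ("0.9.6b", "28")}


def split_nvr(nvr):
    """'openssl-0.9.6b-28' -> ('openssl', '0.9.6b', '28'); arch must already be stripped."""
    parts = nvr.rsplit("-", 2)
    if len(parts) != 3:
        raise ValueError("expected name-version-release, got %r" % nvr)
    return tuple(parts)


def _segments(s):
    # Digit runs become ints, letter runs stay strings, so 28 > 3 and 0.9.6b > 0.9.6.
    return [(0, int(t)) if t.isdigit() else (1, t) for t in re.findall(r"\d+|[A-Za-z]+", s)]


def vercmp(a, b):
    """Simplified rpmvercmp: -1, 0 or 1. Numeric segments beat alphabetic ones."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x == y:
            continue
        if x[0] != y[0]:
            return 1 if x[0] == 0 else -1    # digits are newer than letters
        return 1 if x[1] > y[1] else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))   # leftover segments win


def is_patched(nvr, fixed=FIXED_RELEASE):
    """True if the installed package is at or beyond the first fixed (version, release)."""
    name, version, release = split_nvr(nvr)
    fixed_version, fixed_release = fixed[name]
    by_version = vercmp(version, fixed_version)
    if by_version != 0:
        return by_version > 0                 # a newer upstream version carries the fix
    return vercmp(release, fixed_release) >= 0   # same upstream: the release tag decides


if __name__ == "__main__":
    for pkg in ("openssl-0.9.6b-18", "openssl-0.9.6b-28", "openssl-0.9.6e-1"):
        print(pkg, "patched" if is_patched(pkg) else "VULNERABLE")
```

Feed it the output of `rpm -q openssl` with the `.i386`/`.i586` suffix stripped; a Mandrake box needs Mandrake's own advisory release in the table, since 0.9.6c-whatever says nothing by itself.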
The ultimate network admin tool needs HELP!