Slashdot Mirror


Linux Worm Creating "Attack Network"

RomSteady writes "In what could be a case of the free pot calling the expensive kettle black, C|Net is reporting that a new Linux worm is "creating a rogue peer-to-peer network that has been used to attack other computers with a flood of data" and has already infected at least 3,500 servers. Seems it is true...the security of your web server depends on how effective you are at keeping up to date on patches, no matter if you are running Windows or Linux."

13 of 465 comments

  1. Re:Is this talking about the SSL hole? by alvieboy · Score: 5, Informative

    Yes.

    Read the CERT Advisory CA-2002-27.

    It's available here

  2. Re:Not everyone is a Linux expert by semaj · Score: 5, Informative

    Is there a quick, easy way to find out if OpenSSL is even installed on my system?

    Do "telnet your.www.host 80" then type "HEAD / HTTP/1.0" and hit enter. Take a look at the "Server:" line, it'll tell you if OpenSSL is installed and enabled. If it is, and the version is less than 0.9.6e, you should upgrade.

    --
    Meep meep
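To make the telnet check from this comment repeatable across a fleet, here is an added Python example (my own, not code from the thread or from any commenter) that parses the Server: banner and compares the advertised OpenSSL version against the 0.9.6e floor the comment quotes. The response text is constructed; fetch_response() is an added helper that sends the same "HEAD / HTTP/1.0" request over a socket, and the assess() verdict strings are my naming.

```python
import re
import socket

# Floor quoted in the comment above: anything older than this should be upgraded.
MIN_OPENSSL = "0.9.6e"

# Constructed sample reply, the kind a 2002-era Apache would return to "HEAD / HTTP/1.0".
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 16 Sep 2002 10:00:00 GMT\r\n"
    "Server: Apache/1.3.26 (Unix) mod_ssl/2.8.10 OpenSSL/0.9.6c\r\n"
    "Connection: close\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)

# OpenSSL 0.9.x versions are three numbers plus an optional letter suffix (0.9.6, 0.9.6a ... 0.9.6g).
_OPENSSL_RE = re.compile(r"OpenSSL/(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(text):
    """Return (major, minor, patch, letters) for the first OpenSSL/x.y.zL token, or None."""
    m = _OPENSSL_RE.search(text)
    if m is None:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4))


def server_header(response):
    """Pull the value of the Server: header out of a raw HTTP response, or None if absent."""
    head = response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip()
    return None


def assess(response, minimum=MIN_OPENSSL):
    """Classify a response: 'no-server-header', 'no-openssl', 'vulnerable' or 'ok'."""
    header = server_header(response)
    if header is None:
        return "no-server-header"
    found = parse_openssl_version(header)
    if found is None:
        return "no-openssl"
    # Tuples compare element-wise, so (0, 9, 6, "c") < (0, 9, 6, "e"), and "" sorts before "a".
    needed = parse_openssl_version("OpenSSL/" + minimum)
    return "vulnerable" if found < needed else "ok"


def fetch_response(host, port=80, timeout=5.0):
    """Added helper: the same HEAD request the comment types into telnet, sent over a socket."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b"HEAD / HTTP/1.0\r\nHost: " + host.encode("ascii") + b"\r\n\r\n")
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("latin-1")


if __name__ == "__main__":
    print(server_header(SAMPLE_RESPONSE), "->", assess(SAMPLE_RESPONSE))
    # Against a host you administer: assess(fetch_response("www.example.org"))
```

One caveat a practitioner should keep in mind: a "no-openssl" verdict only means the banner does not advertise it. Apache can be configured to send a minimal Server: line, so a clean banner is not proof that mod_ssl and OpenSSL are absent; confirm with the package manager on the box as well.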

  3. Further Info by cr@ckwhore · Score: 5, Informative

    The worm exploits OpenSSL via HTTP port 80. The exploit writes C source files to /tmp; I believe the program is named bugtraq.c. Then, the exploit compiles the program into a hidden binary /tmp/.bugtraq which is executed.

    Once the program is running, it accepts commands on UDP port 2002.

    Simple solution so your bandwidth won't be exploited for a DDoS: block UDP port 2002.

    The worm can be used for multiple purposes, including execution of arbitrary commands on your machine, various flood attacks, etc.

    You need to patch your machine before a more dangerous worm comes along. If you can't patch right away, at least block UDP port 2002.

    Additionally, your /tmp (if located on a separate partition) should be mounted noexec.

    --
    Skiers and Riders -- http://www.snowjournal.com

  4. Re:Distributions, sub-version #'s, & straight by autocracy · Score: 2, Informative

    You're running a version of Apache that has had a known hole for months now. 1.3.26 is the version you should be up to right now. The -60 afterwards is just a packaging number in case they release a different build of that software (there were 59 other ones built by them before they got to one they liked). To test vulnerability, go get the exploit (almost always a proof-of-concept exists) and attack yourself with it. Be sure to check your SSL version if you're running SSL on there as well.

    And yes, keeping up with patches is good. You should try to practice it. Also, subscribe to BugTraq.

    --
    SIG: HUP

  5. That happened to me, too, but with wu-ftpd by StupidKatz · Score: 2, Informative

    Was overseas for several months, and no less than two weeks after I'd arrived at my home away from home, bugtraq had postings related to the wu-ftpd remote root vuln. Since I was on an insecure network (they were blocking port 22), I had to have a friend back home block the port on the router since he didn't know the root password on the ftp server.

    However, pureftpd works great! ;)

    Seems to me that the really nasty vulns lie in wait while you get yourself into the worst situation possible for handling it. :P

  6. Re:actual apache log lines by tubabeat · Score: 5, Informative

    The CERT Advisory has information on what to look for in your logs.

    --
    "Linux is a serious competitor"
    - Steve Ballmer, Chief Executive Microsoft Corp.

  7. Re:Is this talking about the SSL hole? by gimpboy · Score: 2, Informative

    Perhaps you could bring yourself down to my level. I don't hang out reading bugtraq either. However, I have subscribed to redhat's email lists so that I can get security advisories. You know, the emails that say "hey there is a big fucking hole in your security. apply these packages to fix it".

    There are several mailing lists to choose from. The redhat watch list will help you out with vulnerabilities.

    Really though, do you think this is self-righteous? I would say it is being responsible. I hate all of those self-righteous people in cars who use seatbelts. They just think they are all that and a bag of chips. Grow up and be responsible.

    - you get an email about a vulnerability
    - drop to a console and type the following:

    $ su -
    # service httpd stop

    - then upgrade when you have the time.

    really now, how hard is that?

    --
    -- john

  8. Re:Is this talking about the SSL hole? by Chris+Hiner · Score: 5, Informative

    The openssl tarball already has a spec file in it. So just:
    1) Download openssl-0.9.6g.tar.gz from a mirror.
    2) rpm -tb openssl-0.9.6g.tar.gz
    3) rpm -Uvh /usr/src/redhat/RPMS/i386/openssl*
    Even easier.

  9. Here's how to stop _this_ one. by paenguin · Score: 2, Informative

    But, in the long run, you really need to upgrade OpenSSL.

    Anyway:

    su -
    cd /tmp
    ls -a .bugtraq*

    If there is anything in your /tmp directory named .bugtraq.c and you didn't put it there, it's too late, you're rooted. Time to unplug the network cable...

    If you haven't been compromised yet:

    touch /tmp/.bugtraq.c
    chmod 000 /tmp/.bugtraq.c
    chown root.root /tmp/.bugtraq.c

    then...

    which gcc

    and chmod 700 that file.

    This means that normal users will not be able to compile c code. If this is unacceptable, you can undo it after you get OpenSSL up to date.

    --
    We should start referring to processes which run in the background by their correct technical name... paenguins.
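Comments 3 and 9 between them give three host-level indicators for this worm: dropped bugtraq source and binary under /tmp, a bound UDP port 2002, and a /tmp partition mounted without noexec. Here is an added Python example (my own, not code from the thread or any commenter) that checks all three from /proc and a directory listing. The /proc/net/udp and /proc/mounts contents and the fake /tmp directory are constructed stand-ins for an infected host; the function names and finding strings are mine.

```python
import os
import tempfile

WORM_PORT = 2002            # UDP command port the comments name
WORM_NAME = "bugtraq"       # /tmp/bugtraq.c, /tmp/.bugtraq.c and the hidden /tmp/.bugtraq binary

# Constructed stand-ins for /proc/net/udp and /proc/mounts on a host that has the worm running.
SAMPLE_PROC_NET_UDP = (
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
    "  0: 00000000:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 1234\n"
    "  1: 00000000:07D2 00000000:0000 07 00000000:00000000 00:00000000 00000000    48        0 5678\n"
)
SAMPLE_PROC_MOUNTS = (
    "/dev/sda1 / ext3 rw 0 0\n"
    "/dev/sda3 /tmp ext3 rw 0 0\n"
    "proc /proc proc rw 0 0\n"
)


def listening_udp_ports(proc_net_udp_text):
    """Ports bound in /proc/net/udp; local_address is hex IP:hex port, so 07D2 is 2002."""
    ports = set()
    for line in proc_net_udp_text.splitlines()[1:]:   # first line is the column header
        fields = line.split()
        if len(fields) < 2:
            continue
        port_hex = fields[1].rsplit(":", 1)[1]
        ports.add(int(port_hex, 16))
    return ports


def tmp_is_noexec(proc_mounts_text, mountpoint="/tmp"):
    """True if mountpoint is its own mount with noexec, False if its own mount without it,
    None if it is not a separate mount at all (then noexec cannot be set on it alone)."""
    for line in proc_mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[1] == mountpoint:
            return "noexec" in fields[3].split(",")
    return None


def worm_files(tmp_dir):
    """Names in tmp_dir that match the dropped source or binary, hidden (dot-prefixed) or not."""
    return sorted(n for n in os.listdir(tmp_dir) if n.lstrip(".").startswith(WORM_NAME))


def check_host(tmp_dir, proc_net_udp_text, proc_mounts_text):
    """Return a list of findings; an empty list means none of the three indicators were seen."""
    findings = []
    files = worm_files(tmp_dir)
    if files:
        findings.append("worm artefacts in %s: %s" % (tmp_dir, ", ".join(files)))
    if WORM_PORT in listening_udp_ports(proc_net_udp_text):
        findings.append("UDP port %d is bound (worm command channel)" % WORM_PORT)
    if tmp_is_noexec(proc_mounts_text) is False:
        findings.append("/tmp is a separate mount but is not mounted noexec")
    return findings


def demo():
    """Run the checks against a throwaway directory dressed up as a compromised /tmp (constructed)."""
    with tempfile.TemporaryDirectory() as fake_tmp:
        for name in (".bugtraq.c", ".bugtraq", "ssh-XXXX"):
            open(os.path.join(fake_tmp, name), "w").close()
        return check_host(fake_tmp, SAMPLE_PROC_NET_UDP, SAMPLE_PROC_MOUNTS)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
    # On a live host the same call reads the real files (all three are world-readable):
    # check_host("/tmp", open("/proc/net/udp").read(), open("/proc/mounts").read())
```

A file hit is the strongest of the three signals, and as comment 9 says it means the box is already compromised. The port check catches a copy that was dropped somewhere other than /tmp, and the noexec check is the one you want to come back clean before the next worm, not after.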

  10. Re:Where are the RHN Updates ? by Rick_T · Score: 3, Informative

    > Yeah. Confusing it is. I don't see anything in
    > the RedHat RPM indicating that it is different
    > from stock 0.9.6b.

    You could try looking at the changelog ...

    rpm -q --changelog openssl
    (or rpm -qi --changelog openssl if you prefer.)

    --
    -- Rick

  11. Re:How Come? by rindeee · Score: 2, Informative

    Because (since you obviously don't read or can't read) the admins are at fault in this situation. The vuln is ancient, the patch has been around forever (in computer time); the only reason that this NEW worm can take advantage of this OLD vuln is because ADMINS have not patched. In the Windows world you have vulns discovered at a much higher rate, typically with more serious repercussions and with a greater average time to patch release. It's not that MS is only to blame, for even when they release a patch, a good number of admins don't bother applying it. Then there's the whole issue of occasionally requiring acceptance of new tidbits of license with some patches, but that's for another day.

  12. Re:Self Destruct by epsalon · Score: 3, Informative

    Actually, it will work even better by making the command a script that will notify the admin and then kill the server at a given time, e.g.

    echo 'See http://whatever' | mail -s 'YOUR SYSTEM IS HACKED' root; echo killall -9 .bugtraq | at 00:00 GMT