Slashdot Mirror


Linux Worm Creating "Attack Network"

RomSteady writes "In what could be a case of the free pot calling the expensive kettle black, C|Net is reporting that a new Linux worm is "creating a rogue peer-to-peer network that has been used to attack other computers with a flood of data" and has already infected at least 3,500 servers. Seems it is true...the security of your web server depends on how effective you are at keeping up to date on patches, no matter if you are running Windows or Linux."

  1. visioneers by sstory · · Score: 2, Insightful

    Visioneers have been making analogies between networks and other systems for years, and lately the internet has started to feel like an ecosystem, with predators, outbreaks, and the like.

  2. Expect more of this... by charnov · · Score: 2, Insightful

    Unfortunately, as more IIS admins move into the "cheap" Linux arena, their bad habits will come with them (not that there aren't Linux admins with bad security habits, too). We are going to see more and more of this as Linux becomes the norm. My shop is looking at using embedded or firmware-based Linux (or single system images in the clusters) to combat any modifications. It will be interesting on Monday to see how much our honeypot-tarpit has caught.

    --
    [RIAA] says its concern is artists. That's true, in just the sense that a cattle rancher is concerned about its cattle.
    1. Re:Expect more of this... by Anonymous Coward · · Score: 1, Insightful

      That's a cop-out response. There are at least as many crap sysadmins on UNIX (or UNIX wannabe) systems as there are on Windows systems. You people need to get off your high-horse and can the smugness. Using *NIX (or wannabe UNIX systems) does not make you smarter, more secure, etc.; it just makes you willing to cut your nose off to spite your face.

      You probably won't get to see this because some diskless mod will kill it, but what the hell.

    2. Re:Expect more of this... by N3WBI3 · · Score: 2, Insightful
      Sorry, but it is true. You can get an MCSE with the purchase of most boxes of Captain Crunch. Now I will say a good Windows sysadmin is as good as a good Unix sysadmin; the thing is, a poor Unix sysadmin won't last in the field.

      I replaced a moron with an MCSE (I have no certs) because he could not do anything (and I do mean anything) right. He got the job because he had an MCSE, he lost the job because he was a nitwit, but sure enough within a week he had another sysadmin job.

      The problem is that managers think an MCSE means something! The interview standards are much harder on a *nix person because you really have to know what you're doing to make a *nix network usable by everyone, and in the process you know how to make it secure. You can set up a usable MS network out of the box (even if you know little), but it's not secure.

      --
  3. Well Duh! by libertynews · · Score: 5, Insightful

    Anyone who thinks that solely because they run open source they are immune to attack is an idiot. Look at how wide open a default RedHat 6.2 install is.

    This new attack is easily avoided by upgrading your OpenSSL version to 0.9.6e, and this should have been done by now. The hole has been known and example exploit available for a while now, as anyone who follows the bugtraq list would know.

    Security is an ongoing process. You have to stay on top of it if you run machines that are not turned off and locked in a basement. There is just no way around the fact that there will always be bugs in software, and these days that commonly means security holes as well.

    --
    Remember Lexington Green!
  4. The Difference.... by the eric conspiracy · · Score: 5, Insightful

    Seems it is true...the security of your web server depends on how effective you are at keeping up to date on patches, no matter if you are running Windows or Linux.

    I'd agree with that statement - the difference being that with the Windows patch you may need to restart your server (bad), and you may have to swallow a new EULA (could be VERY bad).

  5. Re:Is this talking about the SSL hole? by coupland · · Score: 5, Insightful

    The systems that are getting hit are the ones with lazy admins who don't promptly follow up on security patches.

    Why do topics like this always have to degenerate into a holier-than-thou diatribe by a self-righteous few? I'm running a vulnerable system and it isn't because I'm "lazy" as you so kindly put it. I run Linux on my *desktop* and use it to play Quake, surf the web, and share out some HTML pages for my family. I run RH7.2 (only one version behind, bub) and run Ximian Red Carpet and up2date regularly. But no, I don't read bugtraq for the sheer joy, and I usually wait for RPMs to come out before I install a patch. The unfortunate downside to RPMs is that if you compile your own software the RPM database starts to choke on its biscuits. So maybe, just maybe, it's not that people who don't upgrade the same day are lazy. Maybe we just don't have as much time or interest as you to troll bugtraq or, more so, troll /. acting all high and mighty because of the stinking version of OpenSSL they run.

  6. Is Linux now a POS? by Oliver Defacszio · · Score: 5, Insightful
    Should we immediately start referring to Linux (et al) as an easy touch for these worms? This is now two serious vulnerabilities in the last three days. Sure, there are fixes available, but there are also fixes quickly available for similar Windows holes and, yet, when "sysadmins" don't apply them, everyone blames Microsoft. So, that means Linux sucks too, right?

    Let's face some facts, there are probably more "forgotten" Linux servers than Windows ones, simply because Linux can run unattended for months at a time and Windows cannot. Making the reasonable assumption that a sizable number of these neglected machines will not be fixed, suddenly Linux and OSS looks no better than the Windows machines that are still infected with Nimda or something similar because no one has been bothered to apply patches.

    I await your wrath for being reasonable.

    --

    -
    Inventor of the term 'pardon my French'.
    1. Re:Is Linux now a POS? by shepd · · Score: 5, Insightful

      >So, that means Linux sucks too, right?

      No, Linus didn't make Apache or the OpenSSL library (the real problem).

      If anyone deserves the blame for this, it's the OpenSSL team themselves (and I would hedge a bet more of them work for BSD rather than Linux, just by the license). They caused the vulnerability. One would think that a team of programmers who are trying to create a set of high-security tools wouldn't _ever_ have a buffer overflow. That's the kind of mistake a green programmer like myself would make.

      The fact is people blame Microsoft for Nimda because Microsoft made the vulnerable IIS webserver. Blame went where blame was due.

      So, anyways, blame the right people. Microsoft for IIS, OpenSSL team for OpenSSL.

      --
      If you could be told what you can see or read, then it follows that you could be told what to say or think - BoC
    2. Re:Is Linux now a POS? by NonSequor · · Score: 3, Insightful
      One would think that a team of programmers who are trying to create a set of high-security tools wouldn't _ever_ have a buffer overflow.

      It seems to me that it has been thoroughly proven that programmers are incapable of handling memory management on their own. The number of problems that buffer overflows, memory leaks, and other such problems have caused is staggering. I don't care how great you think you are, you shouldn't be doing your own memory management. Given enough time you'll fuck something up.

      --
      My only political goal is to see to it that no political party achieves its goals.
  7. Re:Distributions, sub-version #'s, & straight by GigsVT · · Score: 5, Insightful

    You are full of shit. Distros roll patches and bugfixes back into the stable and tested version, and release a new -subversion. Try using a modern distro sometime. I can't believe you flamed that guy, out of your own ignorance.

    openssl-0.9.6b-28 is the current red hat version, and it is fully fixed.

    It even shows the old version if you run openssl version:
    OpenSSL 0.9.6b [engine] 9 Jul 2001

    It is, however completely patched, and came out in early August.

    Modern distros value stability in current releases, and will not upgrade to the latest version just to get a bugfix. This is the value they add, you don't have to worry about a security patch breaking some critical functionality. /me puts the cluestick back in its holster.

    --
    I've had enough abrasive sigs. Kittens are cute and fuzzy.
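The check the comment above describes, written out as an added example that is not part of the thread or of any distribution's tooling: it ranks the string `openssl version` prints against the fixed upstream release, and when that string is old it falls back to the package release, which is where a backported fix shows up. The values 0.9.6e and openssl-0.9.6b-28 are the ones quoted in the comments on this page; treating them as the fixed releases, and the Red Hat package naming, are assumptions to adjust for your own distribution's errata.

```shell
#!/bin/sh
# Added example (not from the thread): classify an OpenSSL install as
# patched, vulnerable or unknown from two strings, the output of
# `openssl version` and of `rpm -q openssl`. The fixed upstream release
# (0.9.6e) and the fixed Red Hat package release (openssl-0.9.6b-28)
# are the ones quoted in the comments; both are assumptions to adjust
# for your own distribution's errata.

FIXED_UPSTREAM="0.9.6e"
FIXED_RH_RELEASE=28

# Map an OpenSSL version such as 0.9.6b to one sortable integer:
# major, minor, patch level and the ASCII code of the trailing letter
# (0 when there is none), so 0.9.6b < 0.9.6e < 0.9.7.
ver_num() {
    v=$1
    maj=${v%%.*}; rest=${v#*.}
    min=${rest%%.*}; rest=${rest#*.}
    num=${rest%%[!0-9]*}          # "6" from "6b"
    letter=${rest#"$num"}         # "b" from "6b", "" from "7"
    code=0
    if [ -n "$letter" ]; then
        code=$(printf '%d' "'$letter")
    fi
    echo $(( maj * 100000000 + min * 1000000 + num * 1000 + code ))
}

# True (exit 0) when version $1 is at least version $2.
ver_ge() {
    [ "$(ver_num "$1")" -ge "$(ver_num "$2")" ]
}

# $1: output of `openssl version`, e.g. "OpenSSL 0.9.6b [engine] 9 Jul 2001"
# $2: output of `rpm -q openssl`, e.g. "openssl-0.9.6b-28" (empty if no rpm)
# Prints "patched", "vulnerable" or "unknown".
openssl_status() {
    ver=${1#OpenSSL }; ver=${ver%% *}
    case "$ver" in
        [0-9]*.[0-9]*.[0-9]*) ;;
        *) echo unknown; return 0 ;;
    esac
    if ver_ge "$ver" "$FIXED_UPSTREAM"; then
        echo patched; return 0
    fi
    # The library reports an old upstream version; the fix may still be
    # backported, so fall back to the distribution's package release.
    case "$2" in
        openssl-0.9.6b-*)
            rel=${2##*-}; rel=${rel%%.*}      # "28" from "openssl-0.9.6b-28"
            if [ "$rel" -ge "$FIXED_RH_RELEASE" ]; then
                echo patched
            else
                echo vulnerable
            fi ;;
        "") echo vulnerable ;;   # no package data to contradict the old version
        *)  echo unknown ;;      # other package naming: read its changelog
    esac
}

# Run against the local machine with `sh check.sh --live`.
if [ "${1-}" = "--live" ]; then
    openssl_status "$(openssl version 2>/dev/null)" "$(rpm -q openssl 2>/dev/null)"
fi
```

When the result is "unknown", the package changelog (`rpm -q --changelog openssl`) is the place to confirm whether the vendor backported the fix; the version banner alone cannot tell you.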
  8. Re:How can ya tell? What do you do? by estes_grover · · Score: 2, Insightful

    This is *not* personal...but..."you should never have to ask that question" nicely sums up the problem with Linux.

  9. Re:D'uh. by Yohahn · · Score: 4, Insightful

    While the "Duh" is true, I think the relevant questions are:

    "How easily does a system lend itself to being upgraded out of the box, with no additional costs?"

    "How quickly can a patch be developed and published"

    "When I install the new patch am I going to have to accept some NEW BS license?"

    I still choose Debian GNU/Linux because I believe that apt-get being as easy as it is will keep newbie Linux people upgrading regularly. This alone could have significant impact.

  10. Actually what I am afraid of is this--- by einhverfr · · Score: 3, Insightful

    This virus made several fatal errors in its execution--
    1: It did not delete its source code file on execution.
    2: It did not hide its binary very well.

    If the worm did these things it would have been MUCH harder to detect and deal with. As it is my servers are secure (no SSL for now, and I have the latest version of OpenSSL for when I want to re-implement it), but I would have been worried to some extent if I could not have actually looked for bugtraq.c in the /tmp directory.

    Many trojans I am aware of do these things, though.

    --

    LedgerSMB: Open source Accounting/ERP
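A host check for the two mistakes the comment above lists, added here as example code that is not from the thread. The one detail it takes from the comment is a bugtraq.c file left in /tmp; the rest is assumption: that any executable regular file in a scratch directory deserves a look, and that a process whose binary lives under /tmp is worth listing (that part reads /proc, so it is Linux-only).

```shell
#!/bin/sh
# Added example (not from the thread): two host checks for the mistakes
# the comment describes, a worm that leaves its source file behind and
# a binary it does not hide. The only artifact name taken from the
# thread is a "bugtraq.c" file in /tmp; treating any executable regular
# file in a scratch directory as suspicious is an assumption, and the
# /proc walk in running_from_dir is Linux-specific.

# List files directly under $1 (default /tmp) that look like dropped
# worm material: anything named *bugtraq*, or any executable regular file.
find_worm_artifacts() {
    dir=${1:-/tmp}
    for f in "$dir"/* "$dir"/.[!.]*; do
        [ -f "$f" ] || continue            # also skips an unexpanded glob
        base=${f##*/}
        case "$base" in
            *bugtraq*)
                echo "$f: named like the source file the worm drops" ;;
            *)
                if [ -x "$f" ]; then
                    echo "$f: executable file in a scratch directory"
                fi ;;
        esac
    done
}

# List running processes whose executable lives under $1 (default /tmp);
# a worm compiled and started from /tmp shows up here even after it
# deletes its files. Reads /proc/PID/exe, so Linux only.
running_from_dir() {
    dir=${1:-/tmp}
    for p in /proc/[0-9]*; do
        exe=$(readlink "$p/exe" 2>/dev/null) || continue
        case "$exe" in
            "$dir"/*) echo "pid ${p#/proc/} runs $exe" ;;
        esac
    done
}

# Run against the local machine with `sh scan.sh --scan [dir]`.
if [ "${1-}" = "--scan" ]; then
    find_worm_artifacts "${2:-/tmp}"
    running_from_dir "${2:-/tmp}"
fi
```

The file scan only catches a careless worm, which is the comment's point; the process listing is the check that still works once the source and binary have been deleted, because a deleted executable stays readable through /proc/PID/exe until the process exits.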
  11. Re:Why is this topic here again? by actiondan · · Score: 3, Insightful

    Surely it is newsworthy when a vulnerability is actually exploited 'in the wild' like this, even if only to remind people about the importance of patching.

    Are you suggesting that Code Red should not have been reported on Slashdot, as the patch was out a month before the infections took place? Or is it only Linux exploits that should be blacked out once a patch is available?

    I don't think anyone is blaming the programmers - the story seemed pretty clear that it is admins that fail to patch that are at fault here.

  12. Point taken but by einhverfr · · Score: 3, Insightful

    I am assuming you didn't install a web server, NFS server, etc. if you never thought you'd use them, right? Or if you did, you would turn them off, or at least use Red Hat's built-in firewall rules to keep other people out.

    If you did any of these things, you are not directly vulnerable, and don't classify as lazy. But if you were running a production server and did not want to do a security patch because "there are no rpm's yet" then you would be lazy and I would berate you for it ;)

    So my point is-- you can't compare apples and oranges here, and security is important to everyone, but there are different ways of handling this security as appropriate for the environment. If you think security doesn't matter, you are not lazy so much as clueless, but if you think that there is only one path to security, you are missing the point too.

    I did support for Windows for a while and I was amazed at how many compromised systems I found because home users thought "I don't need security." It is all fun and games until people start uploading illegal content (such as kiddie porn) onto your system, or your account gets terminated with your ISP because someone used your system to attack another computer, etc.

    I don't care who you are-- security is important.

    --

    LedgerSMB: Open source Accounting/ERP
  13. Interesting, but dangerous approach that is by bankman · · Score: 4, Insightful

    Let me elaborate a bit here:

    You are running a computer that is connected to the Internet. For the sake of this argument it doesn't matter which system you favour. You are the admin of this machine.

    Like it or not, you have responsibility towards ALL other network peers (i.e. the whole Internet) to make your system as secure as possible. Consider malicious software that can start DoS attacks on other remote boxes. Your insecure machine is now causing trouble to others as well as yourself (degrading connectivity).

    Would you like this? Your answer could be: I don't care.

    Imagine someone else has a similarly unpatched/insecure system and is directing DoS attacks on your IP. Do you care now? I guess you would.

    The problem is that advertising and far too many teachers in "Internet for dummies" courses do not emphasize the fact that anyone with admin privileges on any computer (that is connected to the Internet) is effectively an administrator and has to act accordingly on issues like security. Point'n'Click installation doesn't make it any easier: You want to run a web server? Here you go.

    How many install software without knowing about the security implications of the stuff they are going to run? I guess far too many. If you had to read about a certain program BEFORE you install it, the manual or How-To can give you an idea of the security implications you are probably going to run into, thus alerting the admin (on a home system that means you) and increasing awareness.

    This could be a reason why Linux/Unix installations often seem to be more secure: You have to read a lot more before you can actually do something. This advantage, of course, is slowly going away with point and click installations on Linux systems as distro installation programs become more user-friendly and everything gets installed via a graphical system. This might be ok for an advanced user, but could be dangerous in the hands of a novice (i.e. most home users).

    I guess you could compare it to driving a car, where you have to get a license in order to participate in public traffic, because you need to know about the rules and dangers beforehand. The impact your mistakes might have on others can be very serious.

    I don't want to lecture you, but I think it is important to increase awareness of security ramifications on boxes that are connected to others.

    --
    I feel so sig.
    1. Re:Interesting, but dangerous approach that is by coupland · · Score: 3, Insightful

      Like it or not, you have responsibility towards ALL other network peers (i.e. the whole Internet) to make your system as secure as possible.

      Sorry but I'm gagging uncontrollably at the thought of your saccharine love-fest. I am not here to protect *other* people's PCs from compromise, should I hold hands with other sysadmins and pray for the health of their machines while I'm at it? No. My machine isn't as secure as some but I try my best and check Red Carpet daily.

      Your argument is that as a user with a public IP address it's my responsibility to have every package on my system updated on a daily basis. Hence by your logic, if I'm not doing so then I don't have a right to be on the net. It's precisely this kind of jaded self-righteousness that people hate about a small handful of Linux geeks. When even Linux geeks are telling you to get a life, maybe you should consider it!

    2. Re:Interesting, but dangerous approach that is by sg_oneill · · Score: 2, Insightful

      Sorry but I'm gagging uncontrollably at the thought of your saccharine love-fest. I am not here to protect *other* people's PCs from compromise, should I hold hands with other sysadmins and pray for the health of their machines while I'm at it? No. My machine isn't as secure as some but I try my best and check Red Carpet daily.

      Hmmm.... Here folks is the problem at hand. (Ok.. good stuff checking for updates). *but* If you knowingly allow yourself to become part of an attack, then you DO have a responsibility for your own actions. I mean really, wasn't the idea of freedom always limited to 'up till another's nose' (paraphrase).

      If your email program goes berserker and emails 10000 virus mails, it is YOUR fault if you don't stop it. If your unpatched apache server causes 100 other guys' unpatched apache servers to become infected, it's YOUR fault for not stopping it. If your car kills someone because you don't give a fuck about your actions, it's also YOUR fault.

      It is incumbent upon everyone to do that little bit for security, because by the same token that you can fuck someone up from inaction, someone can fuck YOU up by their inaction. Think social contract. Rights REQUIRE responsibilities!

      --
      Excuse the Unicode crap in my posts. That's an apostrophe, and slashdot is busted.
  14. Re:D'uh. (with irony) by Penis_Envy · · Score: 2, Insightful

    the irony of you pointing out that they usually say "I'm using a secure OS link to debian.org" is that if you've apt-get update/upgrade'd in the past month or so, you're fine. Debian seems to have been patched the day after/of the vulnerability announcement.

    Considering how many of the major distros have some sort of update tool, I'm really surprised this is as much of a problem as it is.

    So, I'm glad I'm using a secure OS. :)

  15. Re:D'uh. by RomSteady · · Score: 3, Insightful
    Sorry, but I'm not an editor. I read the article and submitted it, and while I was submitting it, a similar article appeared on the Apache sub-section.

    I am glad that they used my submission without censorship, though.

    One person farther down says that if something like this had been reported about Windows, it would have been Bill's fault, but when something happens on Linux, it's the sysadmin's fault. Personally, I think both are the sysadmin's fault. Nine times out of ten, patches are available for software shortly after the worm is first out there. If a sysadmin keeps up on his/her patches, the likelihood of infection/damage is very low.

    Personally, I'd be very happy if /. would stop attacking Microsoft and start attacking the people who make the actual attacks. However, the likelihood of that happening is slim to nil, I'm afraid.

    --
    RomSteady - I came, I saw, I tested. GamerTag: RomSteady / http://www.romsteady.net
  16. This is already standard practice by tweakt · · Score: 3, Insightful

    You should ALREADY be blocking ALL unknown incoming ports. ESPECIALLY UDP.

  17. Re:D'uh. by Jace of Fuse! · · Score: 4, Insightful

    I still choose Debian GNU/Linux because I believe that apt-get being as easy as it is will keep newbie Linux people upgrading regularly. This alone could have significant impact.

    While I actually agree with you -- I don't see how that is any easier than Windows popping up a requestor saying "YOUR CRITICAL UPDATES HAVE DOWNLOADED AND ARE READY TO INSTALL."

    True, there is a good chance the new terms of usage might require you hand over your newborn, or give your soul to Billy, but the newbie doesn't care about this.

    Linux users think they can topple the Windows empire because ethically, Free Software has a more solid foundation than Microsoft. But they seem to ignore the fact that this means nothing because most users have no ethics.

    If Unix is going to shoehorn itself more so into the desktop market, it's going to have to appeal more to the laziness of the masses and spend less time touting the ethical reasons. Things like Apt-Get are major steps in the right direction, though.

    --

    "Everything you know is wrong. (And stupid.)"

    Moderation Totals: Wrong=2, Stupid=3, Total=5.
  18. Re:Is this talking about the SSL hole? by Anonymous Coward · · Score: 1, Insightful

    The problem with this attitude is that although you don't care about securing your system, that's not going to stop someone from using your system to attack other systems.

    Security is everyone's responsibility... even though you may not care about your OWN system's security, your inaction in not patching your system can cause someone else problems when your system is used to attack others...

    Just my thoughts...

  19. Re:How Come? by Anonymous Coward · · Score: 1, Insightful

    The hole Nimda exploited was also fixed before the worm began to spread, so that was also a fault of a lazy admin.. right.. ? Right ?

  20. Re:D'uh. by Anonymous Coward · · Score: 1, Insightful
    What's the problem with having basic secure services that can't be hacked? Why isn't it being done? Is it because the current OS's we have are insecure by default and design? I need some professional insight.

    People are trying, and in this case it isn't the OS itself at fault--the problem lies with Apache's OpenSSL module. The OS can't do anything about that module, no matter how secure it is. But the software like OpenSSL keeps improving and getting more secure. It really is hard to make truly secure software, but people are trying, and we're getting there.

  21. Automatic Updating by HawaiiLinux · · Score: 2, Insightful
    These worms (including Nimda and Code Red) always have targeted holes that have been known and fixed for months, but the masses who never keep up with security updates are still cracked. These many people who never keep up with security updates will always exist due to ignorance.

    I can't count the number of times I tried to convince someone to apply updates, but they always say "My system isn't important, nobody will want to crack it."
    But of course, that type of system is a prime candidate for cracking, because often the owner won't even notice that they have been compromised and they can usually be used to launch more attacks for a long period of time.

    All of Microsoft's recent products now do automatic updating by default. Yes, automatic updates annoy power users and Administrators due to the risks and loss of control, but unfortunately this is exactly what the ignorant masses want; it is taken care of for them so they don't care. (Effort is a rare thing to most end-users.)

    On the flip side, none of the Linux distributions do automatic updating by default, nor do they saliently annoy the Administrator with pop-ups saying "You need to update!"
    It is good that Mandrake 8.2 and higher give you the option to download updates in the installer, but after you have booted you aren't ever told "Updates are available" or "Please update."

    I ask this question: would Automatic Updating be a good thing as an install option of popular end-user distributions? Say the installer had a screen saying "Automatic Updating is on by default. Uncheck this box to disable it." This will of course annoy knowledgeable users, but unchecking a box isn't hard! Simply uncheck and enjoy the control that you expect. You haven't lost anything!

    This idea is mainly to protect the uneducated end-users who probably will never apply updates. These people don't care about control, and they wouldn't be installing conflicting custom operating system components that may potentially screw up automatic updates.

    I just worry about a future where Microsoft end-user machines are always fully patched, while many Linux end-user machines are not due to ignorance. That will NOT be good PR if more of these Linux worms occur while they no longer occur to Microsoft.

  22. Bad analogy by ZigMonty · · Score: 3, Insightful
    If your car kills someone because you don't give a fuck about your actions, it's also YOUR fault.

    Bad analogy. Better one: If someone steals your car because you don't have a car alarm and then crashes and kills someone, are you to blame?

    No! You are the victim of grand theft auto.

    If your computer is insecure and it gets broken into and is used for a malicious act, you are the victim of being hacked. It's not your responsibility to protect your computer from hackers anymore than it is your responsibility to secure your car from theft.

    If you are the computer security adviser to a large company then you are in trouble. Otherwise, it's the police's fault for not stopping it.

    Note: I have secured my box (to the best of my ability) but I am reasonably computer literate. I don't think my Grandmother should have to do it.