Linux Worm Creating "Attack Network"
RomSteady writes "In what could be a case of the free pot calling the expensive kettle black, C|Net is reporting that a new Linux worm is "creating a rogue peer-to-peer network that has been used to attack other computers with a flood of data" and has already infected at least 3,500 servers. Seems it is true...the security of your web server depends on how effective you are at keeping up to date on patches, no matter if you are running Windows or Linux."
I read about the SSL bug the other day and fixed it on the spot. (Good ol' apt-get). Are there other ones that we should know about? Is there a way to check and see if a machine is still being impacted? I'd hate to be running anything malicious, that's why I have a linux box. I can fix things quickly, most of the time...
You can get a current list of the top C networks which are participating in attacks of various sorts from dshield.org. Depending on your application, it may be advantageous to just add a cron job which grabs this and feeds it to your firewall rules, hosts.deny or access control lists.
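As an added example of the cron-job idea above (my code, not the poster's, and not anything published by dshield.org): a script that turns a block list of /24 networks into iptables commands and hosts.deny entries. The input format is an assumption, one network per line written either as "192.0.2.0/24" or as a bare "192.0.2" prefix, with '#' comments; the chain name BLOCKLIST is also arbitrary. The point worth seeing is the strict validation: the list arrives over the network, so a line that is not exactly a /24 must never be spliced into an iptables command line.

```shell
#!/bin/sh
# Added example, not from the original thread and not dshield's feed format.
# Assumed input: one /24 per line ("192.0.2.0/24" or bare "192.0.2"), '#' comments.

# Print "a.b.c.0/24" for a well-formed line, return 1 for anything else.
# Rejecting by whitelist regex is what keeps '1.2.3.0/24; rm -rf /' from
# ever reaching a shell-executed iptables command.
normalize_net() {
    net=$(printf '%s' "$1" | sed 's/#.*//; s/[[:space:]]//g')
    [ -n "$net" ] || return 1
    if printf '%s' "$net" | grep -Eq '^([0-9]{1,3}\.){3}0/24$'; then
        printf '%s\n' "$net"
    elif printf '%s' "$net" | grep -Eq '^([0-9]{1,3}\.){2}[0-9]{1,3}$'; then
        printf '%s.0/24\n' "$net"          # bare C-class prefix
    else
        return 1
    fi
}

# The regex only bounds digit count; reject octets above 255 here.
# Runs in a subshell so changing IFS and the positional params is local.
valid_octets() (
    IFS=.
    set -- $1
    for o in "$1" "$2" "$3"; do
        [ "$o" -le 255 ] || exit 1
    done
)

# Emit every usable network from a list file, one per line; bad lines are
# reported on stderr and skipped rather than aborting the whole run.
each_net() {
    while IFS= read -r line || [ -n "$line" ]; do
        net=$(normalize_net "$line") || continue
        if valid_octets "$net"; then
            printf '%s\n' "$net"
        else
            printf 'skipping bad octet: %s\n' "$line" >&2
        fi
    done < "$1"
}

# iptables commands for a dedicated chain. Nothing is applied here: the
# cron job can review the output, or pipe it to sh once it trusts it.
iptables_rules() {
    printf 'iptables -N BLOCKLIST 2>/dev/null\n'   # no-op if the chain exists
    printf 'iptables -F BLOCKLIST\n'               # rebuild from scratch each run
    each_net "$1" | while IFS= read -r net; do
        printf 'iptables -A BLOCKLIST -s %s -j DROP\n' "$net"
    done
}

# tcp_wrappers form of the same list: a trailing dot matches the /24.
hosts_deny_entries() {
    each_net "$1" | while IFS= read -r net; do
        printf 'ALL: %s.\n' "${net%.0/24}"
    done
}

# Usage (from cron): iptables_rules /var/tmp/blocklist | sh
#                    hosts_deny_entries /var/tmp/blocklist >> /etc/hosts.deny
```

The chain is flushed and rebuilt on every run so stale entries fall off when they leave the list; you still need a one-time `-j BLOCKLIST` jump from INPUT, and you should watch the stderr line count, since a sudden jump in rejected lines usually means the feed format changed.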
Says the RIAA: When you EQ, you're stealing bass!
Much like those of us who understand that there are no insecure systems, only insecure sysadmins, had our Win2K boxes patched against Code Red a full MONTH before it hit the wild?
If anything, Linux makes a lot of people too damn complacent. "Oh, I'm running Linux, don't need to worry about all those Windoze viruses and script kiddies!"
Vintage computer games and RPG books available. Email me if you're interested.
You have to admit there are more incompetent windows admins than for other systems. The Windows sphere has the whole MSCE juggernaut grinding healthy normal people into incompetent windows admins. Nothing comparable in the *nix world.
Correct... And someone elsewhere posted a REAL simple "vaccination" until you can upgrade your server/ssl. Since it gets in through apache and creates a "/tmp/.bugtraq.c" that it then uses gcc to compile, just execute the following commands as root:
# touch /tmp/.bugtraq
# chmod 000 /tmp/.bugtraq
That should make it impossible for it to create the executable -- and the presence of the /tmp/.bugtraq.c will show you if it has attacked your system.
(Note: This is a preventative measure for this specific worm. All someone would have to do is change the filenames that it uses to get around this, so fix it properly asap)
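The same two commands as a script, as an added example (mine, not the poster's), with the checks the one-liners skip: it reports what is already in the directory before touching anything, so you don't plant a placeholder over a binary the worm has already compiled. The filenames are the ones the post gives; the directory argument exists only so it can be tried somewhere other than /tmp.

```shell
#!/bin/sh
# Added example, not from the thread. Filenames .bugtraq.c / .bugtraq are
# the ones the post describes; everything else here is an assumption.

# Classify a directory: clean | attacked (source dropped) | running (binary built).
slapper_status() {
    d=${1:-/tmp}
    if [ -x "$d/.bugtraq" ]; then
        echo running        # an executable .bugtraq means gcc already ran
    elif [ -e "$d/.bugtraq.c" ]; then
        echo attacked       # the source file is the post's indicator of an attack
    else
        echo clean
    fi
}

# Plant the mode-000 placeholder, but only on a clean box; on anything
# else leave the evidence alone and return 1 so a caller can investigate.
slapper_vaccinate() {
    d=${1:-/tmp}
    case $(slapper_status "$d") in
        clean) ;;
        *) echo "$d already holds worm files; do not overwrite them" >&2; return 1 ;;
    esac
    touch "$d/.bugtraq" && chmod 000 "$d/.bugtraq"
}

# Usage as root: slapper_status /tmp; slapper_vaccinate /tmp
```

One caveat the post leaves implicit: mode 000 only stops a process that is subject to permission bits, and root is not. The trick therefore relies on httpd, and so the worm that rides in on it, not running as root, which is also the answer to the "is this a root exploit?" question further down: the post describes it as an Apache-user compromise, nothing more.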
It's interesting to follow the development of viruses. First came the plain old viruses that used warez to spread (yes, they infected other apps too.. but warez was the major distribution channel). There were all kinds of viruses, those that played songs at certain times or made your screen do funny things, most of them harmless in many ways.
Then came the time of harmful viruses, the ones that formatted your HD on certain event.
Now then came the time of the internet, and worms came. Worms spread through different holes in machines, mostly e-mail readers. (everyone had them.. most of them had holes.. tsk tsk..)
The worms themselves evolved in many ways; some became DDOS tools, others just spread. Most of them were a pain anyways, as they affected more than the people with buggy software.
Oh well, it's a challenge to write a worm/virus that can spread without anyone noticing it before it's too late. Believe me, we have thought it over and over.. tried to think of a method to spread, one without any way of backtracking the worm, allowing the worm to spread with different methods, through different holes and allowing the creator of the worm to update copies of the worm while it's spreading. Interesting thought to play around with.
> This tends to confuse people, because RH's
> current 0.9.6b isn't vulnerable even though
> stock 0.9.6b is.
Yeah. Confusing it is. I don't see anything in the RedHat RPM indicating that it is different from stock 0.9.6b.
The only indicator is that the package release number is currently 28... 28 releases for the same package, no track of what the releases are about.
Call me a whiner, but I say it's sloppy.
--f
I don't pretend to know that solution, but surely the linux people will come up with a better way than MS does, so that they stop failing at precisely the same place MS does.
I don't know if there is a magic bullet. I mean there is no substitute for competent users that keep their system up with security patches. "This ain't your daddy's Internet no more." I think a lot of it stems from false authority syndrome, people think they know what they are doing when in reality they have no clue. This just comes from making it easier and easier to use software. When there was a barrier to entry that involved actually having computer skills, things weren't so bad overall.
Recent versions of Red Hat have a little update utility similar to Windows Update that sits in the Gnome panel, which tells you if you need to update, and they also have the Red Hat Network, which can be put on "automatic", which is supposed to push out patches (I don't trust it myself), but running up2date -u every week or two is a safe bet for staying up on patches.
So, yeah, your point is somewhat valid, but only against the most ignorant Linux zealots. MS still has major security problems; I pointed them out in a recent post to the other article about this worm, but to sum up: very slow turnaround on patches, lack of attention to security bugs they consider "minor" that can quickly escalate to "major" by combination of multiple bugs, a general lack of separation between user and administrator rights in the OS and in apps developed for Windows, the aggressive EOL cycles, patches that are so vague in nature that the administrators don't know exactly what they are patching, patches that undo other patches, and the combination of IIS into one big "superservice".
I've had enough abrasive sigs. Kittens are cute and fuzzy.
Another evil plan with a big red Self Destruct button: one of the supported remote instructions for the network is "run a command" (0x24). All you have to do is find an entry point and command it to killall -9 .bugtraq and the command will propagate through the network, killing itself. Doesn't keep it from regenerating on the original https vulnerability vector, but we could perhaps slow down the DDoS attacks.
What do you mean they cut the power? How can they cut the power, man? They're animals!
How come when there is a worm or virus on Windows it is because Microsoft is grossly negligent and has no understanding of security, yet when there is a linux worm it is because of no fault of the developers but instead the fault of the 'lazy' sys admins whose machines became infected. This is flamebait, but it would be nice to have some standards on slashdot.
A rabbit in the hand is worth 4 in the cage
By the way, who says this attack won't affect Apache on Windows, Sun, True Unix, etc?
"You looked at your network settings, you should reboot your computer now."
Friends don't help friends install M$ junk.
Someone posted a message up somewhere that their NetBSD VAX system has been serving pages from a DMZ outside their firewall for years... he keeps seeing various hacks tried on it, but everyone *expects* that it's Apache on Linux on an x86 machine. Just goes to show that while "security through obscurity" doesn't *always* work, running on old hardware just *might* have certain advantages. :-)
I didn't see this described as a root exploit. Did I miss something?