Slashdot Mirror


Linux Worm Creating "Attack Network"

RomSteady writes "In what could be a case of the free pot calling the expensive kettle black, C|Net is reporting that a new Linux worm is "creating a rogue peer-to-peer network that has been used to attack other computers with a flood of data" and has already infected at least 3,500 servers. Seems it is true...the security of your web server depends on how effective you are at keeping up to date on patches, no matter if you are running Windows or Linux."

154 of 465 comments

  1. D'uh. by dsb3 · · Score: 4, Funny

    Seems it is true...the security of your web server depends on how effective you are at keeping up to date on patches, no matter if you are running Windows or Linux."

    D'uh. Go on, mod me down if you must.

    --

    Slashdot? Oh, I just read it for the articles.
    1. Re:D'uh. by Sivar · · Score: 2, Offtopic

      D'uh.
      Agreed. But insightful?
      "Duh" +5 insightful?

      --
      Computer Science is no more about computers than astronomy is about telescopes. --E. W. Dijkstra
    2. Re:D'uh. by Em Emalb · · Score: 2

      Yes, but this is an historic day, since an editor pointed it out. I mean that without sarcasm too.

      It's common sense right? The more people use it, the more hacks and cracks will occur. I've been preaching for years, the more people see your software, the more they will mess with it. Linux is becoming very much main-stream and a viable option. The black hats are adjusting accordingly.

      --
      Sent from your iPad.
    3. Re:D'uh. by LinuxHam · · Score: 4, Funny

      That shows the last moderation. Click the message number to see all the moderations. He got 2 for Funny and 2 for Insightful. If the last moderation was "Funny", would you have said, "Duh, +5 Funny? Come on!"

      --
      Intelligent Life on Earth
    4. Re:D'uh. by Yohahn · · Score: 4, Insightful

      While the "Duh" is true, I think the relevant questions are:

      "How easily does a system lend itself to being upgraded out of the box, with no additional costs?"

      "How quickly can a patch be developed and published"

      "When I install the new patch am I going to have to accept some NEW BS license?"

      I still choose Debian GNU/linux because I believe that apt-get being as easy as it is will keep newbie Linux people upgrading regularly. This alone could have significant impact.

    5. Re:D'uh. by loply · · Score: 2

      Of course it's common sense.
      But I *REALLY* can't picture the poster saying anything that kind had it been Windows affected by this virus. I mean really - it WOULDN'T happen. Just keeping an open mind. Check the history - every Windows virus is announced with "I'm glad I'm using a secure OS link to debian.org" or something similar...

    6. Re:D'uh. by RomSteady · · Score: 3, Insightful
      Sorry, but I'm not an editor. I read the article and submitted it, and while I was submitting it, a similar article appeared on the Apache sub-section.

      I am glad that they used my submission without censorship, though.

      One person farther down says that if something like this had been reported about Windows, it would have been Bill's fault, but when something happens on Linux, it's the sysadmin's fault. Personally, I think both are the sysadmin's fault. Nine times out of ten, patches are available for software shortly after the worm is first out there. If a sysadmin keeps up on his/her patches, the likelihood of infection/damage is very low.

      Personally, I'd be very happy if /. would stop attacking Microsoft and start attacking the people who make the actual attacks. However, the likelihood of that happening is slim to nil, I'm afraid.

      --
      RomSteady - I came, I saw, I tested. GamerTag: RomSteady / http://www.romsteady.net
    7. Re:D'uh. by Jace of Fuse! · · Score: 4, Insightful

      I still choose Debian GNU/linux because I believe that apt-get being as easy as it is will keep newbie Linux people upgrading regularly. This alone could have significant impact.

      While I actually agree with you -- I don't see how that is any easier than Windows popping up a requestor saying "YOUR CRITICAL UPDATES HAVE DOWNLOADED AND ARE READY TO INSTALL."

      True, there is a good chance the new terms of usage might require you hand over your newborn, or give your soul to Billy, but the newbie doesn't care about this.

      Linux users think they can topple the Windows empire because ethically, Free Software has a more solid foundation than Microsoft. But they seem to ignore the fact that this means nothing because most users have no ethics.

      If Unix is going to shoehorn itself more so into the desktop market, it's going to have to appeal more to the laziness of the masses and spend less time touting the ethical reasons. Things like Apt-Get are major steps in the right direction, though.

      --

      "Everything you know is wrong. (And stupid.)"

      Moderation Totals: Wrong=2, Stupid=3, Total=5.
    8. Re:D'uh. by subsolar2 · · Score: 2

      While I actually agree with you -- I don't see how that is any easier than Windows popping up a requestor saying "YOUR CRITICAL UPDATES HAVE DOWNLOADED AND ARE READY TO INSTALL."

      That's what the little blue checkmark that shows on the gnomebar on RH 7.3 does. Of course there are a few issues with that:
      1. Since you're gonna be running Linux as a server you probably won't be logged into a GUI that often, if at all, so you won't see the updates.
      2. If you are running more than one system you're gonna have to have at least a basic RHN subscription. But then you also get critical update notifications so #1 is not such an issue.
      3. You can use AutoRPM to automatically check and download updates if you don't use RHN.

      So it's not much harder keeping systems updated under RH Linux than windows. The one downside is if Redhat's Server gets compromised you may end up downloading trojaned programs. That should not be an issue since up2date checks the signatures on the RPMs to make sure they are official. I don't remember if autorpm can be configured to do this.


      - subsolar

  2. visioneers by sstory · · Score: 2, Insightful

    visioneers have been making analogies between networks and other systems for years, and lately, the internet has started to feel like an ecosystem, with predators, outbreaks, and the like.

    1. Re:visioneers by 00_NOP · · Score: 3, Funny

      Not to mention bullshit.

  3. Is this talking about the SSL hole? by thekernel32 · · Score: 2, Interesting

    I read about the SSL bug the other day and fixed it on the spot. (Good 'ol apt-get). Are there other ones that we should know about? Is there a way to check and see if a machine is still being impacted? I'd hate to be running anything malicious, that's why I have a linux box. I can fix things quickly, most of the time...

    1. Re:Is this talking about the SSL hole? by alvieboy · · Score: 5, Informative

      Yes.

      Read the CERT Advisory CA-2002-27.

      It's available here

    2. Re:Is this talking about the SSL hole? by grytpype · · Score: 2

      This should have been made more clear in the CNET (and Slashdot) article! It's a known bug, and fixes have been available for some time now. The systems that are getting hit are the ones with lazy admins who don't promptly follow up on security patches.

      --

      - Have a picture

    3. Re:Is this talking about the SSL hole? by RestiffBard · · Score: 4, Funny

      slashdot needs a "true dat" moderation.

      --
      - /* dead coders leave no comments */
    4. Re:Is this talking about the SSL hole? by coupland · · Score: 5, Insightful

      The systems that are getting hit are the ones with lazy admins who don't promptly follow up on security patches.

      Why do topics like this always have to degenerate into a holier-than-thou diatribe by a self-righteous few? I'm running a vulnerable system and it isn't because I'm "lazy" as you so kindly put it. I run Linux on my *desktop* and use it to play Quake, surf the web, and share out some HTML pages for my family. I run RH7.2 (only one version behind, bub) and run Ximian Red Carpet and up2date regularly. But no, I don't read bugtraq for the sheer joy and I usually wait for RPMs to come out before I install a patch. The unfortunate downside to RPMs is that if you compile your own software the RPM database starts to choke on its biscuits. So maybe, just maybe it's not that people who don't upgrade same day aren't lazy. Maybe we just don't have as much time or interest as you to troll bugtraq or more so, troll /. acting all high and mighty because of the stinking version of OpenSSL they run.

    5. Re:Is this talking about the SSL hole? by Lemmy Caution · · Score: 2

      When the so-called "lazy admin" is a grandpa running a supposedly plug-in-and-drop system in his little store, or someone else who bought their hyperbolic nephew's line about how easy and wonderful Linux is, it really makes no sense to go about bashing them. For so many systems, the "admin" is just a regular schmoe. And attacking them for the vulnerability of their systems conveniently leaves the worm authors off the hook. Maybe we should blame geeks who got beaten up in high school for being too lazy to learn self-defense.

    6. Re:Is this talking about the SSL hole? by gimpboy · · Score: 2, Informative

      perhaps you could bring yourself down to my level. i don't hang out reading bugtraq either. however, i have subscribed to redhat's email lists so that i can get security advisories. you know, the emails that say "hey there is a big fucking hole in your security. apply these packages to fix it".

      there are several mailing lists to choose from. the redhat watch list will help you out with vulnerabilities.

      really though do you think this is self-righteous? i would say it is being responsible. i hate all of those self-righteous people in cars who use seatbelts. they just think they are all that and a bag of chips. grow up and be responsible.

      -you get an email about a vulnerability
      -drop to a console and type the following:

      $su -
      $service httpd stop

      -then upgrade when you have the time.

      really now, how hard is that?

      --
      -- john
    7. Re:Is this talking about the SSL hole? by startled · · Score: 2

      "I'm running a vulnerable system and it isn't because I'm "lazy" as you so kindly put it. I run Linux on my *desktop* and use it to play Quake, surf the web, and share out some HTML pages for my family."

      I agree with you about the attitude, but there's no reason a system used for what you're mentioning would be vulnerable. I'm horrible about updating my box, but since I have so few ports open and so few services running, no one can get to my box. Forwarding the range for the Neverwinter Nights server doesn't open up a whole lot of exploits. Well, except for all the buffer overflows I'm sure are there in their NWN server code....

    8. Re:Is this talking about the SSL hole? by Chris Hiner · · Score: 5, Informative

      The openssl tarball already has a spec file in it. So just:
      1) Download openssl-0.9.6g.tar.gz from a mirror.
      2) rpm -tb openssl-0.9.6g.tar.gz
      3) rpm -Uvh /usr/src/redhat/RPMS/i386/openssl*
      Even easier.

    9. Re:Is this talking about the SSL hole? by maw · · Score: 2, Interesting
      I run RH7.2 (only one version behind, bub) and run Ximian Red Carpet and up2date regularly.

      Red Hat 7.2 is still supported - had you applied the updates to fix these problems, which were available through Red Carpet in late July or early August, you wouldn't have anything to worry about.

      As for self-compiled software conflicting with stock RPMs - not necessarily so. I used that excuse myself for a long time, but recently decided it was time to learn how to build my own RPMs, to get the benefit of package management along with the benefit of a customised system. It's a shame that more people don't realise that they can do this - it isn't very hard to learn to do, and it's well worth the effort invested.

      --
      You're a suburbanite.
    10. Re:Is this talking about the SSL hole? by tarth · · Score: 2, Funny

      It also needs a 'My Head Just Exploded from the Stupidity' option.

      Unfortunately most of my posts would get this moderation.

    11. Re:Is this talking about the SSL hole? by coupland · · Score: 2

      You are missing my point. I run RH7.2 and check up2date and Ximian Red Carpet daily. Were there a patch for my system I would have run it a LONG time ago, but there isn't. I shy away from installing from tarballs as it fucks up the RPM database. I have since thrown caution to the wind (heh, a bit contradictory) and installed from tarball regardless. But my point is still valid: if Ximian and RedHat release no RPMs for my platform when I'm only a single revision behind, who's really the lazy one?

    12. Re:Is this talking about the SSL hole? by gimpboy · · Score: 2

      i don't use ssl, so i don't know about the ssl patch. there was a patch released for openssl packages on aug 6th. i doubt this fixes the current problem. if you are running an ecommerce site, or anything else that you want to keep secure, you should be ready to compile things from source or be willing to shut down the service until a fix is available.

      if you think your system is vulnerable, then you have to choose between shutting down the service or running the risk of having your data compromised. i normally shut the service down when i get a notification of a vulnerability. i leave the service off until my mirror of updates refreshes. that is nightly.

      this is not an elitist view, nor do i think i am being holier than thou. i think this is the responsible thing to do.

      --
      -- john
    13. Re:Is this talking about the SSL hole? by jc42 · · Score: 2

      In any case, something that I still don't see answered is: Am I vulnerable if my apache isn't using ssl?

      Now, ssl is probably useful (if not mandatory) for most commercial web sites. But for a small site that's just making a few files available via http, is there any reason to upgrade something that you are probably not using? And if my server is using ssl without my knowledge, how would I know?

      I find no answer to this, only dire warnings and insults to everyone who doesn't upgrade instantly. So am I being conned here?

      --
      Those who do study history are doomed to stand helplessly by while everyone else repeats it.
    14. Re:Is this talking about the SSL hole? by startled · · Score: 2

      You misunderstood what I said. I don't patch my system all the time, because I don't need to-- I don't open unnecessary ports, and I don't run unnecessary programs. Currently, the only thing my box runs is a NWN server. So I just need to watch for security updates to the NWN server.

      Of course, after I posted this, I realized he did mention using his box to serve up a few pages for his family. I missed that the first time around, which is why I was puzzled his box was vulnerable. If I were running SSL, then unfortunately, I'd have to check two pages frequently for updates, instead of just one. :)

    15. Re:Is this talking about the SSL hole? by Travoltus · · Score: 2

      I disagree.

      You see, this problem is far more widespread than just the issue of vulnerable web servers.

      Too many people drive on our roads in cars they know too little about. They don't even install LoJack or engine kill switches on these things. Heck, they rely on JIFFY LUBE to change their oil!

      Some people know as much about their web server as others know about their cars - that is, not much.

      When a smart and clever hacker succumbs to the understandable urge to break into your machine and cause mischief, I feel it is the fault of the admin. This is no different than when the law holds the original car owner to be at fault when the owner does not install LoJack or an engine kill switch, a thief breaks in, steals the vehicle, and causes destruction, injury and death with that car.

      Oh waitaminute... ...this just in... ...I just found out that the law now holds the THIEF to be responsible for all that damage, and not the owner.

      Nevermind! Forget everything I said above! :)

      --
      --- Grow a pair, liberals... stop letting the Republicans bully you!
    16. Re:Is this talking about the SSL hole? by JimPooley · · Score: 2
      -you get an email about a vulnerability
      -drop to a console and type the following:

      $su -
      $service httpd stop

      -then upgrade when you have the time.

      really now, how hard is that?
      And in the meantime, what do I do when our customers start screaming at us that they're unable to update their datafile or use their service with on-line data delivery, hmmm?

      Idiot!
      --

      "Information wants to be paid"
  4. Expect more of this... by charnov · · Score: 2, Insightful

    Unfortunately as more IIS admins move into the "cheap" linux arena, their bad habits will come with them (not that there aren't linux admins with bad security habits, too). We are going to see more and more of this as linux becomes the norm. My shop is looking at using embedded or firmware based linux (or single system images in the clusters) to combat any modifications. It will be interesting on monday to see how much our honeypot-tarpit has caught.

    --
    [RIAA] says its concern is artists. That's true, in just the sense that a cattle rancher is concerned about its cattle.
    1. Re:Expect more of this... by BinBoy · · Score: 2, Funny

      Now that's some spin!

    2. Re:Expect more of this... by N3WBI3 · · Score: 2, Insightful
      Sorry but it is true. You can get an MCSE with the purchase of most boxes of Captain Crunch. Now I will say a good Windows sysadmin is as good as a good Unix sysadmin, the thing is a poor Unix sysadmin won't last in the field.

      I replaced a moron with an MCSE (I have no certs) because he could not do anything (and I do mean anything) right. He got the job because he had an MCSE, he lost the job because he was a nitwit, but sure enough within a week he had another sysadmin job.

      The problem is that managers think an MCSE means something! The interview standards are much harder on a *nix person because you really have to know what you're doing to make a *nix network usable by everyone, and in the process you know how to make it secure. You can set up a usable MS network out of the box (even if you know little) but it's not secure.

      --
    3. Re:Expect more of this... by sg_oneill · · Score: 2

      Sorry but it is true. You can get an MCSE with the purchase of most boxes of Captain Crunch. Now I will say a good Windows sysadmin is as good as a good Unix sysadmin, the thing is a poor Unix sysadmin won't last in the field.

      Hmm... Dunno. I looked at the MCSE requirements, and it seemed pretty hard to me. Not my style of computing perhaps. Gimme critical thinking & a fat mathematical horror algorithm over remembering ten billion dialogue boxes any day. But for what it's worth, while a lot of the MCSE guys are indeed as tarded as the rep suggests, you occasionally get the good uni-educated thinker that makes the horror that is NT much more bearable.

      Now linux on the other hand.. Yeeeahhhh.

      --
      Excuse the Unicode crap in my posts. That's an apostrophe, and slashdot is busted.
  5. Well Duh! by libertynews · · Score: 5, Insightful

    Anyone who thinks that solely because they run open source they are immune to attack is an idiot. Look at how wide open a default RedHat 6.2 install is.

    This new attack is easily avoided by upgrading your OpenSSL version to 0.9.6e, and this should have been done by now. The hole has been known and example exploit available for a while now, as anyone who follows the bugtraq list would know.

    Security is an ongoing process. You have to stay on top of it if you run machines that are not turned off and locked in a basement. There is just no way around the fact that there will always be bugs in software, and these days that commonly means security holes as well.

    --
    Remember Lexington Green!
    1. Re:Well Duh! by libertynews · · Score: 2

      And FYI, it communicates with its brethren on UDP port 2002, and leaves itself running as a program called 'bugtraq' with its source in /tmp/.bugtraq

      Or at least the version of it recently discussed on bugtraq had this behavior.

      --
      Remember Lexington Green!
    2. Re:Well Duh! by FlyGirl · · Score: 2, Interesting

      Correct... And someone elsewhere posted a REAL simple "vaccination" until you can upgrade your server/ssl. Since it gets in through apache and creates a "/tmp/.bugtraq.c" that it then uses gcc to compile, just execute the following commands as root:

      #touch /tmp/.bugtraq
      #chmod 000 /tmp/.bugtraq

      That should make it impossible for it to create the executable -- and the presence of the .c will show you if it has attacked your system.

      (Note: This is a preventive measure for this specific worm. All someone would have to do is change the filenames that it uses to get around this, so fix it properly asap)

    3. Re:Well Duh! by libertynews · · Score: 2

      Hey dipshit! I get scanned daily by RH 6.2 boxes looking for rpc holes to exploit. The systems are still out there, whether or not you or I know better than to run them.

      Also, you need to learn to read before posting. I didn't give any indication that I was running RH 6.2, did I? It was an example of how Linux distributions can be as susceptible to worms/exploits/etc. as any other computer system.

      --
      Remember Lexington Green!
  6. The Difference.... by the eric conspiracy · · Score: 5, Insightful

    Seems it is true...the security of your web server depends on how effective you are at keeping up to date on patches, no matter if you are running Windows or Linux.

    I'd agree with that statement - the difference being that with the Windows patch you may need to restart your server (bad), and you may have to swallow a new EULA (could be VERY bad).

    1. Re:The Difference.... by Enonu · · Score: 2

      That's some poor logic. Neither Windows nor Linux implies anything about bouncing the server or the EULA that comes with it.

      Example:

      Please apply the attached patch to /usr/local/bin/webserver and restart it.

      Second, you must now send your second born within a week or suffer a "rm -rf /" as dictated by the new EULA.

    2. Re:The Difference.... by the eric conspiracy · · Score: 2

      That's some poor logic. Windows nor Linux implies anything bouncing the server or the EULA that comes with it.

      Empirical evidence and actual fact show otherwise.

      On a Linux box the ONLY reason you ever need to bounce the server for software maintenance is a kernel upgrade. I have never had to bounce a production Linux server to fix a security problem.

      As far as EULA changes, I have NEVER seen a patch from a Linux or GNU project that has required you to accept a EULA, let alone a EULA change, while I routinely see it with MS products.

      More fundamentally, without source code you are forced to accept your patch and the EULA that comes with it. With source code you are free to fix the offending program yourself if you object to a EULA change.

      As far as bouncing the server, Microsoft embeds http services in the kernel. If they patch their http services, it means bouncing the entire server. This is not the case in a Linux environment. In addition, in the Linux environment it is much easier to keep the old software version around in case the patch has problems.

  7. Re:No, one worm can't rival Microsoft's history. by Astrorunner · · Score: 2

    Or you stand up and say neither are acceptable choices.

  8. Attack filter list by inkfox · · Score: 4, Interesting

    You can get a current list of the top C networks which are participating in attacks of various sorts from dshield.org. Depending on your application, it may be advantageous to just add a cron job which grabs this and feeds it to your firewall rules, hosts.deny or access control lists.

    --
    Says the RIAA: When you EQ, you're stealing bass!
    1. Re:Attack filter list by theCoder · · Score: 2

      Or you could patch your HTTPS server. Or, if you're not using HTTPS, you could turn it off and/or block port 443. Wouldn't either of those be easier?

      --
      "Save the whales, feed the hungry, free the mallocs" -- author unknown
  9. complexity breeds insecurity by Dr. Awktagon · · Score: 2

    Today's software is too complex to be comprehended by the human mind in all its permutation of states. Add in network effects when this software runs alongside other software, and on multiple machines, and the following conversation will always be accurate:

    Question: Does software package XYZ contain show-stopping security holes?

    Answer: Yes.

    Throw in clueless admins, and you've got a big barrel of fun. Open source can't help you here.

    This doesn't mean that open-source software isn't better for other reasons, but I've always shied away from saying open-source is more secure because I don't believe any piece of software is truly secure these days. So what if IIS has ten root holes and Apache has one (hypothetically)? You're still insecure.

    Anyway, why are they calling it a P2P attack network? Aren't ALL worms peer-to-peer??? I don't remember Code Red checking in to an "attack server" before connecting to other IP addresses.

  10. Re:Not everyone is a Linux expert by semaj · · Score: 5, Informative

    Is there a quick, easy way to find out if OpenSSL is even installed on my system?

    Do "telnet your.www.host 80" then type "HEAD / HTTP/1.0" and hit enter. Take a look at the "Server:" line, it'll tell you if OpenSSL is installed and enabled. If it is, and the version is less than 0.9.6e, you should upgrade.

    --
    Meep meep
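The check semaj describes, as an added example that is not part of the post: it parses the OpenSSL token that mod_ssl appends to Apache's Server header and compares it against the 0.9.6e release named in the thread, ordering the letter suffix correctly (0.9.6 < 0.9.6a < ... < 0.9.6e < 0.9.7). The sample Server values are constructed, and fetch_server_header is an assumed helper that sends the post's HEAD request over a plain socket.

```python
import re
import socket

# Release the thread names as the fixed one.
FIXED_OPENSSL = "0.9.6e"

# mod_ssl appends "mod_ssl/x.y.z OpenSSL/a.b.c[letter]" to Apache's Server
# tokens, so the OpenSSL version shows up on port 80 even for plain HTTP.
OPENSSL_TOKEN = re.compile(r"OpenSSL/(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(text):
    """Return (major, minor, patch, letter) from a Server value, or None.

    The letter suffix stays a string: "" sorts before "a", so a plain tuple
    comparison orders 0.9.6 < 0.9.6a < ... < 0.9.6e < 0.9.7 correctly.
    """
    m = OPENSSL_TOKEN.search(text)
    if m is None:
        return None
    major, minor, patch, letter = m.groups()
    return (int(major), int(minor), int(patch), letter)


def needs_upgrade(server_header, fixed=FIXED_OPENSSL):
    """True if the header advertises OpenSSL older than `fixed`,
    False if it is at or past it, None if no OpenSSL token is present."""
    found = parse_openssl_version(server_header)
    if found is None:
        return None
    return found < parse_openssl_version("OpenSSL/" + fixed)


def fetch_server_header(host, port=80, timeout=5.0):
    """Assumed helper: send the HEAD request from the post over a plain
    socket and return the Server header value, or None if there is none."""
    request = "HEAD / HTTP/1.0\r\nHost: %s\r\n\r\n" % host
    data = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request.encode("ascii"))
        while b"\r\n\r\n" not in data:
            chunk = sock.recv(4096)
            if not chunk:
                break
            data += chunk
    for line in data.decode("latin-1").split("\r\n"):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip()
    return None


VERDICTS = {True: "upgrade", False: "ok", None: "no OpenSSL token advertised"}


def triage(headers):
    """Map each Server header value to a verdict string."""
    return [(h, VERDICTS[needs_upgrade(h)]) for h in headers]


# Constructed sample Server values (not captured from any real host).
SAMPLE_HEADERS = [
    "Apache/1.3.20 (Unix) (Red-Hat/Linux) mod_ssl/2.8.4 OpenSSL/0.9.6b",
    "Apache/1.3.26 (Unix) mod_ssl/2.8.10 OpenSSL/0.9.6g",
    "Apache/2.0.40 (Unix) mod_ssl/2.0.40 OpenSSL/0.9.7",
    "Apache/1.3.20 (Unix)",
]

if __name__ == "__main__":
    for header, verdict in triage(SAMPLE_HEADERS):
        print("%-66s %s" % (header, verdict))
```

A header with no OpenSSL token proves nothing, since ServerTokens may be trimmed, and a distribution backport (the "-60" question elsewhere in the thread) can fix the bug while keeping the old version string, so treat the verdict as a triage hint rather than proof.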
  11. Stoner's lament by Scrameustache · · Score: 4, Funny

    Don't say "free pot" if you don't mean it!

    : (

    --

    You can't take the sky from me...

    1. Re:Stoner's lament by cscx · · Score: 2

      Don't tell me Ellen Feiss has a slashdot account...

  12. Umm... by powerlinekid · · Score: 2

    First of all this is kind of a repeat but anyway...
    NOTE: These instructions are for all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

    1. Update the virus definitions.
    2. Run a full system scan, and delete all files that are detected as Linux.Slapper.Worm.


    I wasn't aware there was a Norton anti-virus program for Linux. I could be wrong but I checked around their site and Google and found nothing. That's really not great removal tips. However I very much agree with their little 8 step or whatever program. About making people aware of attachments, running extra services, etc.

    --

    can't sleep slashdot will eat me
  13. How can ya tell? What do you do? by rosewood · · Score: 2

    How can you tell if your box has been hit with this?

    If yes, how do you clean it up?

  14. It's not just patches by Apreche · · Score: 2

    Keeping up on patches is one thing. A very important thing. More important however is correctly configuring everything. Microsoft has a handy program called baseline that is free and automatically checks out your windows system for mis-configurations that cause security holes. For example having guest accounts or mis-configured sharing on certain folders.
    I know a lot of you people like to bash windows as being insecure or unstable. But I can't tell you how many times people have come to me and showed me problems with windows boxen that were simply misconfigurations. My win2k box (that I'm using right now) might be old and slow, but it's a rock. Configuration is key. Especially all the hidden options in deep down dialog boxes.

    Nothing, not even the best linux, is secure out of the box.

    --
    The GeekNights podcast is going strong. Listen!
  15. The real question. by 13Echo · · Score: 2

    I might be a Linux advocate, but this is the real question... Does it affect Apache for Windows and other platforms? Perhaps the media is immediately associating Apache with Linux- something that it is not really even part of.

    I would suspect that the worm would possibly affect the ports too. Does anyone have any info on that?

    1. Re:The real question. by actiondan · · Score: 2

      The advisory mentions that the worm compiles code on the infected machine. Since the executable will need to be a Linux one, I would guess that the worm can only infect linux machines.

    2. Re:The real question. by jonadab · · Score: 2

      > I might be a Linux advocate,

      Hello. I'm a cross-platform advocate. Now that we've got _that_
      settled...

      > but this is the real question... Does it affect Apache for
      > Windows and other platforms? Perhaps the media is immediately
      > associating Apache with Linux- something that it is not really
      > even part of.

      The slapper worm appears to specifically look for Linux systems
      running Apache, or so the article seems to indicate, but the
      vulnerability (which was covered on /. a while back IIRC) is in
      OpenSSL, if I understand correctly. So it does affect other
      systems than just Linux, but not most Windows systems. (With
      Cygwin, it is possible to run an OpenSSL server on Windows, but
      that's another can of worms.)

      > I would suspect that the worm would possibly affect the ports
      > too. Does anyone have any info on that?

      Whether Slapper does or (more likely) doesn't, the vulnerability
      that makes the worm _possible_ is an issue for any system that
      uses OpenSSL. Therefore, if you use OpenSSL on a system that
      has secure ports open to the internet, you should either patch
      it or upgrade it. Known vulnerabilities should be fixed, whether
      or not there's an exploit in the wild. That's basic security
      practice, right up there with turning off unused services.

      Didn't Apple release a security update for 10.1.5 that fixes
      the OpenSSL issue? Or was that the OpenSSH issue? Or was it
      the same issue? I'm confused now...

      --
      Cut that out, or I will ship you to Norilsk in a box.
    3. Re:The real question. by grytpype · · Score: 2

      I was thinking the same thing. It made me wonder whether my chroot jail (in which my thttpd server runs) has gcc or any other unnecessary binaries... so I went in with aptitude and deleted a few things that didn't need to be in there. I think that would be a good exercise for any web admin. That is, your web server does not have to run in an environment where there are lots of extraneous goodies for black hats to wield against you.

      --

      - Have a picture

  16. udp network by Tom · · Score: 2

    so it's allegedly talking on UDP port 2002 with the other nodes.

    so you do, of course, have a firewall that blocks everything but the few ports you need.

    you don't? what the fuck are you doing on the 'net?
    careless driving is illegal. careless server administration should probably be, too.

    --
    Assorted stuff I do sometimes: Lemuria.org
    1. Re:udp network by King_TJ · · Score: 2

      Umm... doesn't this depend on how the communication is initiated? EG. My firewall prevents me from hosting UT games, unless I open up specific ports for it - but I can play UT over the net with anyone without opening up anything special.

      If the worm talks on UDP port 2002 only after doing some sort of initial setup through a commonly open port (like port 80), wouldn't that be possible with most people's firewall config?

  17. Re:Why is this topic here again? by SuiteSisterMary · · Score: 4, Interesting

    Much like those of us who understand that there are no insecure systems, only insecure sysadmins had our Win2K boxes patched against Code Red a full MONTH before it hit the wild?

    If anything, Linux makes a lot of people too damn complacent. "Oh, I'm running Linux, don't need to worry about all those Windoze viruses and script kiddies!"

    --
    Vintage computer games and RPG books available. Email me if you're interested.
  18. Did some one say..... by Anonymous Coward · · Score: 2, Funny

    Free Pot!!!??

  19. Distributions, sub-version #'s, & straight ans by AgTiger · · Score: 2

    The SecurityResponse article mentions that for SuSE distributions, the following are affected:

    Apache 1.3.12, 1.3.17, 1.3.19, 1.3.20, 1.3.23

    I just checked my version of Apache for SuSE 7.3, and it's 1.3.20-60.

    I know that distributions tend to release their own versions of things with important patches included, but other than digging into the release notes for apache for a while till I can find the answer I need, is there any way to know whether the "-60" addresses this problem?

    Or, as another option, might there be anything that accurately TESTS for this weakness and provides a result?

    Keeping up with patches is good! Being able to accurately TEST the security of the compromised code after those patches are applied is better.

  20. Further Info by cr@ckwhore · · Score: 5, Informative

    The worm exploits OpenSSL via http port 80. The exploit writes C source files to /tmp, I believe the program is named bugtraq.c. Then, the exploit compiles the program into a hidden binary /tmp/.bugtraq which is executed.

    Once the program is running, it accepts commands on UDP port 2002.

    Simple solution, so your bandwidth won't be exploited for a DDoS, block UDP port 2002.

    The worm can be used for multiple purposes, including execution of arbitrary commands on your machine, various flood attacks, etc.

    You need to patch your machine, before a more dangerous worm comes along. If you can't patch right away, at least block UDP port 2002.

    Additionally, your /tmp (if located on a separate partition) should be mounted noexec.

    --
    Skiers and Riders -- http://www.snowjournal.com
    1. Re:Further Info by JamieF · · Score: 2

      Simpler solution: don't install a C compiler on your public-facing production servers. It makes it a lot harder to build a rootkit or other such post-shellcode payload on the target machine.

      This may not be reasonable for all servers (and my guess is, most folks running a Linux box aren't going to buy a second one to build stuff on just so that the first one can be stripped down) but it's worth mentioning anyway.

  21. Worms, viruses and intelligence. by ressu · · Score: 2, Interesting

    it's interesting to follow the development of viruses. First came the plain old viruses that used warez to spread (yes, they infected other apps too.. but warez was the major distribution channel) there were all kinds of viruses, those that played songs at certain times or made your screen do funny things, most of them harmless in many ways.

    Then came the time of harmful viruses, the ones that formatted your HD on certain event.

    Then came the time of the internet, and worms came. Worms spread through different holes in machines, mostly e-mail readers. (everyone had them.. most of them had holes.. tsk tsk..)

    The worms themselves evolved in many ways, some became DDoS tools, others just spread. Most of them were a pain anyway, as they affected more than the people with buggy software.

    Oh well, it's a challenge to write a worm/virus that can spread without anyone noticing it before it's too late. Believe me, we have thought it over and over.. tried to think of a method to spread, one without any way of backtracking the worm, allowing the worm to spread with different methods, through different holes and allowing the creator of the worm to update copies of the worm while it's spreading. Interesting thought to play around with.

  22. Re:Distributions, sub-version #'s, & straight by autocracy · · Score: 2, Informative
    You're running a version of Apache that has had a known hole for months now. 1.3.26 is the version you should be up to right now. The -60 afterwards is just a packaging number in case they release a different build of that software (there were 59 other ones built by them before they got to one they liked). To test vulnerability, go get the exploit (almost always a proof-of-concept exists) and attack yourself with it. Be sure to check your SSL version if you're running SSL on there as well.

    And yes, keeping up with patches is good. You should try to practice it. Also, subscribe to BugTraq.

    --
    SIG: HUP
  23. Is Linux now a POS? by Oliver+Defacszio · · Score: 5, Insightful
    Should we immediately start referring to Linux (et al) as an easy touch for these worms? This is now two serious vulnerabilities in the last three days. Sure, there are fixes available, but there are also fixes quickly available for similar Windows holes and, yet, when "sysadmins" don't apply them, everyone blames Microsoft. So, that means Linux sucks too, right?

    Let's face some facts, there are probably more "forgotten" Linux servers than Windows ones, simply because Linux can run unattended for months at a time and Windows cannot. Making the reasonable assumption that a sizable number of these neglected machines will not be fixed, suddenly Linux and OSS looks no better than the Windows machines that are still infected with Nimda or something similar because no one has been bothered to apply patches.

    I await your wrath for being reasonable.

    --

    -
    Inventor of the term 'pardon my French'.
    1. Re:Is Linux now a POS? by shepd · · Score: 5, Insightful

      >So, that means Linux sucks too, right?

      No, Linus didn't make Apache or the OpenSSL library (the real problem).

      If anyone deserves the blame for this, it's the OpenSSL team themselves (and I would hedge a bet more of them work for BSD rather than Linux, just by the license). They caused the vulnerability. One would think that a team of programmers who are trying to create a set of high-security tools wouldn't _ever_ have a buffer overflow. That's the kind of mistake a green programmer like myself would make.

      The fact is people blame Microsoft for Nimda because Microsoft made the vulnerable IIS webserver. Blame went where blame was due.

      So, anyways, blame the right people. Microsoft for IIS, OpenSSL team for OpenSSL.

      --
      If you could be told what you can see or read, then it follows that you could be told what to say or think - BoC
    2. Re:Is Linux now a POS? by JFMulder · · Score: 2

      I don't agree with the part that says the Windows machines can't run a few months without attendance, since I once ran my WinXP professional box where I do development and play games for a month.

      I had to reboot once because I wanted to install the new Detonators, but it was rock stable and it obviously didn't leak any memory or resources since it would be slow after a month of use if it did.

      Even though you could say that I wouldn't have to reboot under Linux to make the change, keep in mind that you rarely need to upgrade the video on your server and most drivers can be installed under XP without a reboot. (this bit added to avoid linux zealots)

    3. Re:Is Linux now a POS? by jon_c · · Score: 2

      You say that now, but when people talk about the merits of 'Linux', you'll talk about apache and openssh like it was all the same thing.

      -Jon

      --
      this is my sig.
    4. Re:Is Linux now a POS? by shepd · · Score: 2

      >You say that now, but when people talk about the merits of 'Linux', you'll talk about apache and openssh like it was all the same thing.

      Maybe so, it depends on the context. Either way, when you are applying praise, it's customary to use a broad brush. You don't damage the reputation of people or software with misplaced praise.

      However, when you are going to complain about someone or something, you don't want to tar the uninvolved with a broad brush.

      It's all really just a matter of courtesy. I once said MS-DOS wasn't so bad once Norton Utilities was released, even though they're only somewhat related, too.

      --
      If you could be told what you can see or read, then it follows that you could be told what to say or think - BoC
    5. Re:Is Linux now a POS? by NonSequor · · Score: 3, Insightful
      > One would think that a team of programmers who are trying to create a set of high-security tools wouldn't _ever_ have a buffer overflow.

      It seems to me that it has been thoroughly proven that programmers are incapable of handling memory management on their own. The number of problems that buffer overflows, memory leaks, and other such problems have caused is staggering. I don't care how great you think you are, you shouldn't be doing your own memory management. Given enough time you'll fuck something up.

      --
      My only political goal is to see to it that no political party achieves its goals.
    6. Re:Is Linux now a POS? by Some+Dumbass... · · Score: 2

      > Should we immediately start referring to Linux (et al) as an easy touch for these worms? This is now two serious vulnerabilities in the last three days. Sure, there are fixes available, but there are also fixes quickly available for similar Windows holes and, yet, when "sysadmins" don't apply them, everyone blames Microsoft. So, that means Linux sucks too, right?

      First of all, this is the same worm as a few days ago. It's called Linux.Slapper.Worm.

      Second, OpenSSL release 0.9.6e fixed this problem. It was released on July 30th. People should have already upgraded to fix the .htaccess vulnerability that was reported at that time and which was also fixed by 0.9.6e. This means that the only people who are hit by this worm are ones who didn't bother to protect their servers from the .htaccess bug more than a month ago.

    7. Re:Is Linux now a POS? by nathanh · · Score: 2
      > Should we immediately start referring to Linux (et al) as an easy touch for these worms? This is now two serious vulnerabilities in the last three days.

      This is an Apache exploit, not a Linux exploit.

      Apache ships with Solaris, Oracle, MacOS X, J2EE systems, etc.

      Blaming Linux for an Apache exploit is as sensible as blaming Windows for a ColdFusion exploit, or blaming Solaris for an Oracle exploit. In other words, not sensible at all.

    8. Re:Is Linux now a POS? by Doc+Hopper · · Score: 2

      Although you are factually correct, you unintentionally mislead users by the fact you omit. This is an Apache exploit which only occurs on GNU/Linux x86 systems. The code, IIRC, just doesn't compile anywhere else. If the one devising the exploit was a more competent programmer, it could have been a cross-platform Apache exploit, but the reality is that right now, you have to be running a specific GNU/Linux-Apache-mod_ssl setup in order to be infected. In that sense, then, it's a "Linux worm", because no other platforms will get nailed by it.

      Caveat: Attach "at the moment" to the end of that last sentence. I fully expect someone to grab the source and modify it to run cross-platform within a few weeks.

    9. Re:Is Linux now a POS? by TheAwfulTruth · · Score: 2

      Gee, maybe we shouldn't be allowed to drive cars either?

      Or MAYBE we shouldn't be allowed to post in an open forum. Given enough time, you're sure to say something stupid!

      --
      Contrary to popular belief, coding is not all free blow-jobs and beer. Those things cost MONEY!
  24. Re:Where are the RHN Updates ? by Todd+Knarr · · Score: 2

    RedHat fixed this and released the OpenSSL RPMs back at the end of July. However, you won't see a version-number change in OpenSSL because of the fix. RH took the fix, ported it to the 0.9.6b codebase they use for their package and released it as an 0.9.6b update RPM. This tends to confuse people, because RH's current 0.9.6b isn't vulnerable even though stock 0.9.6b is.

  25. That happened to me, too, but with wu-ftpd by StupidKatz · · Score: 2, Informative

    Was overseas for several months, and no less than two weeks after I'd arrived at my home away from home, bugtraq had postings related to the wu-ftpd remote root vuln. Since I was on an insecure network (they were blocking port 22), I had to have a friend back home block the port on the router since he didn't know the root password on the ftp server.

    However, pureftpd works great! ;)

    Seems to me that the really nasty vulns lie in wait while you get yourself into the worst situation possible for handling it. :P

  26. Re:actual apache log lines by tubabeat · · Score: 5, Informative

    The CERT Advisory has information on what to look for in your logs.

    --
    "Linux is a serious competitor"
    - Steve Ballmer, Chief Executive Microsoft Corp.
  27. Re:No, one worm can't rival Microsoft's history. by manyoso · · Score: 2

    True. But if there are _no_ boats without holes and to make the analogy correct, no boat can be guaranteed to be bulletproof, then you accept the safest boat. Remember the Titanic was supposedly indestructible.

  28. Re:visioneers?! by david+duncan+scott · · Score: 2

    Yeah, but if you join the Visioneers there's a cool decoder ring and a shoulder patch!

    --

    This next song is very sad. Please clap along. -- Robin Zander

  29. Re:zealots in a panic now? by deft · · Score: 2

    so your solution is exactly what other os's would do.

    i said a better solution. that means more people patching somehow.

    i dont pretend to know that solution, but surely the linux people will come up with a better way than ms does, so that they stop failing at precisely the same place ms does.

    --

    There's nothing Intelligent about Intelligent Design.
  30. Re:Distributions, sub-version #'s, & straight by GigsVT · · Score: 5, Insightful

    You are full of shit. Distros roll patches and bugfixes back into the stable and tested version, and release a new -subversion. Try using a modern distro sometime. I can't believe you flamed that guy, out of your own ignorance.

    openssl-0.9.6b-28 is the current red hat version, and it is fully fixed.

    It even shows the old version if you run openssl version:
    OpenSSL 0.9.6b [engine] 9 Jul 2001

    It is, however completely patched, and came out in early August.

    Modern distros value stability in current releases, and will not upgrade to the latest version just to get a bugfix. This is the value they add, you don't have to worry about a security patch breaking some critical functionality. /me puts the cluestick back in its holster.

    --
    I've had enough abrasive sigs. Kittens are cute and fuzzy.
  31. Re:How can ya tell? What do you do? by estes_grover · · Score: 2, Insightful

    This is *not* personal...but..."you should never have to ask that question" nicely sums up the problem with Linux.

  32. Re: My biggest Linux web server headache is MS! by King_TJ · · Score: 2

    I know you're just trying to troll here.... But just for the record, my biggest concern/headache/worry with my own Apache server running on Linux is the Microsoft code I have to run on it.

    I need the FrontPage server extensions on it, and MS did a notoriously poor job of development on those for Unix. A perfectly secure Apache server can be rendered "full of security holes" by using their add-in.

    In fact, I've found at least two different independent projects to rewrite the mod_frontpage module to make it more secure. One such project's results seem to have problems of their own. (I saw bugtraq reports of it having a buffer overflow exploit in it - and it looks like its author never bothered to work on the project again since that time.) The other (newer) project on Sourceforge looks more promising - but I was unable to get it working properly on my particular RedHat 7.3 server.

    I'm not a "zealot" proclaiming Linux is inherently "better" than anything Microsoft has done or will do. IMHO, Linux certainly doesn't have the workstation desktop solution of choice yet. On the other hand, Microsoft's track record speaks volumes about their ability to provide secure server products. They can't! When you hear about the latest worm or virus attacking Windows, you say "Oh boy, here we go again!" When it happens for Linux, it's big news. There's a reason for that....

  33. Actually what I am afraid of is this--- by einhverfr · · Score: 3, Insightful

    This virus made several fatal errors in its execution--
    1: It did not delete its source code file on execution.
    2: It did not hide its binary very well.

    If the worm did these things it would have been MUCH harder to detect and deal with. As it is my servers are secure (no SSL for now, and I have the latest version of OpenSSL for when I want to re-implement it), but I would have been worried to some extent if I could not have actually looked for bugtraq.c in the /tmp directory.

    Many trojans I am aware of do these things, though.

    --

    LedgerSMB: Open source Accounting/ERP
  34. Dammit! by flacco · · Score: 2

    Guess I'll have to migrate AGAIN, back to IIS!

    --
    pr0n - keeping monitor glass spotless since 1981.
  35. Re:Hmm... by actiondan · · Score: 2

    > I seem to remember code red running around for a good 2 weeks after I heard about it before anything was able to be done about it.

    I think you must remember wrongly.

    The Cert advisory for the exploit that let Code Red in was published in June. It references the update that will fix the vulnerability, also published in June.

    The Code Red advisory didn't come out until a month later, in July.

    Unless CERT were unusually slow in publishing their advisory on Code Red, your version of events seems strange. I can also remember IIS admins that had installed the patch having little sympathy for admins hit by Code Red.

    Criticise MS where they get things wrong by all means, but please make sure the facts are right or posts like yours are just as much FUD as Bill saying that the GPL is viral.

  36. Re:Where are the RHN Updates ? by frx · · Score: 2, Interesting

    > This tends to confuse people, because RH's
    > current 0.9.6b isn't vulnerable even though
    > stock 0.9.6b is.

    Yeah. Confusing it is. I don't see anything in the RedHat RPM indicating that it is different from stock 0.9.6b.
    The only indicator is that the package release number is currently 28... 28 releases for the same package, no track of what the releases are about.
    Call me a whiner, but I say it's sloppy.

    --
    --f
  37. Re:zealots in a panic now? by GigsVT · · Score: 2, Interesting

    > i dont pretend to know that solution, but surely the linux people will come up with a better way than ms does, so that they stop failing at precisely the same place ms does.

    I don't know if there is a magic bullet. I mean there is no substitute for competent users that keep their system up with security patches. "This ain't your daddy's Internet no more." I think a lot of it stems from false authority syndrome, people think they know what they are doing when in reality they have no clue. This just comes from making it easier and easier to use software. When there was a barrier to entry that involved actually having computer skills, things weren't so bad overall.

    Recent versions of red hat have a little update utility similar to windows update that sits in the Gnome panel, which tells you if you need to update, and they also have the Red Hat Network, which can be put on "automatic", which is supposed to push out patches (I don't trust it myself), but running up2date -u every week or two is a safe bet for staying up on patches.

    So, yeah, your point is somewhat valid, but only against the most ignorant Linux zealots. MS still has major security problems,

    I pointed them out in a recent post to the other article about this worm, but to sum up, very slow turnaround on patches, lack of attention to security bugs they consider "minor" that can quickly escalate to "major" by combination of multiple bugs, a general lack of separation between user and administrator rights in the OS and in apps developed for windows, the aggressive EOL cycles, patches that are vague in nature so much that the administrators don't know exactly what they are patching, patches that undo other patches, and the combination of IIS into one big "superservice".

    --
    I've had enough abrasive sigs. Kittens are cute and fuzzy.
  38. Re:Why is this topic here again? by actiondan · · Score: 3, Insightful

    Surely it is newsworthy when a vulnerability is actually exploited 'in the wild' like this, even if only to remind people about the importance of patching.

    Are you suggesting that Code Red should not have been reported on Slashdot, as the patch was out a month before the infections took place? Or is it only Linux exploits that should be blacked out once a patch is available?

    I don't think anyone is blaming the programmers - the story seemed pretty clear that it is admins that fail to patch that are at fault here.

  39. X86 by b1t+r0t · · Score: 2
    I think it should be important to mention if this is an X86-only exploit. Open source software isn't the answer to this kind of problem. CPU diversity is at least as important. If you were a script kiddie, would you rather write shellcode for one heavily used CPU architecture, or half a dozen CPU architectures?

    Right now, almost all (non-script language) viruses are for X86. Most root exploits are for X86, with a few more for SPARC.

    I had two boxes get rooted last year thanks to bugs in SSH, but I doubt it will happen again after I replace them with Macs running OS X. But I am glad I never got around to installing OpenSSL with Apache.

    --

    --
    "Open source is good." - Steve Jobs
    "Open source is evil." - Microsoft
    1. Re:X86 by b1t+r0t · · Score: 2
      > This worm copies itself as C source code, then compiles itself with the host computer's gcc.

      Gee, that's nice. And how does it get in there to run the C compiler? That's right. Through an exploit. X86 shellcode.

      --

      --
      "Open source is good." - Steve Jobs
      "Open source is evil." - Microsoft
  40. Point taken but by einhverfr · · Score: 3, Insightful

    I am assuming you didn't install a web server, NFS Server, etc. if you never thought you'd use them, right? Or if you did, you would turn them off, or at least use Red-Hat's built-in firewall rules to keep other people out.

    If you did any of these things, you are not directly vulnerable, and don't classify as lazy. But if you were running a production server and did not want to do a security patch because "there are no rpm's yet" then you would be lazy and I would berate you for it ;)

    So my point is-- you can't compare apples and oranges here, and security is important to everyone, but there are different ways of
    handling this security as appropriate for environment. If you think security doesn't matter, you are not lazy so much as clueless, but if you think that there is only one path to security, you are missing the point too.

    I did support for Windows for a while and I was amazed at how many compromised systems I found because home users thought "I don't need security." It is all fun and games until people start uploading illegal content (such as kiddie porn) onto your system or your account gets terminated with your ISP because someone used your system to attack another computer, etc.

    I don't care who you are-- security is important.

    --

    LedgerSMB: Open source Accounting/ERP
  41. Interesting, but dangerous approach that is by bankman · · Score: 4, Insightful

    Let me elaborate a bit here:

    You are running a computer that is connected to the Internet. For the sake of this argument it doesn't matter which system you favour. You are the admin of this machine.

    Like it or not, you have responsibility towards ALL other network peers (i.e. the whole Internet) to make your system as secure as possible. Consider malicious software that can start DoS attacks on other remote boxes. Your insecure machine is now causing trouble to others as well as yourself (degrading connectivity).

    Would you like this? Your answer could be: I don't care.

    Imagine someone else has a similarly unpatched/insecure system and is directing DoS attacks on your IP. Do you care now? I guess you would.

    The problem is that advertising and far too many teachers in "Internet for dummies" courses do not emphasize the fact that anyone with admin privileges on any computer (that is connected to the Internet) is effectively an administrator and has to act accordingly on issues like security. Point'n'Click installation doesn't make it any easier: You want to run a web server? Here you go.

    How many install software without knowing about the security implications of the stuff they are going to run? I guess far too many. If you had to read about a certain program BEFORE you install it, the manual or How-To can give you an idea of the security implications you are probably going to run into, thus alerting the admin (on a home system that means you) and increasing awareness.

    This could be a reason why Linux/Unix installations often seem to be more secure: You have to read a lot more before you can actually do something. This advantage, of course is slowly going away with point and click installations on Linux systems as distro installation programs become more user-friendly and everything gets installed via a graphical system. This might be ok for an advanced user, but could be dangerous in the hands of a novice (i.e. most home users).

    I guess you could compare it to driving a car, where you have to get a license in order to participate in public traffic, because you need to know about the rules and dangers beforehand. The impact your mistakes might have on others can be very serious.

    I don't want to lecture you, but I think it is important to increase awareness of security ramifications on boxes that are connected to others.

    --
    I feel so sig.
    1. Re:Interesting, but dangerous approach that is by coupland · · Score: 3, Insightful

      > Like it or not, you have responsibility towards ALL other network peers (i.e. the whole Internet) to make your system as secure as possible.

      Sorry but I'm gagging uncontrollably at the thought of your saccharine love-fest. I am not here to protect *other* people's PCs from compromise, should I hold hands with other sysadmins and pray for the health of their machines while I'm at it? No. My machine isn't as secure as some but I try my best and check Red Carpet daily.

      Your argument is that as a user with a public IP address it's my responsibility to have every package on my system updated on a daily basis. Hence by your logic, if I'm not doing so then I don't have a right to be on the net. It's precisely this kind of jaded self-righteousness that people hate about a small handful of Linux geeks. When even Linux geeks are telling you to get a life, maybe you should consider it!

    2. Re:Interesting, but dangerous approach that is by sg_oneill · · Score: 2, Insightful

      > Sorry but I'm gagging uncontrollably at the thought of your saccharine love-fest. I am not here to protect *other* people's PCs from compromise, should I hold hands with other sysadmins and pray for the health of their machines while I'm at it? No. My machine isn't as secure as some but I try my best and check Red Carpet daily.

      Hmmm.... Here folks is the problem at hand. (Ok.. good stuff checking for updates). *but* If you knowingly allow yourself to become part of an attack, then you DO have a responsibility for your own actions. I mean really, wasn't the idea of freedom always limited to 'up till another's nose' (paraphrase).

      If your email program goes berserk and emails 10000 virus mails, it is YOUR fault if you don't stop it. If your unpatched apache server causes 100 other guys' unpatched apache servers to become infected, it's YOUR fault for not stopping it. If your car kills someone because you don't give a fuck about your actions, it's also YOUR fault.

      It's incumbent upon everyone to do that little bit for security, because by the same token that you can fuck someone up from inaction, someone can fuck YOU up by their inaction. Think social contract. Rights REQUIRE responsibilities!

      --
      Excuse the Unicode crap in my posts. That's an apostrophe, and slashdot is busted.
    3. Re:Interesting, but dangerous approach that is by pjrc · · Score: 2
      > .... anyone with admin privileges on any computer (that is connected to the Internet) is effectively an administrator and has to act accordingly on issues like security.

      While you pine for utopia, you could perhaps add quality assurance, use of automated code checking tools, extensive testing, and just more attention to eliminating bugs on the part of software vendors. When you think of social responsibility, you could wish that all default settings would avoid running servers, and when servers are activated their defaults would lean towards security. You could even wish for security in the overall design, such as operating systems that don't set the execute bits on virtual memory pages that contain data, and by default don't allow programs to modify their code at run-time.

      That's how other industries work, you know. Manufacturers are responsible to make their products safe when used in a reasonable manner. Consumers aren't expected to review the design of cars, appliances, toys or other products to make sure they are mechanically safe.

      It's just unreasonable to expect ordinary consumers to understand network security. You can say "you have responsibility ... to make your system as secure as possible", but it just ain't gonna happen any sooner than every driver carefully inspecting every part under the hood of their car to make sure their car is as safe as possible and thereby making the world a safer place for everybody.

  42. Re:D'uh. (with irony) by Penis_Envy · · Score: 2, Insightful

    the irony of you pointing out that they usually say "I'm using a secure OS link to debian.org" is that if you've apt-get update/upgrade'd in the past month or so, you're fine. Debian seems to have been patched the day after/of the vulnerability announcement.

    Considering how many of the major distros have some sort of update tool, I'm really surprised this is as much of a problem as it is.

    So, I'm glad I'm using a secure OS. :)

  43. Self Destruct by devnullkac · · Score: 5, Interesting

    Another evil plan with a big red Self Destruct button: one of the supported remote instructions for the network is "run a command" (0x24). All you have to do is find an entry point and command it to killall -9 .bugtraq and the command will propagate through the network, killing itself. Doesn't keep it from regenerating on the original https vulnerability vector, but we could perhaps slow down the DDoS attacks.

    --
    What do you mean they cut the power? How can they cut the power, man? They're animals!
    1. Re:Self Destruct by mossmann · · Score: 2, Interesting

      echo killall -9 .bugtraq | at now + 5 min

    2. Re:Self Destruct by epsalon · · Score: 3, Informative

      Actually, it will work even better making the command a script that will notify the admin and then kill the server at a given time, e.g.

      echo 'See http://whatever' |mail -s 'YOUR SYSTEM IS HACKED' root; echo killall -9 .bugtraq | at 00:00 GMT

  44. Here's how to stop _this_ one. by paenguin · · Score: 2, Informative

    But, in the long run, you really need to upgrade OpenSSL.

    Anyway:

    su -
    cd /tmp
    ls -a .bugtraq*

    If there is anything in your /tmp directory named .bugtraq.c and you didn't put it there, it's too late, you're rooted. Time to unplug the network cable...

    If you haven't been compromised yet:

    touch /tmp/.bugtraq.c
    chmod 000 /tmp/.bugtraq.c
    chown root:root /tmp/.bugtraq.c

    then...

    which gcc
    chmod 700 "$(which gcc)"

    This means that normal users will not be able to compile c code. If this is unacceptable, you can undo it after you get OpenSSL up to date.

    --
    We should start referring to processes which run in the background by their correct technical name... paenguins.
    1. Re:Here's how to stop _this_ one. by sunset · · Score: 3, Interesting
      If there is anything in your /tmp directory named .bugtraq.c and you didn't put it there, it's too late, you're rooted. Time to unplug the network cable...

      I didn't see this described as a root exploit. Did I miss something?

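    The checks paenguin lists, and sunset's question about what they assume, as one added shell script that is not from either post. It takes the directory to inspect and the compiler path as parameters so it can be exercised on a scratch directory; the decoy only helps if the worm's dropper runs as an unprivileged user that cannot replace a root-owned mode-000 file, and the compiler step, like the original, is a stopgap until OpenSSL is upgraded.

```shell
#!/bin/sh
# Added example, not from the thread. Audits a directory for the worm's
# dropper artifact, plants a decoy, and restricts the compiler.
# Directory and compiler path are parameters; nothing here assumes /tmp.

# Return 0 if no .bugtraq* artifact exists in $1, 1 if one does.
# Same glob as the post's "ls -a .bugtraq*".
worm_check() {
    dir=${1:-/tmp}
    for f in "$dir"/.bugtraq*; do
        # an unmatched glob leaves the literal pattern, which does not exist
        [ -e "$f" ] && return 1
    done
    return 0
}

# Create $1/.bugtraq.c as an empty mode-000 file (root-owned when run as
# root) so the worm's own attempt to write its source there fails.
# Return 1 if the path already exists: never clobber possible evidence.
worm_plant_decoy() {
    dir=${1:-/tmp}
    decoy="$dir/.bugtraq.c"
    [ -e "$decoy" ] && return 1
    : > "$decoy" || return 2
    chmod 000 "$decoy"
    if [ "$(id -u)" -eq 0 ]; then
        chown root:root "$decoy"
    fi
    return 0
}

# Make the compiler at $1 (default: whatever gcc resolves to) executable
# by its owner only and show the resulting mode.
# Return 1 if no compiler is found, 2 if the chmod fails (not root).
worm_restrict_compiler() {
    cc=${1:-$(command -v gcc 2>/dev/null)}
    [ -n "$cc" ] && [ -f "$cc" ] || return 1
    chmod 700 "$cc" || return 2
    ls -l "$cc"
}

# Typical use, as root:
#   worm_check /tmp || echo "artifact present: treat the host as compromised"
#   worm_check /tmp && worm_plant_decoy /tmp
#   worm_restrict_compiler
```

    A decoy file named for this worm's artifact stops only this worm, and only until someone renames the file in the next variant; the permanent fix is the OpenSSL update.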
  45. Re:Where are the RHN Updates ? by Rick_T · · Score: 3, Informative

    > Yeah. Confusing it is. I don't see anything in
    > the RedHat RPM indicating that it is different
    > from stock 0.9.6b.

    You could try looking at the changelog ...

    rpm -q --changelog openssl
    (or rpm -qi --changelog openssl if you prefer.)

    --
    -- Rick
  46. Re:How can ya tell? What do you do? by rosewood · · Score: 2

    That is fucking stupid

    What if I have to check other people's boxen? What if I was out of town for 3 mo and had no computer access?

    God damn, nice attitude

  47. Re:How can ya tell? What do you do? by rosewood · · Score: 2

    I sent that reply to the wrong thread

    and I run up2date regularly but as I see I am still on 0.9.6b-28, even though up2date says I have nothing to update

  48. Irony by sheepab · · Score: 2

    Anyone else find it somewhat ironic that the url for this article about a linux worm is msn-cnet.com? Don't get me wrong, I love linux more than windows....I just found that kinda funny...heh

  49. is this a root exploit? by RelliK · · Score: 2
    also:

    Additionally, your/tmp (if located on a separate partition) should be mounted noexec

    that's not a good idea

    --
    ___
    If you think big enough, you'll never have to do it.
  50. Re:D'uh. (with irony) by Archfeld · · Score: 2

    LOL, well said. I did the same thing last week to my alpha :) The question is now, do the Linux zealots who spent so much time laughing at IIS admins actually keep up on THEIR patches. One of the places the Linux world seemed so far advanced was virus protection. If that goes away what will be the incentive to get off the M$'s of the world ?

    --
    errr....umm...*whooosh* *whoosh* Is this thing on ?
  51. Low bar by buss_error · · Score: 2
    If all it takes to make Linux look like a POS is 3,500 infected servers, then IIS must look like a POS from a POS POS.

    When the major trade press gets ad dollars to compare to MS ad dollars, then expect to see more even-handed reporting.

    Face it. Servers don't run themselves. Linux does a better job than MS of not annoying the shit out of the admin. That's why in this case it's going to be a bigger pain in the ass. Any bets on how many more "I lost my root password, how do I get it back" posts on the Linux lists?

    My favorite question from a customer: "How do I get to root from the # sign?"
    Answer:"Fastest way is to tell me what you need to do."

    --
    Necessity is the plea for every infringement of human freedom. It is the argument of tyrants; it is the creed of slaves.
  52. Re:Not everyone is a Linux expert by Frank+of+Earth · · Score: 2

    *gasp* You mean I just can't click on a utility called "Linux Update" that will check my system and recommend patches for me to install.. and if I want, install automatically and reboot?

    Hrm...

  53. How Come? by hooded1 · · Score: 3, Interesting

    How come when there is a worm or virus on Windows it is because Microsoft is grossly negligent and has no understanding of security, yet when there is a linux worm it is because of no fault of the developers but instead the fault of the 'lazy' sys admins whose machines became infected. This is flamebait, but it would be nice to have some standards on slashdot.

    --
    A rabbit in the hand is worth 4 in the cage
    1. Re:How Come? by rindeee · · Score: 2, Informative

      Because (since you obviously don't read or can't read) the admins are at fault in this situation. The vuln is ancient, the patch has been around forever (in computer time); the only reason that this NEW worm can take advantage of this OLD vuln is because ADMINS have not patched. In the Windows world you have vulns discovered at a much higher rate, typically with more serious repercussions and with a greater average time to patch release. It's not that MS is only to blame, for even when they release a patch, a good number of admins don't bother applying it. Then there's the whole issue of occasionally requiring acceptance of new tidbits of license with some patches, but that's for another day.

    2. Re:How Come? by nathanh · · Score: 2

      Yes, it was. I remember the Slashdot comments at the time were saying that Microsoft had released patches for the Nimda exploit and the fault lies with lazy & incompetent administrators.

      There is no double standard here, no matter how hard you try and look for one.

  54. This should be trivial. by Ogerman · · Score: 2

    People should cut the crap about "well, all operating systems are just as vulnerable if you don't patch regularly.." This is not a Linux issue, nor even an Apache issue. It's a flaw in OpenSSL which, using Apache and Linux as a vehicle, exploits systems with poor basic security. If this worm actually causes any significant impact on your machines / network, you haven't done a good job configuring them to begin with. Let's start with the "duh" issues:

    - The firewall should not generically allow outbound connections originating from the web server.

    - The user/group that Apache runs as should not have sufficient permissions to access stuff like the compiler, unneeded utilities, shells, etc. that make a worm even possible.
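
    Two checks for the "duh" issues above, as an added shell example that is not part of Ogerman's post: a generator for an egress rule set keyed on the web server's uid, and an audit of which tools that uid can still execute. The service account name "apache" and the tool paths in the usage comment are assumptions; the rules are printed, not applied.

```shell
#!/bin/sh
# Added example, not from the post. Egress control and tool-permission
# audit for the account a web server runs as. The account name is a
# parameter; nothing is applied to the running system.

# Print iptables rules that log and reject NEW outbound connections
# originated by user $1. Replies to inbound HTTP(S) sessions are
# ESTABLISHED, not NEW, so normal serving is unaffected. Needs the owner
# match in the OUTPUT chain; older iptables spell the state match
# "-m state --state NEW" instead of conntrack.
egress_rules_for_user() {
    user=${1:?service account required}
    cat <<EOF
iptables -A OUTPUT -m owner --uid-owner $user -m conntrack --ctstate NEW -j LOG --log-prefix "$user egress: "
iptables -A OUTPUT -m owner --uid-owner $user -m conntrack --ctstate NEW -j REJECT
EOF
}

# Return 0 if the "other" execute bit of $1 is set (any uid that is
# neither owner nor group member can run it), 1 if not, 2 if missing.
# A non-root service account reaches a 755 compiler through this bit.
world_executable() {
    f=$1
    [ -e "$f" ] || return 2
    # tenth character of the ls mode string is others' execute bit
    perm=$(ls -ld -- "$f" | cut -c10)
    case $perm in
        x|s|t) return 0 ;;
        *)     return 1 ;;
    esac
}

# Print, from the paths given, those that any uid can execute.
audit_tools() {
    for t in "$@"; do
        world_executable "$t" && echo "$t"
    done
    return 0
}

# Typical use (paths are assumptions, resolved on the host):
#   egress_rules_for_user apache
#   audit_tools $(command -v gcc cc perl 2>/dev/null)
```

    Restricting the compiler closes the vector this worm happens to use; the egress rule is the more general control, since a worm that arrives precompiled or is fetched with another tool still has to open an outbound connection to join its network or attack anyone.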

  55. Re:Distributions, sub-version #'s, & straight by autocracy · · Score: 2
    In response to another reply to this comment's parent, I offer my apology for a mistake made. Though my answer was correct, I neglected to mention that different releases of the same package are made public.

    My recent work with Linux has been with source code built systems due to my disdain with the way distributions are made (differing standards [an oxymoron?], custom branded tools). Out of according habit, I typically roll-up versions rather than patching them unless the newer version will break something. As a result of that, I didn't take into consideration the patching of an older version when a newer one was in use.

    --
    SIG: HUP
  56. One other small difference by twitter · · Score: 4, Interesting
    The other small difference between Windows and Linux as operating systems: The one hundred billion other exploits that all M$ boxes have in software that should not be running on a server, can't be removed from the server, and show up as headlines every freaking month. Why, pray tell, should a server run a GUI or a browser ALL THE TIME? I know, it's a small difference that the average user might not notice in terms of privacy, stability and security. That would be because the average user does not run a stable secure and privacy protecting operating system and has no idea of what it would be like to not be asked by tech support, "have you tried rebooting your computer?"

    By the way, who says this attack won't affect Apache on Windows, Sun, True Unix, etc?

    "You looked at your network settings, you should reboot your computer now."

    --

    Friends don't help friends install M$ junk.

    1. Re:One other small difference by drinkypoo · · Score: 2

      The reason NT is so popular today is that the desktop and the server run the same shit, they're easier to administer. Lots of apps depend on IE for various functionality so the GUI needs to run all the time. Big deal, ram is cheap. What I'm worried about is the bugs, not the amount of stuff that's running.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    2. Re:One other small difference by LarsG · · Score: 2

      The reason NT is so popular today is that the desktop and the server run the same shit, they're easier to administer.

      True, and also the source of the problem.

      Lots of apps depend on IE for various functionality so the GUI needs to run all the time.

      Perhaps I'm an old-schooler, but desktop and server are two entirely different tasks.

      The desktop is supposed to be easy to use. Ease of use and security are, in many situations, mutually exclusive.

      A server is that remotely administrated box sitting in the air-cooled server-room. After the initial install, you should not have to touch the box unless you are doing a hardware upgrade or replacing a disk in the RAID.

      A GUI running on the server makes it too damn easy for a programmer to forget that he is writing server software.

      What I'm worried about is the bugs, not the amount of stuff that's running.

      The more lines of code running on the server, the more lines of code that can contain a bug.

      --
      If J.K.R wrote Windows: Puteulanus fenestra mortalis!
    3. Re:One other small difference by drinkypoo · · Score: 2
      The fact that it's easy to forget you're writing something for use on a server (Ex: CA Unicenter-TNG, the enterprise management package which requires OpenGL acceleration) does not imply a problem with the operating system. It implies a problem with the programmer.

      The more lines of code running on the server, the more I can do at once.

      It's the quality of programming and the basic mindset (for example, did I fuck up my bounds checking, and if I did, do I actually go back and fix it all) that I'm worried about.

      One hopes that one day something like some flavor of CORBA or (god forbid) .NET will become successful enough to where computers all look the same to one another, and they can use components of each other for storage, input, output, and so on. Until then any time you mix environments you create places of disturbance. Sometimes it's worth it, sometimes it isn't. Most people will find that NT (of some sort) is their best option because the apps they really want to run are cheapest on Windows/x86. This won't be so bad what with Hammer coming, it's long past time for x86 to go 64 bit.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    4. Re:One other small difference by mrogers · · Score: 2

      This exploit requires a C compiler to be installed on the infected machine (it creates C files in /tmp and then compiles them). How many IIS servers have a C compiler installed?

    5. Re:One other small difference by LarsG · · Score: 2

      Yes, it is a problem with the programmer. Programmers don't live in a vacuum, though. If you write stuff for Windows, you tend to be surrounded by the Microsoft mindset - that everything should be easy, that server and client both have a GUI, that the default should be convenience instead of security, etc. MS is finally making noise indicating that they might start to change, with their "trustworthy computing" and whatnot.

      The more lines of code running on the server, the more I can do at once.

      Only if those lines of code implement services that you need.

      It's the quality of programming and the basic mindset

      You also have to consider the design and mindset of the operating system the software is running on.

      MS unfortunately has to break backwards compatibility to fix some of their design problems, so I'm not holding my breath with regards to Windows.

      There is also the danger that Linux might repeat MS' mistakes by not thinking enough about security with regards to kparts, bonobo, et al.

      any time you mix environments you create places of disturbance.

      Yes, you do. But why is that? If everything was able to speak the same protocols and file formats, there would be no disturbance. There are certain major players that decided quite early on that it would not be in their own best interest to describe file formats and protocols - why spend time and money to ensure interoperability when they make more money on vendor lock-in.

      In addition, a homogenous environment has its own dangers. Think of it in the terms of biology - a monoculture is more vulnerable to external changes than a heteroculture. A server farm of only NT or only RH7.3 is way more vulnerable to the next worm than a mixed environment. In a mixed environment, there is a higher probability that a few of your servers will catch the next Internet plague, but there is close to no probability that the plague will take down your entire server park.

      One hopes that one day something like some flavor of CORBA or (god forbid) .NET will become successful enough to where computers all look the same to one another, and they can use components of each other for storage, input, output, and so on.

      Do we really need all that remote function call capability? Can't we get by with a secure file transfer protocol with authentication capability and a decent set of documented file formats? Add SOAP, XML-RPC and wireless devices like PDAs and cell phones to your list above and you have just described my security nightmare. Heaps of devices with heaps of entry points with potential security holes available. cgi-bin on steroids.

      Most people will find that NT (of some sort) is their best option

      Also true, but mostly because of economies of scale and the network effect. For many tasks NT/2000 is, all things considered, a smart choice. But does that mean that it is illegal to point out the problems with Windows? :-)

      This won't be so bad what with Hammer coming, it's long past time for x86 to go 64 bit.

      Crystal ball time - will IA-64 or X86-64 win the next platform battle? MS is still the major software force in the x86 market, so they can make or break Hammer.

      --
      If J.K.R wrote Windows: Puteulanus fenestra mortalis!
    6. Re:One other small difference by drinkypoo · · Score: 2
      Do we really need all that remote function call capability? Can't we get by with a secure file transfer protocol with authentication capability and a decent set of documented file formats? Add SOAP, XML-RPC and wireless devices like PDAs and cell phones to your list above and you have just described my security nightmare. Heaps of devices with heaps of entry points with potential security holes available. cgi-bin on steroids.

      Well I think the trick is (and will continue to be, as interoperability becomes more and more common) to design for security before all else. You want to be able to make sure that people are who they say they are, so cryptography is an absolute must. Really, all communications should carry some kind of cryptographic signature, at least those between nodes. I'm not so worried about encryption, some data will need to be encrypted, some won't. As processors speed up, though, and gain larger word sizes, doing encryption will become easier anyway.

      But ultimately yes, I think we need a massive RPC-style system for integration. It doesn't have to do everything that .NET or CORBA does, but it needs to be authenticated, optionally encrypted, and always signed. I think for the kind of functionality we want we need to be able to pass arbitrary messages, and data, and I'd personally like to see some kind of sandboxed system for accepting a java (or similar) binary (or script) to do file type conversions. I know you're going to scream security nightmare, but the idea is that you can set perms on who's allowed to send you what, and if your sandbox is good enough it's not a problem anyway. I know that my last sentence is both a "duh" and an "as if" but I firmly believe that it is possible. :P

      Crystal ball time - will IA-64 or X86-64 win the next platform battle? MS is still the major software force in the x86 market, so they can make or break Hammer.

      I think there's room for both itanium and hammer. Of course, if hammer doesn't do everything it says it does, many of us will be mighty disappointed. So it has to have more memory bandwidth than god's dreams and support, what was it? 31 CPUs or something? Without any more trouble (in terms of the hardware) than supporting two. The bus is supposed to allow for a whole mess of chips, and I want to see that.

      It does look like AMD is playing ball with Microsoft just the way they want them to -- Ditto for nVidia, of course. I wonder if nVidia will turn out to be too big for Microsoft to swallow? I think AMD is today, but you never know what Microsoft will pull tomorrow.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    7. Re:One other small difference by LarsG · · Score: 2

      Well I think the trick is [..] to design for security before all else.

      Do you see any signs of that happening at the protocol level today? One of the big selling points of SOAP is "we'll tunnel this over HTTP so those inconvenient firewalls can't stop us".

      Some of this is, as you correctly point out, a mindset problem.

      A lot of the Internet protocols were designed at a time when no one really cared that much about security - and this worked ok because most of the users obeyed normal netiquette, and the few who didn't received a stern warning from the university admin. SPAM could have been a smaller problem today if SMTP had been designed with authentication from day one.

      (A different issue is that a heavy crypto/authenticated version of SMTP could have been rejected by the general users/admins at the time - one of the issues with protocol design is that it doesn't matter how good or sane or technically correct the protocol is if people are unwilling to use it.)

      You want to be able to make sure that people are who they say they are, so cryptography is an absolute must. Really, all communications should carry some kind of cryptographic signature, at least those between nodes.

      I don't really know what I feel about mandatory signatures, because there are good arguments both for and against it.

      First of all, do we want to make it impossible to be anonymous? There are a lot of good reasons for why it should be possible - government whistle blowers, Chinese freedom fighters, tips to Amnesty International, people dealing with the after effects of sex abuse/battering/whatever on support groups, etc. If we make traceable signatures a requirement for new protocols, we have a major problem there. On the other hand, police and national security have a legitimate interest in being able to track down lawbreakers and fundamentalist nutcases.

      Secondly - how do I know that a message signed by drinkypoo really is from drinkypoo? You need a trusted third party or some other system that allows you to match a signature to a person, otherwise I could just create a new signature for each and every message I send. There are, AFAIK, two general ways of doing this - the PGP "web of trust" or PKI. I don't think a web of trust will work on a large scale, which leaves us with PKI. With PKI you get the sticky question of who will control the CA. Should the US government run it? Verisign? Microsoft? Who does the entire world trust enough to allow that entity to control the root of identity in this new set of secure protocols?

      I'm not so worried about encryption, some data will need to be encrypted, some won't.

      I think end-to-end encryption in general is a good thing, and many current protocols should be upgraded to support opportunistic encryption (see for example opportunistic IPSEC and SMTP STARTTLS).

      There is one interesting issue, though - it makes it kind of hard for your firewall and network intrusion detection system to see what is happening. If/when end-to-end encryption becomes the norm, the intrusion detection and firewall must become a part of the endpoint instead of a centralised server. How can you know that the endpoint is telling the truth when it reports 'all is well'? :)

      some kind of sandboxed system for accepting a java (or similar) binary (or script) to do file type conversions

      Why not tell the sender which file types you support and let him do the translation instead?

      [...] if your sandbox is good enough it's not a problem anyway. I know that my last sentence is both a "duh" and an "as if" but I firmly believe that it is possible. :P

      I believe that it is perfectly possible to create an unbreakable sandbox. VMware, Java or any decent emulator out there implement virtual machines that are - at least in theory - unbreakable by software running inside the sandbox. The question is whether people are willing to use the sandbox because it is going to trade convenience for security. You will want the nifty Java word processor to get access to the data from your Java calendar and Java spreadsheet so you can print bills to your clients automatically at the end of each week. To do anything useful, you need to punch some holes in the sandbox.

      I'm screaming security problem not so much because it is impossible to create secure systems (it is possible), but because no one out there is going to want to use truly secure systems and because ubiquitous wireless and powerful handheld devices will make it even easier for our imaginary black hat to discover vulnerable systems.

      I'd recommend Bruce Schneier's "Secrets and Lies" if you are interested in this.

      I think there's room for both itanium and hammer.

      Dunno. The desktop market in particular has a very powerful network effect. Unless all desktop software is shipped in both Itanium and Hammer versions one of the platforms is eventually going to get the upper hand, and 60%/40% quickly becomes 95%/5%.

      So it has to have more memory bandwidth than god's dreams

      If AMD stays with (DDR/DDR II) SDRAM, it seems like Intel is going to win on the bandwidth front. While RDRAM was too expensive compared to the performance you got out of it 1-2 years ago, it seems like Intel was right when they claimed that Rambus would scale better than SDRAM in the future.

      31 CPUs or something? Without any more trouble (in terms of the hardware) than supporting two. The bus is supposed to allow for a whole mess of chips, and I want to see that.

      That sounds more like a nerd's idea of a centerfold than something you're going to see on an desktop anytime soon. ;-)

      Anyway, when you're talking more than a couple of CPUs you have to radically change the memory interface. A few CPUs can share the same memory bus (UMA - Uniform Memory Architecture), but with more than that you have to use something like a star topology or let each processor have some local memory and a bus/mesh/link to the others. I think AMD is shooting for an 800MHz HyperTransport mesh, but don't quote me on it.

      It does look like AMD is playing ball with Microsoft just the way they want them too.

      I think MS is using AMD to control Intel. That is, if Intel does something MS doesn't like then Windows will somehow magically support Hammer better than Itanium.

      It seems like Intel is starting to run away in performance on the 32bit side again, so Hammer is a make or break for AMD. That does put Microsoft in a strong position.

      I wonder if nVidia will turn out to be too big for Microsoft to swallow?

      Just a few random thoughts:

      I don't think MS is interested in swallowing nVidia. After they gained the upper hand on the desktop, MS' game plan has always been to control and protect the software platform. They've never been interested in owning the hardware side as long as they have sufficient power to keep the hardware companies in line. As long as there are more than one manufacturer of the hardware platform(s), the Windows software platform is the point of control.

      Think of it as a puzzle, if you are the only manufacturer of a critical piece of the IT puzzle you control the entire board. It is in MS' interest to make sure that there are at least two manufacturers of each of the other pieces, and that they are the only manufacturer of the software platform piece. (That's exactly why MS fought Netscape and Java and why Linux is so scary to them.)

      Besides, if MS gets too cozy with one of the combatants in the fiercely competitive 3D graphics card market they might find themselves in a new antitrust lawsuit.

      MS wants to be able to keep selling new versions of Windows and Office, so they have to provide some new features that people will be willing to pay for - such as a new 3D user interface in Longhorn.

      MS and nVidia have to march in lock-step with regards to new versions of DirectX and new features in next generation graphics hardware. It won't harm MS much if they break the lock step and the next version of DirectX turns out to be closer to next generation ATI hardware, but it can harm nVidia a lot.

      As long as ATI and other video chip manufacturers can keep up somewhat with nVidia, MS won't feel any particular threat.

      The graphics card market is an open market - anyone is free to make a graphics card (as opposed to, say, the Intel/AMD processor slot/socket situation). The only requirement for making a graphics card is to support AGP and VESA and write a DirectX driver - none of which are jealously protected/patented.

      I don't know how cozy MS and nVidia are on DirectX. nVidia might try to pull a stunt by putting some features in DirectX that are hard to implement without violating an nVidia hardware patent. Could easily become a PR nightmare, though.

      nVidia is the current (well, once the NV30 comes out) performance king, but remember that the high-end market is only a small part of the entire market. Other companies are making decent amounts of money on the lower end and in the OEM market, and any one of them might do a high-end come-back.

      Unless I'm missing something, I think nVidia is the weaker party in this relationship. At the same time, it doesn't seem like MS would gain much by trying to control nVidia.

      --
      If J.K.R wrote Windows: Puteulanus fenestra mortalis!
    8. Re:One other small difference by LarsG · · Score: 2

      How many IIS servers have a C compiler installed?

      Only the ones where the admin is *nix enough to install cygwin to get bash and MCSE enough to do a full install of cygwin instead of only installing the pieces he needs. ;-)

      --
      If J.K.R wrote Windows: Puteulanus fenestra mortalis!
    9. Re:One other small difference by drinkypoo · · Score: 2
      First of all, do we want to make it impossible to be anonymous?

      I basically picture some system which will grant you a unique cert. You can then attach your personal information to it, or not.

      There are, AFAIK, two general ways of doing this - the PGP "web of trust" or PKI. I don't think a web of trust will work on a large scale, which leaves us with PKI. With PKI you get the sticky question of who will control the CA. Should the US government run it? Verisign? Microsoft? Who does the entire world trust enough to allow that entity to control the root of identity in this new set of secure protocols?

      That really is the sticky point, isn't it? I think the problem is more or less solved by being able to get anonymous certs. Of course where you use them from will tag them forever in some government database somewhere, so you do have to be careful about that still. But I'd like them to be cheap enough to get by spare-changing... say, a buck? No more than five dollars, though.

      As for who I'd trust, it can only be some sort of global consortium of top technology companies, with all data mirrored in all countries, and a key server picked via a genuinely random method. Or at least the best we can get. That way all the various companies and nations can keep tabs on each other.

      I believe that it is perfectly possible to create an unbreakable sandbox. VmWare, Java or any decent emulator out there implement virtual machines that are - at least in theory - unbreakable by software running inside the sandbox. The question is whether people are willing to use the sandbox because it is going to trade convenience for security.

      I'm really talking about this as a very special purpose thing solely for the translation of file types. This thought came out of the revelation a while back that in AmigaDOS the filesystem driver was actually written to the partition. There's no reason whatsoever that everything can't be like that, though. For smaller transfers you wouldn't do this but it would be nice if you could send your data along with a translator to make sense of it. On one hand this will get abused, and people will attach handlers bigger than streams, though you won't have to load everything obviously. Still, if you provide a severe enough limitation on what they can do it starts to look pretty reasonable, and you can still get quite a bit done that way. I'd probably use either Java or Perl to accomplish something like this today because of the run-anywhere aspects, which probably weighs things in perl's favor. It has been alleged that large perl projects are hard to write, and supposedly Perl 6 will address that issue. I don't really know either way there, I've never written anything large with any language.

      Again, this only works with a system featuring anonymous (but consistent) certs. At the barest minimum I would be happy with a system which would let me know that someone was the same person for the duration of a session.

      Anyway, when you're talking more than a couple of CPUs you have to radically change the memory interface. A few CPUs can share the same memory bus (UMA - Uniform Memory Architecture), but with more than that you have to use something like a star topology or let each processor have some local memory and a bus/mesh/link to the others. I think AMD is shooting for an 800MHz HyperTransport mesh, but don't quote me on it.

      I guess I was mostly envisioning something with a whole boatload of cache per CPU... But then that's what you're saying, right? Some local memory, etc.

      4mb of L3 per CPU ought to do, whatever's cheap in the SRAM department will be fast enough. Barring that, I'll accept 8 or 16 MB of SDRAM in place of L3 :)

      After all, each CPU has its own memory controller, right?

      I don't know how cozy MS and nVidia are on DirectX. nVidia might try to pull a stunt by putting some features in DirectX that is hard to implement without violating an nVidia hardware patent. Could easily become a PR nightmare, though.

      The first big extension I can remember going into DirectX from outside (or at least, publicly from outside) was S3TC. S3 came up with it, it mostly worked, it became part of Direct3D. Then we got like a zillion things from nVidia.

      Recently it's seemed like nVidia defined Direct3D, what with all the crap they've brought to the table ahead of anyone else. A lot of it is only particularly useful for gaming, though they do have a pro chip. I despise the unnecessary price distinction between models but people continue to pay, and they continue to sell.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    10. Re:One other small difference by LarsG · · Score: 2

      I basically picture some system which will grant you a unique cert. You can then attach your personal information to it, or not.

      I think the problem is more or less solved by being able to get anonymous certs. Of course where you use them from will tag them forever in some government database somewhere, so you do have to be careful about that still. But I'd like them to be cheap enough to get by spare-changing... say, a buck? No more than five dollars, though.

      As for who I'd trust, it can only be some sort of global consortium of top technology companies, with all data mirrored in all countries, and a key server picked via a genuinely random method. Or at least the best we can get. That way all the various companies and nations can keep tabs on each other.

      Then what's the point? Then all I know when I receive a message signed by someone is that this someone has spent $5 for the privilege to claim that he is the one that he claims to be.

      The only thing I can know (apart from the fact that someone paid $5 for something that is the equivalent of a non-signed PGP key) is that if I receive several messages signed by the same key then the sender(s) have access to this key.

      So we have this megagovernmentcorp-thingy with loads of checks and balances whose only mission in life is to give out blank signed signature keys at $5 a pop.

      *scratch head*

      Now try to sell this to the people that screamed bloody murder when Intel decided that it was a good idea to put a unique serial number in each processor.

      I'm really talking about this as a very special purpose thing solely for the translation of file types. This thought came out of the revelation a while back that in AmigaDOS the filesystem driver was actually written to the partition.

      Translate to what? How does the binary that is bundled with the data know how to represent the data in a format that is intelligible for the target system? Perhaps you are thinking about a data displayer instead of a data translator. What if you are sending a picture to a device with a text display only? I think it is a lot better to have a few properly defined data formats instead of turning data and executable into an opaque blob.

      With the file system handlers in AmigaOS, the operating system knows that the handler is a special case of a library which contains functions for open, close, write, etc. That is, it knows how to use the binary to turn the data into something that is meaningful. (Where are my RKRMs when I need them?)

      At the barest minimum I would be happy with a system which would let me know that someone was the same person for the duration of a session.

      There are several ways for doing that without creating a full-blown CA/PKI system.

      A unique session cookie over HTTPS, for example.

      Or a self-signed SSL certificate.

      Or a self-signed PGP key.

      Or if the session can be implemented as a single TCP session, you can cross your fingers and hope that the TCP/IP stack is intelligent enough to implement properly unguessable ISNs.

      I guess I was mostly envisioning something with a whole boatload of cache per CPU... But then that's what you're saying, right? Some local memory, etc.

      4mb of L3 per CPU ought to do, whatever's cheap in the SRAM department will be fast enough. Barring that, I'll accept 8 or 16 MB of SDRAM in place of L3 :)


      Mno, local memory and local cache must be handled differently. A cache is a copy, while memory is the real thing. In a garden variety UMA/SMP system all memory is shared by all processors. If one processor writes to memory, all processors see the change immediately.

      Now, what happens in a 31 CPU system with 31 sets of L1, L2 and L3 cache if one of them writes to memory? If a copy of that memory location is cached in some of the other CPUs' L1/2/3 cache, it must be updated (or the cache line invalidated) before any instruction executed on those CPUs reads from that memory location. For every write to memory you have to check that no other processor is caching that memory.

      Even worse - what if we are using a write cache? That is, a write is not written directly to ram but is stored in the CPU's cache for a while hoping that more writes will happen to memory locations in the same area so that you can burst a larger chunk of data back to RAM in one operation. Then you must have a system that makes sure that every write to a cache line in one of the processors is reported to all the other processors also caching that area of memory.

      Making sure that this works correctly is called cache coherency. And from what little I know about big iron, it sounds like it is a Nasty Problem to make this scale to more than a few processors if you insist on a UMA architecture.

      You also have to think about stuff like motherboard layout and total memory bandwidth. The longer the wires, the harder it is to run the bus at high speed, and even with deep caches you still need to read and write to memory, and in a UMA all processors are sharing the total memory bandwidth.

      That is why big iron tends to have memory architectures that seem quite exotic if you are used to thinking of RAM as one big chunk of storage space shared by all processors in the box.

      After all, each CPU has its own memory controller, right?

      Yup. I don't claim to know what the memory architecture of a huge Hammer box will look like, but I know that you will run into scaling problems somewhere between 8 and 64 processors if you insist on using a UMA model.

      Then we got like a zillion things from nVidia.

      I kind of expected that, but wasn't sure.

      I despise the unnecessary price distinction between models but people continue to pay, and they continue to sell.

      The computer business has always been like that, and as long as there is a segment of the market that is willing to pay a premium for the top of the line model that won't change.

      --
      If J.K.R wrote Windows: Puteulanus fenestra mortalis!
  57. This is already standard practice by tweakt · · Score: 3, Insightful

    You should ALREADY be blocking ALL unknown incoming ports. ESPECIALLY UDP.

  58. A link to the baseline tool: by PhxBlue · · Score: 2
    --
    !#@%*)anks for hanging up the phone, dear.
  59. Keep waiting by twitter · · Score: 2
    You say: Let's face some facts, there are probably more "forgotten" Linux servers than Windows ones, simply because Linux can run unattended for months at a time and Windows cannot

    I say Windows is a POS because you can't run it unattended.

    You say: I await your wrath for being reasonable.

    I'm still waiting for you to be reasonable. Until then, I'll just have to be helpful.

    If you define suck for me, I'll be able to tell you which OS sucks more. If suck is defined as requiring constant maintenance, periodic expensive "upgrades", monthly email viruses, worms and other dirty critters due to less than best security practices, hiding and denying exploit information, months between exploits and "patches", well Windows is the winner. All that sucks jagged rocks.

    --

    Friends don't help friends install M$ junk.

  60. Had to laugh.. by Anonymous Coward · · Score: 2, Interesting

    Someone posted a message up somewhere that their NetBSD VAX system has been serving pages from a DMZ outside their firewall for years... he keeps seeing various hacks tried on it, but everyone *expects* that it's Apache on Linux on an x86 machine. Just goes to show that while "security through obscurity" doesn't *always* work, running on old hardware just *might* have certain advantages. :-)

  61. Re:Not everyone is a Linux expert by Salsaman · · Score: 2
    Many modern distributions do indeed have this facility. For example, Mandrake has Mandrake Update which is a GUI app that'll install all known security updates (or you can select from a list). Red Hat has a similar thing (Red Carpet, I think).

    You don't even need to reboot for the SSL patch. At most you may have to restart the sshd and httpd services, though the RPM would probably do it for you.

    Oh, and the patch has been available in Mandrake since 16th August.

  62. Re:Distributions, sub-version #'s, & straight by mccalli · · Score: 2
    openssl-0.9.6b-28 is the current Red Hat version, and it is fully fixed.

    It even shows the old version if you run openssl version: OpenSSL 0.9.6b [engine] 9 Jul 2001

    Oh now that's poor. Asking for the version doesn't give you the correct version? Poor. Version commands should be dependent on source control tags, not programmers having to remember to edit that particular bit of source.

    Cheers,
    Ian

  63. On other news... by 0x0d0a · · Score: 2

    ...sales of Red Hat's up2date service agreements have doubled.

  64. Heads-up by Chris+Johnson · · Score: 2
    I think it would be a good idea to watch out for attempts by Microsoft to lobby on behalf of making Linux illegal (or perhaps forbidden for government work?)... on grounds of it being a security risk.

    Yeah, that would be insane- but the question to ask is, do they have the lobbying and PR muscle to pull it off? Microsoft's style of winning is not wholly restricted to utter Forrest Gump truthfulness. I see this as a sort of Xmas present for them, and I see them trying to figure out just this: whether they can launch a lobbying effort to attack Linux based on this situation.

    Sort of a "Linux Worm Creates Attack Network! You must legislate against the danger of this- did you know Linux installations often have compilers and linkers installed right alongside *spit* Netscape? An evil hacker's toybox it is! Why, on these Linux PCs, a worm could compile ANYTHING AT ALL it wanted to, with the support of the operating system! At least make sure there aren't any of these insecure Unix devices in the armed forces. Do you care about America or are you a Linux supporting terrorist?"

    OK, I ran with that a bit- but what do you think these armies of MS lobbyists actually SAY? "Buy our stuff, it's okay and not too expensive really?"

  65. Re:So, how do I know I'm being invaded? by Alex+Belits · · Score: 2

    Never try to check if you are being attacked by anything other than trivial DoS -- the attack that will succeed is unlikely to be seen.

    As for being taken over, just read the bug description. Or, better, patch the system before the exploit comes out.

    --
    Contrary to the popular belief, there indeed is no God.
  66. Re:well.... by coupland · · Score: 2

    If you don't care about other people, maybe you would care about the legal implications of your machine performing a DOS attack against someone else?

    Good read. I don't care about that either.

  67. Just get the RIAA and MPAA... by Newer+Guy · · Score: 2

    To sue this 'rogue P2P system' out of existence! Problem solved. I'm emailing Hillary Rosen as we speak....

  68. Re:Not everyone is a Linux expert by pjrc · · Score: 2
    I did the update today, and it turned out my system has two copies of SSL... both old. One was installed from source, the other from RPM.

    It's also possible that mod_ssl and openssl may be built statically into your apache.

    You should upgrade apache too, since you're at 1.3.23, which is before the chunked encoding bug. You generally need to update apache and mod_ssl together, so plan on upgrading both of them.

  69. No New Lesson by _Sprocket_ · · Score: 2

    There are no new lessons here. This is not the first worm for Linux. It is not the first DDoS architecture for Linux. Nor does CNET's estimation of 3,500 infected machines match its Code Red estimations that have floated from "...more than 15,000..." to "...more than 350,000...".

    It would seem anybody who is finding something insightful in this story is either a Linux or Windows zealot, brand new to the argument, or a very poor student of recent history. Granted - "recent" is somewhat subjective. So let's take a brief look at past DDoS applications and Linux worms.

    Distributed Denial of Service (DDoS) architectures began hitting the Industry consciousness late 1999. At that time it was trin00 and TFN. Shortly afterward, new versions showed up in the wild including TFN2K and Stacheldraht. All can be run on Linux. Although they are not, themselves, worms.

    Linux worms are not new... nor are they ancient history. There are some excellent examples from a little over a year ago. One of the first worms from 2001 was the Ramen Worm and was reported by CNET January 17, 2001. Of course, CNET's article didn't have impressive numbers to report but it did liken it to the infamous 1998 Morris Worm. The Ramen Worm was followed by a less-famous variation called Adore and it also garnered CNET coverage April 4, 2001. But it wasn't too interesting a worm. It had been overshadowed by a worm reported the previous month dubbed Lion. The Lion worm also got its own CNET coverage.

    In each case, the worm in question used well-known security flaws with existing patches.

    If one wants to point out that any OS is vulnerable if it is not properly maintained, then this latest worm is simply one of a series of worms that have proved this point. And worms have made object lessons of Linux, Windows, and other popular OS variants such as Solaris (sadmind/IIS being my favorite as it propagates on Solaris machines and then attacks and defaces IIS web sites).

  70. *eers by crucini · · Score: 2
    He probably works in marketing, where one has an obligation to invent new words like "visioneer" (most of which make me reach for the barf bag).

    Perhaps you are a regurgioneer. Put it on your business cards.
  71. Re:OH FOR GODS SAKE ! by _Sprocket_ · · Score: 2

    The kinda people who create virii/worms/trojans whatever are always going for the widest possible target market.

    Linux has been fairly well deployed as a server for years. Of course, various Unix flavors such as Solaris are even better represented. Yet when worms hit these platforms (and they do hit - and have hit numerous times before) they fail to generate the kinds of numbers Windows worm variants generate... nor do they stick around.

    This worm is likely to go the same direction as its predecessors. It will be "news" if it doesn't. And then we'll be back to debating over what these numbers really mean.

    If anything.
  72. 3500 servers ... but who's counting? Pure FUD by konmaskisin · · Score: 2
    So, let's see ... linux is not that important but a worm that infects a small proportion of a niche bit player OS has already infected 3500 or more servers.

    Assuming that, say, 5% of Linux boxes are configured to have an HTTPS web server enabled and are also running the exploitable SSL (how many linux or unix/apache webservers do you know are setup to do https using OpenSSL?? - most https apache setups use Stronghold which costs extra and which one purchases because of bundled security services). Now, given that these same boxes are set up to be secure and to encrypt web communications what idiot would *also* install a *compiler* on such a system? Assume 50% of admins are that stupid (remember, everyone argues that Unix/Linux requires massive skill just to set up correctly so a 50% stupidity rate may be high).

    Just as an aside I personally have access to 8 machines. None of them are set up to have SSL enabled. None of the machines in production in publicly accessible server roles have a COMPILER installed. A quick survey of friends (all told about 50 production boxes in total) reveals that *none* (out of 50) have SSL enabled in Apache. For personal machines most use web servers as "Intranet" systems for LANs or as a convenient "file server" substitute on workstations/laptops.

    If all the above conditions do exist on a small subset of linux machines, then 3500 = just what % of all linux machines I wonder? (Someone should sample and project and use C|Net figures to establish how many Linux systems there are out there). It sounds like about .5% of Linux machines are affected and that there exist several tens of millions of Linux servers. Actually it sounds like FUD rubbish ...

    BTW if you are worried you might be affected here's how to fix it on Red Hat - Mandrake and SuSE will be similar ... with Debian and Gentoo it's even easier. And then of course there's apt-get for RPMs now too so ...
    mv /var/www/html_docs /var/www/html_docs.hold

    rpm -Fvh ftp://updates.redhat.com/7.2/en/os/i386/apache*

    rpm -Fvh ftp://updates.redhat.com/7.2/en/os/i386/mod_perl*

    rpm -Fvh ftp://updates.redhat.com/7.2/en/os/i386/mod_php*

    rpm -Fvh ftp://updates.redhat.com/7.2/en/os/i386/openssl*

    mv /var/www/html_docs.hold /var/www/html_docs

    service httpd restart
    All told takes about 30-45 seconds to fix. Given that I am *STILL* getting the following probes on my systems every day thanks to a bug in IIS:

    [10/Sep/2002:11:06:42 -0400] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 263

    (damn idjits) .... I will take Apache *any day*. On the security front the utter shoddiness of IIS in comparison to Apache makes it obvious where the "threat" lies.
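    The probe quoted above is a double-URL-encoded traversal (%255c decodes to %5c, which decodes to a backslash), which is why a single decoding pass misses it. The following is an added example, not code from the post, that scans Apache access-log lines for these IIS-worm requests (cmd.exe, root.exe, default.ida) after decoding repeatedly; the log lines are constructed, with the first one mirroring the probe quoted in the post.

```python
"""Flag IIS-worm probes (Code Red / Nimda style) in Apache access-log lines.

Added example, not code from the original thread.  All log lines below are
constructed test data; the first mirrors the probe quoted in the post.
"""
import re
from urllib.parse import unquote

# Common-log-format request section: method, path, protocol, then status.
LOG_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>HTTP/\d\.\d)" (?P<status>\d{3})'
)

# Request targets that only IIS-worm traffic asks a Unix Apache server for.
SIGNATURES = {
    "cmd.exe": "cmd.exe shell request (Nimda / Code Red II style)",
    "root.exe": "root.exe backdoor request (Code Red II style)",
    "default.ida": ".ida overflow probe (Code Red style)",
}
# Matches ../ or ..\ once the path has been decoded.
TRAVERSAL_RE = re.compile(r"(\.\./|\.\.\\)")


def fully_decode(path: str, max_rounds: int = 3) -> str:
    """Undo repeated URL encoding (%255c -> %5c -> '\\').

    Nimda double-encoded its traversal to slip past single-pass filters,
    so decode until the string stops changing (bounded by max_rounds).
    """
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def classify(line: str):
    """Return (decoded_path, reason) for a worm probe, or None for benign lines."""
    m = LOG_RE.search(line)
    if not m:
        return None
    decoded = fully_decode(m.group("path")).lower()
    for needle, reason in SIGNATURES.items():
        if needle in decoded:
            if TRAVERSAL_RE.search(decoded):
                reason += " with directory traversal"
            return decoded, reason
    return None


def scan(lines):
    """Return a list of (line_no, decoded_path, reason) for every flagged line."""
    hits = []
    for n, line in enumerate(lines, 1):
        result = classify(line)
        if result:
            hits.append((n, result[0], result[1]))
    return hits


# Constructed sample lines (not real traffic); the first mirrors the post's probe.
SAMPLE_LOG = [
    '10.0.0.7 - - [10/Sep/2002:11:06:42 -0400] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 263',
    '10.0.0.8 - - [10/Sep/2002:11:07:01 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 280',
    '10.0.0.9 - - [10/Sep/2002:11:07:30 -0400] "GET /index.html HTTP/1.1" 200 1534',
    '10.0.0.10 - - [10/Sep/2002:11:08:12 -0400] "GET /default.ida?XXXX HTTP/1.0" 404 210',
]

if __name__ == "__main__":
    for n, path, reason in scan(SAMPLE_LOG):
        print(f"line {n}: {reason}: {path}")
```

    On a Unix Apache host these requests cannot succeed, so a hit is a sign of an infected client on the network rather than of a compromise of the server, which is the point the post makes about where the threat lies.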

  73. Numbers and Issues - Linux vs Windows by _Sprocket_ · · Score: 2

    Should we immediately start referring to Linux (et al) as an easy touch for these worms? This is now two serious vulnerabilities in the last three days. Sure, there are fixes available, but there are also fixes quickly available for similar Windows holes and, yet, when "sysadmins" don't apply them, everyone blames Microsoft. So, that means Linux sucks too, right?

    If the issue were as simple as counting vulnerabilities and counting exploits and comparing numbers... then it might be easy to say "yes". Or "no". Whatever the numbers end up being. And, in fact, that seems to be the entire argument some like to make when comparing the "security" of two different platforms. But the issue is not that simple. It is not about numbers.

    This is not the first time Linux vulnerabilities and worms have been the subject on Slashdot, as well as featured stories in the press. While it is a humbling reminder that no OS is invulnerable, it is also often used as a kind of red herring to deflect criticisms of Microsoft and its own offerings.

    Microsoft does not have a very positive history when it comes to security of their products. Although it would be wrong to ignore that they have made steps to improve - faster releases of patches and security tools have helped improve a dismal reputation. However, Microsoft still continues to ignore some vulnerabilities, attempt to cover up issues, and otherwise imply that it is those who discover and publish flaws that are to blame for vulnerability - not their own products. But (bad) attitude is not everything. It is the Microsoft product itself that is at the heart of the issue.

    Sure - one can administer a fairly secure Windows environment. But it is no easy task.

    Patches (or service packs) have had a history of being dangerous - which leads to a standard policy of waiting before deploying what could be critical security fixes. Furthermore, it is now an apparent policy of Microsoft to change the legal framework of their license through the use of security patches / service packs. Installing a patch is not a simple matter for the smart Windows admin.

    Deciding to install a service pack is only the first step. Once the admin has accomplished this, they must then audit their configuration to ensure that the service pack has not replaced insecure services or configurations that the admin has removed with security in mind. Service packs tend to do this - especially if the admin has gone through the process of hardening their Windows server.

    Hardening is not a simple process either. Unix/Linux systems are very modular and allow for the removal of almost any component. Not so with Windows. Removal of unused components tends to not be supported by Microsoft and often involves following a checklist created by someone else who has already discovered what can or can not be safely removed (the dependencies of various components are not always logical). Once again, this entire process must be repeated after installation of any new system components or service packs.

    While Linux does share the dubious honor with Windows of having both vulnerabilities and worms designed to take advantage of those vulnerabilities... it does not share all the same issues. And that keeps the line between the two fairly distinct.
  74. Re:Defense against DoS attacks by RGRistroph · · Score: 2

    A better analogy would be that a whole crowd of kids come, mixed in with the normal kids wanting ice cream so you can't tell the difference, only when these kids get up to the counter they move very slowly, argue, take napkins one at a time, change their request of which flavor, so that soon you are serving 1 kid every two minutes instead of 1 kid every ten seconds.

  75. Re:You don't get security from one thing? by LarsG · · Score: 2

    OpenBSD has only had "One remote hole in the default install, in nearly 6 years!" But it has had one, does this make it as insecure as unpatched win98?

    If we talk about Win95 instead of Win98, you can truthfully say that "Win95 has not had a single remote[1] hole in the default install". ('95 didn't install TCP/IP by default) ;-)

    [1] If we define remote as 'outside your local network segment'.

    --
    If J.K.R wrote Windows: Puteulanus fenestra mortalis!
  76. Just expect more by xixax · · Score: 2

    For a while now, IIS has been the h4X0r child because it is ubiquitous and easy to break. Mal-ware activity is a good indicator of the popularity of a platform (at least partially).

    Fewer people did Linux mal-ware before this because there were relatively few machines and they were generally owned by clueful people. Now we have a far larger base of ignorant users/operators and far wider deployment, including high profile deployments. How many clueless people had 24/7 broadband connections even 3 years ago?

    Expect to see greater interest in Linux Mal-ware as the popularity of Linux increases. With increased H4X0r attention, the delivery of security to the ignorant will determine how often we see headlines about Linux hosted exploits[1].

    Xix.
    [1] OK, maybe OpenSSL screwed up, but surely the OS has *some* responsibility for looking after its own integrity? Imagine a distro that keeps your firewall, ppp connection, web server and stuff in separate, minimal user-mode Linux virtual boxes.

    --
    "Everything is adjustable, provided you have the right tools"
  77. Code Red... STILL! by Bilbo · · Score: 2

    Jeeze... Just went to check my Apache logs to see if there was any indication of this worm on my servers (all clean), and I'm STILL getting plugged by a couple dozen freaking Code Red hits a day! Is there any way to get these cleaned up, or are we going to be putting up with winnt/system32/cmd.exe requests until the end of time?

    --
    Your Servant, B. Baggins
  78. Automatic Updating by HawaiiLinux · · Score: 2, Insightful
    These worms (including Nimda and Code Red) always have targeted holes that have been known and fixed for months, but the masses who never keep up with security updates are still cracked. These many people who never keep up with security updates will always exist due to ignorance.

    I can't count the number of times I tried to convince someone to apply updates, but they always say "My system isn't important, nobody will want to crack it."
    But of course, that type of system is a prime candidate for cracking, because often the owner won't even notice that they have been compromised and they can usually be used to launch more attacks for a long period of time.

    All of Microsoft's recent products now do automatic updating by default. Yes, automatic updates annoy power users and Administrators due to the risks and loss of control, but unfortunately this is exactly what the ignorant masses want, it is taken care of for them so they don't care. (Effort is a rare thing to most end-users.)

    On the flip side, none of the Linux distributions do automatic updating by default, nor do they saliently annoy the Administrator with pop-ups saying "You need to update!"
    It is good that Mandrake 8.2 and higher give you the option to download updates in the installer, but after you have booted you aren't ever told "Updates are available" or "Please update."

    I ask this question, would Automatic Updating be a good thing as an install option of popular end-user distributions? Say the installer had a screen saying "Automatic Updating is on by default. Uncheck this box to disable it." This will of course annoy knowledgeable users, but unchecking a box isn't hard! Simply uncheck and enjoy the control that you expect. You haven't lost anything!

    This idea is mainly to protect the uneducated end-users who probably will never apply updates. These people don't care about control, and they wouldn't be installing conflicting custom operating system components that may potentially screw up automatic updates.

    I just worry about a future where Microsoft end-user machines are always fully patched, while many Linux end-user machines are not due to ignorance. That will NOT be good PR if more of these Linux worms occur while they no longer occur to Microsoft.

  79. Bad analogy by ZigMonty · · Score: 3, Insightful
    If your car kills someone because you don't give a fuck about your actions, it's also YOUR fault.

    Bad analogy. Better one: If someone steals your car because you don't have a car alarm and then crashes and kills someone, are you to blame?

    No! You are the victim of grand theft auto.

    If your computer is insecure and it gets broken into and is used for a malicious act, you are the victim of being hacked. It's not your responsibility to protect your computer from hackers anymore than it is your responsibility to secure your car from theft.

    If you are the computer security adviser to a large company then you are in trouble. Otherwise, it's the police's fault for not stopping it.

    Note: I have secured my box (to the best of my ability) but I am reasonably computer literate. I don't think my Grandmother should have to do it.

    1. Re:Bad analogy by ZigMonty · · Score: 2
      True, but in that case there is no one to blame other than the owner of the car (or computer). Security updates are a different matter. My analogy is apt. There is a malicious other person who is responsible. Just because we can't find them or prosecute them doesn't remove them from the equation. Blaming the victim is just looking for a scapegoat. It is similar to the detaining of Japanese Americans during WWII, we couldn't hurt the actual Japanese Government so we found a scapegoat.

      It isn't that simple however. Your analogy is also good. With a car when you register (in Australia at least) the car has to pass a roadworthy test. The car owner isn't responsible for their own maintenance, merely for taking the car to someone who is qualified. Maybe we should acknowledge that most people aren't qualified to take care of their computers and work around that. Does your new Ford come with a "Maintenance Wizard" to lead complete novices through the necessary engine adjustments? No. Arguing that everyone should know enough to secure their boxes is similar to demanding that everyone be able to do complex maintenance on their car. Maybe making maintenance "easier" for the user is attacking the problem from the wrong direction?

  80. Re:Distributions, sub-version #'s, & straight by mccalli · · Score: 2
    It's OpenSSL 0.9.6b, with security patches...the version number is right.

    Well, I sort of agree but mostly don't. If patches have been applied, then it isn't the same as a vanilla 0.9.6b. Essentially, they've created a fork off the 0.9.6b trunk. The version number should reflect that - maybe 0.9.6b-sc1 (for security patch 1) for example.

    As an aside, what is it that open source people have got against making a version 1.0 of anything? It's just a number, nothing to be scared of...

    Cheers,
    Ian

  81. Hey, Code Red is still filling my logs by EvilTwinSkippy · · Score: 2
    I was around for the last round of major mischief with linux. Back in '99 I had my box at work rooted using a flaw in bind. It seemed like every week there would be a new flaw and we had to patch and patch and patch and patch.

    We got over it.

    For the record, my logs are still being filled with attempts to grab root.exe and all sorts of other nastiness from IP addresses that look like they are on the local cable modem network. I have to purge the hard drive on my email server from the 200 MB of viruses that try to leak through to my Windows based users. Every 6 weeks or so Nimda and Klez sneak back through and infect a bunch of workstations.

    We should be honored that it is newsworthy to report problems in Linux. With Windows it is just assumed!

    --
    "Learning is not compulsory... neither is survival."
    --Dr.W.Edwards Deming
    1. Re:Hey, Code Red is still filling my logs by EvilTwinSkippy · · Score: 2
      Well my present employer disagrees.

      And, pray tell, what do YOU do for a living?

      --
      "Learning is not compulsory... neither is survival."
      --Dr.W.Edwards Deming
  82. Re:How can ya tell? What do you do? by rosewood · · Score: 2

    The problem is that rh patched openssl and called it 0.9.6b-28 instead of just going to 6e or whatever

    so when I did rpm -q and saw I was still in 6b land I was kinda worried

    I have OpenSSL installed cause I was trying to do SSL Certs for Freeswan
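    Comments 62, 80 and 82 above all turn on the same point: Red Hat backported the fix and kept the upstream version string, so `openssl version` keeps saying 0.9.6b and only the RPM release tag tells you whether you are patched. The following is an added example (not from the thread and not Red Hat's tooling) that parses constructed `rpm -q` output and compares version-release pairs with an approximation of rpm's segment ordering; the fixed release 0.9.6b-28 is the one quoted in the thread.

```python
"""Decide whether a backported RPM is at or past the fixed release.

Added example, not code from the thread or from Red Hat.  The rpm -q output
below is constructed, and rpmvercmp() approximates rpm's ordering rules
rather than calling librpm.
"""
import re

# Split a version or release string into numeric and alphabetic segments.
SEGMENT_RE = re.compile(r"(\d+|[A-Za-z]+)")


def rpmvercmp(a: str, b: str) -> int:
    """Compare two version (or release) strings roughly the way rpm does.

    Numeric segments compare as integers, alphabetic ones lexically, and a
    numeric segment sorts after an alphabetic one.  Returns -1, 0 or 1.
    """
    if a == b:
        return 0
    sa, sb = SEGMENT_RE.findall(a), SEGMENT_RE.findall(b)
    for x, y in zip(sa, sb):
        xn, yn = x.isdigit(), y.isdigit()
        if xn != yn:
            return 1 if xn else -1        # numeric beats alpha
        if xn:
            x, y = int(x), int(y)
        if x != y:
            return 1 if x > y else -1
    # All shared segments equal: the string with more segments is newer.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def is_fixed(installed_vr: str, fixed_vr: str) -> bool:
    """True if 'version-release' installed_vr is at or past fixed_vr.

    A newer upstream version (e.g. 0.9.6e) counts as fixed; with the same
    version only the release tag (the backport counter) decides.
    """
    iv, ir = installed_vr.rsplit("-", 1)
    fv, fr = fixed_vr.rsplit("-", 1)
    c = rpmvercmp(iv, fv)
    if c != 0:
        return c > 0
    return rpmvercmp(ir, fr) >= 0


def parse_rpm_q(output: str) -> dict:
    """Parse lines of 'NAME VERSION-RELEASE' (rpm -q --qf output) into a dict."""
    pkgs = {}
    for line in output.splitlines():
        if line.strip():
            name, vr = line.split()
            pkgs[name] = vr
    return pkgs


# Fixed version-release from the thread; add further packages here.
FIXED = {"openssl": "0.9.6b-28"}


def audit(output: str, fixed: dict = FIXED) -> dict:
    """Return {package: (installed_vr, ok)} for every package with a known fix."""
    report = {}
    for name, vr in parse_rpm_q(output).items():
        if name in fixed:
            report[name] = (vr, is_fixed(vr, fixed[name]))
    return report


# Constructed rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' output, not a real host.
SAMPLE_RPM_Q = "openssl 0.9.6b-28\nopenssh 3.1p1-6\n"

if __name__ == "__main__":
    for name, (vr, ok) in audit(SAMPLE_RPM_Q).items():
        print(f"{name}-{vr}: {'fixed' if ok else 'VULNERABLE'}")
```

    As comment 68 notes, rpm only knows about RPM-installed copies, so a second OpenSSL built from source (or linked statically into Apache) has to be checked separately.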

  83. Re:A fuckload more than 3500 by konmaskisin · · Score: 2

    A blatant lie ... hmm. FUD meisters gardening on /. ... who is more pathetic?