Linux Worm Creating "Attack Network"

RomSteady writes "In what could be a case of the free pot calling the expensive kettle black, C|Net is reporting that a new Linux worm is "creating a rogue peer-to-peer network that has been used to attack other computers with a flood of data" and has already infected at least 3,500 servers. Seems it is true...the security of your web server depends on how effective you are at keeping up to date on patches, no matter if you are running Windows or Linux."

D'uh.

[dsb3]

Seems it is true...the security of your web server depends on how effective you are at keeping up to date on patches, no matter if you are running Windows or Linux."

D'uh. Go on, mod me down if you must.

Re:D'uh.

[LinuxHam]

That shows the last moderation. Click the message number to see all the moderations. He got 2 for Funny and 2 for Insightful. If the last moderation was "Funny", would you have said, "Duh, +5 Funny? Come on!"

Re:D'uh.

[Yohahn]

While the "Duh" is true. I think the relavent questions are:

"How easily does a system lend itself to being upgraded out of the box, with no additional costs?"

"How quickly can a patch be developed and published"

"When I install the new patch am I going to have to accept some NEW BS license?"

I still choose Debian GNU/linux because I believe that apt-get being as easy as it is will keep newbie Linux people upgrading regularly. This alone could have significant impact.

Re:D'uh.

[RomSteady]

Sorry, but I'm not an editor. I read the article and submitted it, and while I was submitting it, a similar article appeared on the Apache sub-section.

I am glad that they used my submission without censorship, though.

One person farther down says that if something like this had been reported about Windows, it would have been Bill's fault, but when something happens on Linux, it's the sysadmin's fault. Personally, I think both are the sysadmin's fault. Nine times out of ten, patches are available for software shortly after the worm is first out there. If a sysadmin keeps up on his/her patches, the likelihood of infection/damage is very low.

Personally, I'd be very happy if /. would stop attacking Microsoft and start attacking the people who make the actual attacks. However, the likelihood of that happening is slim to nil, I'm afraid.

Re:D'uh.

[Jace+of+Fuse!]

I still choose Debian GNU/linux because I believe that apt-get being as easy as it is will keep newbie Linux people upgrading regularly. This alone could have significant impact.

While I actually agree with you -- I don't see how that is any easier than Windows popping up a requestor saying "YOUR CRITICAL UPDATES HAVE DOWNLOADED AND ARE READY TO INSTALL."

True, there is a good chance the new terms of usage might require you hand over your newborn, or give your soul to Billy, but the newbie doesn't care about this.

Linux users think they can topple the Windows empire because ethically, Free Software has a more solid foundation than Microsoft. But they seem to ignore the fact that this means nothing because most users have no ethics.

If Unix is going to shoehorn it's self moreso into the desktop market, it's going to have to appeal more to the laziness of the masses and spend less time touting the ethical reasons. Things like Apt-Get are major steps in the right direction, though.

Well Duh!

[libertynews]

Anyone who thinks that solely because they run open source they are immune to attack is an idiot. Look at how wide open a default RedHat 6.2 install is.

This new attack is easily avoided by upgrading your OpenSSL version to 0.9.6e, and this should have been done by now. The hole has been known and example exploit available for a while now, as anyone who follows the bugtraq list would know.

Security is an ongoing process. You have to stay on top of it if you run machines that are not turned off and locked in a basement. There is just no way around the fact that there will always be bugs in software, and these days that commonly means security holes as well.

Re:Is this talking about the SSL hole?

[alvieboy]

Yes.

Read the CERT Advisory CA-2002-27.

It's available here

The Diierence....

[the+eric+conspiracy]

Seems it is true...the security of your web server depends on how effective you are at keeping up to date on patches, no matter if you are running Windows or Linux.

I'd agree with that statement - the difference being that with the Windows patch you may need to restart your server (bad), and you may have to swallow a new EULA (could be VERY bad).

Attack filter list

[inkfox]

You can get a current list of the top C networks which are participating in attacks of various sorts from dshield.org. Depending on your application, it may be advantageous to just add a cron job which grabs this and feeds it to your firewall rules, hosts.deny or access control lists.

Re:visioneers

[00_NOP]

Not to mention bullshit.

Re:Is this talking about the SSL hole?

[RestiffBard]

slashdot needs a "true dat" moderation.

Re:Not everyone is a Linux expert

[semaj]

Is there a quick, easy way to find out if OpenSSL is even installed on my system?

Do "telnet your.www.host 80" then type "HEAD / HTTP/1.0" and hit enter. Take a look at the "Server:" line, it'll tell you if OpenSSL is installed and enabled. If it is, and the version is less than 0.9.6e, you should upgrade.

Stoner's lament

[Scrameustache]

Don't say "free pot" if you don't mean it!

: (

Re:Is this talking about the SSL hole?

[coupland]

The systems that are getting hit are the ones with lazy admins who don't promptly follow up on security patches.

Why do topics like this always have to degenerate into a holier-than-thou diatribe by a self-righteous few? I'm running a vulnerable system and it isn't because I'm "lazy" as you so kindly put it. I run Linux on my *desktop* and use it to play Quake, surf the web, and share out some HTML pages for my family. I run RH7.2 (only one version behind, bub) and run Ximian Red Carpet and up2date regularly. But no, I don't read bugtraq for the sheer joy and I usually wait for RPMs to come out before I install a patch. The unfortunate downside to RPMs is that if you compile your own software the RPM database starts to choke on its biscuits. So maybe, just maybe it's not that people who don't upgrade same day aren't lazy. Maybe we just don't have as much time or interest as you to troll bugtraq or more so, troll /. acting all high and mighty because of the stinking version of OpenSSL they run.

Re:Why is this topic here again?

[SuiteSisterMary]

Much like those of us who understand that there are no insecure systems, only insecure sysadmins had our Win2K boxes patched against Code Red a full MONTH before it hit the wild?

If anything, Linux makes a lot of people too damn complacent. "Oh, I'm running Linux, don't need to worry about all those Windoze viruses and script kiddies!"

Further Info

[cr@ckwhore]

The worm exploits OpenSSL via http port 80. The exploit writes c source files to /tmp, I believe the program is named bugtraq.c. Then, the exploit compiles the program into a hidden binary /tmp/.bugtraq which is executed.

Once the program is running, it accepts commands on UDP port 2002.

Simple solution, so your bandwidth won't be exploited for a DDOS, block UDP port 2002.

The worm can be used for multiple purposes, including execution of arbitrary commands on your machine, various flood attacks, etc.

You need to patch your machine, before a more dangerous worm comes along. If you can't patch right away, at least block UDP port 2002.

Additionally, your /tmp (if located on a separate partition) should be mounted noexec.

Is Linux now a POS?

[Oliver+Defacszio]

Should we immediately start referring to Linux (et al) as an easy touch for these worms? This is now two serious vulnerabilities in the last three days. Sure, there are fixes available, but there are also fixes quickly available for similar Windows holes and, yet, when "sysadmins" don't apply them, everyone blames Microsoft. So, that means Linux sucks too, right?

Let's face some facts, there are probably more "forgotten" Linux servers than Windows ones, simply because Linux can run unattended for months at a time and Windows cannot. Making the reasonable assumption that a sizable number of these neglected machines will not be fixed, suddenly Linux and OSS looks no better than the Windows machines that are still infected with Nimda or something similar because no one has been bothered to apply patches.

I await your wrath for being reasonable.

Re:Is Linux now a POS?

[shepd]

>So, that means Linux sucks too, right?

No, Linus didn't make Apache or the OpenSSL library (the real problem).

If anyone deserves the blame for this, its the OpenSSL team themselves (and I would hedge a bet more of them work for BSD rather than Linux, just by the license). They caused the vulnerability. One would think that a team of programmers who are trying to create a set of high-security tools wouldn't _ever_ have a buffer overflow. That's the kind of mistake a green programmer like myself would make.

The fact is people blame Microsoft for Nimda because Microsoft made the vulnerable IIS webserver. Blame went where blame was due.

So, anyways, blame the right people. Microsoft for IIS, OpenSSL team for OpenSSL.

Re:Is Linux now a POS?

[NonSequor]

One would think that a team of programmers who are trying to create a set of high-security tools wouldn't _ever_ have a buffer overflow.

It seems to me that it has been thoroughly proven that programmers are incapable of handling memory management on their own. The number of problaems that buffer overflows, memory leaks, and other such problems have caused is staggering. I don't care how great you think you are, you shouldn't be doing your own memory management. Given enough time you'll fuck something up.

Re:actual apache log lines

[tubabeat]

The CERT Advisory has information on what to look for in your logs.

Re:Distributions, sub-version #'s, & straight

[GigsVT]

You are full of shit. Distros roll patches and bugfixes back into the stable and tested version, and release a new -subversion. Try using a modern distro sometime. I can't believe you flamed that guy, out of your own ignorance.

openssl-0.9.6b-28 is the current red hat version, and it is fully fixed.

It even shows the old version if you run openssl version:
OpenSSL 0.9.6b [engine] 9 Jul 2001

It is, however completely patched, and came out in early August.

Modern distros value stability in current releases, and will not upgrade to the latest version just to get a bugfix. This is the value they add, you don't have to worry about a security patch breaking some critical functionality. /me puts the cluestick back in its holster.

Acutally what I am afraid of is this---

[einhverfr]

This virus made several fatal errors in its execution--
1: It did not delete its source code file on execution.
2: It did not hide its binary very well.

If the worm did these things it would have been MUCH harder to detect and deal with. As it is my servers are secure (no SSL for now, and I have the latest version of OpenSSL for when I want to re-impliment it), but I would have been worried to some extent if I could not have actially looked for bugtraq.c in the /tmp directory.

Many trojans I am aware of do these things, though.

Re:Why is this topic here again?

[actiondan]

Surely it is newsworthy when a vulnerability is actually exploited 'in the wild' like this, even if only to remind people aboutt he importance of patching.

Are you suggesting that Code Red should not have been reported on Slashdot, as the patch was out a month before the infections took place? Or is it only Linux exploits that should be blacked out once a patch is available?

I don't think anyone is blaming the programmers - the story seemed pretty clear that it is admins that fail to patch that are at fault here.

Point taken but

[einhverfr]

I am assuming you didn't install a web server, NFS Server, etc. if you never thought you's use them, right? Or if you did, you would turn them off, or at least use Red-Hat's built-in firewall rules to keep other people out.

If you did any of these things, you are not directly vulnerable, and don't classify as lazy. But if you were running a production server and did not want to do a security patch because "there are no rpm's yet" then you would be lazy and I would berate you for it ;)

So my point is-- you can't compare apples and oranges here, and security is important to everyone, but there are different ways of
handling this security as appropriate for environment. If you think security doesn't matter, you are not lazy so much as clueless, but if you think that there is only one path to security, you are missing the point too.

I did support for Windows for a while and I was amazed at how many compromized systems I found because home users thought "I don't need security." It is all fun and games until people start uploading illegal content (such as kiddie porn) onto your system of your account gets terminated with your ISP because someone used your system to attack another computer, etc.

I don't care who you are-- security is important.

Re:Is this talking about the SSL hole?

[Chris+Hiner]

The openssl tarball already has a spec file in it. So just:
1) Download openssl-0.9.6g.tar.gz from a mirror.
2) rpm -tb openssl-0.9.6g.tar.gz
3) rpm -Uvh /usr/src/redhat/RPMS/i386/openssl*
Even easier.

Interesting, but dangerous approach that is

[bankman]

Let me elaborate a bit here:

You are running a computer that is connected to the Internet. For the sake of this argument it doesn't matter which system you favour. You are the admin of this machine.

Like it or not, you have responsibility towards ALL other network peers (i.e. the whole Internet) to make your system as secure as possible. Consider malicious software that can start DoS attacks on other remote boxes. Your insecure machine is now causing trouble to others as well as yourself (degrading connectivity).

Would you like this? Your answer could be: I don't care.

Imagine someone else has a similarly unpatched/insecure system and is directing DoS attacks on your IP. Do you care now? I guess you would.

The problem is that advertising and far too many teachers in "Internet for dummies" courses do not emphasize the fact that anyone with admin privileges on any computer (that is connected to the Internet) is effectively an administrator and has to act accordingly on issues like security. Point'n'Click installation doesn't make it any easier: You want to run a web server? Here you go.

How many install software without knowing about the security implications of the stuff they are going to run? I guess far too many. If you had to read about a certain program BEFORE you install it, the manual or How-To can give you an idea of the security implications you are probably going to run into, thus alerting the admin (on a home system that means you) and increasing awareness.

This could be a reason why Linux/Unix installations often seem to be more secure: You have to read a lot more before you can actually do something. This advantage, of course is slowly going away with point and click installations on Linux systems as distro installation programs become more user-friendly and everything gets installed via a graphical system. This might be ok for an advanced user, but could be dangerous in the hands of a novice (i.e. most home users).

I guess you could compare it to driving a car, where you have to get a license in order to participate in public traffic, because you need to know about the rules and dangers beforehand. The impact your mistakes might have on others can be very serious.

I don't want to lecture you, but I think it is important to increase awareness of security ramifications on boxes that are connected to others.

Re:Interesting, but dangerous approach that is

[coupland]

Like it or not, you have responsibility towards ALL other network peers (i.e. the whole Internet) to make your system as secure as possible.

Sorry but I'm gagging uncontrollably at the thought of your saccharine love-fest. I am not here to protect *other* people's PCs from compromise, should I hold hands with other sysadmins and pray for the health of their machines while I'm at it? No. My machine isn't as secure as some but I try my best and check Red Carpet daily.

Your argument is that as a user with a public IP address it's my responsibility to have every package on my system updated on a daily basis. Hence by your logic, if I'm not doing so then I don't have a right to be on the net. It's precisely this kind of jaded self-righteousness that people hate about a small handful of Linux geeks. When even Linux geeks are telling you to get a life, maybe you should consider it!

Self Destruct

[devnullkac]

Another evil plan with a big red Self Destruct button: one of the supported remote instructions for the network is "run a command" (0x24). All you have to do is find an entry point and command it to killall -9 .bugtraq and the command will propagate through the network, killing itself. Doesn't keep it from regenerating on the original https vulnerability vector, but we could perhaps slow down the DDoS attacks.

Re:Self Destruct

[epsalon]

Actually, it will work even better making the command a script that will notify the admin and then kill the server at a given time, e.g.

echo 'See http://whatever' |mail -s 'YOUR SYSTEM IS HACKED' root; echo killall -9 .bugtraq | at 00:00 GMT

Re:Where are the RHN Updates ?

[Rick_T]

> Yeah. Confusing it is. I don't see anything in
> the RedHat RPM indicating that it is different
> from stock 0.9.6b.

You could try looking at the changelog ...

rpm -q --changelog openssl
(or rpm -qi --changelog openssl if you prefer.)

How Come?

[hooded1]

How come when there is a worm or virus on Windows it is because Microsoft is grossley negligent and has no understanding of security, yet when there is a linux worm it is because of no fault of the developers but instead the fault of the 'lazy' sys admins whos machines became infected. This is flamebait, but it would be nice to have some standards on slashdot.

One other small difference

[twitter]

The other small difference between Windows and Linux as operating systems: The one hundred billions other exploits that all M$ boxes have in software that should not be running on a server, can't be removed from the server, and show up as headlines every freaking month. Why, pray tell, should a server run a GUI or a browser ALL THE TIME? I know, it's a small difference that the average user might not notice in terms of privacy, stability and security. That would be because the average user does not run a stable secure and privacy protecting operating system and has no idea of what it would be like to not be asked by tech support, "have you tried rebooting your computer?"

By the way, who says this attack won't affect Apache on Windows, Sun, True Unix, etc?

"You looked at your network settings, you should reboot your computer now."

This is already standard practice

[tweakt]

You should ALREADY be blocking ALL unknown incoming ports. ESPECIALLY UDP.

Re:Here's how to stop _this_ one.

[sunset]

If there is anything in your /tmp directory named .bugtraq.c and you didn't put it there, it's too late, you're rooted. Time to unplug the network cable...

I didn't see this described as a root exploit. Did I miss something?

Bad analogy

[ZigMonty]

If your car kills someone because you don't give a fuck about your actions, it's also YOUR fault.

Bad analogy. Better one: If someone steals your car because you don't have a car alarm and then crashes and kills someone, are you to blame?

No! You are the victim of grand theft auto.

If your computer is insecure and it gets broken into and is used for a malicious act, you are the victim of being hacked. It's not your responsibility to protect your computer from hackers anymore than it is your responsibility to secure your car from theft.

If you are the computer security adviser to a large company then you are in trouble. Otherwise, it's the police's fault for not stopping it.

Note: I have secured my box (to the best of my ability) but I am reasonably computer literate. I don't think my Grandmother should have to do it.