Slashdot Mirror


Linux Worm Creating "Attack Network"

RomSteady writes "In what could be a case of the free pot calling the expensive kettle black, C|Net is reporting that a new Linux worm is "creating a rogue peer-to-peer network that has been used to attack other computers with a flood of data" and has already infected at least 3,500 servers. Seems it is true...the security of your web server depends on how effective you are at keeping up to date on patches, no matter if you are running Windows or Linux."

22 of 465 comments

  1. D'uh. by dsb3 · · Score: 4, Funny

    Seems it is true...the security of your web server depends on how effective you are at keeping up to date on patches, no matter if you are running Windows or Linux."

    D'uh. Go on, mod me down if you must.

    --

    Slashdot? Oh, I just read it for the articles.
    1. Re:D'uh. by LinuxHam · · Score: 4, Funny

      That shows the last moderation. Click the message number to see all the moderations. He got 2 for Funny and 2 for Insightful. If the last moderation was "Funny", would you have said, "Duh, +5 Funny? Come on!"

      --
      Intelligent Life on Earth
    2. Re:D'uh. by Yohahn · · Score: 4, Insightful

      While the "Duh" is true, I think the relevant questions are:

      "How easily does a system lend itself to being upgraded out of the box, with no additional costs?"

      "How quickly can a patch be developed and published"

      "When I install the new patch am I going to have to accept some NEW BS license?"

      I still choose Debian GNU/Linux because I believe that apt-get being as easy as it is will keep newbie Linux people upgrading regularly. This alone could have significant impact.

    3. Re:D'uh. by Jace+of+Fuse! · · Score: 4, Insightful

      I still choose Debian GNU/Linux because I believe that apt-get being as easy as it is will keep newbie Linux people upgrading regularly. This alone could have significant impact.

      While I actually agree with you -- I don't see how that is any easier than Windows popping up a requestor saying "YOUR CRITICAL UPDATES HAVE DOWNLOADED AND ARE READY TO INSTALL."

      True, there is a good chance the new terms of usage might require you hand over your newborn, or give your soul to Billy, but the newbie doesn't care about this.

      Linux users think they can topple the Windows empire because ethically, Free Software has a more solid foundation than Microsoft. But they seem to ignore the fact that this means nothing because most users have no ethics.

      If Unix is going to shoehorn itself more so into the desktop market, it's going to have to appeal more to the laziness of the masses and spend less time touting the ethical reasons. Things like Apt-Get are major steps in the right direction, though.

      --

      "Everything you know is wrong. (And stupid.)"

      Moderation Totals: Wrong=2, Stupid=3, Total=5.
  2. Well Duh! by libertynews · · Score: 5, Insightful

    Anyone who thinks that solely because they run open source they are immune to attack is an idiot. Look at how wide open a default RedHat 6.2 install is.

    This new attack is easily avoided by upgrading your OpenSSL version to 0.9.6e, and this should have been done by now. The hole has been known and example exploit available for a while now, as anyone who follows the bugtraq list would know.

    Security is an ongoing process. You have to stay on top of it if you run machines that are not turned off and locked in a basement. There is just no way around the fact that there will always be bugs in software, and these days that commonly means security holes as well.

    --
    Remember Lexington Green!
  3. Re:Is this talking about the SSL hole? by alvieboy · · Score: 5, Informative

    Yes.

    Read the CERT Advisory CA-2002-27.

    It's available here

  4. The Difference.... by the+eric+conspiracy · · Score: 5, Insightful

    Seems it is true...the security of your web server depends on how effective you are at keeping up to date on patches, no matter if you are running Windows or Linux.

    I'd agree with that statement - the difference being that with the Windows patch you may need to restart your server (bad), and you may have to swallow a new EULA (could be VERY bad).

  5. Attack filter list by inkfox · · Score: 4, Interesting

    You can get a current list of the top C networks which are participating in attacks of various sorts from dshield.org. Depending on your application, it may be advantageous to just add a cron job which grabs this and feeds it to your firewall rules, hosts.deny or access control lists.

    --
    Says the RIAA: When you EQ, you're stealing bass!
  6. Re:Is this talking about the SSL hole? by RestiffBard · · Score: 4, Funny

    slashdot needs a "true dat" moderation.

    --
    - /* dead coders leave no comments */
  7. Re:Not everyone is a Linux expert by semaj · · Score: 5, Informative

    Is there a quick, easy way to find out if OpenSSL is even installed on my system?

    Do "telnet your.www.host 80" then type "HEAD / HTTP/1.0" and hit enter. Take a look at the "Server:" line, it'll tell you if OpenSSL is installed and enabled. If it is, and the version is less than 0.9.6e, you should upgrade.

    --
    Meep meep
  8. Stoner's lament by Scrameustache · · Score: 4, Funny

    Don't say "free pot" if you don't mean it!

    : (

    --

    You can't take the sky from me...

  9. Re:Is this talking about the SSL hole? by coupland · · Score: 5, Insightful

    The systems that are getting hit are the ones with lazy admins who don't promptly follow up on security patches.

    Why do topics like this always have to degenerate into a holier-than-thou diatribe by a self-righteous few? I'm running a vulnerable system and it isn't because I'm "lazy" as you so kindly put it. I run Linux on my *desktop* and use it to play Quake, surf the web, and share out some HTML pages for my family. I run RH7.2 (only one version behind, bub) and run Ximian Red Carpet and up2date regularly. But no, I don't read bugtraq for the sheer joy and I usually wait for RPMs to come out before I install a patch. The unfortunate downside to RPMs is that if you compile your own software the RPM database starts to choke on its biscuits. So maybe, just maybe it's not that people who don't upgrade same day aren't lazy. Maybe we just don't have as much time or interest as you to troll bugtraq or more so, troll /. acting all high and mighty because of the stinking version of OpenSSL they run.

  10. Re:Why is this topic here again? by SuiteSisterMary · · Score: 4, Interesting

    Much like those of us who understand that there are no insecure systems, only insecure sysadmins, had our Win2K boxes patched against Code Red a full MONTH before it hit the wild?

    If anything, Linux makes a lot of people too damn complacent. "Oh, I'm running Linux, don't need to worry about all those Windoze viruses and script kiddies!"

    --
    Vintage computer games and RPG books available. Email me if you're interested.
  11. Further Info by cr@ckwhore · · Score: 5, Informative

    The worm exploits OpenSSL via http port 80. The exploit writes C source files to /tmp, I believe the program is named bugtraq.c. Then, the exploit compiles the program into a hidden binary /tmp/.bugtraq which is executed.

    Once the program is running, it accepts commands on UDP port 2002.

    Simple solution, so your bandwidth won't be exploited for a DDOS, block UDP port 2002.

    The worm can be used for multiple purposes, including execution of arbitrary commands on your machine, various flood attacks, etc.

    You need to patch your machine, before a more dangerous worm comes along. If you can't patch right away, at least block UDP port 2002.

    Additionally, your /tmp (if located on a separate partition) should be mounted noexec.

    --
    Skiers and Riders -- http://www.snowjournal.com
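As an added example (not part of the comment above or of any tool it mentions), a small POSIX shell audit that checks a host for the three things cr@ckwhore lists: the dropped /tmp/.bugtraq binary, a UDP socket bound on port 2002, and whether /tmp is mounted noexec. The mount and netstat listings below are constructed samples in /proc/mounts and "netstat -anu" format; the function names and the iptables/mount remediation commands printed are my suggestions, not the commenter's.

```shell
#!/bin/sh
# Constructed sample inputs (not captured from a real host) in the formats
# of /proc/mounts and "netstat -anu" output.
MOUNTS_LAX='/dev/hda1 / ext3 rw 0 0
/dev/hda5 /tmp ext3 rw,nosuid,nodev 0 0'
MOUNTS_HARDENED='/dev/hda1 / ext3 rw 0 0
/dev/hda5 /tmp ext3 rw,nosuid,nodev,noexec 0 0'
NETSTAT_INFECTED='udp        0      0 0.0.0.0:2002            0.0.0.0:*
udp        0      0 0.0.0.0:123             0.0.0.0:*'
NETSTAT_CLEAN='udp        0      0 0.0.0.0:123             0.0.0.0:*'

# Exit 0 if mount point $2 carries the noexec option in listing $1.
mounted_noexec() {
    printf '%s\n' "$1" | awk -v mp="$2" '
        $2 == mp && $4 ~ /(^|,)noexec(,|$)/ { found = 1 }
        END { exit !found }'
}

# Exit 0 if listing $1 shows a UDP socket bound to port $2 on any address.
udp_port_bound() {
    printf '%s\n' "$1" | awk -v port="$2" '
        $1 == "udp" && $4 ~ (":" port "$") { found = 1 }
        END { exit !found }'
}

# Check the three indicators from the comment; prints one line per finding
# and returns the number of findings (0 = nothing seen).
# $1 = mounts listing, $2 = netstat listing, $3 = path of the dropped binary
audit_indicators() {
    hits=0
    if [ -f "$3" ]; then
        echo "hidden binary present: $3"; hits=$((hits + 1))
    fi
    if udp_port_bound "$2" 2002; then
        echo "UDP 2002 listener (block: iptables -A INPUT -p udp --dport 2002 -j DROP)"
        hits=$((hits + 1))
    fi
    if ! mounted_noexec "$1" /tmp; then
        echo "/tmp lacks noexec (fix: mount -o remount,noexec /tmp)"; hits=$((hits + 1))
    fi
    return $hits
}

# Read-only live run on the local box: sh audit.sh --live
if [ "${1:-}" = --live ]; then
    audit_indicators "$(cat /proc/mounts)" "$(netstat -anu 2>/dev/null)" /tmp/.bugtraq
fi
```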
  12. Is Linux now a POS? by Oliver+Defacszio · · Score: 5, Insightful

    Should we immediately start referring to Linux (et al) as an easy touch for these worms? This is now two serious vulnerabilities in the last three days. Sure, there are fixes available, but there are also fixes quickly available for similar Windows holes and, yet, when "sysadmins" don't apply them, everyone blames Microsoft. So, that means Linux sucks too, right?

    Let's face some facts, there are probably more "forgotten" Linux servers than Windows ones, simply because Linux can run unattended for months at a time and Windows cannot. Making the reasonable assumption that a sizable number of these neglected machines will not be fixed, suddenly Linux and OSS looks no better than the Windows machines that are still infected with Nimda or something similar because no one has been bothered to apply patches.

    I await your wrath for being reasonable.

    --

    -
    Inventor of the term 'pardon my French'.
    1. Re:Is Linux now a POS? by shepd · · Score: 5, Insightful

      >So, that means Linux sucks too, right?

      No, Linus didn't make Apache or the OpenSSL library (the real problem).

      If anyone deserves the blame for this, it's the OpenSSL team themselves (and I would hedge a bet more of them work for BSD rather than Linux, just by the license). They caused the vulnerability. One would think that a team of programmers who are trying to create a set of high-security tools wouldn't _ever_ have a buffer overflow. That's the kind of mistake a green programmer like myself would make.

      The fact is people blame Microsoft for Nimda because Microsoft made the vulnerable IIS webserver. Blame went where blame was due.

      So, anyways, blame the right people. Microsoft for IIS, OpenSSL team for OpenSSL.

      --
      If you could be told what you can see or read, then it follows that you could be told what to say or think - BoC
  13. Re:actual apache log lines by tubabeat · · Score: 5, Informative

    The CERT Advisory has information on what to look for in your logs.

    --
    "Linux is a serious competitor"
    - Steve Ballmer, Chief Executive Microsoft Corp.
  14. Re:Distributions, sub-version #'s, & straight by GigsVT · · Score: 5, Insightful

    You are full of shit. Distros roll patches and bugfixes back into the stable and tested version, and release a new -subversion. Try using a modern distro sometime. I can't believe you flamed that guy, out of your own ignorance.

    openssl-0.9.6b-28 is the current red hat version, and it is fully fixed.

    It even shows the old version if you run openssl version:
    OpenSSL 0.9.6b [engine] 9 Jul 2001

    It is, however, completely patched, and came out in early August.

    Modern distros value stability in current releases, and will not upgrade to the latest version just to get a bugfix. This is the value they add, you don't have to worry about a security patch breaking some critical functionality. /me puts the cluestick back in its holster.

    --
    I've had enough abrasive sigs. Kittens are cute and fuzzy.
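As an added example (not code from either commenter), a POSIX shell check that ties together semaj's "HEAD / HTTP/1.0" test and GigsVT's point about backported packages: it pulls the OpenSSL version out of a Server: header, compares it against the 0.9.6e threshold the thread gives (handling the major.minor.patch[letter] scheme), and treats a "vulnerable" result only as a prompt to check the package release, since a backported build such as openssl-0.9.6b-28 still advertises the old upstream string. The header lines are constructed samples; function names are mine.

```shell
#!/bin/sh
# Constructed sample Server: headers, not captured from real hosts.
HDR_OLD='Server: Apache/1.3.26 (Unix) mod_ssl/2.8.10 OpenSSL/0.9.6d'
HDR_NEW='Server: Apache/1.3.26 (Unix) mod_ssl/2.8.10 OpenSSL/0.9.6g'
HDR_NONE='Server: Apache/1.3.26 (Unix)'

# Print the OpenSSL version token from a Server: header line, or nothing.
openssl_version() {
    printf '%s\n' "$1" | sed -n 's|.*OpenSSL/\([0-9][0-9a-z.]*\).*|\1|p'
}

# Exit 0 if OpenSSL version $1 is older than $2 (e.g. 0.9.6d vs 0.9.6e).
# Each part is zero-padded and the optional trailing letter appended so a
# plain string comparison orders 0.9.6 < 0.9.6a < ... < 0.9.7.
version_older() {
    awk -v a="$1" -v b="$2" '
    function key(v,    p, l) {
        split(v, p, ".")
        l = p[3]; sub(/^[0-9]+/, "", l)        # trailing letter, may be empty
        sub(/[a-z]+$/, "", p[3])
        return sprintf("%03d%03d%03d%s", p[1], p[2], p[3], (l == "" ? "0" : l))
    }
    BEGIN { exit !(key(a) < key(b)) }'
}

# Classify one Server: header as no-openssl, vulnerable or patched.
# Caveat: distro packages that backport the fix keep the old upstream
# version string (Red Hat's openssl-0.9.6b-28 from the thread reports
# 0.9.6b), so "vulnerable" means "now check the package release with
# rpm -q openssl", not "confirmed exploitable".
classify_server_header() {
    v=$(openssl_version "$1")
    if [ -z "$v" ]; then
        echo no-openssl
    elif version_older "$v" 0.9.6e; then
        echo vulnerable
    else
        echo patched
    fi
}
```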
  15. Re:Is this talking about the SSL hole? by Chris+Hiner · · Score: 5, Informative

    The openssl tarball already has a spec file in it. So just:
    1) Download openssl-0.9.6g.tar.gz from a mirror.
    2) rpm -tb openssl-0.9.6g.tar.gz
    3) rpm -Uvh /usr/src/redhat/RPMS/i386/openssl*
    Even easier.

  16. Interesting, but dangerous approach that is by bankman · · Score: 4, Insightful

    Let me elaborate a bit here:

    You are running a computer that is connected to the Internet. For the sake of this argument it doesn't matter which system you favour. You are the admin of this machine.

    Like it or not, you have responsibility towards ALL other network peers (i.e. the whole Internet) to make your system as secure as possible. Consider malicious software that can start DoS attacks on other remote boxes. Your insecure machine is now causing trouble to others as well as yourself (degrading connectivity).

    Would you like this? Your answer could be: I don't care.

    Imagine someone else has a similarly unpatched/insecure system and is directing DoS attacks on your IP. Do you care now? I guess you would.

    The problem is that advertising and far too many teachers in "Internet for dummies" courses do not emphasize the fact that anyone with admin privileges on any computer (that is connected to the Internet) is effectively an administrator and has to act accordingly on issues like security. Point'n'Click installation doesn't make it any easier: You want to run a web server? Here you go.

    How many install software without knowing about the security implications of the stuff they are going to run? I guess far too many. If you had to read about a certain program BEFORE you install it, the manual or How-To can give you an idea of the security implications you are probably going to run into, thus alerting the admin (on a home system that means you) and increasing awareness.

    This could be a reason why Linux/Unix installations often seem to be more secure: You have to read a lot more before you can actually do something. This advantage, of course, is slowly going away with point and click installations on Linux systems as distro installation programs become more user-friendly and everything gets installed via a graphical system. This might be ok for an advanced user, but could be dangerous in the hands of a novice (i.e. most home users).

    I guess you could compare it to driving a car, where you have to get a license in order to participate in public traffic, because you need to know about the rules and dangers beforehand. The impact your mistakes might have on others can be very serious.

    I don't want to lecture you, but I think it is important to increase awareness of security ramifications on boxes that are connected to others.

    --
    I feel so sig.
  17. Self Destruct by devnullkac · · Score: 5, Interesting

    Another evil plan with a big red Self Destruct button: one of the supported remote instructions for the network is "run a command" (0x24). All you have to do is find an entry point and command it to killall -9 .bugtraq and the command will propagate through the network, killing itself. Doesn't keep it from regenerating on the original https vulnerability vector, but we could perhaps slow down the DDoS attacks.

    --
    What do you mean they cut the power? How can they cut the power, man? They're animals!
  18. One other small difference by twitter · · Score: 4, Interesting

    The other small difference between Windows and Linux as operating systems: The one hundred billion other exploits that all M$ boxes have in software that should not be running on a server, can't be removed from the server, and show up as headlines every freaking month. Why, pray tell, should a server run a GUI or a browser ALL THE TIME? I know, it's a small difference that the average user might not notice in terms of privacy, stability and security. That would be because the average user does not run a stable, secure and privacy-protecting operating system and has no idea of what it would be like to not be asked by tech support, "have you tried rebooting your computer?"

    By the way, who says this attack won't affect Apache on Windows, Sun, True Unix, etc?

    "You looked at your network settings, you should reboot your computer now."

    --

    Friends don't help friends install M$ junk.