Slashdot Mirror
Linux Worm Creating "Attack Network"
RomSteady writes "In what could be a case of the free pot calling the expensive kettle black, C|Net is reporting that a new Linux worm is "creating a rogue peer-to-peer network that has been used to attack other computers with a flood of data" and has already infected at least 3,500 servers. Seems it is true...the security of your web server depends on how effective you are at keeping up to date on patches, no matter if you are running Windows or Linux."
Anyone who thinks that solely because they run open source they are immune to attack is an idiot. Look at how wide open a default RedHat 6.2 install is.
This new attack is easily avoided by upgrading your OpenSSL version to 0.9.6e, and this should have been done by now. The hole has been known and example exploit available for a while now, as anyone who follows the bugtraq list would know.
Security is an ongoing process. You have to stay on top of it if you run machines that are not turned off and locked in a basement. There is just no way around the fact that there will always be bugs in software, and these days that commonly means security holes as well.
Remember Lexington Green!
Yes.
Read the CERT Advisory CA-2002-27.
It's available here
Seems it is true...the security of your web server depends on how effective you are at keeping up to date on patches, no matter if you are running Windows or Linux.
I'd agree with that statement - the difference being that with the Windows patch you may need to restart your server (bad), and you may have to swallow a new EULA (could be VERY bad).
Is there a quick, easy way to find out if OpenSSL is even installed on my system?
Do "telnet your.www.host 80" then type "HEAD / HTTP/1.0" and hit enter. Take a look at the "Server:" line, it'll tell you if OpenSSL is installed and enabled. If it is, and the version is less than 0.9.6e, you should upgrade.
Meep meep
The systems that are getting hit are the ones with lazy admins who don't promptly follow up on security patches.
Why do topics like this always have to degenerate into a holier-than-thou diatribe by a self-righteous few? I'm running a vulnerable system and it isn't because I'm "lazy" as you so kindly put it. I run Linux on my *desktop* and use it to play Quake, surf the web, and share out some HTML pages for my family. I run RH7.2 (only one version behind, bub) and run Ximian Red Carpet and up2date regularly. But no, I don't read bugtraq for the sheer joy and I usually wait for RPMs to come out before I install a patch. The unfortunate downside to RPMs is that if you compile your own software the RPM database starts to choke on its biscuits. So maybe, just maybe it's not that people who don't upgrade same day aren't lazy. Maybe we just don't have as much time or interest as you to troll bugtraq or more so, troll /. acting all high and mighty because of the stinking version of OpenSSL they run.
The worm exploits OpenSSL via http port 80. The exploit writes c source files to /tmp, I believe the program is named bugtraq.c. Then, the exploit compiles the program into a hidden binary /tmp/.bugtraq which is executed.
/tmp (if located on a separate partition) should be mounted noexec.
Once the program is running, it accepts commands on UDP port 2002.
Simple solution, so your bandwidth won't be exploited for a DDOS, block UDP port 2002.
The worm can be used for multiple purposes, including execution of arbitrary commands on your machine, various flood attacks, etc.
You need to patch your machine, before a more dangerous worm comes along. If you can't patch right away, at least block UDP port 2002.
Additionally, your
Skiers and Riders -- http://www.snowjournal.com
Let's face some facts, there are probably more "forgotten" Linux servers than Windows ones, simply because Linux can run unattended for months at a time and Windows cannot. Making the reasonable assumption that a sizable number of these neglected machines will not be fixed, suddenly Linux and OSS looks no better than the Windows machines that are still infected with Nimda or something similar because no one has been bothered to apply patches.
I await your wrath for being reasonable.
-
Inventor of the term 'pardon my French'.
The CERT Advisory has information on what to look for in your logs.
"Linux is a serious competitor"
- Steve Ballmer, Chief Executive Microsoft Corp.
You are full of shit. Distros roll patches and bugfixes back into the stable and tested version, and release a new -subversion. Try using a modern distro sometime. I can't believe you flamed that guy, out of your own ignorance.
/me puts the cluestick back in its holster.
openssl-0.9.6b-28 is the current red hat version, and it is fully fixed.
It even shows the old version if you run openssl version:
OpenSSL 0.9.6b [engine] 9 Jul 2001
It is, however completely patched, and came out in early August.
Modern distros value stability in current releases, and will not upgrade to the latest version just to get a bugfix. This is the value they add, you don't have to worry about a security patch breaking some critical functionality.
I've had enough abrasive sigs. Kittens are cute and fuzzy.
The openssl tarball already has a spec file in it. So just: /usr/src/redhat/RPMS/i386/openssl*
1) Download openssl-0.9.6g.tar.gz from a mirror.
2) rpm -tb openssl-0.9.6g.tar.gz
3) rpm -Uvh
Even easier.
Another evil plan with a big red Self Destruct button: one of the supported remote instructions for the network is "run a command" (0x24). All you have to do is find an entry point and command it to killall -9 .bugtraq and the command will propagate through the network, killing itself. Doesn't keep it from regenerating on the original https vulnerability vector, but we could perhaps slow down the DDoS attacks.
What do you mean they cut the power? How can they cut the power, man? They're animals!