Slashdot Mirror

← Back to Stories (view on slashdot.org)

Linux Most Attacked Server?

Posted by CmdrTaco on from the certainly-more-to-gain dept.

Anonymous guy who can't remember his login sent in a story from the Globe And Mail that says "During August, 67 per cent of all successful and verifiable digital attacks against on-line servers targeted Linux, followed by Microsoft Windows at 23.2 per cent. A total of 12,892 Linux on-line servers running e-business and information sites were successfully breached in that month, followed by 4,626 Windows servers."

26 of 815 comments (clear)

  1. What? by ascalon · · Score: 5, Funny

    Good god sir, do you know where you are posting this? ;]

  2. Active or passive attacks? by Gothmolly · · Score: 5, Interesting

    Does this count the number of Windows machines that were 'compromised' by BLASTER and its children? If someone gets a binary on my server and controls what my server does ( in this case, replicating the worm ), then I'd call that hacked. Just because a worm did it vs. a human doesn't mean anything. More direct hacks on Linux machines might just mean that there was much more human effort expended.

    --
    I want to delete my account but Slashdot doesn't allow it.
    1. Re:Active or passive attacks? by LostCluster · · Score: 5, Informative

      Numbers without a counting methodogy are usually worthless. We've got a small article that doesn't even name what "british security company" released the data, and a summary that somehow gets the BBC involved even though they're nowhere to be found in the story.

      Uhm... slow /. day?

  3. Staying uptodate costs money... by JohnGrahamCumming · · Score: 5, Insightful
    No doubt the Linux faithful are going to bay and scream about this report, but there's something interesting buried in the article. The following quote:
    The proliferation of Linux within the on-line server community coupled with inadequate knowledge of how to keep that environment secure when running vulnerable third-party applications is contributing to a consistently higher proportion of compromised Linux servers," mi29 chairman D.K. Matai said.

    "Microsoft deserves credit for having reduced the proportion of successful on-line hacker attacks perpetrated against Windows servers."

    Although I don't like Microsoft's software and it's a real pain having to get all the latest patches, they do at least tell us when they've got a patch. This is an inadequacy with Free Software that in general needs to be addressed, and it will make a nice revenue stream. At my company we subscribe to RedHat's "uptodate" service that makes sure that we are always patched. Even though the software is Free we are still willing to pay someone to tell us what we need to patch.

    It's ironic that Microsoft provides that service for free, whereas Linux requires paying money. But it's good because at least here there's a clear way to make money off Free Software and keep programmers like me from going hungry.

    John.

    1. Re:Staying uptodate costs money... by Kevinv · · Score: 5, Informative

      Both debian and gentoo (and Red Hat) have security mailing lists that list packages/ebuilds that have been updated for security reasons. I know Debian & Red Hat's are cross-posted with Bugtraq, not sure about Gentoo's.

      Finding updated packages isn't a big deal. Harder is finding what software has an announced vulnerability that hasn't been patched by it's respective distribution yet. Red Hat uptodate has the same problem, if Red Hat hasn't patched the vunerability yet you won't know about it.

      Of course in the Open Source world the updates come pretty quick after the annoucement anyway, but if there were some software app that had a real old version with no maintaniner as the default it could present a problem.

    2. Re:Staying uptodate costs money... by HiThere · · Score: 5, Insightful

      It's a plausible claim. But I don't know how one would go about substantiating it.

      Above it says that it costs 30 pounds to read the report and discover their methodology. Not worth it to me. But before I took it seriously I'd need to know their target populations and their sampling rates. It makes a big difference, for instance, if they only sample people who know and admit that they have been hacked, or whether they have some independant way of checking. And it also makes a big difference if they are counting servers in Fortune 5000 glass houses, or whatever is connected to the web, or (...what are the alternatives?).

      I've seen too many bogus news stories to start taking one seriously just because it says that there are a lot of Linux machines out there.

      (P.S.: staying up to date doesn't cost MUCH money. I normally run Debian, and once a day I usually run apt-get update/apt-get upgrade. This does sort of depend on a broadband connection, as some days the amount of upgrades would choke a dial up connection. OTOH, most days nothing significant to me has changed.)

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
  4. Most attacked server? by Hieronymus+Howard · · Score: 5, Interesting
    Yes, my Linux server is certainly being attacked constantly. I know this because I keep finding entries like these in the apache log files:
    212.181.127.182 xxxxxxxx.org - [08/Sep/2003:21:36:02 +0100] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404
    12.242.55.56 xxxxxxxx.org - [09/Sep/2003:21:41:54 +0100] "get /scripts/..%c0%af..%c0%af..%c0%af.. %c0%af..%c0%af..%c0%af..%c0%af..%c0%af/winnt/syste m32/cmd.exe?/c%20dir" 501
    62.194.103.198 xxxxxxxx.org - [11/Sep/2003:10:31:35 +0100] "GET /scripts/nsiislog.dll" 404
    HH
  5. Re:Yeah... by notsewmit · · Score: 5, Informative

    Exactly.... the report would have been better if they had broken it down like this:

    OS
    % of Total Hacks
    % of Servers running OS Hacked

  6. Re:Yeah... by Chester+K · · Score: 5, Insightful

    But think of how many more linux servers are out there than windows servers.......

    The ratio of Windows workstations to Linux workstations has never stopped us from divining that the reason there are more viruses for Windows because of its ubiquity, not necessarily its security record.

    Why should this be any different?

    --

    NO CARRIER
  7. Help me with the math here by Lawrence_Bird · · Score: 5, Insightful

    They claim a database of 280,000 attacks since 1995. They claim there were at least 18,000 attacks in August alone, or 6.5% of the total of 1% of their sample. Also, these numbers are meaningless without knowing the total population of each type of server. Oy!

  8. These aren't good statistics by BrynM · · Score: 5, Insightful
    "The proliferation of Linux within the on-line server community coupled with inadequate knowledge of how to keep that environment secure when running vulnerable third-party applications is contributing to a consistently higher proportion of compromised Linux servers," mi29 chairman D.K. Matai said.
    So let me get this right. Since third party applications under Linux get hacked, it is attributed to Linux being more vulnerable while MS Windows running third party software is more secure??? So a PHP/SQL injection exploit is attributed to the OS PHP is installed on? Does the exploit count twice then? - Once for each operating system?

    I think it's time to break the statistics down application by application at that point. Show me some Apache vs. IIS numbers or MySQL vs. SQL Server numbers or exclude third party applications altogether please. For the record, I run both Windows and Linux for clients and servers and am pretty neutral in the whole OS wars thing. Each has their merits and uses, both need regular security maintenance and I am pretty much happy with both for very different reasons. I'm not a Linux zealot, but I know bad numbers when I smell them. And then...

    "Microsoft deserves credit for having reduced the proportion of successful on-line hacker attacks perpetrated against Windows servers."
    So MS is shoring up third party applications then? They even go on to cite Sobig and MSBlast as the reasons for the high MS numbers. This is shifting over to a very FUD-like smell now.
    --
    US Democracy:The best person for the job (among These pre-selected choices...)
  9. Your login request by eweu · · Score: 5, Funny

    Anonymous guy who can't remember his login

    That would be WilliamGates.

  10. Re:Yeah... by retinaburn · · Score: 5, Insightful

    So we can rail against MS for having an insecure operating system and flaunt Linux's proliferation in the market, and then dismiss that its because of Linux's dominance that more Linux systems are getting hacked. We should instead try to foster a more security mindeded friendly community to educate the Linux sysadmins out there. This is a problem, that should not be lightly dismissed. If there was a larger percentage of windows boxes out there would anyone say 'But think of how many more windows servers are out there than linux servers.......

  11. Re:Hmm... by Anonymous Coward · · Score: 5, Funny

    For the attacks or the study?

  12. mi2g by FrostedWheat · · Score: 5, Informative

    Brought to us by our friends at mi2g. I'd take this with a grain of salt.

  13. Linux-based systems not as simple as the buzz by The+Revolutionary · · Score: 5, Insightful

    Folks who have traditionally been Microsoft users, who have recently installed Linux on an old machine at home or maybe as dual-boot, who have little to no real experience or training with Unix-like systems or with particular open source servers, are going into to the business IT environment and installing Linux-based systems on the hype.

    Sure they can get Apache webserver serving pages, they can get Tomcat doing "something", and they can certainly run XMMS quite well on their workstation, but they really have no clue how to properly use these technologies in a production environment.

    They see switching to Linux-based systems as being a simple fix.

    They aren't willing to extensively review their configuration or product documentation. They aren't willing to put in the significant amount of time that is in fact required to become experts with the technologies.

    Yes, they certainly do get a kick out of telling their friends that they have "Linux boxes running their shop", but security suffers due to their naive incompetence.

    These techs should be fired.

    Open source development may be a "we'll get that feature done when we feel like it" affair, but deploying Linux-based systems in a production environment must not be.

    If anything, effectively and securely deploying Linux-based solutions requires more training and knowledge than does deploying Microsoft.

    Let's stop pretending otherwise.

    --

    .sig Realistic fines for copyright in

  14. Re:Yeah... by NanoGator · · Score: 5, Insightful

    "We should instead try to foster a more security mindeded friendly community to educate the Linux sysadmins out there. This is a problem, that should not be lightly dismissed."

    You are right. I've read a lot of anti-MS babble here that has me a little spooked. Evidently, when Linux is more secure than Microsoft, the impression is generated that you can install a Linux based webserver and you're instantly secured. That's what I did. Being a Linux newb, I set up a Redhat/Apache server and within 2 weeks it was rooted. We had to have our sysadmin build us a new one. (It was a project for me to grow...)

    It only takes one exploit to destroy your server. Vigilance is absolutely necessary on either platform. Maybe it's time to end the anti-MS pissing contest and focus on good practices in general for whatever OS you're using.

    --
    "Derp de derp."
  15. Re:Interpretations... by dom1234 · · Score: 5, Insightful

    Those are four facts leading to interesting quesitons :

    • How much possible in average is it possible that someone makes an insecure Windows system ?
    • How much possible in average is it possible that someone makes an insecure Linux system ?

    Those probabilities should be pondered by the frequency of default installations, frequency of having an expert rather than a novice as the administrator, etc.

    Thus, could someone not knowing which one to choose, and not knowing whether he is hiring an expert or not, rely on those statistics ?

  16. mi2g - computer security hysteria specialists by tagishsimon · · Score: 5, Informative
    mi2g - authors of the report being discussed, are the single most dissed security company I know of. They're derided by such a long list of organisations, that one might wonder if there's any point giving their work houseroom. They certainly appear to be PR whores, and, bless' em, good at this part of their job.

    Vmyths appears to summarise the anti-mi2g camps position. Searches for mi2g on NTK and The Register, (when its search engine is working) for mi2g are as enlightening as they are amusing.

  17. Re:Yeah... by Osty · · Score: 5, Interesting

    First, In the Windows case, shit might happen because it takes longer for a proper fix to appear (though, on the last DCOM-related vulnerabilities, we should give credit to MS for the quick response to the problem). If a patch does not exist, the admin can not do as much (unless he has a proper firewall).

    I call bullshit. Most Windows problems are patched long before they're exploited. See Code Red, Nimda, Blaster, etc. All of these were fixed long before they were exploited, and yet long after the worms first appeared people were still being hit. While I will agree that there is a possibility of patches taking a while to appear from closed-source software (and that it has happened, usually regarding Internet Explorer), that has been the case only in a very minority of important patches. As well, though you call out Debian's apt-get for making it fairly easy to update systems, Microsoft has Windows Update (and they freely-available provide software to run your own Windows Update site, so that you can verify patches before pushing them out to your site). Therefore, your argument is a red herring.


    But it all depends on the administrators.

    Bingo! 99.999% of all of the problems with both Linux and Windows being insecure have stemmed not from late patches, but from administrators not keeping on top of security for their machines.


    Oh, and yes, there are more viruses for Windows, but that includes the 'dumb end-user' type such as SoBig, which are purely unrelated to server attacks. And those, I'm more than sure, will _not_ appear an Linux systems since I do not know of an email client that makes it so easy for a user to execute incoming garbage straight away.

    It's false to say that Linux will not ever be affected by such viruses, because it's quite possible. Even with proper separation of user rights and administrator rights, a user can still royally screw himself and his data. More, all it takes is one unpatched local root exploit ("I'm not too worried about local exploits, because they're local" is an attitude that will get you in trouble if you have users ...), a malicious binary that exploits it, and a dumb user. As well, with more users wanting to use Linux, the need will come for user-friendly desktop apps (what do users want to do? easily open e-mail attachments. Better code that properly, our you're going to be as bad as Outlook Express ...). Users will also want to be able to easily install software (see Lindows, and how at least initially it suggested you not only run as root, but without a password!). There's work to do on Linux before it will be acceptable to Joe Sixpack or Bettie Secretary, and unless developers keep their wits about them they can (and will!) fall into the same problems seen in Windows.


  18. Re:Yeah... by TClevenger · · Score: 5, Interesting
    A friend went to clean up a server that finally crashed under the load of Blaster. When he went to that site, he found that the server also still was infected Nimda.

    Needless to say, the regular server administrator for that site is in an uncomfortable spot now.

  19. Re:Yeah... by nicodaemos · · Score: 5, Insightful
    They are not counting server boxes that have been hacked, but websites.

    From MI2g website:
    Do multiple website attacks resulting from a single system breach count
    as one attack or many?

    Mass website attacks are counted as multiple attacks because although there is a single
    action on the part of the attacker, economic damage is always done to multiple victims.

    So if a single ISP box gets hacked, they may count that as 100 linux sites hacked because of virtual hosting.

    But even more important than their actual counting methods are where they get their data. Again, according to the same paper:
    mi2g is principally reliant on data for SIPS and EVEDA from a number of sources:

    2. Personal relationships at CEO, CIO, CISO level within the banking, insurance and
      reinsurance industry in Europe, North America and Asia. We have been involved in
      pioneering cyber liability insurance cover for Lloyd's of London syndicates which has
      given us access to case history since the late 1990s.
    3. Monitoring hacker bulletin boards and hacker activity. We have several white hat
      hackers who we use for penetration testing and developing our bespoke security
      architecture that feed digital risk information through to us on a continuous basis
      including vulnerabilities, exploits and the latest serious attacks they are aware of.
    4. We maintain anonymous communication channels with a large number of black hat
      hacker groups.

    So their highly informed executive manager friends seem to know when their linux systems get hacked versus their windows systems, they browse the web, looking at defacement sites and they converse with script kiddies via email. Umm, does anyone else see an issue with their data collection methods besides me?

    If you don't yet, then let me give you a simple example. Let's say that I wanted to bias the results. Mmm ... it appears that all I have to do is deploy one linux box that is virtual hosting say 2,000 sites that noone visits. I leave some things in a very insecure mode and let some script kiddies know about it. Once its been "hacked", the script kiddie posts on a board or sends email to mi2g.com and their numbers move by 2,000 sites.

    You can show me analyst reports by people like this all day long. In the end, this report bears no relation to what I see day to day in the real world.
  20. Re:Hmm... by SillySlashdotName · · Score: 5, Informative

    Not the BBC, from Globe News - No I hadn't ever heard of them either.

    From a press release from the people at mi2g - google for it, interesting information in the SECOND entry...

    Not funded by MS, this is a security consulting group of dubious integrity.

    Some of my favorite quotes in reference to their press releases -

    "Mathmatical Masturbation" Richard Forno (InfoWarrior.org).

    "Winn Schwartau, author of Pearl Harbor Dot Com, noted that mi2g seems to be relying solely on hacks that have been publicly documented".

    "Their statistics are basically worthless." Marquis Grove, editor of the Security News Portal.

    "mi2g continue to drum up PR about an "Inter-fada," or holy cyber-war, that rages between Palestine & Israel."

    and

    "Fearmongers" Rob Rosenberger, Vmyths editor.

    Read more at Vmyths.com

    --
    Acts of massive stupidity are almost never covered by warranty. --me.
  21. This is some FUD by purdue_thor · · Score: 5, Insightful

    Come on, where do they get these figures? In August alone:
    From NetworkWoldFusion

    The Blaster worm - also known as MSBlast or LoveSAN - has spread rapidly since it was first noticed on Monday. It has infected an estimated 188,000 systems running Microsoft operating systems, including Windows XP, Windows 2000, Windows 2003 and NT, that are unpatched for the so-called RPC vulnerability discovered last month, according to a security firm tracking the worm.

    They didn't count them. Why? Most of them aren't servers, right? Well how did they differentiate Linux servers then? I bet they didn't -- did they check and only record RH Advanced Server and disregard all the RH Workstation. I doubt it. This is pure FUD by a place that has trouble with math.

  22. Article headline by Overly+Critical+Guy · · Score: 5, Insightful

    I'm curious, was Slashdot afraid to put "Linux Most Breached Server?" in the headline? The stats were about most breached. The point wasn't who was most attacked. I guess that one word needed to be changed to soften the blow...

    --
    "Sufferin' succotash."
  23. Re:Globe and Mail by Alan+Cox · · Score: 5, Interesting

    Then I guess they just went down in quality.

    A trivial demonstration of the problem is to take the number of reported virus infections with Sobig and friends. Compare with the mi2g figures about proven break ins. Note weird difference in size of windows numbers.

    As to web sites they *appear* to count each web site affected. So a single linux breakin on a big hosting site scores 10,000 while nobody hosts 10,000 sites on a windows box.

    One of the problems with a lot of these metrics is the lack of a fair, formal and neutral third party methodology for analysis of such data that can handle the way proprietary vendors forget to reveal most bugs but just roll them quietly into updates, the difference between vendors in quantity of material and remove overlaps.

    Unfortnately that isn't likely to change. There is a marketing game being played by many vendors and security is simply another buzzword and another set of statistics to "optimise". Customers are expendable.

    I guess the final thing we all should notice. The number isnt zero. That only emphasizes the need to get more stuff like SELinux out and equivalent other OS products. Preferably before the bad guys mix something like Sobig or slammer with something that does actual damage, potentially hardware damage.