Slashdot Mirror


Ongoing Linux/Solaris Compromise Epidemic

An anonymous reader writes to point out that Stanford's Information Technology Systems and Services "has written a summary of a series of compromises that have been happening at universities, research institutions, and high performance computing centers, for the last month or more. The attackers are using known vulnerabilities in Linux and Solaris, along with compromised user accounts, to gain access and control of systems, from standalone servers to HPC clusters ... (the attacks are still ongoing)."

17 of 366 comments

  1. Windows is not the only vulnerable OS by ObviousGuy · · Score: 3, Insightful

    It is important that when we wave our flags and cheer when Microsoft is laid low by the latest security flaw that we not close our eyes to the very real vulnerabilities in the Unix/Linux system. No OS can be fully secured, and it is absolutely mandatory that we remain vigilant to the possibility of a heretofore unknown security hole in our systems, regardless of the system OS.

    Assuming that Unix/Linux is invulnerable to security holes is deadly. Though the OS may have more security features and "more eyes" on the code than closed source operating systems, we must not rest on our laurels watching Windows implode while our own house is burning.

    --
    I have been pwned because my /. password was too easy to guess.
    1. Re:Windows is not the only vulnerable OS by morelife · · Score: 4, Insightful

      You're joking.

      All the vulns mentioned have patches/fixes/replacements for the faulty code.

      The System Administrators are at fault FOR NOT MAINTAINING THEIR SYSTEMS PROPERLY.

    2. Re:Windows is not the only vulnerable OS by FrYGuY101 · · Score: 5, Insightful

      How does that differ from the worms which get released for Microsoft almost a year after the patch was released? I hear people railing Microsoft all the time for not 'getting it right the first time' when THAT happens...

      --
      "If we let things terrify us, life will not be worth living."

      - Seneca
    3. Re:Windows is not the only vulnerable OS by EvilTwinSkippy · · Score: 4, Insightful
      I am a religious patcher. Hell, I've almost gotten fired a few times when patches went wrong. Bosses just don't understand that machines don't just "work". They require constant intervention. The computers, that is, not the bosses.

      Now that said, you have an interesting slant on ethics. By that mindset, a burglar is perfectly entitled to break into your apartment because your door could be kicked in. A thief can swipe your radio because, hey, it was only glass between him and what he wanted.

      Yes, there is a certain amount to be said for not painting a target on yourself. But regardless of how much you "had it coming", it's still a crime to break into your dwelling, steal your property, or damage your person or possessions. System intrusion is a crime, and a matter for law enforcement.

      --
      "Learning is not compulsory... neither is survival."
      --Dr.W.Edwards Deming
    4. Re:Windows is not the only vulnerable OS by bebing · · Score: 3, Insightful

      Wow, this got modded up to +5 while there were only 55 replies to the article; that's fast. Either you're popular or there are a lot of pissed off MS fans out there.

      It is important that when we wave our flags and cheer when Microsoft is laid low by the latest security flaw that we not close our eyes to the very real vulnerabilities in the Unix/Linux system.

      Is there really flag waving and cheering going on? Perhaps joking and laughter. Also, Linux vs. Microsoft (leaving Unix out for now) is not comparable to, say, Rocky vs. Apollo Creed, but David vs. Goliath. Microsoft does not need you to defend them; they have billions of dollars and a monopoly. We do have to stick up for Linux because we are Linux, and there is nothing close to a monopoly or billion dollar bank accounts. Now that I think about it, maybe cheering is ok when the bully takes a blow to the chin; it happens in the movie theatres.

    5. Re:Windows is not the only vulnerable OS by SemperFiDownUnda · · Score: 3, Insightful

      Most companies don't get it right the first time. If they did, there would never be patches, would there?

      People do like to slam MS about holes that have known fixes for them, along with newly discovered holes.

      I agree that MS have tightened up about security because of market share, but this doesn't change the fact that some people will look at a situation like this in the Linux world and point fingers at the admin for not having things up to date, but in the MS world they'll blame MS first, not the admin who hasn't kept up with patches and procedures.

    6. Re:Windows is not the only vulnerable OS by RT+Alec · · Score: 4, Insightful

      There is a well founded fear many Windows admins have about MS patches. They tend to break things. Patch Win2k, and MS-SQL does not work upon reboot. Or that third party medical charting software suddenly does not work.

      Windows is very complex (many would say "too complex"), and certainly suffers from the "integration" of its parts. Therefore, unintentional side effects of patches are inevitable. With Unix(ish) systems, the discrete parts can be patched, well, discretely. You can patch Sendmail, or MySQL, or OpenSSL all by itself (although sometimes you must recompile applications that depend on shared libraries, such as OpenSSL).

    7. Re:Windows is not the only vulnerable OS by Anonymous Coward · · Score: 3, Insightful

      We all know no patch has ever caused any problems with any server. (heavy sarcasm)

      I work with a large organization with hundreds of servers, and no patch gets installed until the patch is tested to make sure it does not break the business app. That means setting up a lab with as close to the production setup as possible, installing the patch, and trying to run some realistic tests to confirm that things work. If everything checks out, then you can update that server. Repeat the process for each application. Don't forget the months of negotiation to get the time to patch/reboot the server for the upgrade.

      I have been waiting 4 months to do patches because the users refuse to let the server be shut down for even a few minutes a year. They want mainframe uptime on PC budgets. It is a case of the golden rule, and I don't have the gold.

      Not every unpatched system is the fault of bad administrators.

    8. Re:Windows is not the only vulnerable OS by Anonymous Coward · · Score: 5, Insightful
      The problem with patching is that it's not reasonable to take some slab of code that's been put on the 'Net by the software manufacturer and throw it on the computer.

      Why not?

      Well, what happens if that system just happens to be the payroll system, for example? What happens if the patch just manages to break the system so that the fortnightly payroll run doesn't happen? What happens when that money, which you expected to be in your bank account, doesn't appear? What happens when your mortgage provider goes to pull out your fortnightly mortgage repayment, and finds that there's no money in there to grab?

      It isn't as simple as "Here's a patch, you're now secure as long as you apply it." We're talking real-world systems, with real-world conflicts and requirements. If you step outside the known and tested, you're liable to break things.

      In other words: have a second system which you can throw patches onto and pound away on for a week or two, to make sure that those patches don't break anything important. Then throw the patches onto the live, production system. Doing it any other way could cause serious problems.

      Sometimes, it's a case of having a choice: either you're secure, or your business is functioning. This is not a choice that I would want anybody to have to make, but you need to know that that choice is entirely possible, every time a new patch is released from your vendor, whether that vendor be Microsoft, Sun, IBM, HP, SGI, Apple, or Linus. Note that I'm not talking about deliberately (or through slacking off) avoiding application of patches; I'm talking about verifying that the patches still let you function as a business.

      Or, in other words: IT exists to serve the business. The business does not operate to serve IT. Most of the time, there is no conflict between the two, but when there is, you need to make damn sure that the right one wins.

  2. In other words by Rosco+P.+Coltrane · · Score: 5, Insightful

    a variety of local exploits, including the do_brk() and mremap() exploits on Linux

    In other words, Stanford doesn't keep its Linux boxes up to date. These exploits have been fixed. Linux too requires maintenance and patching, not just Windows.

    --
    "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
    1. Re:In other words by winkydink · · Score: 4, Insightful

      Maintaining a large, heterogeneous environment (where administrative control may be decided by political or monetary reasons) is not easy to do. This may explain why you see so many really bright sysadmins at .edu's, but even they have difficulty breaking the political & financial layers.

      --

      "I'd rather be a lightning rod than a seismometer." -Ken Kesey

    2. Re:In other words by randyest · · Score: 3, Insightful

      Actually, it's users who are not following rules (assuming they have rules against using insecure telnet, which I'm sure they do):

      The attacks start with the compromise of an unprivileged local user account. Usually this is because the attacker's captured the password from somewhere else: it's been sniffed off the network (through the use of insecure protocols like telnet), it's been collected when the user signs on to or from another compromised machine, it's been harvested from the password file on a compromised system.

      So, we have user passwords as the source, which users freely give away by (1) using telnet instead of SSH, (2) just being very uninformed or gullible users, enough to plug in his/her unix password to a web form, and (3) once-removed version of (1) or (2) since these are just obtained from other compromised machines.

      (1) and (2) are arguably the same problem, so that boils down to: users breaking rules -- surprise! But that's easy to say, and hard to fix without more power. What to do? Seriously? Fine users for breaking rules?

      --
      everything in moderation
    3. Re:In other words by KrispyKringle · · Score: 3, Insightful
      I don't think they mean clusters as in MOSIX, etc. The term seems to be used frequently in academia to refer to a group of machines, with load balancing between them, used for services like shell access, web and mail serving, etc. Additionally, individual servers are being attacked as well. Many schools have a very, shall we say, fragmented IT infrastructure; I'm at a medium-sized private university (about 10,000 undergrads, perhaps) with four different undergraduate schools and perhaps twice as many graduate schools. Each has its own IT department. The larger ones are well-run, but some of the smaller ones aren't even on the newsgroup to which all the IT departments are supposed to belong, because they can't figure out how to use the news server (or so it's been said, at any rate). Point is, academia has some great admins, and some psych professors running servers out of their classrooms.

      Academic computing is the epitome of *available* computing, in the sense that availability is the highest priority. Financial institutions may prioritise (or at least, should prioritise) security and a good administration over availability, but by its nature, academic computing involves disparate infrastructures, various levels of admins with various goals, and so forth. All students, faculty, and staff need access; frequently, granting loose, unsecure access is simply more efficient for the time being than making things secure. Such is life.

    4. Re:In other words by modecx · · Score: 3, Insightful

      At my university nearly everyone used telnet to check their mail, and FTP on the big computer (ran AIX, probably still does). It's really quite stupid, especially when Free software exists for pretty much all platforms under the sun to easily mitigate that risk.

      I once approached one of the computer dorks at the lab about making PuTTY available to everyone on the lab computers, explaining packet sniffing (what's worse is that most of the individual labs were hubbed), and he turned me in to the administration for hacking, and they froze my account. I wrote a letter to the network admins and CS staff, and got my account back by explaining this: that I hadn't attempted sniffing passwords, and that I was just illustrating a point. But that's what you get for trying to do the right thing. No good deed goes unpunished, as they say.

      So don't doubt that at many universities around the world there are passwords -- and all sorts of other good stuff floating around in plaintext -- ripe for sniffing.

      Admins just need to turn off telnet and FTP where applicable, and force their users to use other methods. That's what it comes down to.

      --
      Constitutional rights may be respected, repealed, or modified; but they must never be ignored.
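    The advice above (turn off telnet and FTP, push users onto encrypted alternatives) is easy to state and easy to regress on. As an added example that is not part of the thread and not from Stanford's write-up, here is a small POSIX shell audit that reads an inetd.conf, lists every enabled service whose protocol sends passwords in the clear, and writes a hardened copy with those lines commented out. The inetd.conf contents and the file names are constructed for the demonstration; the service-name list is an assumption about which inetd service names an admin would treat as cleartext on their own systems.

```shell
#!/bin/sh
# Added example, not code from the thread or from Stanford ITSS.
# Audits an inetd.conf for cleartext login/file-transfer services and
# emits a hardened copy with those services disabled.

# inetd service names whose protocols carry passwords in the clear
# (assumed list; "shell", "login" and "exec" are the r-services).
CLEARTEXT_SERVICES="telnet ftp shell login exec pop3 imap"

# Print the enabled cleartext services found in an inetd.conf, one per line.
# Lines beginning with '#' are comments; field 1 is the service name.
list_cleartext_services() {
    awk -v list="$CLEARTEXT_SERVICES" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) bad[a[i]] = 1 }
        /^[[:space:]]*#/ { next }     # already commented out
        NF == 0 { next }               # blank line
        ($1 in bad) { print $1 }
    ' "$1"
}

# Write a copy of the inetd.conf ($1) to $2 with every enabled cleartext
# service commented out and annotated, leaving all other lines untouched.
harden_inetd_conf() {
    awk -v list="$CLEARTEXT_SERVICES" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) bad[a[i]] = 1 }
        /^[[:space:]]*#/ || NF == 0 { print; next }
        ($1 in bad) { print "# disabled (cleartext protocol): " $0; next }
        { print }
    ' "$1" > "$2"
}

# Number of enabled cleartext services; zero is the compliant state.
count_cleartext_services() {
    list_cleartext_services "$1" | wc -l | tr -d ' '
}

# Constructed sample inetd.conf for the demonstration (not a real host's file).
SAMPLE_CONF="${TMPDIR:-/tmp}/inetd.conf.sample.$$"
cat > "$SAMPLE_CONF" <<'EOF'
# sample inetd.conf (constructed for this example)
ftp     stream  tcp     nowait  root    /usr/sbin/in.ftpd       in.ftpd -l
telnet  stream  tcp     nowait  root    /usr/sbin/in.telnetd    in.telnetd
#shell  stream  tcp     nowait  root    /usr/sbin/in.rshd       in.rshd
ssh     stream  tcp     nowait  root    /usr/sbin/sshd          sshd -i
pop3    stream  tcp     nowait  root    /usr/sbin/ipop3d        ipop3d
EOF

HARDENED_CONF="$SAMPLE_CONF.hardened"
harden_inetd_conf "$SAMPLE_CONF" "$HARDENED_CONF"

# Usage: report what was enabled before hardening (ftp, telnet, pop3 here).
echo "cleartext services enabled in $SAMPLE_CONF:"
list_cleartext_services "$SAMPLE_CONF"
echo "after hardening: $(count_cleartext_services "$HARDENED_CONF") remain"
```

    The commented-out `shell` line is skipped by both functions, and `ssh` is left alone, so the hardened copy disables only `ftp`, `telnet` and `pop3`. Running the count function from cron against the live file (and alerting when it is non-zero) catches the common failure mode in the thread: someone re-enabling telnet "temporarily" and forgetting about it. On systems that use xinetd or per-service init scripts instead of a single inetd.conf, the same check applies to those files, but the parsing differs.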
  3. Sloppy work all around by fastpage · · Score: 5, Insightful

    What gets me is that you can tell the white hats and black hats are both lazy.

    If the sysadmins had actually patched their servers with the appropriate security patches the "hackers" would have never gotten in, in the first place. If you read the counter measure section this isn't anything new that they shouldn't be doing every day and enforcing.

    If you look at the section entitled Evidence of compromise, you can see that the people breaking into the systems are leaving a pretty big trail to follow. In my job, when customers start complaining that their servers aren't working quite right, and you take a look at what's going on, you can see a root kit's been installed. The whole idea of a root kit is to cover your tracks. If these guys did a better job you'd never know you were hacked. It's quite sad really. Laziness is the biggest security problem if you ask me.

  4. they wanna know WHAT? by ChipMonk · · Score: 4, Insightful

    If you believe your Unix computer has been affected by these intrusions, please contact the Information Security Services office (650-723-2911 or security@stanford.edu). Please include the name or IP address of the affected machine, as well as any compromised userIDs.

    Never mind the compromised machines. Let's try social engineering instead. I know! We'll make a security alert, get it on Slashdot, and the poor trusting souls will beat a path to our POP3 account!

    Seriously, you might as well just hand them your hard drive and credit card number.

  5. Re:Nothing to worry about by Daniel+Dvorkin · · Score: 3, Insightful

    No, no, just ignore this. When Windows is being compromised that's cause for gleeful giggles and jokes on slashdot. When Linux is being compromised that's for social misfits to blush about and shamefacedly ignore.

    When Windows is being compromised, that's cause for Microsoft to ignore, deny, and lie about the problem, and if that fails, spend a few billion dollars on PR. When Linux is being compromised, that's for knowledgeable programmers to study, work on, and fix the vulnerability.

    --
    The correlation between ignorance of statistics and using "correlation is not causation" as an argument is close to 1.