Slashdot Mirror


Ongoing Linux/Solaris Compromise Epidemic

An anonymous reader writes to point out that Stanford's Information Technology Systems and Services "has written a summary of a series of compromises that have been happening at universities, research institutions, and high performance computing centers, for the last month or more. The attackers are using known vulnerabilities in Linux and Solaris, along with compromised user accounts, to gain access and control of systems, from standalone servers to HPC clusters ... (the attacks are still ongoing)."

14 of 366 comments (clear)

  1. IMO all of these attacks are related by bersl2 · · Score: 4, Interesting

    going back to the back-door insertion attempt on the Kernel, the rooting of gnu.org's ftp server, the compromise of Debian's servers... it's the same people doing this.

    Just a feeling.

  2. Re:Attacks against universities? by Anonymous Coward · · Score: 3, Interesting

    I'm running a live cd distro based on Damn Small Linux. Is this the coming thing to prevent attacks and viruses from getting anywhere?
    Nothing is written to a hard drive with this OS.
    If so, how would this apply to the story on these attacks? How would anyone "gain control" of my computer under these circumstances.
    BTW, Damn Small has a limit of 50 Mb, mine runs a little over 60 MB, and I put Mozilla Firefox and Wvdial in the remaster, as well as some office applications from the Debian list of over 8000 items.

  3. Yeah, so? by ameoba · · Score: 4, Interesting

    The entire (up to date) Windows lab here gets compromised & backdoored to hell and everyone just says "Have it working by tommorrow". A Linux cluster gets compromised and they issue a press-conference.

    --
    my sig's at the bottom of the page.
  4. My opinion by weekendwarrior1980 · · Score: 3, Interesting

    I dont think we will ever have a fully secure box, these vulnerabilies will continue to pop up occassionally and there's nothing we (the developers) can do about that. It is just a testimony of the fact that we are imperfect beings and sooner or later we will have our errors exposed. It is not a bad thing, in the evolutionary way of dealing things, this (finding and sorting out bugs) could probably be a good thing. Having said that, I think developers do have control over how they respond to these problems, like coming up a problem that doesn't just band-aid the wound hoping to find a cure for in the future. Also developers have control over how fast they respond. On both criterias, open source peer reviewing is winner over closed sourced development. One tends to promote security through openness and and in the other security through obscurity like think MSFT( Read comments from a MSFT bigwig who said the only reason MSFT servers are compromised because the vulnerabilities are announced).

  5. Libsafe protects against buffer overflow exploits by tjmather · · Score: 5, Interesting
    Does anyone use Libsafe This library protects against buffer overflow vulnerabilities, and is very easy to install (basically you just install the RPM and you're done)

    If more sysadmins installed this, perhaps we wouldn't have problems with so many Linux compromises? Of course it's no substitute for patching, but seems like a good additional security measure.

    This is from the gnu.org software directory

    The exploitation of buffer overflow and format string vulnerabilities in process stacks are a significant portion of security attacks. 'libsafe' is based on a middleware software layer that intercepts all function calls made to library functions known to be vulnerable. A substitute version of the corresponding function implements the original function in a way that ensures that any buffer overflows are contained within the current stack frame, which prevents attackers from overwriting the return address and hijacking the control flow of a running program.

    The true benefit of using libsafe is protection against future attacks on programs not yet known to be vulnerable. The performance overhead of libsafe is negligible, it does not require changes to the OS, it works with existing binary programs, and it does not need access to the source code of defective programs, or recompilation or off-line processing of binaries.

  6. Now, wait a moment ... by JMZorko · · Score: 5, Interesting
    Just an observation, but this story has the "Security" icon, while the story about Windows critical flaws has the "Bugs" icon. Both stories deal with bugs or "vulnerabilities" that compromise security on the affected machines.

    Now, my opinion of MS is not that great, but this just seems wrong.

    Regards,

    John

    --
    Falling You - beautiful
    1. Re:Now, wait a moment ... by CAIMLAS · · Score: 3, Interesting

      This is why you should at least try to pay attention; reading the article would help, too.

      This article is about incompetent admins and actual security breaches using exploits that have had fixes for ages. Thus, security. The windows item was on patches for actual bugs and didn't mention any specific exploit instances: thus, bugs.

      It all makes sense now, doesn't it?

      --
      ~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
  7. Re:Windows is not the only vulnerable OS by morelife · · Score: 4, Interesting

    How does that differ from the worms which get released for Microsoft almost a year after the patch was released? I hear people railing Microsoft all the time for not 'getting it right the first time' when THAT happens...

    Wrong. People rail because Microsoft rarely gets it right the first time, and are damned slow and arrogant about fixing security holes. Oh, sorry. They did speed up their response time on security issues after realizing that the public was noticing and they were losing a little market share in IIS.

  8. Re:Windows is not the only vulnerable OS by jarich · · Score: 4, Interesting
    Perhaps an alternative view...?

    The p;roblem, among others, is that we don't have enough real punishment going on for hacking activities.

    The internet has become the equivalent to living in a slum. Sure, the property is cheap, but if you don't have bars on your windows, you can count on a break in. And lots of people will tell you it's your own fault for not putting bars on your windows and living in a walled compound with broken glass on the tops of the walls.

    I agree that the systems should be patched, but the real problem is that there are communities of thugs who feel at liberty... NO, who ARE at liberty (due to the lack of a cohesive international enforcement) to do what ever they want to you machine.

    I vote for real international difficult (I know that's not going to be trivial) and hard jail time when people are caught. And, just like Kevin Mitnick, they should not be allowed to work with computers when they get out.

  9. academic machines? by dj245 · · Score: 3, Interesting
    article: The attacker appears to be deliberately targetting machines in academic and high performance computing environments, rather than attacking systems indiscriminately.

    I can see why they would want to target academic boxen if they wanted high-powered computers to do some serious slaved number crunching. If they are just going to launch a DDoS attack or send a bunch of spam though, academic computers are not the best. Most academic sysadmins have fairly limited budgets, and spend a fair amount on bandwidth. As such, they rule their bandwidth with an iron fist in many cases. The Admins at my particular college have bandwidth flags on certain ports and a global flag of somewhere around 1gb/day over 3 days. Break that, and the admin gets very interested in what you are doing with your boxen.

    I'm sure other colleges have similar schemes, and I've heard of many colleges which are even more strict with their bandwith (200mb/day limit, etc). These academic boxes may make good targets because of their relatively user intervention and user experience, but they don't have that great of a pipe on them, relatively speaking. If it was me, I would have gone after servers that also run wireless access points. Hard to tell where the bandwidth goes in some cases with those.

    --
    Even those who arrange and design shrubberies are under considerable economic stress at this period in history.
  10. Re:Libsafe protects against buffer overflow exploi by EvilTwinSkippy · · Score: 4, Interesting
    On gentoo I compile everything with -fstack-protector. A nifty new feature in GCC that compiles it into all me binaries.

    I still use libsafe. It is the greatest thing since sliced bread. Ok, that and distcc. Distcc and rsync... and ssh... DOH!

    --
    "Learning is not compulsory... neither is survival."
    --Dr.W.Edwards Deming
  11. Re:Attempts easy to guess passwords by Anonymous Coward · · Score: 5, Interesting
    From "/var/log/messages" on a 64-processor cluster at our university (unrelated to the parent post):
    Apr 12 09:51:24 xxx sshd[32583]: Illegal user alias from 210.166.208.97
    Apr 12 09:51:24 xxx sshd[32583]: Failed none for illegal user alias from 210.166.208.97 port 34243 ssh2
    Apr 12 09:51:26 xxx sshd[32583]: error: Could not get shadow information for NOUSER
    Apr 12 09:51:26 xxx sshd[32583]: Failed password for illegal user alias from 210.166.208.97 port 34243 ssh2
    Apr 12 09:51:35 xxx sshd[32587]: Illegal user info from 210.166.208.97
    Apr 12 09:51:35 xxx sshd[32587]: Failed none for illegal user info from 210.166.208.97 port 34695 ssh2
    Apr 12 09:51:35 xxx sshd[32587]: error: Could not get shadow information for NOUSER
    Apr 12 09:51:35 xxx sshd[32587]: Failed password for illegal user info from 210.166.208.97 port 34695 ssh2
    Apr 12 09:51:41 xxx sshd[32598]: Illegal user backup from 210.166.208.97
    Apr 12 09:51:41 xxx sshd[32598]: Failed none for illegal user backup from 210.166.208.97 port 35292 ssh2
    Apr 12 09:51:41 xxx sshd[32598]: error: Could not get shadow information for NOUSER
    Apr 12 09:51:41 xxx sshd[32598]: Failed password for illegal user backup from 210.166.208.97 port 35292 ssh2
    ...
    The attempted logins appear to be in the exact same order, so it's safe to say the attack was done with a script. The attacking IP address also starts with "210" and resolves back to "ns.himanainu.jp" (not necessary the attacker's machine, but rather a compromised host).
  12. Strategic issues by Animats · · Score: 3, Interesting
    We're seeing more attacks that seem to be Phase I of something big. Somebody is going to considerable trouble to prepare for something. But what?

    I see a day coming when, in one day, half the computers in the US have their disks erased.

  13. Re:Does anyone on the inside... by drmerope · · Score: 5, Interesting

    Yeah, I've been involved in some of the staff discussions at one of the compromised institutions. The vulnerabilities listed seem old because these attacks have been ongoing for a while now. Some of those vulnerabilities were actually discovered originally in relations to this situation. What's important to realize is that this situation is very unlike what's happened to windows machines recently. Most of the Windows intrusions have been remote exploits via services. We've been facing primarily local-root exploits. These people are breaking into accounts--usually by password sniffing, key-stroke logging, etc from other compromised machines. Those accounts are then used to launch various known (and previously unknown) local-root exploits. These people appear to be after other systems for an unknown purpose rather than just "games" or DoS attacks. Most of the targeted institutions have substanial DARPA/government research contracts. It's reasonable that these attacks are being used to steal information. The focus has not been on High Performance Clusters but rather on interactive clusters. These people are after information not computing power.