Slashdot Mirror


Ongoing Linux/Solaris Compromise Epidemic

An anonymous reader writes to point out that Stanford's Information Technology Systems and Services "has written a summary of a series of compromises that have been happening at universities, research institutions, and high performance computing centers, for the last month or more. The attackers are using known vulnerabilities in Linux and Solaris, along with compromised user accounts, to gain access and control of systems, from standalone servers to HPC clusters ... (the attacks are still ongoing)."

4 of 366 comments

  1. Libsafe protects against buffer overflow exploits by tjmather · · Score: 5, Interesting
    Does anyone use Libsafe? This library protects against buffer overflow vulnerabilities, and is very easy to install (basically you just install the RPM and you're done).

    If more sysadmins installed this, perhaps we wouldn't have problems with so many Linux compromises? Of course it's no substitute for patching, but seems like a good additional security measure.

    This is from the gnu.org software directory

    The exploitation of buffer overflow and format string vulnerabilities in process stacks is a significant portion of security attacks. 'libsafe' is based on a middleware software layer that intercepts all function calls made to library functions known to be vulnerable. A substitute version of the corresponding function implements the original function in a way that ensures that any buffer overflows are contained within the current stack frame, which prevents attackers from overwriting the return address and hijacking the control flow of a running program.

    The true benefit of using libsafe is protection against future attacks on programs not yet known to be vulnerable. The performance overhead of libsafe is negligible, it does not require changes to the OS, it works with existing binary programs, and it does not need access to the source code of defective programs, or recompilation or off-line processing of binaries.

  2. Now, wait a moment ... by JMZorko · · Score: 5, Interesting
    Just an observation, but this story has the "Security" icon, while the story about Windows critical flaws has the "Bugs" icon. Both stories deal with bugs or "vulnerabilities" that compromise security on the affected machines.

    Now, my opinion of MS is not that great, but this just seems wrong.

    Regards,

    John

    --
    Falling You - beautiful
  3. Re:Attempts easy to guess passwords by Anonymous Coward · · Score: 5, Interesting
    From "/var/log/messages" on a 64-processor cluster at our university (unrelated to the parent post):
    Apr 12 09:51:24 xxx sshd[32583]: Illegal user alias from 210.166.208.97
    Apr 12 09:51:24 xxx sshd[32583]: Failed none for illegal user alias from 210.166.208.97 port 34243 ssh2
    Apr 12 09:51:26 xxx sshd[32583]: error: Could not get shadow information for NOUSER
    Apr 12 09:51:26 xxx sshd[32583]: Failed password for illegal user alias from 210.166.208.97 port 34243 ssh2
    Apr 12 09:51:35 xxx sshd[32587]: Illegal user info from 210.166.208.97
    Apr 12 09:51:35 xxx sshd[32587]: Failed none for illegal user info from 210.166.208.97 port 34695 ssh2
    Apr 12 09:51:35 xxx sshd[32587]: error: Could not get shadow information for NOUSER
    Apr 12 09:51:35 xxx sshd[32587]: Failed password for illegal user info from 210.166.208.97 port 34695 ssh2
    Apr 12 09:51:41 xxx sshd[32598]: Illegal user backup from 210.166.208.97
    Apr 12 09:51:41 xxx sshd[32598]: Failed none for illegal user backup from 210.166.208.97 port 35292 ssh2
    Apr 12 09:51:41 xxx sshd[32598]: error: Could not get shadow information for NOUSER
    Apr 12 09:51:41 xxx sshd[32598]: Failed password for illegal user backup from 210.166.208.97 port 35292 ssh2
    ...
    The attempted logins appear to be in the exact same order, so it's safe to say the attack was done with a script. The attacking IP address also starts with "210" and resolves back to "ns.himanainu.jp" (not necessarily the attacker's machine, but rather a compromised host).
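    The scripted username sweep visible in the log excerpt above is easy to pick out mechanically. The following is an added example (not part of the original comment) that parses sshd "Illegal user" lines in that same format and flags any source address that tries several distinct non-existent accounts within a short window; the log lines, addresses and usernames in it are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the same format as the /var/log/messages excerpt
# above; the addresses and usernames are made up, not from a real incident.
SAMPLE_LOG = """\
Apr 12 09:51:24 xxx sshd[32583]: Illegal user alias from 192.0.2.10
Apr 12 09:51:24 xxx sshd[32583]: Failed none for illegal user alias from 192.0.2.10 port 34243 ssh2
Apr 12 09:51:35 xxx sshd[32587]: Illegal user info from 192.0.2.10
Apr 12 09:51:35 xxx sshd[32587]: Failed password for illegal user info from 192.0.2.10 port 34695 ssh2
Apr 12 09:51:41 xxx sshd[32598]: Illegal user backup from 192.0.2.10
Apr 12 09:51:41 xxx sshd[32598]: Failed password for illegal user backup from 192.0.2.10 port 35292 ssh2
Apr 12 10:02:03 xxx sshd[32701]: Illegal user test from 198.51.100.7
Apr 12 10:02:03 xxx sshd[32701]: Failed password for illegal user test from 198.51.100.7 port 40001 ssh2
Apr 12 10:15:00 xxx sshd[32800]: Accepted publickey for alice from 203.0.113.5 port 51000 ssh2
"""

# sshd logs one "Illegal user <name> from <ip>" line per attempt against a
# non-existent account; that is the line we key on.
ILLEGAL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Illegal user (?P<user>\S+) from (?P<ip>[\d.]+)$"
)

def parse_illegal_users(text, year=2004):
    """Return (timestamp, user, ip) for every 'Illegal user' line in text.
    Syslog lines carry no year, so the caller supplies one."""
    events = []
    for line in text.splitlines():
        m = ILLEGAL_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["user"], m["ip"]))
    return events

def find_username_sweeps(events, min_users=3, window_seconds=300):
    """Flag source IPs that tried at least min_users distinct non-existent
    accounts within window_seconds, the signature of a scripted sweep.
    Returns {ip: [usernames in the order they were tried]}."""
    by_ip = defaultdict(list)
    for ts, user, ip in sorted(events):
        by_ip[ip].append((ts, user))
    sweeps = {}
    for ip, attempts in by_ip.items():
        for i, (start, _) in enumerate(attempts):
            users = []
            for ts, user in attempts[i:]:
                if (ts - start).total_seconds() > window_seconds:
                    break
                if user not in users:
                    users.append(user)
            if len(users) >= min_users:
                sweeps[ip] = users
                break
    return sweeps

if __name__ == "__main__":
    for ip, users in find_username_sweeps(parse_illegal_users(SAMPLE_LOG)).items():
        print(f"{ip}: sweep of {len(users)} accounts: {', '.join(users)}")
```

    The order of usernames per source address is kept so that repeated, identically ordered lists across hosts can be compared, which is the tell the comment above relies on.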
  4. Re:Does anyone on the inside... by drmerope · · Score: 5, Interesting

    Yeah, I've been involved in some of the staff discussions at one of the compromised institutions. The vulnerabilities listed seem old because these attacks have been ongoing for a while now. Some of those vulnerabilities were actually discovered originally in relation to this situation. What's important to realize is that this situation is very unlike what's happened to Windows machines recently. Most of the Windows intrusions have been remote exploits via services. We've been facing primarily local-root exploits. These people are breaking into accounts--usually by password sniffing, key-stroke logging, etc. from other compromised machines. Those accounts are then used to launch various known (and previously unknown) local-root exploits. These people appear to be after other systems for an unknown purpose rather than just "games" or DoS attacks. Most of the targeted institutions have substantial DARPA/government research contracts. It's reasonable that these attacks are being used to steal information. The focus has not been on High Performance Clusters but rather on interactive clusters. These people are after information, not computing power.