Novell OpenSUSE Server Hacked
abelikoff writes "Both LinuxWorld Australia and SuSE Linux Forums report that the OpenSUSE website got hacked last night." This story was submitted quite a number of times.
I still will never understand why people do stupid things like hack websites.
They could just run OpenBSD.
How does hacking this website help to get your voice heard? Other than geeks, how many people check that website? If they had hacked CNN or BBC, it would have been noticed significantly. Soon this will go into oblivion. Makes me wonder what a nuclear program has to do with open source Linux?
The Iranian hackers should first learn English. I was banging my head on the table reading that grammatically incorrect junk.
Linux is near-flawless in terms of security.
You don't follow security mailing lists, do you? Most Linux distros have decent security but "near-flawless"?
Trolling is a art,
The US and EU better let Iran develop a nuclear energy program or these senseless acts of web terrorism will never stop!
http://wiki.novell.com/
Site is currently down.
People always try to blame the software right away but usually it's poor administration.
Was this a targeted attack? Did they just fall victim to a script? Unpatched vulnerability? Weak password? What? I'm just asking because none of the links provided answer this.
If something exists that does not need a creator (god) then why must the cosmos need one?
I see these attacks all the time on all Internet facing servers.
There are two kinds of sysadmins: paranoids and losers. I'm both kinds.
The LinuxWorld Australia story is actually about an earlier break-in of a Novell system that was being used for World of Warcraft related stuff, not the OpenSUSE site at all.
Steven
Isn't this the same flaw Windows has?
If it was a website about Linux, it probably wouldn't even need to be hacked to make the front page of /. if it was running Windows
The OpenSuSE website wasn't hacked, it was a damn gaming machine they had on their network.
From TFA:
"The employees that set it up apparently had no idea of security," Brandon said. "But what is really surprising is that Novell would allow employees to set up game servers on their corporate network and then allow the public to access it."
"There was no major breach of security here," Barney said. "Needless to say, we are taking the appropriate steps" to address the situation.
TruePunk | Games
Your logic and reason are not welcome here.
Don't you mean ./t3h_l33t_5cr1pxx0r?
No, it wouldn't. People would get pissed about having to dig through 100000 stories of "Yet another cheesy Windows server hacked" until they found a real story.
Speaking from personal experience, 85% of all hacks come from poor administration, i.e. not patching flaws, weak passwords, poor security measures such as file permissions, and lack of firewalls. The remaining 15% come from a mixture of things, and like it or not, 14.999% of that is Windows. Security through obscurity doesn't work when you have thousands of people pounding at your code just trying to find a way in.
All these worms on the net are a perfect example. And when you get down to it, even some of the poor administration is Microsoft's fault for making it "so easy you don't need an experienced technician...." When in fact they bury stuff so deep that unless you know where it is, the necessary changes don't get made, leaving everything as default.
I can't even begin to count how many times I've gone to a customer's location where they had an employee that was a self proclaimed geek that did all the setup and everything was not only wrong, it opened gaping holes on their network. Including things like having a USER logging in as Administrator on the server and using it as a workstation.
Plus I won't go into all the people who hold an MCSE that never touched a computer until they went to a 2 week bootcamp on how to pass the tests.
But, point in fact, any closed source application is subject to flaws that don't get patched because it's a small enough flaw that putting a programmer on it to fix it would cost more than keeping the flaw hidden.
The hacker team has a website to add to that; it's likely being hosted in Iran so no one can do jack shit.
Viable Slashdot alternatives: https://pipedot.org/ and http://soylentnews.org/
Which part actually got hacked, the OS or the webserver itself?
:) Regardless, running something like OpenBSD with its hardened & chroot'd Apache could mitigate a lot of the damage, i.e., make most files read-only to the httpd process, etc.
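A quick way to check the "read-only to the httpd process" advice above on a document root, as an added example that is not from the original thread; the numeric uid/gid arguments and the sample tree it builds are constructed assumptions, not Novell's or OpenBSD's own tooling.

```shell
#!/bin/sh
# Audit a web document root for files and directories the httpd process
# could modify. Arguments: DOCROOT HTTPD_UID HTTPD_GID (numeric ids, so the
# check also works on a host where the httpd account does not exist).
# Prints one offending path per line.
audit_docroot_writable() {
    docroot=$1; huid=$2; hgid=$3
    # An entry is writable by httpd if any of these hold:
    #   - owned by the httpd uid and owner-writable
    #   - owned by the httpd gid and group-writable
    #   - world-writable
    find "$docroot" \( -type f -o -type d \) \
        \( \( -uid "$huid" -perm -u+w \) -o \
           \( -gid "$hgid" -perm -g+w \) -o \
           -perm -o+w \) -print
}

# Number of httpd-writable entries under DOCROOT (0 is what you want).
count_httpd_writable() {
    audit_docroot_writable "$@" | wc -l | tr -d ' '
}

# Constructed sample tree (assumption, not the original page's data):
# two entries are deliberately left writable so the audit has something to flag.
make_sample_docroot() {
    d=$(mktemp -d)
    mkdir -p "$d/htdocs/uploads"
    printf 'ok\n'  > "$d/htdocs/index.html"
    printf 'cfg\n' > "$d/htdocs/config.inc"
    chmod 0755 "$d/htdocs"
    chmod 0644 "$d/htdocs/index.html"   # read-only to everyone but the owner: fine
    chmod 0666 "$d/htdocs/config.inc"   # world-writable file: flagged
    chmod 0777 "$d/htdocs/uploads"      # world-writable directory: flagged
    printf '%s\n' "$d"
}
```

Run `audit_docroot_writable /var/www/htdocs <httpd-uid> <httpd-gid>` on a real host and fix anything it lists; only directories that genuinely need uploads should appear.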
Only those Iranians and the SUSE people know
Trolling is a art,
The OpenSuSE server has been sucking wind for weeks, and I know for a fact that trouble tickets have been submitted about it within Novell.
Maybe they were just trying to lend a hand with the administration . . . .
This is just like television, only you can see much further.
Pardon my obvious post-placement, trying to get this near the top and visible, but I suspect this is an important question for people to see, assuming answers are posted:
What is the practical upshot of all this? Is the damage limited to the "Give us nuclear rights" web defacement, or was that just a front to make people think nothing else was damaged?
I'm running SuSe 9.3, and this morning, I let the automated update program do its thing. Did I download and install any breached files?
TFA doesn't say anything. One is dead already, and the other is useless.
I mean, I understand that there's a lot to discuss regarding security policies and server operating systems, but there are people who could be immediately affected here.
Procrastination -- because good things come to those who wait.
Dear Hackers,
If you're going to hack websites, don't try to justify your idiotic hobby by turning it into a political posterboard. It has the opposite effect you're looking for. The thing that scares people most is unpredictable behavior. If Iran were calm, clear in stating their intentions, and followed all the diplomatic protocols with a smile, there would be no way for anyone to stop them from building reactors (whether it be for processing fuel for weapons or not). But stupid stuff like this makes Iranians look like evil subversives. Just look at the graphic they posted. It looks like the shadow of some kind of daemon with horns. This is not a good image for Iran.
Or if it's a different group impersonating Iranians, you're just losers.
Allowing "users" to setup their own box, on your network, outside your firewall, using your IP address IS a breach of security.
No modern OS is flawless. Due to feature creep and the massive amounts of code involved, none can really be considered 'near flawless'. (Agreed, some are better than others.)
It's the job of the administrators to mitigate and compensate for known, and unknown, security flaws.
---- Booth was a patriot ----
The problem comes in when you are, yourself, an OS vendor. It's really hard (from a marketing/PR perspective) to have your site run a BSD when you happen to sell a major Linux distro. Or have a major online service you bought run Solaris when you happen to make Windows, for that matter. Customers (and potential customers) will rightfully wonder why you don't have confidence in your own product.
The higher the technology, the sharper that two-edged sword.
I think it is time for the open source community, as a whole, to better consider its public image. Incidents like this, involving one of the premier Linux vendors, do unfortunately tarnish the image of our community quite badly. And then you have rogue open source developers publicly insulting users. Such incidents make people remember open source software for all the wrong reasons.
Now, perhaps this is just a case of amateurs being allowed to join a community that mainly consisted of academics and professionals. The high standards that the open source community once enjoyed are being degraded on a daily basis by developers who cannot write secure code (i.e., many PHP developers), by developers who blatantly insult and ridicule their users (i.e., the KOffice example earlier in this post), or by companies that provide insecure, open source-based products.
Is there much that can be done about this? I'm not sure.
Cyric Zndovzny at your service.
It's not being hosted in Iran. It's hosted in the US by Virtuoso Net Solutions inc. I sent this email to abuse@virtuosonetsolutions.com yesterday about 7 PM (I sent them my real info, obviously):
Dear Sir/Madam:
The OpenSuSE website was defaced either today or yesterday by an Iranian
hacker clan whose website is located on your servers. I checked the
whois data for the hacker clan's domain (ihsteam.com):
Majid NT
Bl Sajjad-milad 7 no. 12
Mashhad 8735452575
Iran
IP of the website (according to whois records of the ip, it is owned by
your company):
147.202.64.138
References:
http://www.opensuse.org/
http://www.ihsteam.com/
In case the sites above have been changed, I've attached a compressed
archive of saved copies of their main pages. I hope you'll see that ihsteam.com
is in direct violation of your AUP.
Sincerely,
Name
Phone
Email
They haven't replied yet, and the website is still up. But it IS a weekend.
I pretend to know more than I really do by mooching off google and wikipedia.
Actually, I disagree. I've been running Windows networks for over a decade without a single virus or spyware infection. Interestingly, we've had a nearly identical amount of successful hacks on both our web-facing Windows and Linux machines. I would say I'm pretty much on par with the Linux admin in terms of skills and knowledge, and we are both in agreement that no matter what you do, eventually you will get hacked. Just like you will eventually be a victim of some sort of crime in the Real World, if you spend enough time in it. With a combination of flaws and ignorance / mistakes, every OS under the sun is susceptible to penetration, regardless of how skilled the Admin is. Just ask the Linux admin at my place of work, who lost a server thanks to a vendor-coded exploit. It happens. Live, learn, patch and move on.
End of Line.
It's a little worse than that. The IHS guys aren't just script kiddies; their lead guy's blog is here. He is apparently very active in writing exploits and gives code to all of them. He was just accepted into a university, but worse, one of his blog entries is about how he likes Slackware and is trying to write some code to help the project out. Now I don't know about you, but I find that suspicious as hell. Unless someone goes over every line of code submitted with a magnifying glass, then it can be fairly easy to sneak in a little area for a buffer overflow or something. (Preventive measures like SELinux and exec-shield are necessary, and even they don't fully solve the problem.) I can only hope that the Slackware community does decent background checks on submitters, and also good code checking. The last thing we need is for Open Source to start being purposely made vulnerable and attacked from within.
Regards,
Steve
It's a reasonable question to ask.
Yes, fundamentally it's true that configuration management has a significant effect on security. To be precise, this is not a flaw, but a characteristic. A site which is in full control of system configuration will have formal security advantages over one which isn't, and this is universally true regardless of platform.
However, the story is told from a much different perspective when it comes to evaluating the security of a given platform. Configuration remains a major factor in security, but it has to be weighed in light of platform capability. So, for example, a very simple network appliance with a very small configuration space has the prospect of being very secure. An ideal appliance cannot be configured insecurely. In practice, that may or may not be the case, depending as always on design tradeoffs and correctness of implementation.
Apart from pure appliances, all computing platforms must, for reasons of generality, offer configuration possibilities that put some security tradeoffs in the hands of site administrators. Such is the case for both Linux and Windows, so indeed poor administration can always result in poor security on a sufficiently general platform.
The practical focus, therefore, has turned to how securely these platforms are configured by default. Interestingly, even though Windows is marketed for nonexpert use, it has a long tradition of being configured insecurely by default, exactly the opposite of what would be appropriate for a nonexpert market. It also, in my opinion, embodies a lot of fundamentally insecure design tradeoffs, neglecting principles such as modularity, containment, and least privilege, for example. These are extremely deep design problems, not easily fixed.
Linux and Unix, although designed by developers for developers, and therefore intended for expert use, have a record of delivering much better security by default. I can think of lots of particular exceptions, but they have tended to be minor design tradeoffs that could be, and were, easily corrected. Security incident statistics seem to reinforce these observations very strongly.
In my line of work, I get to see what goes on behind the scenes at a lot of sites. It's not often that I come upon a site which is not suffering to some significant degree from a chronic neglect of configuration management. All discussion of platform characteristics aside, this is a real problem on the ground for security.
The issue, in terms of value for effort, then becomes to identify which of these sites is (a) at most immediate risk, and (b) has the best potential of improvement. In the former case, I find that the answer is Windows, and in the latter, it's Linux.
Parity: What to do when the weekend comes.