Slashdot Mirror

← Back to Stories (view on slashdot.org)

Ubuntu Servers Hacked

Posted by CmdrTaco on from the zomg-alert-the-media dept.

An anonymous reader noted that "Ubuntu had to shutdown 5 of 8 production servers that are sponsored by Canonical, when they started attacking other systems. Canonical blames the community, saying they were community hosted, and were poorly maintained. However, kernel upgrades couldn't be done because of poor backwards compatibility with the very hardware that Canonical had sponsored! While people point fingers at each other it is pretty clear that both sides are equally to blame, the community administrators for practicing bad security practices, such as using unencrypted FTP transfers with accounts, not properly maintaining the system. However Canonical should have been well aware of what they are hosting. The question remains, if any of the files distributed to users have been compromised. A major blow for Canonical though who are attempting to enter the business market with Ubuntu Server."

42 of 330 comments (clear)

  1. New distro name by Anonymous Coward · · Score: 5, Funny

    Spambuntu

  2. Hacked... by andrewd18 · · Score: 5, Funny

    You keep using that word. I do not think it means what you think it means.

    1. Re:Hacked... by Lord+Ender · · Score: 5, Insightful

      Language changes with time. This particular word has changed meanings (or at least got a new meaning) in the English language. You don't have to like that fact, but bitching on slashdot isn't going to change that fact.

      People in the industry are aware that "hack" used to mean "cleverly manipulate a device into doing something its designers did not intend." People also know that "wherefor" used to mean "why." In both cases, the original definitions no longer apply.

      Language changes. You'll get over it. There are more important battles to fight.

      --
      A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
  3. Gentoo also recently disclosed security breach by ChazeFroy · · Score: 4, Informative

    This isn't the only Linux distro security breach being disclosed recently. One of Gentoo's web applications was compromised and they are investigating it:

    http://bugs.gentoo.org/show_bug.cgi?id=187971

  4. Don't worry by just_another_sean · · Score: 4, Funny

    This is just a transitional feature designed to make Windows users more comfortable using Ubuntu.

    --
    Creationist Textbook Stickers Declared Unconstitutional by CowboyNeal
  5. I would like to read a report by QuantumRiff · · Score: 5, Interesting

    Since this is a community based, open source project, I would love in the near future (after the investigation and cleanup are done) to read about how they determined that the machines were compromised, what the attackers did, and more importantly, how Ubuntu cleaned them up...

    This could really help the community as a whole, and I know I would enjoy reading it..

    --

    What are we going to do tonight Brain?
    1. Re:I would like to read a report by Frosty+Piss · · Score: 4, Insightful

      I don't think documenting the discovery process is going to do anyone any favors.

      Isn't that part of the Linux/Microsoft Double Standard? Now, if Microsoft this type of issue and had been less than totally open about the cause and methods, you know as well as I do that there would be a high-pitched wailing from the Slashdot World.

      --
      If you want news from today, you have to come back tomorrow.
    2. Re:I would like to read a report by gmack · · Score: 4, Interesting

      It's important to note that the servers may not have been actually rooted. There is a large number of ssh dictionary breakin attempts on every machine I administrate on several completely different ip blocks. The worst hit is usually my personal server that tended to get hit with several thousand attempts per hour(enough that legitimate logins were a problem) before I installed countermeasures. Even now the countermeasures are locking out 5 to 8 hosts per day.

      They have managed to get user accounts on a few occasions and most of the time they never even attempt to gain root. They just start scanning for new hosts.

      I'm now running a python script called DenyHosts to find and lockout dictionary attacks. "apt-get install denyhosts" for debian users. Even on much more liberal settings than the default it's lowered my cpu load considerably and locks out attacks in the first minute rather than the hour it would otherwise take me to notice.

    3. Re:I would like to read a report by discord5 · · Score: 5, Interesting

      Unless we're going to be composing a Linux Administration HOWTO: Best of Bloopers.

      I could fill about a 100 pages on my own from stupid things I've done and stupid things I've seen coworkers/customers do.

      The funniest one is still one where one of my coworkers nuked /lib on a fairly important machine unintentionally because he just loves his spacebar:

      rm -f /home/user/project /lib/*

      Upon which of course by he proceeded to ask everyone "Hey, suppose I deleted something like /lib, is there a way to get it back?", followed by 10 people laughing, followed by a minute of silence as soon as we realized what machine he just did that on. He never got a root password for an important server after that incident. In hindsight, that was a funny incident, and a valuable lesson to us all (we all became paranoid of rereading what we just typed).

      Yes, we had backups... Yes, tape drives are still slow

    4. Re:I would like to read a report by mickwd · · Score: 5, Insightful

      "The funniest one is still one where one of my coworkers nuked /lib on a fairly important machine unintentionally"

      "He never got a root password for an important server after that incident. In hindsight, that was a funny incident, and a valuable lesson to us all (we all became paranoid of rereading what we just typed)."

      I hope the decision to deny him root access was based on more than that one unintentional incident. It could have happened to any of you. After all, why else would it be a "valuable lesson" to you ? Isn't the person who made that mistake the least likely to make it again ? And you did also say you "could fill about a 100 pages on my own from stupid things I've done".

    5. Re:I would like to read a report by houghi · · Score: 3, Informative

      That is why I use `rm directory -rf` instead of `rm -rf directory`. It saved me a few times already.

      --
      Don't fight for your country, if your country does not fight for you.
  6. uh ho by FudRucker · · Score: 4, Funny

    Ubuntu made a boobootu

    --
    Politics is Treachery, Religion is Brainwashing
  7. The real test by ZachPruckowski · · Score: 4, Interesting

    The real test is how they react to this, and how they clean up their mess. Everyone screws up, but what separates good people from bad is how they react to problems and screw-ups.

    It sounds like that part at least is still underway, with a meeting (FTA) in "#ubuntu-locoteams on Tuesday, August 14, 2007 at 2:00PM UTC". Seeing as that's yesterday, we should probably reserve judgement a day or two to see how they respond.

  8. sftp by SolusSD · · Score: 3, Insightful

    it amazes me that people even use the plain old ftp protocol for anything important. sftp has been around forever.

    1. Re:sftp by Anonymous Coward · · Score: 5, Interesting

      sftp and scp STILL do not allow anything like a REGET operations. Whenever anyone mentions this they got shot down in flames.

    2. Re:sftp by burner · · Score: 4, Insightful

      rsync works great for many use cases when transfers really need to be resumed.

      --
      MRSH-Recording device, corned beef sandwich with kraut, seafaring bird, and the foamy top of a beverage.
  9. Not like Debian by Bruce+Perens · · Score: 5, Informative
    This happpened to Debian once. I remember the very careful quality of the notifications, and the forensic analysis, and the fact that it was caught quickly and there thus wasn't much damage. It showed that a volunteer community can be right on top of this sort of problem with as much or more professionality than any paid staff. It's unfortunate that the configuration of Ubuntu and its loco teams has them pointing fingers at each other. And what about those systems that can't be upgraded? Are they, per chance, using proprietary network drivers? If so, well, folks should know better.

    Bruce

    --
    Bruce Perens.
    1. Re:Not like Debian by soupforare · · Score: 4, Funny

      Maybe they should've been running deb stable. ;)

      --
      --- Do you believe in the day?
  10. how ironic by Anonymous Coward · · Score: 4, Insightful

    had these been windows servers we would have heard cries of a flaky operating system being the problem. in this case, since they're linux servers, we hear that the fault lays on the administrators of the boxen for not hardening the systems?

    1. Re:how ironic by Super_Z · · Score: 3, Informative

      If you had bothered to read the originating mail ( https://lists.ubuntu.com/archives/loco-contacts/20 07-August/001510.html ), you would have seen that these servers were hacked through unpatched 3rd party web-applications running on these servers - namely:

      art-web, gallery, drupal, phpmyadmin, wordpress, postnuke, phpbb,
      smf, moodle, planet, aspseek, moin, taskfreak, cms made simple,
      mediawiki, ...

      Your argument is whiny and offtopic.

  11. Panic, They Might Have Gotten the Source Code! by twitter · · Score: 4, Funny

    It's like NT all over again. God only knows what bad things they can do with that.

    --

    Friends don't help friends install M$ junk.

  12. Re:sorry... by ZachPruckowski · · Score: 5, Insightful

    Oh, from the sounds of it, all that you say is well-warranted. They were running a version of Ubuntu from October of 2005, which was obsoleted in April of this year, and they weren't using encryption. This is security 101, and they didn't do it. This does sound a lot more like an administration problem than a software problem.

    Ultimately, I'd say that if this does wind up being an admin problem, then Ubuntu Server will not suffer. The bottom line is that a poorly administered server is a hacker target regardless of the OS.

  13. Further proof.. by HerculesMO · · Score: 5, Funny

    Linux systems are only as secure as the admins who manage them.

    And for bonus "hate" points, even MS servers can be secure if they are admined probably. Don't worry though, I have my flame suit on. :)

    --
    The price is always right if someone else is paying.
  14. Some clarification by joe_cot · · Score: 5, Informative

    As one of the people affected by this issue, I'd like to give some clarification on this. Firstly, the servers affected were Local Community (LoCo) Team servers, of which I maintain ubuntu-us.org While I'm personally annoyed that the site is down (given it was on the front page of Digg last week), these servers are far from "production" servers; they host LoCo team resources and websites. I'd like to know what "compromised" software would have been downloaded by users, given that these servers did not host user repositories, and for the most part hosted news pages, blogs, and localized documentation. The issues were twofold: the servers were not upgraded past breezy, leaving them open to vulnerabilities after Breezy's EOL; LoCo team users were running an array of web applications (Drupal, Wordpress, Mediawiki, etc), but not updating their systems with new security patches. Top that with ftp logins and no ssh keys, and you have yourself a problem. Canonical is moving the installs to their facilities, retrieving the data, and building the installs (including the aformentioned web applications) from scratch, assuming that everything has been compromised. Hopefully in the next few days this will all be over.

  15. Re:Following the M$ example. Re:BWAHAHAHA... by Minwee · · Score: 5, Funny

    Well, if they _did_ get broken into all the time, then that would be pretty embarrassing. The last thing they would want to do is publicize the fact, so it only makes sense that they would cover it up and say nothing about it.

    Since nobody has _ever_ said anything about frequent break-ins, it's clear that they must be happening.

    Why am I the only person who can see how obvious this is?

  16. It happens by popeydotcom · · Score: 4, Informative

    Firstly these servers were not "Canonical Hosted" as the anonymous readers suggests. They were hosted in a DC which Canonical paid for, but the community maintained them. So Canonical system admins had very little to do with them.

    My site - http://screencasts.ubuntu.com was one of them that was affected, so I was of course concerned that there might be some data loss. I only use SCP to copy files up to the site, and logon with my ssh key, so don't think that all Ubuntu community members are using FTP, weak passwords and really old software, it only takes _one_ though to naff it up for everyone else.

    The Canonical system admins (on top of the work they already do) migrated the services from those servers to their own DC very quickly. My site went down on Tuesday and was back by Friday. For free hosting and oodles of bandwidth, I'm happy with that downtime - for a community site.

  17. "tighter than a dolphins ass" by Dystopian+Rebel · · Score: 3, Funny

    Sir, somewhere in the fully-indexed and data-mined future, your descendants will be publicly shamed and ridiculed because of your post.

    I suppose they'll have no choice but to flee to deeper waters.

    --
    Rich And Stupid is not so bad as Working For Rich And Stupid.
  18. Mod -1 please by greedyturtle · · Score: 3, Funny

    Please mod this -1, I don't agree with him.

  19. Re:Following the M$ example. Re:BWAHAHAHA... by abigor · · Score: 3, Insightful

    Okay, so your assertion of fact was really just an enormous assumption. Thanks for the clarification.

  20. Soviet? by Jugalator · · Score: 4, Funny

    "Ubuntu had to shutdown 5 of 8 production servers that are sponsored by Canonical, when they started attacking other systems."

    In Soviet Russia, server attack you?

    --
    Beware: In C++, your friends can see your privates!
  21. Re:Idiot by Anonymous Coward · · Score: 4, Funny

    And to think, the only reason I post here is so I can be taken seriously by the people who really count.

    Another dream shattered!

  22. Re:Following the M$ example. Re:BWAHAHAHA... by laederkeps · · Score: 5, Funny

    No, but if M$ can't guard their precious source code, what can they guard?
    Well, I heard that Ubuntu isn't very good at that either...
  23. Turns out the whole reason for the attack was... by bealzabobs_youruncle · · Score: 5, Interesting
    to replace the horrid orange and brown default themes.

    I used to be an ardent Ubuntu supporter but since Dapper and the wider adoption there has been too much emphasis on making things more Windows-like and less on best practices throughout the Ubuntu community (note I said the community, not the developers). Stuff like Automatix and the general feeling that any script that or line of code that is posted on the Ubuntu forums is guaranteed safe has led to lax standards. I've brought this up a couple times and any valid discussion quickly descends into a flame-fest and the mods (rightly so) lock it down.

    The Ubuntu community has bent over backwards so far to prove they can include everyone they lost site of many of the things that make Linux a better choice for many people; time to get back to fundamentals and best practices, the sooner the better. Stop worrying about besting Windows at every silly thing (ahem, desktop transparency), stop trying to include aunt Tilly (who is never going to "switch" anyway) and remember that some things take more effort but are often worth it.

  24. Breaks happens all the time by Pecisk · · Score: 4, Interesting

    It is just became obvious recently that open source publishes their breaks as they are, because they can't actually hide anything. I bet breaks in coorporation servers are so frequent that is common practise to be silent about them.

    In mean time, there is a tradeoff between having one, LTS release which has rather old kernel with old drivers and new one, which has 18 month support but has everything up to date, including also unstable stuff of course. But in fact it doesn't even mather, because admin is who in charge.

    So Linux is more secure than Windows? You bet. Then why such break-ins happens? Because of lazy or hobbist admins who have no time or maybe not enough knowledge to lock down server to protect it from attacks. To lock down such Windows server/workstation is much harder because of "black box" mentality such software has. But it is also possible.

    So in resume - those are admins who are gulty persons here. Ubuntu Dapper and Feisty are secure enough releases to keep them locked down without causing trouble for services. And ohh, be careful to which persons you give access to and have good password management system.

    --
    user@ubuntubox:~$ stfu This server is going down for shutdown NOW!
  25. Re:laziness and excuses by Fred_A · · Score: 4, Funny

    I've seen lots of dolphins but none of them had CAT5 coming out of their ass.

    --

    May contain traces of nut.
    Made from the freshest electrons.
  26. To put this into perspective... by AndyCR · · Score: 3, Insightful

    Thousands of Windows machines get exploited every day, and there's barely a word said about it. 3 Linux machines are exploited, and it's "OH MY GOSH!!111". I don't know whether this is a good thing, a bad thing, or, my best guess, both.

    --
    If there's anyone I hate more than stupid people, it's intellectuals.
  27. Your Conspiracy-Fu is strong, young Grasshopper! by Anonymous Coward · · Score: 3, Funny

    The last thing they would want to do is publicize the fact, so it only makes sense that they would cover it up and say nothing about it.
    "The complete lack of evidence is the surest sign that the conspiracy is working."

    - Jack Handey

  28. Re:Following the M$ example. Re:BWAHAHAHA... by AvitarX · · Score: 3, Funny

    When someone hacked MS and got a copy of their source code it was headline news.

    I am surprised no one reports how oftem Linux source code is taken from company servers, they must get hacked constantly compared to MS.

    --
    Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
  29. How right you are! by spun · · Score: 4, Insightful

    I've never seen a paid individual make a stupid mistake like this. The captain of the Exxon Valdez was a volunteer with the Red Cross on a humanitarian mission. The Challenger and Columbia were piloted by kids from space camp. The original Tacoma Narrows bridge was designed by volunteers with Habitat for Humanity.

    On the other hand, we all know that segregation & apartheid were both ended by paid professionals. If you want something big done right, only paid professionals can do it.

    --
    - None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
  30. Re:I am what I am and it is what it is. by Anonymous Coward · · Score: 3, Insightful

    What you are is a paranoid narcissist who is too immature to hold a rational discussion.

    Here we are, talking about a serious security breach at a prominent Linux distributor, and all you can muster is a hissy fit because not enough people are blaming Microsoft for it.

    It's not clever. It's certainly not constructive. Worst of all, it reflects poorly on the community you claim to serve.

    You're the rhetorical equivalent of a brick-throwing protester at a WTO meeting, foolishly believing that vandalism and insulting slogans will right the injustices of the world, while earning nothing but contempt from the very people you're trying to convert to your cause. Luckily for you, the "riot police" on Slashdot are only armed with Troll and Flamebait mods.

  31. Re:Turns out the whole reason for the attack was.. by nuzak · · Score: 3, Interesting

    Do you have a specific complaint, or is just it that the uncool kids are getting into the clubhouse? If you think the interface has gotten oversimplified, switch to kubuntu.

    --
    Done with slashdot, done with nerds, getting a life.
  32. Re:Turns out the whole reason for the attack was.. by bealzabobs_youruncle · · Score: 3, Insightful
    See, this is what I'm talking about, you automatically go on defensive if anyone has any honest criticism of Ubuntu. I think I stated some of my issues pretty clearly, but Ubuntu supporters now have thinner skin than Apple users in the 90s. I'm a huge fan of a simple and clean Gnome interface, but I'm against trying to bury the CLI and refusing to learn how to do things properly. I'm against mindlessly installing stuff via Automatix (especially close source and binary blobs) without honestly understanding what you are doing and what the implications are (note several Ubuntu devs agree with this point).

    Again, I am pointing at the community more than the developers, who have provided a great distro that has provided a much needed kick in the pants to other distros to improve their usability. Fedora is my favorite example, and my distro of choice again, since they had to face some stiff competition to stay relevant.

    Ubuntu was about a clean interface with best of breed apps, solid documentation and a community that balanced ease of use with best practices. When someone wandered into the forums with a "noob" question we avoided the "RTFM newb-sauce" stuff and helped them, as well as re-enforcing best practices and linking where to get better information. We didn't point them to untested scripts or recommend subverting security for ease of use, but that is a regular event these days. Shuttleworth wanted "free as in speech" software that was "free as in beer" for everyone, but now to court Windows users he considers installing binary blobs and distributing closed source software? The "Unofficial Ubuntu FAQ" used to handle this stuff very well while not polluting (or introducing possible legal issues) to the distro. I recall Shuttleworth at Debian conferences with his hat in his hand explaining how he wants to help and work with the community, but if you mention this on the Ubuntu forums you have people suggesting that they don't need Debian or the GNU tools? This is an ignorant and arrogant user base that needs to be educated, and in some instances policed.

    The original intent of Ubuntu was great, it just needs to get back on course. I much prefer apt to yum, I hope this wakes up the right people and I will gladly give Ubuntu a shot again.