Cracked Linux Boxes Used to Wield Windows Botnets
m-stone writes "Online auction house eBay recently did a threat assessment to better understand the forces ranging against them. The company is keeping the fine details under wraps, but the biggest source of danger for the company is apparently botnets. You're never going to guess who was running them. '[Dave Cullinane, eBay's chief information and security officer] noticed an unusual trend when taking down phishing sites. 'The vast majority of the threats we saw were rootkitted Linux boxes, which was rather startling. We expected Microsoft boxes,' he said. Rootkit software covers the tracks of the attackers and can be extremely difficult to detect. According to Cullinane, none of the Linux operators whose machines had been compromised were even aware they'd been infected. Because Linux is highly reliable and a great platform for running server software, Linux machines are desired by phishers, who set up fake websites, hoping to lure victims into disclosing their passwords."
I've noticed a large increase in attempts to crack my co-lo Linux servers recently, and it must be said that two got through (shared site, some customers running old content management apps and the kits hit). When we watched the behaviour of the cracked box, it was connecting back to...I think undernet.org or similar?...and sending controls via IRC. Plus doing a spot of spamming off its own bat.
Our set-up is that we have a host OS install doing nothing but running VMware Server and then any real stuff gets done in a VM, so this was easy for us to recover from quickly via VM snapshotting. But still, it's a trend that's noticeably on the increase.
Cheers,
Ian
So many people have that mentality or were converted by hearing sayings like that.
They don't realize, like any other operating system, if you want it secure, you have to work to make it secure. Everything from using good passwords, to not running unnecessary services, to getting behind a firewall or two.
And, as usual, the biggest security hole is between the keyboard and the chair.
speaking at a Microsoft-sponsored security symposium at Santa Clara University.
A fair amount of it, I'm sorry to say, is due to the perception that Linux boxes are much more secure than Windows and therefore don't need (a) up-to-date patches, (b) proper security reviews of any app code (which these days usually means web apps), (c) defence in depth (block outbound connections from your web server, except for a hole poked in tcp|udp/53 to/from your DNS server if needed), (d) proper security monitoring. Review your firewall logs! Run an external syslogNG box! Use netflow, nagios, ntop etc -- can you account for all the packet flows from the machine? If you have time to spare, look into Snort.
Get the facts.
...that phishers prefer Linux to Windows because of its greater stability? That's like a car thief walking through a parking lot of early 90's Fords to get to a Honda. (With apologies to Ford aficionados)
This unbiased moderation brought to you by the Porcine Aviation Group!
Windows might be an easier target due to uniformity and adoption in the home market, but linux is also a great target now due to its wide adoption in the server space. And most servers have fast processors, lots of ram, and plenty of bandwidth, which to botnet owners makes them better objectives than home computers. Not to mention that although people tend to think linux is more "secure" than windows, it still has its problems and is vulnerable to attack.
This really doesn't surprise me. With tools like ssh and shells installed by default, Linux is just plain easier to use remotely. Linux machines would also tend to stay up and online, whereas (predominantly Windows) desktops are often shut off when not in use. So, Linux makes the best "control console" for a botnet. The "army" should still be made up of Windows desktop machines, due to their large numbers.
I was going to post a comment earlier, but the bar with the big "Reply" button is missing. In fact, it seems to have disappeared from all the stories. How do you start a new thread on a story?
When our name is on the back of your car, we're behind you all the way!
Choose Windows over Linux because you know beforehand it is not secure.
It's the double edged sword of software popularity.
... perhaps I should.
Linux is becoming so respected and desired as an operating system for servers that phishers & hackers are slowly turning their attention towards it being profitable.
I think this will be the true test for Linux to prove that it can beat Windows in all departments.
I actually see this as good news although I must confess that when I get home I'm going to check & double check the configurations on the ports on my router and all my Linux boxes. When toying with app servers & apache, I have noticed tons of port scanners probing my Linux boxes. I paid them no mind although now
My work here is dung.
I work for a fairly well known dedicated server provider. If I had to give a rough estimate, I'd say we're 40% Windows and 60% Linux environments. Not surprisingly, the number of boxes that get hacked (rooted entirely or not) is about equal between the two, however the purpose for which they're hacked is generally quite different. 80% of the hacked Linux boxes are used for UDP floods, things like that. Also IRC bots. Interestingly enough, in my 6 months working there, I don't believe I've ever seen a Windows box used for phishing. They're always used for FTP servers hosting movies/music/programs and/or IRC servers doing the same thing.
Nothing like getting a stupidly high bandwidth bill to find out your hosting server has been hacked. It's even better when you have to fight them to prove it's their fault for being hacked and not yours for being cohosted by them!
And yes, they are running Linux... they apparently didn't cover all their bases and were caught by more than one known exploit and some default settings.
Just because it's Linux does not make it secure, you actually have to use it correctly.
* Winners compare their achievements to their goals, losers compare theirs to that of others.
The big difference is that the Linux community will find these holes and patch them much quicker than Windows. Well.. at least in theory.
I think it's interesting to note that while we get submerged in a barrage of Windows trolls, that the hackers hack one or a few Linux boxes and use them to control the hundred or more Windows boxes they've hacked.
Still looks bad for Windows. Plus, here's betting they're servers, and not home computers behind a plain old linksys router.
-Nathan
Please stop stalking me, bro.
I'm sure pretty much everybody who is running a Linux server (or any server as a matter of fact), especially with services like SSH enabled, is currently subject to brute force attacks.
When I looked at my auth log I noticed a huge amount of brute force attacks for all my servers, so I installed denyhosts, which seems to work fine.
I guess the problem is also that in many distributions SSH servers are configured to allow root logins, and if nobody looks at the log files these go totally unnoticed.
Personal opinion.
Do I get happy that these punks perceive "safety in numbers" -- i.e., there's a lot of Linux out there -- or do I get depressed that stupid folks input their root pwds (which they shouldn't be using for starters) in their browsers?
Stepping down from the high horse, I myself am not all that comfortable with Linux network and security configuration.
Graphical front-ends (so you can easily see what connects to what and, in your network, what is permitted and what is forbidden) would be really nice. Any hints? TIA.
Iftach Amit says "Since Linux machines can be used to more easily create specially crafted networking packets, they can be used in highly sophisticated online attacks". If you root-kit a machine then regardless of OS you can create whatever packets you want. Bypassing the IP protocol stack and sending raw data on the wire can't be particularly difficult if you are trying to conceal processes from the equivalent of "ps" and avoid other methods of detecting your code.
While I agree that Linux is a reliable OS, I doubt that is a reason for attackers to target it for running phishing web servers either. A good reason for targeting an OS is that you know it well and can easily write code for it. Given that many insecure machines can be obtained running any OS you please it makes sense that attackers will target their attack on machines that they know well. Maybe the criminals in question just enjoy Linux programming!
http://survey.netcraft.com/Reports/200708/
Then there's the issue of where servers are located, if you want reliable servers on the net then often the location of the server (in terms of a server room with UPS etc) is more important than the OS. What's the server market share for Linux? The above URL shows Apache leading the field for web servers and most Apache installations run on Linux...
It seems that if you want to own some web servers then aiming at Apache on Linux gives the largest number of potential targets - whether that gives the largest number of vulnerable targets is another matter.
See http://etbe.coker.com.au/ for my blog.
Just makes me wanna smack every Linux geek I know and scream, "I told you so!". The only reason Linux hasn't been widely hacked was because it was only used by a few professionals who had tight control on their security. The more mainstream it gets, the more of a target it becomes, and the stronger your security needs to be.
Anyone remember the days of (or are you still one of the people saying) "but with Linux, you have to login as root"? Not like there's a massively obvious problem there with regard to hacking or anything.
---Vote None of the Above---
There is nothing more dangerous to security than being lax about it. Sure, windows machines may make up the typical grunt, but there's often a bigger payoff associated with cracking a *nix server. The OS alone isn't going to save you from anyone except script kiddies.
"We see [linux servers] as part of the command and control networks for botnets."
Fear our new linux overlords?
I live in a giant bucket.
OK, it's a possibility. But what is the infection signature? Wouldn't it have been a service to the world to include in the article a means to detect and delete such rootkits?
Maybe the slashdot host had to pause to update a botnet;-)
I've been thinking about this for a while. I seem to remember somebody who wrote an article about reverse-engineering a trojan in order to determine the IRC channel name and password the bot used to connect to the botnet -- fascinating stuff. Anyways, this is all plain text being sent over your network, and there will be certain strings you can expect to see in any IRC connection. Wouldn't it be possible to write a packet sniffer that searches for IRC activity being attempted over your network, captures the channel name and password, joins the channel, and then hangs out until it sees the botnet controller join? Using that info one could then spoof the botnet operator and cripple (or destroy) the botnet -- perhaps by directing it to attack its own creator.
It seems to me that some serious gray-hat work could be done here to hunt down and destroy botnets, for somebody with the time, talent and interest in doing so.
We knew this would happen, so let's do what we can.
Upgrades. Don't run old versions of Linux that support has run out on. Upgrade.
Let's put emphasis on security, and develop new models.
... vast majority of the threats we saw were rootkitted Linux boxes to control (windows) botnets of 1/n in size?** I haven't RTFA
Mongrel News all the news that fits and froths
I read the article and missed that last bit about the sponsor of the symposium. In light of them not releasing the results, it's all a little bit suspect. Next we'll be hearing about how consumers really like DRM based on unreleased results of an analysis at a RIAA conference.
To be fair, I don't have a hard time believing they'd really like some good, stable machines as their controller...but it's all a bit odd.
"It is a miracle that curiosity survives formal education." -Albert Einstein
From tfa:
Cullinane: "The vast majority of the threats we saw were rootkitted Linux boxes, which was rather startling. We expected Microsoft boxes,"
Alfred Huger: "We see a lot of Linux machines used in phishing, We see them as part of the command and control networks for botnets, but we rarely see them be the actual bots. Botnets are almost uniformly Windows-based."
Seems like people are jumping on this as "linux bad!" where in fact the article is fairly neutral. Cullinane has one opinion, Huger has another (and generally more accepted) opinion. Haydn.
Time is an illusion. Lunchtime doubly so. - Douglas Adams
Mod parent up. This is highly relevant (I have done a survey, and I am not releasing results but it does indicate that I am definitely better than you. Try to refute that without access to the facts!)
windows boxes in botnets are mostly going to be home computers on dynamic IP addresses. Linux boxes are more likely to have a static IP address, lots of bandwidth and they don't crash much or get turned off.
a lot of linux people have the holier than thou (the young Linux crowd that is) and most all linux people use IRC.
Where is it easiest to find out almost everything about someone? Uh huh! Need I continue?
We share an internet connection with a couple other companies. One day our internet connection came to a halt. We were initially blamed, but after disconnecting our firewall from the network, it obviously wasn't us. The real problem: an Asterisk box owned by the company who was in charge of the internet connection.
The company is IT "specialist" company to handle other companies IT needs. They are good at doing Windows stuff, but had no clue how to use linux. They found out we put together an Asterisk box for next to nothing, so they did the same. I handed them the latest Ubuntu disc (Dapper at the time), showed them how to install it and admin it and left them to it.
When the internet died, they found out it was their Asterisk box. It turns out that they weren't comfortable with Ubuntu, so they used their old Fedora disc that someone had burnt for them. They were running an UNPATCHED FC4 box (FC6 was about to be released) with an Asterisk web console running on port 80 and exposed to the internet.
I wish I could have investigated more, but the box had about 20-30 internet connections spanning a small IP range. I immediately pulled the ethernet connection. The binary responsible for the internet connections: ps. I rebooted the box and told them to close port 80. I told them what to do to secure their box, but who knows if they listened. I at least fired up yum to patch the box, but I was busy enough with my own work to hold their hand through the entire process.
I'm not sure what happened to that box, but now I can only imagine it's attacking eBay.
1. setup linux machine
2. rootkit it yourself
3. sell access to script kiddies
4. profit
5. wipe and reinstall go to 1.
(Notice that no ... step was needed).
* this phrase is not meant to be inflammatory, I use it too :-)
Mongrel News all the news that fits and froths
Can anybody comment on the ratio of cracked Linux to BSD boxes?
Need Mercedes parts ?
The company I work for performs emergency Linux support services. We get a lot of calls from people whose boxes have been attacked. I've seen at least two eBay/PayPal phishing sites recently. In both cases, it had nothing at all to do with Linux itself.
Case #1: Customer running a web server had vulnerable PHP applications (I believe it was an outdated WordPress). Someone was able to use this vulnerability to wget a few php scripts and bury them under some subfolders.
Case #2: Customer had a non-root account with a weak password. This account was in the "root" group, giving it write access to a number of system files. Cracker was able to brute force the password quite easily, make a directory called eBay under /var/www/html, and stick some php code in there.
In both cases, the php scripts were logging username and password guesses into a text file. The text file was within the same web root, allowing the cracker to easily grab the latest passwords over http instead of needing to re-crack. Also, in both cases, there were at least a dozen usernames and passwords in the text files.
The lesson: Keep your web apps up to date, use strong passwords, and don't add anyone to the root group.
I think it's fair to take it as a given that no platform is completely invulnerable to being breached. And once the problem of getting in is resolved, which would you rather work with, Linux or Windows?
"Who controls the past controls the future. Who controls the present controls the past." -- George Orwell
Because Linux is highly reliable and a great platform for running server software, Linux machines are desired by phishers
So when phishers target windows servers, it's because windows has horrible security, but when they target linux servers, it's because linux is just awesome?
APlus is a hosting company that offers BSD and Fedora Core (note that I say Fedora Core, not Fedora... they only offer up to FC6 at the moment) in their hosting operation. They lease boxes with Plesk installed to people and businesses with hosting needs. Before I arrived on the scene where I work, we were already hosting with them and the box was running on Fedora Core 2.
One day it was noticed that the site was malfunctioning and so a call was placed with APlus. We were informed that there was some sort of compromise and initially, at least, it was stated that it had something to do with Plesk. (Later queries denied that Plesk was at fault) After a day or so, a V.P. in charge of this stuff sent out a broadcast email to all of their hosting clients explaining that, in no uncertain terms, that it was the CUSTOMERs' fault that this had occurred.
Well, let's ignore the crappy customer-service issue this brings about.
The fact that this company offers up Fedora as their preferred flavor for hosting is ridiculous! It's a development distribution primarily aimed at the desktop with somewhere between 1 and two year update availability. Since a lot of their machines were running Fedora Core releases at least as old as Fedora Core 2, I'd say a good portion of the blame rests on APlus for their CONTINUED selection of Fedora as their distribution of supported choice. It has a SHORT LIFE! It stops getting updated after a year or so. It's idiotic to run a server with such a short support life cycle. Forget about blaming customers for not keeping their boxes updated. It couldn't be done with the distros that were affected in the first place.
But yes, my box was affected by this attack as well... and they STILL will not identify the actual point of compromise though they still deny it was Plesk. I find it ironic that I was, at the time, already talking to them about moving my box to CentOS and porting the web site code (that their developers created) to it. Interestingly, all sales people I spoke with said "we don't do that." And when I pointed out that it was their company that created the code, they said "we don't do that."
So over that weekend, I managed to port the web site code and database over from the original host to a CentOS5 box. I don't know PHP. I know a *little* about programming and I know how to use Google... that was enough to get me by. (Apparently, "this" became a reserved word in current versions of PHP and the old code named objects "this$" a lot!)
Anyway... it had been a mess and the best resolution was to move away from APlus. It's unfortunate that I cannot get the truth from them about what exactly happened... we just get blamed without specifics as to what or how it happened.
Trend 1: Linux users tend to block web ads the most effectively, using a variety of techniques.
Trend 2: Many big companies deliberately break their sites for non-IE browsers (probably for kickbacks from Microsoft).
Trend 3: Linux users probably buy less stuff than other people anyway (not counting computer parts which they buy on price or features, not ads or shill articles).
Trend 4: this story.
Net Result? It may pay in more than one way to block Linux users: (1) they don't read your ads anyway, (2) they don't buy your products as much anyway, (3) Microsoft will reward you for shutting them out, (4) you may be reducing your exposure to DDoS attacks.
I come here for the love
Grawr!
It might surprise you to find out that the OP and the slashdotters who claim that Linux users are security-aware are different people.
It has nothing to do with one operating system being more secure than another. Windows 2003 server is pricey and is likely to be deployed at a company with at least some form of IT support and is therefore more likely to be properly maintained. Someone running a server in their basement or a mom and pop business is more likely to choose Linux. I've seen plenty of cracked linux boxes where someone threw up a box with PHPbb or LAMP and left it running unpatched for several years. Usually they only realize it when they get an email complaining about attacks originating from their machine or a notice from their ISP. Often these are non-root compromises where the attacker is running as the Apache user and has the standard toolkit with bot software and flooders stashed in /tmp.
I ran a linux box with 22 open just to see what would happen about 2 years ago. Within a week someone was trying to brute force their way in (auth.log showed thousands of attempts using simple usernames).
*sigh*
"We are all geniuses when we dream"
- E.M. Cioran
Hello,
I am a Linux Bot. Call me LinBot for short. There has been a lot of speculation as to why Bots like me prefer Linux over Windows. The truth is that us bots prefer Linux because of the GPL. It is a question of freedom. And the "free beer" pwnage offered by Windows does not cut it.
Kind regards,
LinBot
While I think it's true that Linux boxes really are 'more' secure, that very fact makes a lot of users (myself certainly) less security aware when using non Windows systems (Mac OS/Linux). That just means that I don't tend to worry that I'm going to get any spyware or viruses no matter what website I visit. When it comes to someone actually attacking a machine directly rather than relying on passive methods then I admit I am pretty clueless, with regards to both Windows and Linux... perhaps some people here could give advice on how to be more proactive in defending against such threats (intrusion detection programs etc?)
which is totally what she said
1) Get the enemy to do horrible things at your direction.
2) Hope no one notices that you are really calling the shots.
3) Make them look unreliable
4) Profit!
HexaByte - he's a square and a half!
How often do you hear of a Windows exploit being successfully used in the wild? Every darned day. How often do you hear of a Linux exploit being successfully used in the wild? Almost never. Don't judge Linux security as bad as Windows security because there have been 2 serious exploits this year. Windows has had FAR more.
If there's anyone I hate more than stupid people, it's intellectuals.
I am a supporting system administrator for Linux/UNIX servers at a large hosting company. I have come across many Linux servers that are compromised and being used to host phishing scams, spamware, IRC servers, etc. Rarely, however, do I see a "root'ed" server -- that is, a server on which an unauthorized person or program has gained root privileges illicitly. In fact, having root access is not necessary to host web content, send mail or provide other Internet-facing services.
All that is needed is the privilege to put content served by the web server in place. That could be a script for server-side execution, a page or fragment for browser- (client-) side execution, etc. If you can upload to the web content (DocumentRoot or include) directories and the web server automatically serves that content, you, too, can host a phishing scam or illicit media for download.
If a directory in the DocumentRoot tree on a web server can be written to by the web server (the apache or nobody system account) then it is easy to inject one's illicit content on that server. OS is irrelevant at that point. In fact, if a web server has world- or apache-writable directories in the web content area the OS *must* allow any web client to upload whatever they desire to that server. It is the responsibility of the owner of the server to restrict who gets to upload what content to his/her server.
I try to explain to web designers that granting write access to the apache/nobody user is BAD, but often I hear back: "Ya, but, I can't make the script work without opening the permissions." Usually, this is done on PHP Content Management System portal sites that allow content to be uploaded directly from the web browser by arbitrary users. There is a little bit of effort required to make doing this difficult -- and it can be tricky to get right -- but forcing the script to work by removing world/apache write privileges is EASY:
$ sudo chmod -R 777 /var/www/html
Ugh. Then, when that same customer is complaining that, "Hey! I've been hacked!" I respond, "no, you haven't. You've been compromised. You allowed *anyone* to upload *anything* to your server and set apache to automatically serve that content. You were trusting *everyone* on the Internet to behave. Your trust was broken and now your server is distributing phishing scams/malware/kiddie porn/spam."
If you ever think you need to "open up" permissions so your PHP script will "run right" you either need a different PHP script or help making the script run "safely." It's harder than chmod'ing 777 but it's definitely worth doing.
One server I worked on had a lazy owner who allowed apache full write and execute access to his web content directories. He would not upgrade his PHP scripts to patched versions that plugged well-publicized holes. After repeated warnings I received a frantic call from him that his server was "hacked" and running a banking phishing scam. I checked the weblogs and found that 20,000 people had clicked the phishing scam links from their webmail inbox and retrieved the malware-laden web pages with Internet Explorer -- meaning many of these people were sending their data right to the Russian/terrorist criminals for funding their illicit operations. The customer asked that I call the FBI to "find out who is responsible" and I said I didn't need to make that call to find out: he was responsible.
That customer is now fully turned around and is complying with the necessary steps to ensure that his server is not used for illicit purposes any longer.
Root was never required for these compromises. Just poor administration.
-- @rjamestaylor on Ello
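The writable-DocumentRoot condition the poster describes can be checked mechanically rather than argued about. The following is example code added here, not the poster's own tooling: it builds a small constructed tree in a temporary directory, treats the group that owns that tree as the web server's group (the account name apache/nobody/www-data varies by distribution, so uid/gid are parameters), and reports every directory or script that the server account, or anyone, could overwrite.

```python
"""Audit a web DocumentRoot for directories and scripts that the web server
account, or anyone at all, can write to.

Added example, not the original poster's tooling.  The fixture tree below is
constructed in a temporary directory purely for demonstration; web_uid and
web_gid are parameters because the web server account varies by distribution.
"""
import os
import shutil
import stat
import tempfile

# File types a web server would execute rather than merely serve.
SCRIPT_SUFFIXES = (".php", ".phtml", ".cgi", ".pl", ".py")


def writable_by(st, web_uid, web_gid):
    """Reasons why an entry with stat result `st` can be written by the web
    server account (web_uid/web_gid) or by everyone.  Empty list means fine."""
    reasons = []
    mode = st.st_mode
    if mode & stat.S_IWOTH:
        reasons.append("world-writable")
    if web_uid is not None and st.st_uid == web_uid and mode & stat.S_IWUSR:
        reasons.append("owned and writable by web server account")
    if web_gid is not None and st.st_gid == web_gid and mode & stat.S_IWGRP:
        reasons.append("group-writable by web server group")
    return reasons


def audit_docroot(root, web_uid=None, web_gid=None):
    """Walk `root`; return sorted (relative path, kind, reasons) findings.

    Directories are flagged when the server could create files in them.
    Scripts are flagged when the server could rewrite them, or when they sit
    in a flagged directory: a read-only file can still be replaced wholesale
    if its parent directory is writable."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        dir_reasons = writable_by(os.lstat(dirpath), web_uid, web_gid)
        if dir_reasons:
            findings.append((os.path.relpath(dirpath, root), "dir", dir_reasons))
        for name in filenames:
            if not name.lower().endswith(SCRIPT_SUFFIXES):
                continue
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            reasons = writable_by(st, web_uid, web_gid)
            if not reasons and dir_reasons:
                reasons = ["in writable directory"]
            if reasons:
                findings.append((os.path.relpath(path, root), "script", reasons))
    return sorted(findings)


def build_fixture():
    """Constructed DocumentRoot: a tidy site plus the two mistakes the poster
    describes (an uploads dir opened with chmod 777, and a cache dir left
    group-writable by the web server's group)."""
    root = tempfile.mkdtemp(prefix="docroot-")
    dirs = {"": 0o755, "includes": 0o755, "uploads": 0o777, "cache": 0o775}
    files = {
        "index.php": 0o644, "includes/config.php": 0o644,
        "uploads/avatar.png": 0o666, "uploads/helper.php": 0o644,
        "cache/tpl.php": 0o664,
    }
    for rel, mode in dirs.items():
        path = os.path.join(root, rel)
        os.makedirs(path, exist_ok=True)
        os.chmod(path, mode)
    for rel, mode in files.items():
        path = os.path.join(root, rel)
        open(path, "w").close()
        os.chmod(path, mode)
    return root


def run_demo():
    """Audit the fixture, pretending the web server runs as the group that
    owns the tree (so group-writable entries count), then clean up."""
    root = build_fixture()
    try:
        web_gid = os.lstat(root).st_gid
        return audit_docroot(root, web_uid=None, web_gid=web_gid)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for rel, kind, reasons in run_demo():
        print(f"{kind:6} {rel:24} {', '.join(reasons)}")
```

Run against a real tree, pass the uid/gid the web server actually runs as; the correct end state is a DocumentRoot owned by the deploying user with no server-writable directories except a dedicated upload directory from which the server is configured not to execute scripts.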
RedHat has to stop allowing root login in their default SSH configuration.
Which distributions do the right thing ?
If this is true, which ATFA, we won't ever know because it's a secret, you are right on. Linux has vastly superior auditing tools to the win32 world, it is only a matter of lazy admins _not_ using them.
Nice work on the call to action. Not enough of that on /.
Got Trader Joe's? friendwich.com RSS feeds work now!
The first rootkit I got in my life was a Linux box running BIND for a local DNS cache. That was 5 years ago. BIND before version 9 is so lousy that everyone using it should expect to get rootkitted someday. I was tweaking the firewall settings. I forgot to block port 53 because I hadn't been using that box all that much, and I forgot it was running BIND. The rootkit tried to replace /sbin/init, but my DSL connection died halfway so that didn't complete, and it left my machine unbootable.
About 3 years ago, I sent a PowerBook G4 laptop to an authorized Apple Care center for hardware repair, and some smart-ass there set my root password to something I couldn't guess. But one of the SSH scanning bots successfully guessed. The cracker downloaded and compiled psyBNC (an IRC proxy) and installed it under "/usr/sbin/sshd " (with a trailing space). I think it'd be used as one of the hops designated to make the IRC connection difficult to trace.
I found out about it a few days later, seeing strange IRC connections in netstat.
After that, I always make sure the root password is disabled, using sudo or sudo su - if I need root access. I only have port 22 and 80 open, and I haven't seen a rootkit since.
I once had a signature.
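Several posts in this thread (the brute-force attempts showing up in auth.log, the denyhosts fix, distributions that ship sshd with root login permitted, and the psyBNC install above that followed a guessed root password) come down to two routine checks: reading the sshd log for guessing activity and verifying what the daemon config allows. This is example code added here, not from any poster; the auth log lines are constructed, THRESHOLD is an assumed tuning value, and the config check honours the first PermitRootLogin directive the way sshd does.

```python
"""Spot SSH password-guessing in sshd auth log lines and check whether the
daemon config still permits root to log in with a password.

Added example; the log lines are constructed, not from a real system, and
THRESHOLD is an assumed tuning value.
"""
import re
from collections import Counter, defaultdict

# Constructed sample lines in the syslog layout OpenSSH writes.
SAMPLE_AUTH_LOG = """\
Aug  1 03:12:01 web1 sshd[2311]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
Aug  1 03:12:03 web1 sshd[2313]: Failed password for invalid user oracle from 203.0.113.5 port 40130 ssh2
Aug  1 03:12:05 web1 sshd[2315]: Failed password for root from 203.0.113.5 port 40138 ssh2
Aug  1 03:12:07 web1 sshd[2317]: Failed password for root from 203.0.113.5 port 40141 ssh2
Aug  1 03:12:09 web1 sshd[2319]: Failed password for root from 203.0.113.5 port 40150 ssh2
Aug  1 03:13:44 web1 sshd[2330]: Failed password for ian from 198.51.100.7 port 51002 ssh2
Aug  1 03:13:50 web1 sshd[2332]: Accepted publickey for ian from 198.51.100.7 port 51004 ssh2
Aug  1 03:14:10 web1 sshd[2340]: Accepted password for root from 203.0.113.5 port 40160 ssh2
"""

FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

THRESHOLD = 5  # assumed: failures from one source before we call it guessing


def analyse_auth_log(text, threshold=THRESHOLD):
    """Return failure counts per source, sources over the threshold, the
    usernames each source tried, and successful logins from a source that
    was guessing (the signal worth paging on)."""
    failures = Counter()
    users_tried = defaultdict(set)
    accepted = []
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m.group("ip")] += 1
            users_tried[m.group("ip")].add(m.group("user"))
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            accepted.append((m.group("ip"), m.group("user"), m.group("method")))
    brute_forcers = {ip for ip, n in failures.items() if n >= threshold}
    # An accepted login from a source that was failing moments before means
    # a guess landed; that is what the psyBNC story above looked like.
    suspicious_logins = [a for a in accepted if a[0] in brute_forcers]
    return {
        "failures": dict(failures),
        "brute_forcers": brute_forcers,
        "users_tried": {ip: sorted(u) for ip, u in users_tried.items()},
        "suspicious_logins": suspicious_logins,
    }


def password_root_login_allowed(sshd_config_text):
    """True if sshd_config lets root log in with a password, False if it does
    not ("no", "without-password", "prohibit-password", "forced-commands-only"),
    None if no global directive is present (then the compiled-in default of
    that OpenSSH version applies, which has changed over the years, so check it).
    sshd uses the first occurrence of a directive, so this does too; anything
    after a Match block is conditional and not treated as the global setting."""
    for raw in sshd_config_text.splitlines():
        line = raw.split("#", 1)[0].replace("=", " ", 1).strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if parts[0].lower() == "match":
            break
        if parts[0].lower() == "permitrootlogin" and len(parts) == 2:
            return parts[1].strip().lower() == "yes"
    return None


if __name__ == "__main__":
    report = analyse_auth_log(SAMPLE_AUTH_LOG)
    for ip in report["brute_forcers"]:
        print(f"{ip}: {report['failures'][ip]} failures, tried {report['users_tried'][ip]}")
    for ip, user, method in report["suspicious_logins"]:
        print(f"ALERT: {user} logged in by {method} from guessing source {ip}")
    print("root password login allowed:", password_root_login_allowed("PermitRootLogin yes\n"))
```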
That the OS doesn't matter. What matters is your goal.
On the desktop, people hack Windows machines since that's what most desktop Machines are. On the server side, people hack more Linux machines since that's what most servers are.
Hacked Linux machines are hacked with a specific purpose in mind, and so are Windows machines. In fact, in both cases, the attack vector is usually an application running on said OS. Be it PHP script, server daemon, your browser or even music player on Windows.
Just like the article on Randi and weird audiophile products, it was said "music fans listen to music, audiophiles listen to stereos". Well, same applies:
"computer users run software applications, OS zealots run operating systems"
And now we see it even applies to hackers, which hack not according to the OS but their desired goal.
I could not agree with you more. Any machine connected to the internet is insecure, and the more market share linux gains the more hacks and exploits will be seen. The Linux fan boys will always be more than happy to point out pitfalls of windows, yet these same script kiddies seem to forget to patch their own linux servers, leaving them exploitable and open to hackers.
Linux is a superior operating system.
2 cents,
QueenB.
HDGary secures my bank
Great. This kind of headline is what I never wanted to see. Now I have to look at all the stupid comments from the open source whores about how Microsoft sucks and everyone else rocks, how when Microsoft fixes a bug they still suck because their code shouldn't have had the bug in the first place, and how Linux rocks because when it has a bug fixed it's a testament to its development model.
On the other hand, good to see that the truth is EVERYBODY is vulnerable and not just Microsoft.
One of the problems are dedicated server hosts. I picked up a dedicated box a while back and I was startled to find that I was put in a position to scramble to secure the box immediately upon receiving my ssh password.
Of course, I could have paid extra to get a more secure box, but budget was an issue, and my plans were pretty simple for the machine.
Another problem is that a lot of webmasters with dedicated boxes and virtual servers end up running older and insecure versions of software - from mail servers to web servers, etc. because the software is all wrapped as part of Plesk or something similar. When security patches come out, the turnaround time for updates from the software providers is far from instantaneous.
A third problem is efficiency. If your system has been rooted, it's easy to not notice as long as the person who rooted you isn't abusing your system resources.
Recovering a rooted system is a problem as well - sys admins in general could stand to take a lesson from rootkits to protect their own system. I've seen two instances myself where overwritten binaries like ps and ls could not be reverted without a great deal of effort.
Further - people who get "Managed" servers expect that they have a secure system and that their system is being monitored for security issues regularly. From what I've seen, "Managed" means that vendor provided packages get updated automatically and uptime may be monitored, but that's a far cry from someone actually managing a system.
Linux can be secure, but I think the vast majority of web servers out there are wide open targets, much like all those windows ME boxes attached directly to cable modems.
I understand why you say this (and you did say unix, not linux), but you have to see the humor in your statements. "See!? Linux is better because it is the OS choice of *REAL* crackers." It could be seen as a mere spin attempt, but it is really the truth. What servers do you think crackers used to break into back in the day? I'll admit that there is certain fanboyism that exists around Linux, but usually the "it's really not the fault of the OS" can be backed up. If not, the attitude is generally "whoops... let's fix it ASAP". Whereas *ahem* other OS providers tend to do a lot more coverup, consult PR and lawyers, etc etc.
My beliefs do not require that you agree with them.
True, security is not simple and requires work on the administrator's part. Last year (2006) I detected that my home Linux server (which also acts as the network router) was being attacked through SSH. (Someone was trying to log in to my OpenSSH server.) They never got in, and I tracked the addresses to China.
However, I am now working on rebuilding the server - upgrading to a new box in the process too. Part of the upgrade is putting more security in as well: testing out the firewall before the server goes live, adding in Snort, packet monitoring, and other tools. I am even planning out use of a RADIUS server to further protect the wireless portion of my network, and looking at making VPN access the only way to get in from the outside (instead of SSH or any other method). However, this is all taking work to do, and will take more work to maintain and review later. Now, I'm probably going to an extreme - quite likely - but I am also working towards a plan to be able to know what goes on on my network and be able to manage it myself. A lot of the stuff is easily automated, and easily managed. (The hardest part is getting it configured and working in the first place.)
Windows is no different, though without most of the tools. (They just started bundling a usable firewall in XP SP2, but even that is very basic and not very good.) I do have a couple Windows systems on my network, but I don't have to worry as much about them as there is a strong guard between them and the Internet - one that I actively maintain.
In the end, no matter what size your network is - you can never just "set it and forget it". At the very least you need to keep applications up to date on the server, but you also need to monitor the various logs and then respond when something does come up.
Truth is like the sun. You can shut it out for a time, but it ain't goin' away. - Elvis Presley (source: imdb.com)
only if you trust Micro$oft...
"According to Cullinane, none of the Linux operators whose machines had been compromised were even aware they'd been infected"
Must be a slow day at Computerworld. Like, how do they equate Linux with an increase in phishing? How did eBay discover all these rooted Linux boxes? Who gathered the data, and how was it gathered? Why would phishers use rooted Linux boxes when that would draw attention to themselves? Why not hire a box in a server farm, or why not just hack eBay?
davecb5620@gmail.com
So as a desktop linux user, should I be concerned? I googled anything that I wasn't sure of in ps aux and think I'm ok. Running Ubuntu Feisty x64.
There is more to science than physics!
www.iomalfunction.blogspot.com
There's a particularly nasty rootkit out there which overwrites certain system programs (such as ls, ps, netstat, md5sum and a few others) with modified versions, then does a chattr to stop you overwriting them (though lsattr is left alone). And while attempting to clean up a machine so infected, I've seen Perl scripts changing the value of $0. This means even if you've got a "clean" ps around (like a copy of busybox in your own non-root home directory ..... you do have a non-root login, don't you?), it will report the "wrong" thing. Another clue that this rootkit is installed, is that (at least on Debian and Slackware) coloured directory listings don't work properly, and invoking ls generates a non-fatal error message. (The "special" ls must be based on an older version.)
Note that the binaries in this rootkit are 32-bit ..... so running 64-bit Debian (which has *no* 32-bit libraries) will break them. Personally, I'd like to see a patch that will make Perl give a segmentation fault if any script tries to alter $0. In fact, I'd like to see a kernel patch that will break any binary that was not compiled locally.
The www-data (Debian / Ubuntu) or apache (Fedora) user should not be running any process other than apache2 or httpd. If you see something like "accepting connections", that's a sign that someone could be running something nasty.
In general, watch for world-writable directories (they list with a green background in Debian) because that's one of the first steps in cracking a box ..... install a script in a user's home directory, then persuade it to run. Beware of badly-written PHP scripts which don't chmod uploaded files to make them non-executable (turning off short open tags is also surprisingly effective). And what you think might be a DDoS (repeated attempts to retrieve mail on nonexistent accounts via POP3) might actually be a password-guesser. Block the /24 with an iptables rule at once. Note, if you aren't within walking distance of your co-lo, make your first firewall rule
iptables -I INPUT 1 -s 10.20.30.40/32 -j ACCEPT
(replace 10.20.30.40/32 by a subnet specifier which will always contain your own IP address -- get this from your broadband company -- and just to make you all jealous, my one ends in /32 because my IP is static) and never, ever use -I INPUT 1; use -I INPUT 2 or -A INPUT instead. It's too easy to block yourself out with an injudiciously-applied rule (and I do live within walking distance of my co-lo). If you see a process running that looks suspicious, leave it running long enough to examine its /proc entry before applying kill -9. Give users who don't need shell access a "shell" of /bin/true or /usr/games/fortune -o; but be sure to include whatever "shell" you gave them in /etc/shells -- otherwise they will not be able to use FTP. (If they don't have any web space on your server, just e-mail, then use /bin/false and don't put that in /etc/shells. That will make it harder to use an ftpd-based exploit.)
Je fume. Tu fumes. Nous fûmes!
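An added example from the editor, not code from the post above, that turns two of its checks into a script you can run against /proc: the /proc/PID/exe link is kept by the kernel, so after a Perl script rewrites $0 the link still names /usr/bin/perl even though ps shows a fake name, and the web-server uid should be running nothing but apache2 or httpd. The uid 33 (www-data on Debian/Ubuntu), the interpreter list and the fixture's processes, paths and pids are this example's assumptions; with no argument it walks the live /proc, and make_fixture builds a constructed fake tree so the logic can be exercised offline.

```shell
# Editor's added example, not code from the post. With no argument it walks
# the live /proc; make_fixture builds a constructed fake tree for an offline run.
# Assumed: uid 33 is the web-server user (www-data on Debian/Ubuntu); set WWW_UID
# to override.

WWW_UID=${WWW_UID:-33}

proc_uid() {  # real uid of the process whose /proc directory is $1
    awk '/^Uid:/ { print $2; exit }' "$1/status" 2>/dev/null
}

check_procs() {  # usage: check_procs [PROC_ROOT]; prints one SUSPECT line per finding
    proc=${1:-/proc}
    for d in "$proc"/[0-9]*; do
        [ -d "$d" ] || continue
        pid=${d##*/}
        # /proc/PID/exe is maintained by the kernel: a script that rewrites $0
        # changes what ps shows, but the link still names the interpreter binary.
        exe=$(readlink "$d/exe" 2>/dev/null) || continue
        exe_base=${exe##*/}
        argv0=$(tr '\0' '\n' < "$d/cmdline" 2>/dev/null | head -n 1)
        argv0_base=${argv0##*/}
        case "$exe_base" in
            perl*|python*|php*)
                case "$argv0_base" in
                    "$exe_base"*|*.*) ;;   # "perl", "perl5.8", "backup.py": plausible names
                    *) printf 'SUSPECT pid=%s exe=%s argv0=%s (interpreter hiding behind a fake name)\n' \
                           "$pid" "$exe" "$argv0" ;;
                esac ;;
        esac
        # the web-server uid should run nothing but the web server itself
        if [ "$(proc_uid "$d")" = "$WWW_UID" ]; then
            case "$exe_base" in
                apache2|httpd) ;;
                *) printf 'SUSPECT pid=%s uid=%s exe=%s (web-server uid running something other than httpd)\n' \
                       "$pid" "$WWW_UID" "$exe" ;;
            esac
        fi
    done
}

make_fixture() {  # constructed fake /proc tree in a temp dir; prints its path
    root=$(mktemp -d)
    mkfake() {  # pid uid exe argv0
        d="$root/$1"
        mkdir -p "$d"
        printf 'Name:\tx\nUid:\t%s\t%s\t%s\t%s\n' "$2" "$2" "$2" "$2" > "$d/status"
        ln -s "$3" "$d/exe"
        printf '%s\0-q\0' "$4" > "$d/cmdline"
    }
    mkfake 100 33   /usr/sbin/apache2   /usr/sbin/apache2   # ordinary worker
    mkfake 101 33   /usr/bin/perl       /usr/sbin/httpd     # $0 rewritten, running as www-data
    mkfake 102 1000 /usr/bin/perl       perl                # honest perl
    mkfake 103 1000 /usr/bin/python2.5  ./backup.py         # honest script run via its shebang
    echo "$root"
}

if [ "${1:-}" = --demo ]; then
    fx=$(make_fixture); check_procs "$fx"; rm -rf "$fx"
fi
```

Run it with --demo to see the two findings for the fake pid 101, or source it on a real box and call check_procs with no argument. The argv[0] test is a heuristic (a daemon that legitimately renames itself will trip it), so treat a hit the way the post suggests: read the process's /proc entry before you kill anything.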
Not really.
You will note that first replies were all of the form: How did they do this? How can we keep it happening in the future? Here are some tools & techniques to help.
A Pirate and a Puritan look the same on a balance sheet.
Hackers prefer attacking Linux servers because there are so many more of them serving up web sites.
OSSEC HIDS is a very helpful, simple tool to help protect your Linux box (or most other OSes). It watches the logs for you (ssh, apache, mail servers, ...), spots abnormal patterns registered in XML rules, then sends alert mail to the box admin, and is able to blacklist the IP address of brute-force attackers for some time to avoid being DoSed or ssh-bruteforced. You can whitelist your common IP addresses to avoid being blacklisted by DoS attacks with forged IP packets.
It also maintains checksums for system files to help detect rootkits or other intrusion. For more details see the project page:
http://www.ossec.net/main/
Unfortunately it is not yet packaged in all major Linux distros, so security updates will have to be applied manually.
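An added example from the editor, not OSSEC's code or the poster's, showing the mechanism the post describes: count failed sshd logins per source address, report any address over a threshold for a timed block, and skip whitelisted addresses so a burst of forged packets cannot get your own IP blocked. The log lines, addresses, threshold and block duration are constructed for the example, and the iptables/at commands it prints are one way to apply a temporary block, not OSSEC's own active-response script.

```shell
# Editor's added example, not OSSEC's code. Constructed sshd log lines:
SAMPLE_AUTH_LOG='Oct 22 03:11:02 colo sshd[2211]: Failed password for root from 203.0.113.9 port 40122 ssh2
Oct 22 03:11:04 colo sshd[2213]: Failed password for invalid user admin from 203.0.113.9 port 40130 ssh2
Oct 22 03:11:07 colo sshd[2215]: Failed password for invalid user test from 203.0.113.9 port 40141 ssh2
Oct 22 03:11:09 colo sshd[2217]: Failed password for root from 203.0.113.9 port 40150 ssh2
Oct 22 03:11:12 colo sshd[2219]: Failed password for invalid user oracle from 203.0.113.9 port 40162 ssh2
Oct 22 03:12:40 colo sshd[2230]: Failed password for ian from 192.0.2.50 port 51000 ssh2
Oct 22 03:12:46 colo sshd[2230]: Accepted publickey for ian from 192.0.2.50 port 51000 ssh2
Oct 22 03:13:01 colo sshd[2240]: Failed password for invalid user guest from 198.51.100.77 port 3333 ssh2
Oct 22 03:13:01 colo sshd[2241]: Failed password for invalid user guest from 198.51.100.77 port 3334 ssh2
Oct 22 03:13:02 colo sshd[2242]: Failed password for invalid user guest from 198.51.100.77 port 3335 ssh2
Oct 22 03:13:02 colo sshd[2243]: Failed password for invalid user guest from 198.51.100.77 port 3336 ssh2
Oct 22 03:13:03 colo sshd[2244]: Failed password for invalid user guest from 198.51.100.77 port 3337 ssh2
Oct 22 03:13:03 colo sshd[2245]: Failed password for invalid user guest from 198.51.100.77 port 3338 ssh2'

# usage: brute_force_report THRESHOLD BLOCK_SECONDS "whitelisted ip ..." < auth.log
# Emits "BLOCK ip failures=N for Ss" for offenders and "SKIP ..." for whitelisted ones.
brute_force_report() {
    awk -v thr="$1" -v secs="$2" -v wl="$3" '
        BEGIN { n = split(wl, w, " "); for (i = 1; i <= n; i++) white[w[i]] = 1 }
        $5 ~ /^sshd\[[0-9]+\]:$/ && /Failed password for/ {
            # the source address is the field after "from"; position varies with "invalid user"
            for (i = 6; i <= NF; i++) if ($i == "from") { fails[$(i+1)]++; break }
        }
        END {
            for (ip in fails) {
                if (fails[ip] < thr) continue
                if (ip in white) printf "SKIP  %s failures=%d whitelisted\n", ip, fails[ip]
                else             printf "BLOCK %s failures=%d for %ds\n", ip, fails[ip], secs
            }
        }'
}

# Turns BLOCK lines into a DROP rule plus a scheduled removal via at(1);
# printed rather than executed so you can review them first.
block_commands() {
    while read -r action ip rest; do
        [ "$action" = BLOCK ] || continue
        secs=${rest##*for }; secs=${secs%s}
        printf 'iptables -I INPUT -s %s/32 -j DROP\n' "$ip"
        printf 'echo "iptables -D INPUT -s %s/32 -j DROP" | at now + %d minutes\n' \
            "$ip" "$((secs / 60))"
    done
}

if [ "${1:-}" = --demo ]; then
    printf '%s\n' "$SAMPLE_AUTH_LOG" | brute_force_report 5 600 "192.0.2.50" | block_commands
fi
```

With a threshold of 5, the 203.0.113.9 guesser is blocked, the single failure from 192.0.2.50 is ignored, and 198.51.100.77 is reported but skipped when it is on the whitelist; pipe the output through sh only after you are sure your own addresses are whitelisted.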
There's an old adage: "a good crook is one that doesn't get caught".
Provided the admin knows their stuff I think there is little difference between the two these days (XP vs Linux). I also think the vast improvement in Windows has been driven by competition from *nix in general and Linux in particular. The reason you see so many Windows drones is because that's what comes pre-installed when people buy a computer expecting it to be like an Xbox, or a television, or an encyclopedia, etc. Many people don't really have a need for a PC when they buy one; they are just intrigued by something that claims to do all these things and more.
These people don't even get discs with the O/S; they walk out with "a bargain" that (aside from the O/S and IE) has all the pre-loaded appliverstiments that the chain stores are paid to load on their machines, or for that matter a pre-configured "support account" with admin rights (that one screwed the machine a novice friend of mine bought last year after he managed to hook it up and get online by himself). In other words the mass market is only vaguely aware that other O/S's exist, and even then most would say "Apple" shortly followed by "is expensive".
Some people fight the Windows adware/malware battles and come out wiser; most just try and keep the kids quiet. I've been plodding along since the BBS days and like to think I can look after myself, but after 20 years as a developer with experience in over a dozen O/S's and their countless versions I've come to learn that there is always someone "smarter".
And did you exchange a walk on part in the war for a lead role in a cage? - Pink Floyd.
Has anyone ever tried forcing people to make longer passwords? I worked for a place that hired a firm to come in to actually test the security of the servers. They set up a box to brute force every user name in the system. Pissed me off that my boss handed them all the user ids in the first place. Anyway, after a week there were 7 accounts that were not hacked. I set the passwords on those accounts. All were over 30 characters in length. The firm's attack system only tried up to 15 characters. Maybe making longer, more 'complex' passwords can be a good thing.
It's funny that a long time ago, maybe 1998, I had linux boxes set up on my cable modem. I noticed several times that somehow people were able to crack in and install software like eggdrops and such. I eventually got a little better at security and stopped them. But the attacks themselves seemed to taper down over the years; most focus on Windows boxes.
However, I've seen an increase lately. None of them successful on my systems thankfully, but it's on the rise. I think it's mostly just more script kiddies but then again, someone's got to write 'em..
- It's not the Macs I hate. It's Digg users. -
1) these bot-net controlling Linux boxes probably were not hacked to root access level, but only Web server access level - which is not a problem with the OS.
2) And if they were hacked to root access level, it was probably not a kernel hack but a service level hack based on an unpatched service and a lazy admin.
Whereas when Windows gets hacked, it is USUALLY hacked at all sorts of levels - applications to services - ALL of which end up allowing arbitrary code with essentially "root" access (if not "system" access).
THIS is why Windows is less secure than Linux.
At the very least, THIS story does NOT prove that Linux is equally insecure to Windows AS AN OS.
Get your facts straight.
Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
The zealots got bit in the butt due to their own egos.
Linux is far better than M$ bloatware, but it is wide open "out of the box" and with the devs making the installations so easy, the users feel secure, and do things any old-time Linux user would cringe at. (gawd I recall CLI Slackware and building it up to use a GUI... security was GOD then, now it's a redheaded stepchild with acne...)
So in closing, I say again, it isn't the OS, it is the way it is configured and how you protect yourself that matters.
Welcome to reality kiddies. (and a tip of the hat to those admins that can catch a rootkit as it takes effect...)
Maybe at YOUR edge but not your carriers'. Lots of banks, some gov't agencies, etc, do this already.
This has been discussed to death and beyond on the NANOG list. No way anyone but a few have the resources to install and monitor this kind of thing, more than a few would not block on the grounds of net neutrality and "information wants to be free", and even more would end up blocking huge segments of the net either by mistake or for stupid political reasons. The "routers" are busy enough routing packets without doing deep packet inspection, and NOCs are busy enough doing whatever it is they do.
Feel free to write an RFC for it though, and good luck.
Give a man a fish and you have fed him for today. Teach a man to fish, and he'll say "WHERE'S MY FISH, YOU IDIOT?"
These guys found that the phishing sites were hosted primarily on Linux machines. These are not "linux botnet" machines. Yeah, botnets are great for sending out massive spam loads, but imagine trying to host a stable website on a thousand windows machines with DSL connections. So big surprise: most web servers are Linux, and most phishing web sites are on Linux machines. Yeah Linux is fail-able, but this provides no new information.
"Knowledge is the only instrument of production that is not subject to diminishing returns" -Journal of Political Econom
My Linux box has been running funny for the past year or more now. It runs much more slowly than I would expect, and once in a while it freezes up. Little oddities here and there have been showing up, but every little thing on its own has been explainable.
Finally, the other day, when I tried to SSH into my Dellbuntu laptop from the home server, it said, "Possible man in the middle attack!" I wondered if it could be a trojan on the server itself, or on my re-flashed Linksys router (with DD-WRT), so I pulled out an old D-Link router and tried connecting to the Dellbuntu from a Windows machine, and it gave the same hostkey, so I guess I had never updated the keys after I reinstalled Dellbuntu.
(By the way, why is it so difficult to display a SSH hostkey from the host itself? The SSH client would say, "Are you sure this is the correct SSH hostkey?" and then display the suspicious hostkey. What are we supposed to compare this to? Why can't the SSHdaemon display the hostkey? No, it is NOT in the ~/.ssh directory.)
I guess the other possibility is that my Dellbuntu is compromised.
Anyway, just for peace of mind, I'm going to reinstall everything after the weekend. I put every single config change I make, including a tonne of "sudo apt-get --assume-yes install [xxx]" commands, into a script file, so it should take under an hour to reinstall. I'll have to wait till after the weekend since we have guests over this weekend.
Crummy. I guess it's time for some port-knocking software or ostiaryd or something.
404555974007725459910684486621289147856453481154 in hex is "You sank my Battleship?"
[GPG key in journal]
If you can, be very selective from where you can connect via SSH. Sure there is no need for all the chinese address space to have free access to your SSH port. If you administer the machines from behind a dynamic IP, there is a solution. Register a dyndns name and have your dynamic address updated automatically. Then make a cronjob that updates a firewall rule from that address once an hour or so.
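An added example from the editor, not the poster's script, of the hourly cron job just described: resolve your DynDNS name, and if the address has changed since the last run, allow SSH from the new address before removing the old one so you are never locked out mid-update. The chain name ADMIN-SSH, the state file path, and the use of iptables -C to test for an existing rule are this example's assumptions (the -C option needs a reasonably recent iptables); setting IPT=echo and RESOLVE to a shell function lets you dry-run it without touching the firewall.

```shell
# Editor's added example, not from the post. Run from cron, e.g. hourly:
#   0 * * * * /usr/local/sbin/update-admin-ssh myhost.dyndns.example
# Assumed names: chain ADMIN-SSH, state file under /var/lib; override via env.

IPT=${IPT:-iptables}
CHAIN=${CHAIN:-ADMIN-SSH}
STATE=${STATE:-/var/lib/admin-ssh.ip}

resolve_name() {  # prints the first IPv4 address for the name in $1
    getent ahostsv4 "$1" | awk 'NR == 1 { print $1 }'
}

# usage: update_admin_rule DYNDNS-NAME
update_admin_rule() {
    name=$1
    new=$(${RESOLVE:-resolve_name} "$name")
    case "$new" in
        ''|*[!0-9.]*)
            echo "could not resolve $name, keeping the current rule" >&2
            return 1 ;;                      # never touch the firewall on a failed lookup
    esac
    old=$(cat "$STATE" 2>/dev/null || true)
    [ "$new" = "$old" ] && return 0          # address unchanged, nothing to do
    # a dedicated chain, jumped to from the top of INPUT, keeps the admin rule
    # separate from everything else and lets the stale entry be deleted exactly
    $IPT -N "$CHAIN" 2>/dev/null || true
    $IPT -C INPUT -p tcp --dport 22 -j "$CHAIN" 2>/dev/null ||
        $IPT -I INPUT 1 -p tcp --dport 22 -j "$CHAIN"
    $IPT -I "$CHAIN" 1 -s "$new/32" -j ACCEPT              # admit the new address first ...
    [ -n "$old" ] && $IPT -D "$CHAIN" -s "$old/32" -j ACCEPT   # ... then drop the stale one
    printf '%s\n' "$new" > "$STATE"
}

if [ -n "${1:-}" ]; then
    update_admin_rule "$1"
fi
```

The ACCEPT for your address sits in its own chain, so the rest of INPUT (including whatever DROP rules you add for guessers) is never reordered, and a lookup failure leaves the last known-good rule in place rather than deleting it.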
So... For the newly frightened linux user, could someone bundle this discussion into one post. Namely, answer 2 questions:
1. What, very specifically, do we look for?
2. What, very specifically, do we do?
Keep it in simple, if not noob, terms. This is one for the archives. I've been running Linux since Slackware was on floppies but to be honest I didn't understand half the acronyms or recognize many of the terms used.
What's a good (up-to-date) place to learn more?
---Democracy is two wolves and a lamb voting on what to have for lunch.Liberty is a well armed lamb contesting the vote.
This won't stop the baseless arguments that Linux is more secure than Windows, however. Face it, neither OS is secure.
You said: Is there any way to avoid this? I don't even want to do it once a week, because: a) I might forget, and it's a chore, and b) I'm not sure what to look for. I might get alerted because of something or other that would generate a false positive (e.g. a new configuration on a bittorrent or IRC program).
A sibling poster mentioned Tripwire. How handy is that? I tried installing it when I first started with Linux, back in the days of Mandrake 9.0, but it got to be too much of a hassle installing, and I was never sure when to be or not to be suspicious of minor changes. For example, if I try out new kUbuntu packages all the time, then toss them aside if I'm not interested, would it cause problems with Tripwire?
Also, I run a Linksys router flashed with DD-WRT. It's great protection for my Linux box, but I worry about the router itself. How secure is DD-WRT? I usually turn off the ability to SSH into the router from the Internet, but sometimes I need it on. I wish there were something like Guarddog that would fit into the small non-graphical environment of the DD-WRT so I could easily configure the iptables/netfilter. Also, I don't know if the router can log the connections --that would give a much better indication of intrusion attempts, compared to the logs of my Kubuntu box sitting behind the router.
Any advice would be appreciated. Remember, the main thing is: I am trying to minimize administering the box, and maximize using it.
You should have no problems. Do an update every so often, if they aren't happening automagically already. The vast majority of problems come from servers, hosting data, etc.
But because of the vindictive nature of people on this site, when it's a Windows problem, nobody bothers to help.
It's nothing to do with the difference between closed and open-source. It's petty revenge from mentally-challenged idiots who would rather rip the shit out of people who choose a different OS than them than actually deign to help out.
See, now we must ban any open source software due to national security.
---- Booth was a patriot ----
I knew this would happen sooner or later.
This had to happen when the clueless Windows users began using Linux as a desktop system.
It is just the migration of administrator accounts to root accounts.
Linux has been doomed from the single moment that its user interface and user friendliness became a priority.
That was the main filter that kept clueless users away.
The stupid clueless mind is the main vulnerability of the systems.
And now windows users invading the linux realms are going to say, "meh, linux has viruses just like us". NO!, you just brought the plague with you!
I can think of a few right off the top of my head. There's SIP, RTP, OpenVPN and DNS, just to name a few. I'm sure there are more.
Never eat more than you can lift -- Miss Piggy
A friend emailed me about this just this morning. Here is what he wrote and my reply:
> I'm going to chalk this up (tentatively) to the increasing popularity of
> Linux, which means that a subset of users will be those who don't actually
> know what they're doing, and how to protect a box-- something long the norm
> in the Windows world:
>
> http://computerworld.co.nz/news.nsf/scrt/CD0B9D97EE6FE411CC25736A000E4723
>
> While there, he noticed an unusual trend when taking down phishing sites.
>> "The vast majority of the threats we saw were rootkitted Linux boxes,
>> which was rather startling. We expected Microsoft boxes," he said.
I am not surprised in the least that this was their conclusion. I don't chalk it up to the increasing popularity of Linux at all. I have never (not once) run across a Linux box operating in a botnet. Nor can anyone name a botnet software that infects Linux boxes. In the last 5 years I have found only one Linux box that had a security issue and that was because of PHP (*spit*) which had an XML-RPC exploit a while back and allowed someone to make the box host a phishing website that looked like some bank website. It seems very rare that a Linux desktop (not a webserver) would fall victim to this. I have never seen a security incident such as a botnet on a Linux desktop. I have seen that phishing page on the Linux server that hosted the bogus PHP install. That's it.
And I suspect that they are using terminology incorrectly. A Linux box hosting a phishing site is not part of a botnet. I can understand how Linux boxes would be more popular for phishing websites. PHP is popular and is a pox on Linux as PHP released a bunch of absolute garbage which only happens to run on Linux. It can run on Windows also but that is the expensive and less reliable way to do it so few people do. If people make a conscious decision to install software on Linux that lets just about anyone use the box for whatever they want, such as PHP often does, I don't think that counts against Linux security.
Glancing over the article I immediately spotted this:
"eBay recently did an in-depth analysis of its threat situation, and while the company is not releasing the results of this analysis, it did uncover a huge number of hacked, botnet computers, said Dave Cullinane, eBay's chief information and security officer, speaking at a Microsoft-sponsored security symposium at Santa Clara University."
I challenge anyone to find a single MS sponsored paper or symposium which DOESN'T come to a conclusion favorable to MS and unfavorable to Linux. Just one. And they won't release the raw data. How much is a large botnet? 10? 100? Among millions of infected MS machines. I would also like to know what this alleged Linux botnet software is called.
I am positive that Linux will not be nearly so adversely affected by users who do not know what they are doing. Linux is very different from Windows and is architected for performance, security, and utility instead of being architected to make someone a boatload of money and maintaining monopoly lock-in. (See the fine the EU just imposed on MS.)
Some technical features which help ensure that even if Linux becomes popular on the desktop it won't suffer the same fate as Windows:
* Linux users don't run as admin/root.
* Email programs do not automatically execute attachments.
* Does not depend on filename extensions for anything.
* Does not auto-run anything from inserted media (Worth a laugh: http://www.foxnews.com/story/0,2933,299155,00.html )
* System of mandatory access controls (SE Linux) which really locks things down (some people still turn that off but it is improving rapidly, I use it on my desktop).
* Linux also takes advantage of NX (non-executable memory) which is a recent feature of x86 cpu's
I run a domain (and the associated web/dns/mail/etc services), as well as a LAN-server mainly for the purpose of self-education. Along with this comes the fact that I run apps on it I wouldn't be willing to just install and trust in my work environment. I've had two incidents occur. One was when I made my squid proxy settings a little too open and ended up being used as an open-proxy, the other was when I allowed a friend access and he used his name for both the username/password (oops, time to install a requirement for hardened passwords).
The first time a few spams got through before I caught it. From the logs I figure it was, luckily, a rather small amount as they were just testing me out before the big barrage. The second time there was an attempt to install custom scripts, but whatever it was attempting to do was thwarted by the fact that there wasn't an explicit rule allowing outgoing connections on the required port (default deny is your friend).
More recently I've been working with things such as virtual-servers to segregate any potentially dangerous services, then have them regularly audited and check with tripwire, etc. Still, there are a lot of ways to hack a box, and a lot of ways to secure it, so learning new tricks is always a good thing.
Not necessarily. Encrypt the binaries with public key cryptography. Just make sure you unplug the internet and boot off of a CD that checks your boot files before you type in the private key. After you're done compiling & installing everything reboot.
They ARE out to get you simply because They are in it for themselves and they don't care about you.
Being pretty new to all this linux stuff, what are a few commands I should be running, what should I look for, and which logs are the most important?
My problem with patches is that employees won't test updates, and won't give me a maintenance window - changes have to happen during an emergency, or be required to add resources. This is a business, and those employees generate the income. Furthermore, while I'm working with conscientious, gifted windows admins, the users still manage to propagate a virus throughout the company about once a year, whereas that's never happened on our Unix systems, so lay perception is: Windows security breaks, Unix doesn't. The financial folks run on windows and at least allow patch applications, whereas the Unix people don't unless externally coerced. I'm paranoid enough to treat seriously the possibility I've been rootkitted - but it would have to have been sophisticated. The perimeter firewall only allows outgoing traffic to known ports; no IM or IRC; and outgoing e-mail only from the mail servers. If we're being abused, someone is using highly sophisticated techniques, and I haven't seen it. I'm perfectly aware that's no guarantee.
:-).
Posting anonymously so as not to give a target profile to potential attackers
I don't believe that the majority are rootkits. I see tonnes of compromised sites all the time, but not due to compromises of the overall security of the server; they are in fact due to PHP injection attacks. I come across logfile entries of successful attacks daily. Attackers will have executed code hosted on other compromised sites all over the place, stuff like the r57 shell, and c99.txt always appears. They allow the attacker to upload webpages into any location that the website owner/user has access to.
I'd take with a pinch of salt the notion that the article suggests, namely that the servers have been compromised themselves with rootkits. I've not seen that happen on decently configured UNIX webservers. I know it's possible, I just don't think it's common.
I do not fear computers. I fear the lack of them. Isaac Asimov
We used to use phpBB for our quiet little forum. It got overrun by spam, so it was switched to SMF, but that's a separate issue.
We installed a couple of modifications to phpBB; I can't recall the specifics, I think a CAPTCHA (before it was standard issue) and some tweaks to the layout. This led to huge problems when security issues required upgrades of phpBB.
In short, we didn't do the updates unless absolutely necessary. We'd have to patch in updates to the updated files... incredibly time consuming.
The same thing happened with phpNuke...
Turning off any service that listens on an external port would be a good start, unless you actually want such a service to be running. In that case, you'll have to read up on that particular service and how to make it secure enough.
Not really, as good distributions come secure out of the box. If you enable any network-facing service, then you might have to do some work to secure it (e.g. SSH often comes with root logins enabled, which is one of the things most admins turn off first).
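An added example from the editor, not the poster's, for the "turn off root logins first" step above. The point it demonstrates is a trap in how sshd reads its config: for each keyword the first value found is the one used, so a PermitRootLogin no appended below a provider's PermitRootLogin yes changes nothing. The audit below reports the effective value the way sshd would read it; the config text is constructed, the three settings checked are this example's choice, and Match blocks are deliberately not handled (the authoritative check on a real box is sshd -T).

```shell
# Editor's added example, not from the post. Constructed sshd_config with a
# hosting-provider default left in place above the admin's later fix:
SAMPLE_SSHD_CONFIG='# provider default, left in place
Port 22
PermitRootLogin yes
PasswordAuthentication yes
# added later by the admin; sshd keeps the FIRST value, so this is ignored:
PermitRootLogin no
Protocol 2'

# usage: effective_sshd_value KEYWORD < sshd_config
# Prints the value sshd would use: first occurrence wins, keywords are
# case-insensitive, and reading stops at the first Match block (not handled here).
effective_sshd_value() {
    awk -v key="$1" '
        /^[ \t]*#/ || NF == 0 { next }
        tolower($1) == "match"      { exit }
        tolower($1) == tolower(key) { print $2; exit }
    '
}

# usage: audit_sshd_config < sshd_config ; exit status 1 if any setting is WEAK
audit_sshd_config() {
    cfg=$(cat)
    rc=0
    for pair in PermitRootLogin:no PasswordAuthentication:no Protocol:2; do
        key=${pair%%:*}; want=${pair#*:}
        got=$(printf '%s\n' "$cfg" | effective_sshd_value "$key")
        if [ -z "$got" ]; then
            status="UNSET (sshd compiled-in default applies)"
        elif [ "$got" = "$want" ]; then
            status="OK"
        else
            status="WEAK"; rc=1
        fi
        printf '%-22s %-10s %s\n' "$key" "${got:--}" "$status"
    done
    return $rc
}

if [ "${1:-}" = --demo ]; then
    printf '%s\n' "$SAMPLE_SSHD_CONFIG" | audit_sshd_config
fi
```

Against the sample the audit reports PermitRootLogin yes WEAK even though a "no" line is present; the fix is to edit or remove the earlier line, not to append another one, and then restart sshd from a session you keep open until a fresh login succeeds.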
In this case, it should be "If I was able to see further." Use of the subjunctive mood in English (If I were) indicates that the statement is contrary to hypothesis. For example, "If I were a dog, I would lick myself" implies that I am not, in fact, a dog, and am only speaking hypothetically. Whereas: "If I was a dog, it was only because I was selfish at heart" implies that you were a dog (in this case, the meaning is figurative, obviously).
Here, your sig does not introduce any information that is contrary to hypothesis. When you say "If I was able to see further, it is because..." you are actually giving an explanation for why you were able to see further. Saying "If I were able to see further" implies that you were not, in fact, able to see further, which is not what you meant.
Hope this helps.
Microsoft scum
Hope this helps
;)
Well, it did convince me to google up the actual original quote, which turned out to be different from what I remembered after all
If I have been able to see further than others, it is because I bought a pair of binoculars.
So basically the message here is that Windows is more secure because it is an obtuse piece of s***. Security through obscurity instead of security by obscurity. Paragraphs 2, 3 and 4 indicate that you are a Linux fanboy... better than being a Windows fanboy though.
an eBay conversion to Vista servers and desktops at a really, really good price Real Soon Now.
IMO, MS and eBay deserve each other.
Tech Public Policy stuff
*sits back and watches all the Linux fanbois make excuses*
What do I look like to you? A WinDOS guru?
If you want help, look to your own gurus.
What? They aren't up to the task? They aren't doing their thing?
Well, don't blame kranky Unix users for that.