Slashdot Mirror
Duqu Attackers Managed to Wipe C&C Servers
Trailrunner7 writes with an update in the saga of Duqu and Stuxnet. From the article: "Shortly after the first public reports about Duqu emerged in early autumn, the crew behind Duqu wiped out all of the command-and-control servers that had been in use up to that point, including some that had been used since 2009. An in-depth analysis of the known C&C servers used in the Duqu attacks has found that some of the servers were compromised as far back as 2009, and that the attackers clearly targeted Linux machines. All of the known Duqu C&C servers discovered up to this point have been running CentOS ... There also is some evidence that the attackers may have used a zero-day in OpenSSH 4.3 to compromise the C&C servers initially."
You never need your server directly on the internet.
put it behind a firewall with holes poked through. they can't attach a zero day SSH exploit if the only hole is port 80 to Apache.
And if you are one of the incredibly rare cases where you really do need to have the machine on the net directly.. I suggest daily security audits.
Do not look at laser with remaining good eye.
>All of the known Duqu C&C servers discovered up to this point have been running CentOS
Probably since this is a popular OS for web hosts that resell/sell servers. Who are the people who buy these server? Well anyone and everyone who wants to be another web host yet have no idea on how to secure a server so they hire some $40 per month security company to secure their servers. There must be 1000's of those servers out there ripe for raping.
by TheSpoom (715771) Uncaring Linux user here. I have nothing to add to this but please continue. *munches popcorn*
4.The servers appear to have been hacked by bruteforcing the root password. (We do not believe in the OpenSSH 4.3 0-day theory - that would be too scary!)
5.The attackers have a burning desire to update OpenSSH 4.3 to version 5 as soon as they get control of a hacked server.
Ah yes, lets pretend there is no problem because the idea that there is, is too scary. Someone kill me, please. The only other reason I can think of, which also ties in with the fact they were appently checking the man page for sshd_config is that something changes in the default settings between 4.8 and 5 and this they wanted desperately, but even then this would point to some sort of exploit. *(Maybe an exploit in the way the default settings are in centos, rather than in openssh).
- http://www.milkme.co.uk
It's just like any other OS. You need to know what your doing.
A poorly setup Linux box will be worse than a locked down Windows install. Everyone knows this.
To say Linux itself is inherently vulnerable is an ignorant statement.
-americamatrix
Wow, windy fellow, aren't you?
Your rant has one HUGE hole. Your citations are about one-off manual attacks against Linux. Not a single case involves a large group of Linux boxes being compromised by with a single email sent out from a spam box.
Most attacks against Windows boxes are carried out by a simple email payload. That's how the 4,500,000+ Windows zombie bot farm was created last year within a couple of weeks. A Linux zombie bot farm was found last year as well. It contained only 700 boxes and it took the group of hacker who created it nearly six months to do so because they had to manually attack each machine. They ran dearjohn against who knows how many machines trying to find those with insecure root passwords. 700 in six months. They immediately secured those machines against all known exploits and used them for C&C machines to control much, much larger Windows bot farms because Linux IS secure. How many C&C Windows boxes have you heard about?
Running with Linux for over 20 years!