Slashdot Mirror


Duqu Attackers Managed to Wipe C&C Servers

Trailrunner7 writes with an update in the saga of Duqu and Stuxnet. From the article: "Shortly after the first public reports about Duqu emerged in early autumn, the crew behind Duqu wiped out all of the command-and-control servers that had been in use up to that point, including some that had been used since 2009. An in-depth analysis of the known C&C servers used in the Duqu attacks has found that some of the servers were compromised as far back as 2009, and that the attackers clearly targeted Linux machines. All of the known Duqu C&C servers discovered up to this point have been running CentOS ... There also is some evidence that the attackers may have used a zero-day in OpenSSH 4.3 to compromise the C&C servers initially."

35 of 227 comments

  1. NO! by masternerdguy · · Score: 4, Funny

    Damn, not the command and conquer servers. My weekend is fried.

    --
    To offset political mods, replace Flamebait with Insightful.
  2. Umm, how about a little context? by Evro · · Score: 5, Informative

    Editors, your job is not simply to click "post." Read the submission and see if it makes sense. I have no idea what Duqu is or what this is about. I had to dig down 2 links deep to see that this was related to an attack in India. Context: provide it.

    --
    rooooar
    1. Re:Umm, how about a little context? by martas · · Score: 3, Informative

      Didn't the very first link in the summary do that?

    2. Re:Umm, how about a little context? by forkfail · · Score: 2

      Well, you see, Count Duqu was trying to trap Anakin Skywalker and Senator Padmé Amidala....

      --
      Check your premises.
    3. Re:Umm, how about a little context? by sourcerror · · Score: 2

      No, and this proves that you didn't read it.

  3. Dear Kids... by Lumpy · · Score: 2, Insightful

    You never need your server directly on the internet.
    Put it behind a firewall with holes poked through. They can't attach a zero-day SSH exploit if the only hole is port 80 to Apache.

    And if you are one of the incredibly rare cases where you really do need to have the machine on the net directly, I suggest daily security audits.

    --
    Do not look at laser with remaining good eye.
    1. Re:Dear Kids... by amicusNYCL · · Score: 4, Insightful

      My point was that several servers do use SSH. If I rent a dedicated server, SSH is how I get things done. If an exploit is discovered in httpd, the correct solution is not to block port 80.

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
    2. Re:Dear Kids... by elsurexiste · · Score: 2

      they can't attach a zero day SSH exploit if the only hole is port 80 to Apache.

      What about the edge cases where you're running something other than a vanilla web server?

      As in "any server that can be sysadmin'ed remotely"? :)

      About half of the system administrators I know don't work on-site. A few use VPNs + ssh; the rest use plain ssh. Either way, it's more than a single port 80.

      --
      I rarely respond to comments. Also, don't ask for clarifications: a brain and Google are faster, believe me!
    3. Re:Dear Kids... by Em+Adespoton · · Score: 5, Informative

      The only things you should need open to the internet are SSH ("the attackers may have used a zero-day in OpenSSH 4.3 to compromise the C&C servers initially") and/or IPSec/L2TP. Anything else should redirect to a DMZ that does NOT route to the same subnet as SSH/IPSec/L2TP. The DMZ should not have port access to the regular network (everything should be pushed). The firewall should be set to not allow active connections out from the DMZ to anywhere, and any activity should not just be logged, but flagged and sent to the administrator. All devices in the DMZ should log to a remote (to them) syslog that is polled from outside the DMZ.

      There... that's the ideal world. In reality, this doesn't account for people who don't have that much hardware/expertise with VMs, for people who don't keep up with their patches, for those who want to do an end-run around this policy to set up torrents, etc. directly from their working computer, etc.

      It also doesn't help that most gateway routers these days have some full-fledged OS inside and as a result often have exploits that can be leveraged directly against them due to inappropriate default configurations.
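
      Added example, not from Em+Adespoton's post: a script that emits an iptables-restore ruleset for the layout described above (only SSH and IPsec/L2TP terminate on the gateway, port 80 is forwarded into a DMZ, the DMZ can answer but never initiate toward the LAN or the Internet, and every such attempt is logged with a prefix a syslog collector can alert on). Interface names, the web host address and the SSH port are assumptions passed as arguments; the script only prints the ruleset so it can be reviewed, then loaded with `iptables-restore`.

```shell
#!/bin/sh
# Added example (not from the thread). Prints an iptables-restore ruleset for a
# three-legged gateway: WAN, LAN, DMZ. Nothing is applied here; pipe the output
# into iptables-restore on the gateway after reviewing it.
#   usage: dmz_ruleset WAN_IF LAN_IF DMZ_IF WEB_HOST_IP [SSH_PORT]
set -eu

dmz_ruleset() {
    wan=$1; lan=$2; dmz=$3; web=$4; sshport=${5:-22}
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# the only thing the Internet reaches besides the gateway itself: the DMZ web host
-A PREROUTING -i $wan -p tcp --dport 80 -j DNAT --to-destination $web:80
-A POSTROUTING -o $wan -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:DMZ_EGRESS - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# services the gateway exposes: SSH (harden sshd separately) and IPsec/L2TP
-A INPUT -i $wan -p tcp --dport $sshport -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i $wan -p udp -m multiport --dports 500,4500,1701 -j ACCEPT
-A INPUT -i $wan -p esp -j ACCEPT
# Internet -> DMZ: web only (the DNAT above rewrites the destination)
-A FORWARD -i $wan -o $dmz -d $web -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
# LAN pushes into the DMZ (deploys, pulling logs); the DMZ cannot pull back
-A FORWARD -i $lan -o $dmz -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i $lan -o $wan -m conntrack --ctstate NEW -j ACCEPT
# DMZ may never open a connection anywhere; log each attempt, then drop it
-A FORWARD -i $dmz -j DMZ_EGRESS
-A DMZ_EGRESS -o $lan -m conntrack --ctstate NEW -j LOG --log-prefix "DMZ-TO-LAN: "
-A DMZ_EGRESS -o $wan -m conntrack --ctstate NEW -j LOG --log-prefix "DMZ-TO-WAN: "
-A DMZ_EGRESS -j DROP
COMMIT
EOF
}

# Demonstration with assumed interface names and a documentation-range web host.
dmz_ruleset eth0 eth1 eth2 192.0.2.10 2222
```

      The DMZ_EGRESS chain is what makes "flagged, not just logged" cheap: a collector watching for the `DMZ-TO-LAN:` prefix sees a compromised DMZ host the moment it tries to pivot. Note that because the DMZ cannot initiate anything, the DMZ syslog box has to be read from the LAN side, exactly as the post says, and package updates have to be pushed in rather than fetched.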

    4. Re:Dear Kids... by Lumpy · · Score: 2

      Most people use the secret service called... VPN. Or, if you like more secure, you use an out-of-band initiation that opens a port for a short window.
      Example: I simply SMS my server, it gets the SMS message and opens the VPN firewall rule for 3 minutes. I connect and do my work. If my connection did not happen in the 3 minute window it closes down again.

      SMS is easy with a cellular rs232 modem, but there are plenty of other ways to do it as well. Email to a specific gmail account can do the same exact thing.

      This is Computer security 101 stuff, nothing advanced.

      --
      Do not look at laser with remaining good eye.
    5. Re:Dear Kids... by amicusNYCL · · Score: 2

      In an ideal world, that's right, you would whitelist IPs. But in the practical world, that's not how it happens. Web hosts aren't going to whitelist IPs, they just open SSH.

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
  4. They should have known better. by xeeno · · Score: 2

    The first thing you do in C&C is build walls around your MCV so engineers won't get it. Seriously, guys.

  5. CentOS by future+assassin · · Score: 3, Insightful

    >All of the known Duqu C&C servers discovered up to this point have been running CentOS

    Probably since this is a popular OS for web hosts that resell/sell servers. Who are the people who buy these servers? Well, anyone and everyone who wants to be another web host yet has no idea how to secure a server, so they hire some $40 per month security company to secure their servers. There must be thousands of those servers out there ripe for raping.

    --
    by TheSpoom (715771) Uncaring Linux user here. I have nothing to add to this but please continue. *munches popcorn*
  6. kinda scary by martas · · Score: 2

    Am I the only one who is kind of worried about the whole stuxnet/duqu thing? We've been hearing/hypothesizing about the dangers of "cyber-warfare" (as much as I hate the term) for a while, pretty much since the beginning of Internet malware, but it seems as though recently shit has finally started to hit the fan, first with increasingly worrying allegations about Chinese hackers and such, and now with this (which seems to be the doing of the US/Israel, at least a lot of people think it is).

    If things continue along this trend, one could expect a really bleak future for the Internet where major world governments and other well-financed organizations have virtually unlimited power to do what they like with any computerized system, and continually carry out covert attacks against each other. It seems the only thing that could prevent that from realizing would be some major game-changing advances in computer security, but I'm not seeing any indication that that's likely to happen...

    1. Re:kinda scary by couchslug · · Score: 2

      "It seems the only thing that could prevent that from realizing would be some major game-changing advances in computer security, but I'm not seeing any indication that that's likely to happen..."

      Pre-computer security was an "air gap" (often reinforced with guards and alarms etc) between valuable systems and potential attackers.

      The horny craving to have everything connect to the internet and run Windows is to some extent a self-punishing mistake born of extreme hubris.

      --
      "This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
  7. Points 4. and 5... by djsmiley · · Score: 5, Insightful

    4. The servers appear to have been hacked by bruteforcing the root password. (We do not believe in the OpenSSH 4.3 0-day theory - that would be too scary!)
    5. The attackers have a burning desire to update OpenSSH 4.3 to version 5 as soon as they get control of a hacked server.

    Ah yes, let's pretend there is no problem because the idea that there is, is too scary. Someone kill me, please. The only other reason I can think of, which also ties in with the fact they were apparently checking the man page for sshd_config, is that something changed in the default settings between 4.8 and 5 and this they wanted desperately, but even then this would point to some sort of exploit. *(Maybe an exploit in the way the default settings are in CentOS, rather than in OpenSSH).

    --
    - http://www.milkme.co.uk
    1. Re:Points 4. and 5... by Anonymous Coward · · Score: 3, Informative

      4. The servers appear to have been hacked by bruteforcing the root password. (We do not believe in the OpenSSH 4.3 0-day theory - that would be too scary!)

      Why the f**k does PermitRootLogin default to yes in CentOS's sshd config?
      Isn't it supposed to be an enterprise-oriented distro?

    2. Re:Points 4. and 5... by CyprusBlue113 · · Score: 2

      Judging by the rest of the article, I strongly suspect it has more to do with enabling their secure hierarchy of Kerberos-based logins than turning off the exploit they used. You can see some of the other things they do relate to features that require OpenSSH 5+ once they're in.

      --
      a handful of selfish greedy people are no match for millions of selfish, greedy people -u4ya
    3. Re:Points 4. and 5... by Pharmboy · · Score: 4, Informative

      Why the f**k does PermitRootLogin default to yes in CentOS's sshd config?
      Isn't it supposed to be an enterprise-oriented distro?

      Most enterprises have IT staff to change that as soon as the OS is installed. The problem with not allowing root to ssh in with a fresh install is that a fresh install only creates the user "root", so you physically have to be at the machine to log in and setup the system if you don't allow root to ssh in. Yes, it is technically safer to disallow root to log in with a vanilla install, but it is inconvenient. On the DESKTOP, it makes sense to disallow root via ssh from a vanilla install, however.

      On servers, I usually set up vanilla, then ssh in, add a user, change to disallow root logins, and change the default port, then restart ssh, open a new session to test as that new user on the new port and "su -" to root, then log out of the first root shell, and finally start a new session on the new port and try to log in as root, to make sure I can't. I can't be that unique in doing it this way.

      Serious question to all: Do people still use the default port for SSH anymore? I never have, as once we went from telnet to ssh (over a decade ago...) we just always used a non-standard port. Makes my logs a lot easier to read.

      --
      Tequila: It's not just for breakfast anymore!
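
      The procedure Pharmboy describes, written out as an added example (not his script, and not anything from the Duqu analysis). The functions edit a copy of sshd_config so the result can be inspected before the live file is touched; the port number 2222 and the user name `ops` are assumptions. The privileged steps (adding the user, restarting sshd) are listed in the trailing comment rather than run, because the order matters: keep the existing root session open until the new user has logged in on the new port and reached root with `su -`.

```shell
#!/bin/sh
# Added example (not from the thread): the sshd hardening steps described
# above, applied to a COPY of sshd_config. Port 2222 and user "ops" are
# assumptions. Run the commented steps at the end by hand, as root.
set -eu

# Replace KEY whether it is active or commented out ('#KEY value', the CentOS
# default style), or append it if absent. All matching lines get the same
# value, so an option that appeared twice stays consistent.
set_sshd_option() {
    file=$1; key=$2; value=$3
    if grep -Eq "^[#[:space:]]*${key}[[:space:]]" "$file"; then
        sed -E "s|^[#[:space:]]*${key}[[:space:]].*|${key} ${value}|" "$file" > "$file.tmp"
        mv "$file.tmp" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# Print the effective value of KEY: sshd uses the first active occurrence.
# (Options inside a "Match" block are not special-cased here.)
get_sshd_option() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# The settings the post recommends: no root over ssh, non-default port,
# plus only the admin account allowed in and a low retry count.
# PasswordAuthentication is left alone until keys are actually deployed.
harden_sshd_config() {
    file=$1; port=$2; admin=$3
    set_sshd_option "$file" Port "$port"
    set_sshd_option "$file" PermitRootLogin no
    set_sshd_option "$file" AllowUsers "$admin"
    set_sshd_option "$file" MaxAuthTries 3
}

# Constructed stand-in for a stock sshd_config with defaults commented out.
DEMO_CFG=$(mktemp)
trap 'rm -f "$DEMO_CFG"' EXIT
cat > "$DEMO_CFG" <<'EOF'
#Port 22
#Protocol 2,1
Protocol 2
#PermitRootLogin yes
#MaxAuthTries 6
PasswordAuthentication yes
UsePAM yes
EOF

harden_sshd_config "$DEMO_CFG" 2222 ops
echo "--- hardened copy ---"
cat "$DEMO_CFG"

# On the live host, as root, in this order:
#   useradd ops && passwd ops                 # the account you will "su -" from
#   cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
#   harden_sshd_config /etc/ssh/sshd_config 2222 ops
#   sshd -t                                   # syntax check BEFORE restarting
#   service sshd restart                      # keep this root session open
# Then, from a second terminal: ssh -p 2222 ops@host, "su -", and only when
# that works log out of the first shell. Finally confirm that
# "ssh -p 2222 root@host" is refused and that port 22 no longer answers.
```

      `sshd -t` is the step people skip; a typo in sshd_config on a rented box with no console means the restart leaves you with no way back in.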
    4. Re:Points 4. and 5... by ChumpusRex2003 · · Score: 2

      I don't understand the "brute force" claim. In the article, they later explain:

      "Note how the 'root' user tries to login at 15:21:11, fails a couple of times and then 8 minutes and 42 seconds later the login succeeds. This is more of an indication of a password bruteforcing rather than a 0-day."

      This makes no sense to me. 2 attempts at a login, and then the 3rd succeeds? How is that brute force? Or is it just extraordinary luck (or an inept password policy)?

      While I don't regularly perform penetration testing, my current understanding of brute-forcing SSH passwords is that it requires thousands or millions of attempts, with the hope that an IDS doesn't spot the attempted ingress and lock down firewalls, etc.

      To me, this looks more like a 0-day. A few probes with potentially exploitative malformed logins, until they find one that works on the specific kernel/SSH version.
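
      Whatever the cause turns out to be, the pattern ChumpusRex2003 quotes (a few failed root logins, then a success minutes later from the same source) is the one a log review should surface. Added example, not from the thread or from the published analysis: an awk filter over syslog-format sshd lines that reports every accepted login preceded by failures for the same user/source pair, with the failure count and the gap, so a reviewer can separate a fat-fingered password from a slow guess or a probe. The sample lines are constructed (documentation-range addresses, an invented hostname and date); only the clock times reuse the ones quoted above. Timestamps are assumed to fall on one day.

```shell
#!/bin/sh
# Added example (not from the thread). Reads sshd lines from stdin in the
# usual syslog format and prints "USER IP fails=N gap=Ss" for each accepted
# login that followed N failures from the same user/source, where S is the
# seconds between the first failure and the success.
#   usage: flag_success_after_failures [MIN_FAILURES]   (default 1)
set -eu

flag_success_after_failures() {
    awk -v min="${1:-1}" '
    function secs(ts,  t) { split(ts, t, ":"); return t[1]*3600 + t[2]*60 + t[3] }
    # "Failed password for root from IP ..." or
    # "Failed password for invalid user NAME from IP ..."
    $6 == "Failed" {
        if ($9 == "invalid") { u = $11; ip = $13 } else { u = $9; ip = $11 }
        k = u " " ip
        if (!(k in fails)) first[k] = secs($3)
        fails[k]++
        next
    }
    # "Accepted password|publickey for USER from IP ..."
    $6 == "Accepted" {
        u = $9; ip = $11; k = u " " ip
        if ((k in fails) && fails[k] >= min)
            printf "%s fails=%d gap=%ds\n", k, fails[k], secs($3) - first[k]
        delete fails[k]; delete first[k]
    }'
}

# Constructed sample log: two root failures and a success 8m42s later from one
# source, a failed guess at a nonexistent user, and a clean key login.
SAMPLE_LOG=$(cat <<'EOF'
Oct 17 15:21:11 c2host sshd[2931]: Failed password for root from 203.0.113.5 port 40211 ssh2
Oct 17 15:21:16 c2host sshd[2931]: Failed password for root from 203.0.113.5 port 40211 ssh2
Oct 17 15:22:02 c2host sshd[2940]: Failed password for invalid user admin from 198.51.100.9 port 51000 ssh2
Oct 17 15:25:40 c2host sshd[2955]: Accepted publickey for deploy from 198.51.100.7 port 50022 ssh2
Oct 17 15:29:53 c2host sshd[2978]: Accepted password for root from 203.0.113.5 port 40310 ssh2
EOF
)

printf '%s\n' "$SAMPLE_LOG" | flag_success_after_failures
# On a real box: flag_success_after_failures < /var/log/secure
```

      A two-failure, nine-minute gap reads like a typist, not a dictionary attack; what makes it worth a second look is that the account is root and the success comes from an address that has never logged in before, which is a join against login history rather than something a single filter can decide.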

    5. Re:Points 4. and 5... by Pharmboy · · Score: 2

      Nothing foolish about knocking out 100% of the scripted attacks on the server, which are over 99% of the attacks that will ever be attempted on most servers. Running on a non-standard port isn't the solution to running a secure server, it is just part of the solution, and works great for 0 day exploits in particular. Any decent admin knows that.

      --
      Tequila: It's not just for breakfast anymore!
    6. Re:Points 4. and 5... by Jerry · · Score: 2

      "Brute force" in only three tries? How logical is that?

      --
      Running with Linux for over 20 years!

  8. Re:This says it all for Linux "security" by MMAfrk19BB · · Score: 3

    If I had mod points I would give them to you for actually linking articles that prove your point, but try to be a bit more coherent and maybe don't post as AC next time. Have the balls (or ovaries) to stand up for what you said. That being said, anyone who thinks that FOSS is $DEITY's gift to security by default is mistaken. Nothing is safe until someone competent configures, patches, and hardens it correctly. However, I don't believe that the proprietary corps are any better, and are usually worse, because they rely on security through obscurity (i.e. no one knows our code so we don't have to worry that much about it.)

  9. Re:This says it all for Linux "security" by americamatrix · · Score: 5, Insightful

    It's just like any other OS. You need to know what you're doing.

    A poorly setup Linux box will be worse than a locked down Windows install. Everyone knows this.

    To say Linux itself is inherently vulnerable is an ignorant statement.


    -americamatrix

  10. Re:This says it all for Linux "security" by jellomizer · · Score: 2, Interesting

    Oh come on!
    If someone did a rant like this for Windows it would be moderated +5 Insightful.

    The Agenda here is to point out that Linux isn't the God of OS. It has its problems just like Windows and the others. As we giggle and glee when there is a Major Windows Issue, we like to discredit any Linux problem.

    It isn't that Windows is more secure than Linux, but there are too many people running Linux feeling invincible from all the world has to attack them.
    The biggest problem in IT security isn't the OS, it is the dumb ass who runs the systems.

    You can have a Windows network running for years without a security issue. You can have a Linux network that is attacked daily. It is determined by the skill of the system administrator.

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
  11. Re:They didn't infect Kippo by mzs · · Score: 2

    Kippo will not work for anyone but the kiddies. Did you change the default root passwords even? Those two are a real tip-off to a honeypot. Also there are hardly any commands, ifconfig never changes, and in this case /etc/issue says Debian and these people were after CentOS. If you had been hacked, you would have had the vulnerable sshd and no Kippo logs would have been the least of your worries.

  12. All CentOS, but no RHEL by gatkinso · · Score: 2

    That makes me think twice about skipping on that Redhat license.

    Perhaps the folks at Cent should be checking their logs.

    --
    I am very small, utmostly microscopic.
  13. Re:This says it all for Linux "security" by Anonymous Coward · · Score: 3, Interesting

    Current proof that Linux's NOT "invulnerable secure" yet again, & yes, that Linux does get targeted by malware...

    Yeah, go for it! You keep at it, pal! You're beating your opponent so hard that the straw is leaking out!

    Seriously, nobody with any credibility has ever claimed that Linux is "invulnerable secure". The strongest argument usually made is that Linux is more secure than Windows, which was absolutely true when it was commonly being made 10 years ago. The debate has moved on. The claims you should be arguing against today are that Linux is better value-for-money on servers, and more secure than Windows specifically on the desktop.

    As for malware - well, a targeted attack probably by a nation-state is hardly the scenario people are thinking of when they say "Linux doesn't get viruses". The claim you should be fighting here is that Linux is less likely to be hit by drive-by malware or compromised at random by malicious websites. These claims are absolutely true; even if Linux is no more secure than Windows, it is still a much smaller and less attractive target, and therefore safer.

    But, hey, I'm getting in the way of you beating on your strawman, so I'll shut up now and let you keep on with your regularly scheduled trolling!

  14. Re:Sleep well at night. by knarfling · · Score: 2

    4. Change PermitRootLogin to no. If you must have remote root access, make them log in as a normal user and su to root. (Better yet, set up sudo and control who can do what.)

    --
    Great civilizations have lived and died on false theories. Don't mess up mine with a few facts.
  15. Re:They didn't infect Kippo by Anonymous Coward · · Score: 3, Interesting

    Same AC here.

    I actually rewrote many of the commands to appear more realistic. You can also change the output of various commands with a simple configuration change.

    I also implemented better wget/curl support along with the virtual FS so it appears to be more accurate.

    I agree about it being obvious to educated attackers. That's why I modified it. I enjoy watching the sessions on many of the servers I run for a large hosting company.

  16. Re:They got it backwards by gatkinso · · Score: 2

    Patch the hole because you don't want someone else (say a pron spammer) to come in behind you and end up getting caught (or screwing up your server). But yes there could be an exploit they are using in 5.x as well.

    I suspect it was not a brute force attack, they simply disguised the exploit as one so that it falls into the noise of the hundreds of brute force attacks each day.

    --
    I am very small, utmostly microscopic.
  17. duqu definition in short by boldi · · Score: 3, Informative

    http://en.wikipedia.org/wiki/Duqu

    Duqu is a computer worm discovered on 1 September 2011, thought to be related to the Stuxnet worm. The Laboratory of Cryptography and System Security (CrySyS) of the Budapest University of Technology and Economics in Hungary, which discovered the threat, analyzed the malware and wrote a 60-page report, naming the threat Duqu. Duqu got its name from the prefix "~DQ" it gives to the names of files it creates.
    Symantec, based on the CrySyS report, continued the analysis of the threat, which it called "nearly identical to Stuxnet, but with a completely different purpose", and published a detailed technical paper on it with a cut-down version of the original lab report as an appendix. Symantec believes that Duqu was created by the same authors as Stuxnet, or that the authors had access to the source code of Stuxnet.

    More likely Duqu==Stuxnet==Stars. Same guys, different vulns, different tools. Duqu is an instance made from a lego-kit.

  18. Re:Thank you & more inside... apk by chill · · Score: 2

    People don't like your posts for several reasons.

    1. You compare Apples to Oranges. Specifically a fully-hardened Windows system to an out-of-the-box Linux distro.

    2. You're overly sensitive to little criticisms. This is easily seen by the thread you linked to on the PC Pitstop forum. (Side question -- why are you banned from there?)

    3. Your childish references to things like "open sores" ranks you right down there with the people who call it "M$". Grow up.

    4. You seem to confuse the OpenBSD crowd and their "secure by default / no remote hole in XX years / we are unhackable" attitude with Linux supporters. Though, admittedly, there are fanboys and fanatics in every camp.

    5. Some of your indirect links are questionable. For example, from the PC Pitstop forum article you lauded this link on IPSec. http://www.analogx.com/contents/articles/ipsec.htm

    I'm unsure how to respond to that other than to say WTF? That has as much to do with IPSec as your post does with ice skating. It is talking about configuring a host firewall and never mentions anything about, well, IPSec!

    Finally, one of the main security benefits a Linux system has over Windows is the ability to REMOVE any component that isn't needed. Not just disable, but actually remove it totally.

    Custom Linux kernels can be built to support only the hardware on a specific machine. Entire classes of devices, from the printing subsystem to networking can be removed totally. You can't do that with Windows.

    --
    Learning HOW to think is more important than learning WHAT to think.
  19. Re:Sleep well at night. by knarfling · · Score: 2

    There are several ways that this is safer.
    1. It removes the known user problem. Since root is a user on all Linux boxes, if I want access, all I have to do is to find a password. I only have to discover one piece of information. If root cannot log in, I must now find three pieces of information: a username, a password for that user, and the root password.
    2. It discourages scripting attacks. Since root cannot get in, I would need to modify my script to try common usernames, or try specific usernames for each company or server I am attacking. While this does not block attacks that are targeted directly against me, script writers going after the easy targets are unlikely to spend the time needed to figure out what usernames are valid for my servers.
    3. If I do breach a computer with a specific username, I now have two avenues of approach. I can try to exploit another hole that allows privilege escalation, or try to determine a root password. Guessing, using dictionary attacks/rainbow tables, or brute force methods take time. This increases the odds of being detected by Host Integrity Monitors (if they are being used). There is no guarantee that software with an exploitable hole is deployed on that server, or that the user I have compromised has access to that software.
    4. Logging. Instead of one part of a log that might be missed showing that I logged in as root, I now have multiple log entries. At least one showing that I logged in as a normal user, and another showing that the user had escalated privileges. Again, increasing the odds that I will get caught. Hopefully before I can do any damage.
    5. Although this does not appear to be common, at least one company I know has monitoring set up to detect root access. A second local account is set up with root privileges. Admins sudo to the second account and only admins have rights to sudo su to it. The root is given a very, very complex password that is hidden. Traps are placed so that all admins are alerted if anyone at all logs in as root. If I get an alert in the day that someone is logging in as root, I can check with other admins to see who is doing what. If I get an alert at night, I can guess that my server has probably been breached and I can take appropriate steps. I don't get alerts for normal occasional root functions, but if someone does breach my servers, I know before they can do much.

    These are just a few ways that using a normal user and then forcing su or sudo to root is safer. There might be more that I don't remember at the moment. BTW, this does not prevent all attacks, but it does help.

    --
    Great civilizations have lived and died on false theories. Don't mess up mine with a few facts.
  20. Re:AC troll that "kicked my ass" (lol, NOT) by Jerry · · Score: 4, Insightful

    Wow, windy fellow, aren't you?

    Your rant has one HUGE hole. Your citations are about one-off manual attacks against Linux. Not a single case involves a large group of Linux boxes being compromised with a single email sent out from a spam box.

    Most attacks against Windows boxes are carried out by a simple email payload. That's how the 4,500,000+ Windows zombie bot farm was created last year within a couple of weeks. A Linux zombie bot farm was found last year as well. It contained only 700 boxes and it took the group of hackers who created it nearly six months to do so because they had to manually attack each machine. They ran dearjohn against who knows how many machines trying to find those with insecure root passwords. 700 in six months. They immediately secured those machines against all known exploits and used them for C&C machines to control much, much larger Windows bot farms because Linux IS secure. How many C&C Windows boxes have you heard about?

    --
    Running with Linux for over 20 years!