Duqu Attackers Managed to Wipe C&C Servers

Trailrunner7 writes with an update in the saga of Duqu and Stuxnet. From the article: "Shortly after the first public reports about Duqu emerged in early autumn, the crew behind Duqu wiped out all of the command-and-control servers that had been in use up to that point, including some that had been used since 2009. An in-depth analysis of the known C&C servers used in the Duqu attacks has found that some of the servers were compromised as far back as 2009, and that the attackers clearly targeted Linux machines. All of the known Duqu C&C servers discovered up to this point have been running CentOS ... There also is some evidence that the attackers may have used a zero-day in OpenSSH 4.3 to compromise the C&C servers initially."

NO!

[masternerdguy]

Damn, not the command and conquer servers. My weekend is fried.

Umm, how about a little context?

[Evro]

Editors, your job is not simply to click "post." Read the submission and see if it makes sense. I have no idea what Duqu is or what this is about. I had to dig down 2 links deep to see that this was related to an attack in India. Context: provide it.

Points 4. and 5...

[djsmiley]

4.The servers appear to have been hacked by bruteforcing the root password. (We do not believe in the OpenSSH 4.3 0-day theory - that would be too scary!)
5.The attackers have a burning desire to update OpenSSH 4.3 to version 5 as soon as they get control of a hacked server.

Ah yes, lets pretend there is no problem because the idea that there is, is too scary. Someone kill me, please. The only other reason I can think of, which also ties in with the fact they were appently checking the man page for sshd_config is that something changes in the default settings between 4.8 and 5 and this they wanted desperately, but even then this would point to some sort of exploit. *(Maybe an exploit in the way the default settings are in centos, rather than in openssh).

Re:Points 4. and 5...

[Pharmboy]

Why the f**k PermitRootLogin defaults to yes on CentOS's sshd config?
Isn't it supposed to be a enterprise oriented distro?

Most enterprises have IT staff to change that as soon as the OS is installed. The problem with not allowing root to ssh in with a fresh install is that a fresh install only creates the user "root", so you physically have to be at the machine to log in and setup the system if you don't allow root to ssh in. Yes, it is technically safer to disallow root to log in with a vanilla install, but it is inconvenient. On the DESKTOP, it makes sense to disallow root via ssh from a vanilla install, however.

On servers, I usually setup vanilla, then ssh in, add a user, change to disallow root logins, and change the default port, then restart ssh, open a new session to test as that new user on the new port and "su -" to root, then log out of the first root shell, and finally start a new session on the new port and try to root in, to make sure I can't. I can't be that unique in doing it this way.

Serious question to all: Do people still use the default port for SSH anymore? I never have, as once we went from telnet to ssh (over a decade ago...) we just always used a non-standard port. Makes my logs a lot easier to read.

Re:This says it all for Linux "security"

[americamatrix]

It's just like any other OS. You need to know what your doing.

A poorly setup Linux box will be worse than a locked down Windows install. Everyone knows this.

To say Linux itself is inherently vulnerable is an ignorant statement.


-americamatrix

Re:Dear Kids...

[amicusNYCL]

My point was that several servers do use SSH. If I rent a dedicated server, SSH is how I get things done. If an exploit is discovered in httpd, the correct solution is not to block port 80.

Re:Dear Kids...

[Em+Adespoton]

The only things you should need open to the internet are SSH ("the attackers may have used a zero-day in OpenSSH 4.3 to compromise the C&C servers initially") and/or IPSec/L2TP. Anything else should redirect to a DMZ that does NOT route to the same subnet as SSH/IPSec/L2TP. The DMZ should not have port access to the regular network (everything should be pushed). The firewall should be set to not allow active connections out from the DMZ to anywhere, and any activity should not just be logged, but flagged and sent to the administrator. All devices in the DMZ should log to a remote (to them) syslog that is polled from outside the DMZ.

There... that's the ideal world. In reality, this doesn't account for people who don't have that much hardware/expertise with VMs, for people who don't keep up with their patches, for those who want to do an end-run around this policy to set up torrents, etc. directly from their working computer, etc.

It also doesn't help that most gateway routers these days have some full-fledged OS inside and as a result often have exploits that can be leveraged directly against them due to inappropriate default configurations.

Re:AC troll that "kicked my ass" (lol, NOT)

[Jerry]

Wow, windy fellow, aren't you?

Your rant has one HUGE hole. Your citations are about one-off manual attacks against Linux. Not a single case involves a large group of Linux boxes being compromised by with a single email sent out from a spam box.

Most attacks against Windows boxes are carried out by a simple email payload. That's how the 4,500,000+ Windows zombie bot farm was created last year within a couple of weeks. A Linux zombie bot farm was found last year as well. It contained only 700 boxes and it took the group of hacker who created it nearly six months to do so because they had to manually attack each machine. They ran dearjohn against who knows how many machines trying to find those with insecure root passwords. 700 in six months. They immediately secured those machines against all known exploits and used them for C&C machines to control much, much larger Windows bot farms because Linux IS secure. How many C&C Windows boxes have you heard about?