Slashdot Mirror


Speedy Attack Targets Web Servers With Outdated Linux Kernels

alphadogg writes "Web servers running a long-outdated version of the Linux kernel were attacked with dramatic speed over two days last week, according to Cisco Systems. All the affected servers were running the 2.6 version, first released in December 2003. 'When attackers discover a vulnerability in the system, they can exploit it at their whim without fear of it being remedied,' Cisco said. After the Web server has been compromised, the attackers slip in a line of JavaScript to other JavaScript files within the website. That code bounces the website's visitors to a second compromised host. 'The two-stage process allows attackers to serve up a variety of malicious content to the visitor,' according to Cisco."

24 of 93 comments

  1. No Details by OverlordQ · · Score: 4, Insightful

    So the webserver was compromised and JavaScript was inserted and their first thought is it's the kernel?

    --
    Your hair look like poop, Bob! - Wanker.
    1. Re:No Details by jythie · · Score: 2

      It would have been nice if they at least said WHICH kernel versions, or which web server, or which version of web server.

      I admit, I have some fairly obsolete (and difficult to upgrade) linux boxes running in my lab, this is the kind of detail I would kinda like to know....

    2. Re:No Details by X0563511 · · Score: 4, Insightful

      You clearly don't understand the lifecycle of a production OS.

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    3. Re:No Details by Anonymous Coward · · Score: 2, Insightful

      Yeah, the article is extremely uninformative. They say 2.6 and yet RHEL/CENTOS 6.5 are 2.6... so that means nothing as far as being "old" or "outdated".

      Well it sort of does. RHEL is intentionally outdated because that's what their market wants. It's stupid, I know, but there are a lot of people out there who still really want a world where software never updates so the hacked together shit that runs their business can keep running rather than doing it right.

      "Doing it right" includes not "upgrading" things that aren't broke, or "just cuz".

      The idea is to split "change for the sake of change" and "change for stability and security reasons" into separate buckets.

      You don't rip out all the "old" appliances in your house each time a newer one comes out do you? You'd cause more damage moving things around than you'd gain from the new features trickling in. You fix them in place until the cost to do so is more than buying a newer one. That's just common sense. "Upgrading" software is in no way free, when you actually need it to work.

    4. Re:No Details by number6x · · Score: 4, Insightful

      Age of the code and the level of patches are two different things

      Older code has had more time for vulnerabilities to be found and patched.

      Newer code is, well, newer and has had less time for vulnerabilities to be patched.

      In general if you want to maximise vulnerability, run the oldest code, but apply no patches. The next most vulnerable general case would be to run the newest code because you are playing with untested fire and risking zero day exploits.

      In production systems it is usually best to run code that is old enough to be stable, well tested and well patched.

      There are counter examples when a long unknown exploit is discovered, but the same kind of exploits could live in brand new code as well. However new code could contain some really simple exploits that will be patched pretty quickly. You don't want your production system to be the system opening up the tickets with support that find the exploit is the root cause. Because that means you've got to explain to your customers why their credit card numbers have all been stolen.

    5. Re:No Details by Nimey · · Score: 4, Funny

      Spot the guy who's never done professional IT.

      --
      Hail Eris, full of mischief...

      E pluribus sanguinem
    6. Re:No Details by Penguinisto · · Score: 3, Insightful

      You clearly don't understand the lifecycle of a production OS.

      ...nor does he understand the concept of back-porting patches, apparently.

      --
      Quo usque tandem abutere, Nimbus, patientia nostra?
    7. Re:No Details by markdavis · · Score: 3, Insightful

      You clearly don't understand what it means to run real-world business IT infrastructure. Just because something is older doesn't mean it is "outdated" or "insecure". RHEL/CentOS update the packages for a long time making them relevant and still secure through backporting and patches.

      Sometimes stability and reliability are far more important and efficient than constantly ripping everything out and starting over again every year or two. Besides, the more bleeding edge like Fedora and Ubuntu and Mint are more likely to have NEW security holes with less manpower behind them to fix it quickly.

      There is a reason that RHEL and CentOS are so popular for servers and "utility" boxes.

    8. Re:No Details by Barsteward · · Score: 2

      Don't worry, it's a crap report with no real analysis.
      Here is a short list of some of the actual compromised sites from the WhiteFir analysis report
      Compromised Websites

      archive.mrpools.co.uk Windows Server 2003
      blueprintbowling.com Windows Server 2008 R2
      hwy65mx.com Windows Server 2003
      jandjpoolspa.com Windows Server 2003
      mussotra.com Windows Server 2003

      Second Compromised Websites

      3d2print.eu FreeBSD
      7va.cc Windows Server 2008 R2
      babycaust.info Windows Server 2008
      banderil.com.ar Windows Server 2008 R2
      c2consultores.com.ar Windows Server 2008 R2

      --
      "The hands that help are better far than lips that pray." - Robert Ingersoll (1833-1899)
  2. Slashdot continues its decline by Nimey · · Score: 4, Informative

    All the affected servers were running the 2.6 version, first released in December 2003.

    Not even wrong. I guarandamntee you that none of the affected computers were actually running 2.6.0, and it wouldn't have been /that/ long ago that such an obviously stupid and ill-researched claim wouldn't have been posted.

    Soulskill, you /do/ understand that there were forty different versions of Linux in the 2.6 series, do you not? You do understand that the final 2.6 release was in August 2011 and it was numbered 2.6.39.4, which I know because I did 5 minutes of basic Googling?

    --
    Hail Eris, full of mischief...

    E pluribus sanguinem
    1. Re:Slashdot continues its decline by Bacon+Bits · · Score: 3, Insightful

      You didn't read the article, did you? TFS is vague, but so is the article. The article contains no details about the vulnerability. It only contains information about the severity and locations of the attacks. Comments on the article add "Version 2.6.18 appeared to be particularly prevalent." The article is shockingly limited on details.

      Slashdot's editors often appear to be asleep at the wheel, but this time the editors weren't adding anything that wasn't in the original article.

      --
      The road to tyranny has always been paved with claims of necessity.
    2. Re:Slashdot continues its decline by Nimey · · Score: 2

      That's exactly my point. "The 2.6 version" is meaningless and Soulskill should have known better; there's a huge difference between 2.6.0 and 2.6.39.

      --
      Hail Eris, full of mischief...

      E pluribus sanguinem
  3. Re:where's the door? by Anonymous Coward · · Score: 5, Informative

    I think it's pretty unfair to refer to kernel 2.6, subversions of 2.6 were in use in one form or another from 2003 to 2011, 3.0 was brought about because Linus randomly decided to up the version number one day, not because of any single significant change. Plenty of old distros that still have security support are running 2.6 kernels that are regularly patched and completely up to date security wise.

  4. horrible article, author has no idea about 2.6 by Gothmolly · · Score: 5, Insightful

    "All of the affected web servers that we have examined use the Linux 2.6 kernel."

    Right, because RHEL (and Centos) run 2.6.... so sampling ANY number of servers is likely going to show that they run 2.6.

    Is Slashdot just a click redirector these days? Do 'editors' remotely 'edit' anything?

    --
    I want to delete my account but Slashdot doesn't allow it.
    1. Re:horrible article, author has no idea about 2.6 by mlts · · Score: 2

      TFA tells us nothing. Even the followup about 2.6.18 being the worst culprit and the note that upgrading the kernel will not help makes it even more pointless.

      My fix: yum upgrade, and if the update does grab a new kernel, reboot. There was a kernel bug (long since patched) a few years ago that allowed attacks past even SELinux... but if one is running a recent distro, this shouldn't be an issue.

      Of course, one should doublecheck what is likely the real culprit... applications like apache and its modules, and perhaps check for compromised credentials [1].

      [1]: On Internet-facing machines, if possible, I configure ssh to only allow public/private keys and no passwords. That way, if the remote machine gets completely pwned, the attacker will have my SSH public key, which is a lot less of an issue than having a hashed password list.
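
    The key-only SSH policy mlts describes above, as an added example that is not code from any commenter or from the Cisco report: a POSIX sh audit of an sshd_config. sshd honours the first occurrence of each keyword, and anything below the first Match line applies only to matching connections, so the parser reads the file the same way. The keyword names are real sshd_config directives; the config files in the usage note are constructed for illustration, and the script assumes only sh and awk. On a live host, compare its verdict against `sshd -T`, which prints the values sshd actually uses.

```shell
#!/bin/sh
# Added example, not taken from the thread or the Cisco report: audit an
# sshd_config for the "public keys only, no passwords" policy.
# sshd honours the FIRST occurrence of a keyword, and directives below the
# first "Match" line apply only to matching connections, so the parser reads
# the file the same way. Assumes POSIX sh and awk. On a live host, cross-check
# against `sshd -T`, which prints the values sshd actually uses.

# sshd_effective CONFIG KEYWORD
# Print the global value of KEYWORD in lower case, or nothing if it is unset.
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        {
            line = $0
            sub(/#.*/, "", line)                 # drop comments
            gsub(/^[ \t]+|[ \t]+$/, "", line)    # trim
            if (line == "") next
            split(line, f, /[ \t=]+/)            # "Key value" or "Key=value"
            k = tolower(f[1])
            if (k == "match") exit               # global section ends here
            if (k == key) { print tolower(f[2]); exit }   # first hit wins
        }' "$1"
}

# sshd_audit CONFIG
# Print one finding per line; return 0 when the policy holds, 1 otherwise.
sshd_audit() {
    cfg=$1
    n=0
    pw=$(sshd_effective "$cfg" PasswordAuthentication)
    pk=$(sshd_effective "$cfg" PubkeyAuthentication)
    kbd=$(sshd_effective "$cfg" KbdInteractiveAuthentication)
    # Older releases spell the same switch ChallengeResponseAuthentication.
    [ -n "$kbd" ] || kbd=$(sshd_effective "$cfg" ChallengeResponseAuthentication)
    root=$(sshd_effective "$cfg" PermitRootLogin)

    # Unset keywords fall back to sshd's defaults, which are the permissive ones here.
    if [ "${pw:-yes}" != "no" ]; then
        echo "PasswordAuthentication=${pw:-unset (default yes)}: set to no"
        n=$((n + 1))
    fi
    if [ "${pk:-yes}" != "yes" ]; then
        echo "PubkeyAuthentication=$pk: set to yes"
        n=$((n + 1))
    fi
    if [ "${kbd:-yes}" != "no" ]; then
        echo "KbdInteractiveAuthentication=${kbd:-unset (default yes)}: set to no, or PAM can still prompt for a password"
        n=$((n + 1))
    fi
    case "${root:-unset}" in
        no|prohibit-password|without-password) ;;
        *)
            echo "PermitRootLogin=${root:-unset}: set to no or prohibit-password (old OpenSSH defaulted to yes)"
            n=$((n + 1)) ;;
    esac
    [ "$n" -eq 0 ]
}

# Usage: sh sshd_audit.sh /etc/ssh/sshd_config
if [ -n "${1:-}" ]; then
    sshd_audit "$1"
fi
```

    Run it as `sh sshd_audit.sh /etc/ssh/sshd_config`. A file that only has `#PasswordAuthentication no` commented out, or that sets it inside a Match block, is reported as still accepting passwords, which is exactly the case a quick `grep` misses.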

  5. It would be nice to know what Web Server... by Virtucon · · Score: 2

    "We think your door is unlocked but we won't say which house it is or where it's located."

    Talk about vague.

    --
    Harrison's Postulate - "For every action there is an equal and opposite criticism"
  6. Re:where's the door? by hermitdev · · Score: 3, Interesting

    While it is supported, and RH claims backwards compatibility, they do have an annoying habit of breaking things. I remember going from a point minor version of RHEL 5 (I think it was 5.5 to 5.6; it might have been an earlier release) to the next, and they broke the behavior of semaphores. In the prior version, a "sem_wait" would block until the semaphore was signaled, in the next version, it'd indicate errno EAGAIN. This was an unexpected change and required code changes for my company's apps at the time to busy wait when trying to acquire a semaphore.

  7. Worse than No Details: by Penguinisto · · Score: 5, Informative

    It gets worse (or IMHO, less competent):

    Author Comment FTFA (bottom of page - emphasis mine):

    "We haven’t identified the initial attack vector. We have no reason to suspect that the attack isn’t via http. I’d be very interested to hear from any affected sys admins if they identify how the attackers gain access."

    In other words, they don't even know if it's the effing kernel at this point -all they know is that 2,000 some-odd websites have been bit, and they all use the absolute most common kernel version for webservers on the planet (2.6.x).

    Hell, for all we know it could be some commonly-shared crappy PHP script getting popped. :/

    --
    Quo usque tandem abutere, Nimbus, patientia nostra?
    1. Re:Worse than No Details: by Barsteward · · Score: 2

      Correct. here is a good analysis of the stupid report http://www.whitefirdesign.com/...

      --
      "The hands that help are better far than lips that pray." - Robert Ingersoll (1833-1899)
  8. Not only Linux by avij · · Score: 2

    There is a list of affected sites linked in the comments. The first one on the list is running FreeBSD. I did not bother checking the rest.

    --
    Follow your Euro bills at EBT
    1. Re:Not only Linux by JohnFen · · Score: 2

      Oh, hell, looking through that list... there are Windows Server installations in there as well!

  9. Apache bug? by cant_get_a_good_nick · · Score: 2

    From the comments on the announce page, since (almost) nobody will go over there.

    The first site on compromise_1.txt seems to be running “Apache/2.2.26 (FreeBSD) DAV/2 mod_ssl/2.2.26 OpenSSL/0.9.8y”, which does not quite sound like it’d be running Linux at all. As others have already pointed out, I would not blame this on a Linux kernel bug yet.

    So, it looks like the "old 2.6.x kernel releases" was really just a signal for "old nonupdated code".

    BTW: for those who bitch about "well the 2.6 line was patched and maintained all the way to 2011" they do have a line where they imply the 2.6 kernels are early kernels, not the latter 2.6.20 whatever ones, but it's not a well written article and is easy to miss.

  10. Advert for Cisco Web Security by wjcofkc · · Score: 2

    FTFA:

    All of the affected web servers that we have examined use the Linux 2.6 kernel.

    For clarity, the old kernel is a common indicator on the compromised hosts.

    Okay, so between 2003 and 2011 there have probably been 3 dozen versions of that kernel. The overwhelming majority of Linux based web servers run the vetted, thoroughly tested and patched, tried and true 2.6 series Linux Kernel. This makes me concerned Cisco doesn't understand what it means to run a production system. Also, what do they even mean by "web server" are we to assume Apache? Because there are alternatives in use... lots. Considering most Linux based web servers are running a variation of the 2.6 kernel, then of course that's where they will find the attacks (Duh anyone?). I would be much more interested in what web server we are talking about and any commonality between them over the kernel of the operating system. I am shaking my head trying to figure out what this article is really trying to communicate especially since they practically shoot down most of their article with the "Update" at the top.

    Although users of Cisco’s Cloud Web Security solution are protected from this attack...

    Oh, I get it now.

    --
    Brought to you by Carl's Junior.
  11. Read the comments first. by shipofgold · · Score: 3, Interesting

    The comments at the end of the CISCO article flush out the fact that they noticed a line of malicious javascript at the end of a large number of .js files but they have no idea how it got there.

    In fact the list of JS files given include many that are not even running on Linux servers.

    The author is irresponsible at best, and incompetent at worst...
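
The symptom the summary and shipofgold both describe is a line appended to existing .js files, with the entry vector unknown. Whatever the vector, a hash baseline of the script files catches that change on the next check. The script below is an added example, not code from the Cisco report or from anyone in the thread; it assumes POSIX sh with find, comm and sha256sum (falling back to shasum), and the file names and the appended line in the usage note are constructed for illustration, not the real payload. The manifest must live somewhere the web server's account cannot write, or the attacker simply re-baselines for you.

```shell
#!/bin/sh
# Added example, not taken from the Cisco report or the thread: a hash
# baseline for the .js files under a web root, so that a line appended to a
# script (the symptom the report and shipofgold describe) shows up as a
# changed file on the next check, whatever the initial entry vector was.
# Assumes POSIX sh, find, comm, and sha256sum (or shasum as a fallback).
# Keep the manifest off the web root, on a host the web server cannot write to.

hash_tool() {
    if command -v sha256sum >/dev/null 2>&1; then
        echo sha256sum
    else
        echo "shasum -a 256"
    fi
}

# js_baseline WEBROOT MANIFEST
# Record "hash  path" for every .js file under WEBROOT, sorted so comm can diff it.
js_baseline() {
    find "$1" -type f -name '*.js' -exec $(hash_tool) {} + | LC_ALL=C sort > "$2"
}

# js_check WEBROOT MANIFEST
# Print every .js file whose current hash is not in the manifest (modified or
# new) and every manifest path that no longer exists. Return 0 if nothing
# changed, 1 otherwise.
js_check() {
    webroot=$1; manifest=$2
    current=$(mktemp)
    js_baseline "$webroot" "$current"
    # Lines in the current listing that the manifest does not contain.
    changed=$(LC_ALL=C comm -13 "$manifest" "$current" | sed 's/^[0-9a-f]\{64\} *//')
    # Manifest paths that are gone from disk.
    removed=$(sed 's/^[0-9a-f]\{64\} *//' "$manifest" | while IFS= read -r p; do
        [ -e "$p" ] || printf 'missing %s\n' "$p"
    done)
    rm -f "$current"
    if [ -z "$changed$removed" ]; then
        return 0
    fi
    [ -z "$changed" ] || printf '%s\n' "$changed" | sed 's/^/modified-or-new /'
    [ -z "$removed" ] || printf '%s\n' "$removed"
    return 1
}

# Usage: sh js_integrity.sh baseline /var/www/html /var/lib/js.manifest
#        sh js_integrity.sh check    /var/www/html /var/lib/js.manifest
case "${1:-}" in
    baseline) js_baseline "$2" "$3" ;;
    check)    js_check "$2" "$3" ;;
esac
```

Take the baseline right after a deployment, then run the check from cron and alert on a non-zero exit. A reported file still has to be read by hand: a legitimate deploy and an appended redirect look identical to a hash, which is the point of keeping the manifest tied to releases.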