Akamai Warns: Linux Systems Infiltrated and Controlled In a DDoS Botnet
An anonymous reader writes Akamai Technologies is alerting enterprises to a high-risk threat of IptabLes and IptabLex infections on Linux systems. Malicious actors may use infected Linux systems to launch DDoS attacks against the entertainment industry and other verticals. The mass infestation of IptabLes and IptabLex seems to have been driven by a large number of Linux-based web servers being compromised, mainly by exploits of Apache Struts, Tomcat and Elasticsearch vulnerabilities. Attackers have used the Linux vulnerabilities on unmaintained servers to gain access, escalate privileges to allow remote control of the machine, and then drop malicious code into the system and run it. As a result, a system could then be controlled remotely as part of a DDoS botnet. The full advisory is available for download only with registration, but the (Akamai-owned) Prolexic page to do so is quite detailed.
So vulnerable servers get compromised. This is news? News worth registering to read? Hrmph.
A link to get a white paper needing a registration is even worse than linking to a paywall
Well if they just had installed Linux.... Oh, damn.
everyone knows only windows can get infected
Who says that I mind if my computer gets used to attack the RIAA?
After all these years of neckbeard fanbois telling me they don't get viruses, here's proof that linux too is vulnerable! Finally I can link to this article whenever I hear this bogus claim hahahaha. Because we all know in reality linux doesn't have many viruses because only less than 1% market share!
How is Ballmer responsible for this?
So, to remove this do I just have to do this? /sbin/iptables
sudo rm -r
GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
How do these exist?
Is this it?
It little behooves the best of us to comment on the rest of us.
> may use infected Linux systems to launch DDoS attacks against the entertainment industry...
WHERE IS THE DOWNLOAD LINK?
Oh yes, I am familiar with this iptables malware. I once had a machine running using ipchains, but iptables somehow made its way on to my machine and pretty much just killed ipchains functionality. I could not get it working again no matter how hard I tried. In case it modified my kernel, I even downloaded the latest from kernel.org (2.4.x) and compiled a new one, but to no avail.
I gave up and went to Windows.
Attackers have used the Linux vulnerabilities on unmaintained servers to gain access, escalate privileges to allow remote control of the machine, and then drop malicious code into the system and run it. As a result, a system could then be controlled remotely as part of a DDoS botnet.
What the hell is a vertical?
CVEs or it doesn't exist.
Any /. article that talks about security vulnerabilities or exploits and does not reference the relevant CVEs in the summary is a worthless piece of shit.
the growth in cynicism and rebellion has not been without cause
This infection seems to come through apache tomcat (java servlet/JSP) and/or apache Struts/Elasticsearch (java MVC framework/ java search lib).
It has a proper name according to This guy.
This threat is known as the infection of .IptabLex and .IptabLes ELF #DDoS backdoor trojan (malware).
From TFA.
"Attackers have exploited Linux servers that run unpatched versions of Apache Struts and Tomcat with vulnerabilities"
Apache Struts, Tomcat, and elasticsearch (mentioned in the summary) are all written in java.
To me, that indicates a JAVA vulnerability, not a Linux vulnerability.
Death has been proven to be 99% fatal in lab rats.
Once again, every component compromised was a piece of Java software. When will people learn that running a JVM is the most insecure thing you can do on any system?
That is the summary and contains the link to the full advisory.
Spoiler Alert:
Bash commands
Two bash commands from PLXsert are designed to clean a system infected with the ELF IptabLes binary. After running these commands, system administrators are advised to reboot the system and run a thorough system inspection.
sudo find / -type f -name '.*ptabLe*' -exec rm -f {} ';'
ps -axu | awk '/\.IptabLe/ {print $2}' | sudo xargs kill -9
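Before running the two deletion commands above, an administrator would normally want to see what they are about to remove. The script below, added here as an example and not PLXsert's or the poster's code, reports files and processes matching the same name patterns without deleting or killing anything; the sample ps output and paths in it are constructed.

```shell
#!/bin/sh
# Added example, not from the advisory or the poster. Report-before-remove
# triage for the indicators the two PLXsert commands key on: files named
# '.*ptabLe*' and processes whose command line contains '.IptabLe'.
# Listing first preserves evidence (hashes, timestamps) that 'rm -f' and
# 'kill -9' destroy, and lets you confirm matches are not false positives.
# Usage: . ./triage.sh; triage_report /

# Constructed 'ps aux' output standing in for a live system (not real data).
SAMPLE_PS='USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.1 33000 2800 ? Ss 09:00 0:01 /sbin/init
root 4242 97.0 0.4 8100 1900 ? Rs 09:03 7:12 /tmp/.IptabLes
www-data 4243 0.0 0.3 6200 1400 ? S 09:03 0:00 /usr/sbin/apache2 -k start'

# find_iptables_files ROOT: regular files under ROOT (same filesystem only)
# whose name matches the advisory's pattern, one path per line.
find_iptables_files() {
    find "$1" -xdev -type f -name '.*ptabLe*' 2>/dev/null
}

# iptables_pids_from_ps: read 'ps aux' text on stdin and print the PIDs whose
# command field (column 11 onward) contains '.IptabLe'. Matching only the
# command columns avoids false hits on USER/TTY fields and on the header line.
iptables_pids_from_ps() {
    awk '{ cmd = ""; for (i = 11; i <= NF; i++) cmd = cmd " " $i }
         cmd ~ /\.IptabLe/ { print $2 }'
}

# triage_report ROOT: print what the cleanup commands *would* touch, with
# size and mtime per file, using the live process list. Nothing is removed.
triage_report() {
    echo "== files matching '.*ptabLe*' under $1 =="
    find_iptables_files "$1" | while IFS= read -r f; do
        ls -l "$f"
    done
    echo "== PIDs with '.IptabLe' in command line =="
    ps aux | iptables_pids_from_ps
}
```

Hash (for example with sha256sum) and copy anything the report lists before deleting it, so the binaries can be shared with an incident response team.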
Don't worry. If you're running systemd you should be protected because the hackers probably can figure out how to create their own systemd script or where to place their hooks in the systemd chain.
[Unit]
Description=Graphical Interface
Documentation=man:systemd.special(7)
Requires=multi-user.target
After=multi-user.target
Conflicts=rescue.target
Wants=display-manager.service
AllowIsolate=yes
Does it come before multi-user.target, after multi-user.target, what does it want? Display-manager.service? Certainly they can document it, and we know that it will require a multi-user.target of some sort. systemd is a far worse virus than this iptabLex thing will ever be. However, if that virus infects something in systemd, good luck finding it in that redirect maze.
Can someone show me how to respawn a getty using systemd? That seems like that would be important to know.
"... may use infected Linux systems to launch DDoS attacks against the entertainment industry... " Seriously? That's our worry? or whom you are trying to scare?
Not only was it virtually impossible to get rid of, MS in several cases argued that it was an integral part of the OS and therefore it could not be removed and replaced with any other browser.
Every server needs a dead operator's switch.
If the administrator deliberately activates software known to make a system (Linux, Windows, ...) vulnerable to compromise, that is NOT a compromised server, it is a honeypot. If you make a honeypot, you must mitigate any damage it may cause outside your domain.
Sue the admins of those systems into getting a job compatible with their IT skills (probably involving a toilet brush).
It's still compiling...
Simpler to lock down desktops since you don't leave services/daemons running as "listeners" that *may* have security issues (like webservers for example, or database engines).
Is SeLinux turned on & 'to the max' by default in all Linux distros? No. Why's SeLinux even THERE in the 1st place then too?? Answer = Linux is *NOT* fully security-hardened from the get-go, despite your b.s. to that effect...
* How the HELL you got a +5 for your b.s. utterly astounds...
(Especially the CRAP about Win3.x being anything *remotely* like Windows NT-based OS' from MS onwards - not even REMOTELY the same other than the interface/shell in Windows NT 3.x/3.5x & Win3.x... lol!)
APK
P.S.=> Lastly: *ANY* modern OS out there can be security-hardened, MORE - & yes - that includes Linux, hence my points on SeLinux above (as well as Windows - I know, I wrote the very FIRST online guides for doing it back in 1997 @ NTCompatible.com, which grew into these from circa 2006-2008 (got me PAID @ 1 spot online even, pretty cool) -> http://www.bing.com/search?q=%... )
... apk
From TFA. "Attackers have exploited Linux servers that run unpatched versions of Apache Struts and Tomcat with vulnerabilities" Apache Struts, Tomcat, and elasticsearch (mentioned in the summary) are all written in java. To me, that indicates a JAVA vulnerability, not a Linux vulnerability.
Uh, no. It would be Struts/Tomcat architectural vulnerabilities. Granted, various versions of the Java Runtime have had vulnerabilities, but in these particular cases the vulnerabilities were within the software systems, not in the language they were written in or the runtime that hosted them.
Attackers have used the Linux vulnerabilities on unmaintained servers to gain access, escalate privileges to allow remote control of the machine
Holy misleading headline, Batman! Any server that's not maintained is vulnerable, how is this news other than it's a Linux server botnet? OMG unpatched servers are vulnerable to hackers!
That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
If you tried to remove the browser, any program that embedded the browser control wouldn't work, and a ton of business software did just that. I know a whole lot of cadd software (in 2014) STILL embeds the browser control for fonts and text editing and a lot used it for their help systems. It was also used in a lot of places in windows because it was available. Stripping it out would require replacement with something that had the same quirks/bugs/features etc. Technically removing it was possible, practically removing it would cause major pain for businesses.
Software and security is nuanced and layered requiring thought and analysis. Commenting here is neither and there's certainly little thought.
Frankly I have to ask if that is even ethical, and while I realise computer security is a tough business, I expect a whole lot better attitude and behaviour from Akamai or an Akamai owned company.
It impedes the dissemination of critical information, which is the primary goal of an advisory bulletin. Anything else is marketing, to and at the expense of those affected.
I understand that Akamai / Prolexic have invested their time and expertise into discovering / creating that information, and deserve recognition and acknowledgement for that effort, but the control and restriction of a security advisory is an ethical and moral decision, not a business decision.
In fact, given that it does appear to be marketing oriented, it may well have civil liability issues in some jurisdictions for failing to make the advisory more readily available. If this DDoS attack increases costs of any Akamai customers, there may well be a conflict of interest and/or breach of trust.
I expect better from CEO / co-founder Dr. Leighton, as I respect him and Akamai whom I have always found very professional.
This underlines an important point I made previously, that part of the problem here is C/C++ and its manual memory management. Ruby, Perl and Python eliminate a whole class of programming errors by doing memory management automatically, making it easier to develop secure applications. People laugh when you say the web browser should be written in Perl, as the web server should be, but it's true. The result would be a safer, and even a faster system, because a Perl program would not have as many memory leaks and therefore you would end up with less memory swapping as a result. So much for how much Slashdot people know about security, or good software design, that they would think that C/C++ is a good development environment for the web browser or web server, when it obviously is a source of huge numbers of vulnerabilities. People here must be totally inept or clueless to miss that Perl has automatic memory management, reference counting and automatic allocation, so that you eliminate hanging pointers and out of bound access errors.
So on the one hand we have asshats wanting to exploit your system and on the other we have asshats trying to opportunistically exploit this chance to dig for information about anyone wanting to know what's going on? Yeah, they obviously took the attack seriously... Screw 'em. They're both bad actors.
Since the problem appears to lie in Java libraries, I don't understand your argument at all.
I think we've pushed this "anyone can grow up to be president" thing too far.
I find it interesting that Akamai is complaining about server vulnerabilities, when something like 30% of all the alarms on our IPS are set off by hosts they control.
Sit, Ubuntu, sit. Good dog.
Any operating system has security holes... unix/linux has fewer... and you take a security risk when you outsource or just hire newbies out of school. You need to hire people who have been at it a while, pay them what they are worth.. and hire newbies for the sr. system engineers to mentor. They get what they get. And java... well.. Oracle Sucks.. we all know that. You can code around it.. just code with security in mind, close all security holes. Don't run external processes as a trusted user.
Malicious actors may use infected Linux systems to launch DDoS attacks against the entertainment industry and other verticals
Whatever happened to "the enemy of my enemy is my friend"?
Yes, there's technical solutions like the upcoming Tor-like anonymized version of tribler that will try to route around the Copyright Crooks-induced Internet Censorship.
When the copyright term is "forever minus a day", live every day like it's the last.
A DDOS attack against the most prolific scumbags in the entertainment industry, eh? How can I get infected? I'd be DELIGHTED to participate!
I agree with the notion that C and C++ are dangerous security risks in the hands of most developers. They normally use raw arrays and raw pointers. The U.S. military (which NSA-GCHQ is part of), Chinese intelligence and the Russkie mafia really, really like this practice. They call it the "cyber war domain". Little coincidence that Bell Labs, a U.S.G. branch at that time, developed this stuff. They apparently had nightmares of millions of C64 and Amiga computers being used as soft-SIGABAs, which would have turned them blind, sigint-/comint-wise.
BUT, Perl is no ideal fix. Rather, its lack of type safety opens up lots of new exploit opportunities. It has been designed by an Ex-NSA contractor, Larry Wall.
And, you can do memory-safe languages/runtimes very nicely WITHOUT Garbage Collection: Just use reference-counted memory management. You need to break pointer cycles yourself, though.
Professor Wirth of ETH Zürich had the basics of this technology done in the 80s. It was called PASCAL and ADA. Here is a slightly improved variant of this kind of language (includes some good features of C++ such as Destructors):
http://sourceforge.net/p/sappeurcompiler/code-0/HEAD/tree/
And yeah, quite prototypical, but it demonstrates what is possible outside the World Of C Pain. If you really want to use it, drop me an email and I will assist you in getting it running on your *nix platform or cygwin. I once even had it running on Windows. Not pretty, but effective.
Frank Gerlach
frankgerlach74@web.de
Württemberg
Germany
Because they have rolled lots of unnecessary stuff right into the Windows Kernel: GUI rendering, font parsing (enabling some very nice drive-by exploits for browsers once) and a whole bunch of other nasty "design" decisions. Or should we call it "anti-patterns" ?
Only Win 8 has brought software stores (10 years after Linux) and Sandboxing is still the exception, not the rule. Compare that to Linux, where you have at least 2 major infrastructures (AppArmor and SE Linux). Plus you can build your own sandboxing using the LSM API. Do you finally have this in Windows ???
Your sales argument is that "every monkey can operate a computer". They might be able to turn it on, but sure as hell a monkey will configure it insecurely. You NEED a CS degree to set up a secure computer. Linux or otherwise.
And yeah, Windows still is a shithole of insecurity. You folks still cannot break it to users that they need an admin and a normal account. Instead you do this UAC crapola.
So, go back under your rock and leave the adults alone.
...they elevated Guest print jobs to Admin rights in Windows ? So that StuxNet could do its work ?
We have AppArmor on Linux - it is rather simple and straightforward. Lock all the SW crappiles into their respective sandboxes.
...take the time to create an AppArmor profile for your application. Then the maximum damage is limited to what you allowed in the AppArmor profile. User-based security actually is a quite shitty concept. What is the business of Acrobat Reader in reading my VHDL and my CATIA files ?
I once did it for firefox and it was a two-day effort. Firefox can be considered a complex program relative to AppArmor.
...Akamai got a big discount (for their Windows licenses) or a check from Microsoft under the condition that they badmouth the Linux OS, when the problem was actually one of some hipster library developers. The same problem would probably exist on Windows and MacOS, if you ran Struts on these platforms.
We have seen this pattern with various assortments of PHP shite like phpMyAdmin and those PHP-web-server consoles for the shell-illiterates of the "business world". Those who are not able to do their work via ssh+shell scripts.
Don't get me started on the PHP shite in general.
Yeah, nothing new in the Corrupt Western World of 2014.
Well-written modern C++ does not have manual memory management.
"When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
Oh, I only had Samba and a python app on the 1 server, no apache, tomcat or elastic.
The progression goes like this..
1. Unix was developed on the Digital Equipment Corp PDP-11 hardware in about 1970. Unix started as a multi-user system that supported memory segment protection between user processes and kernel space.
2. VMS followed on the next generation of DEC hardware, the VAX-11/780, which made its appearance in the late 1970's. This system introduced Virtual Memory spaces for user processes. (Thus its name, Virtual Memory System.) VMS was not first in being multi-user; commercially that was Unix.
3. Windows NT arrived in the late 80's, and not surprisingly ran on DEC VAX hardware as well as x86 based systems, as the chief engineer of NT came out of the VMS development team at DEC.
So NT got this idea from VMS which got it from Unix....
Unix was never implemented for PDP-11 by DEC. 3rd parties adapted several versions so that they could run on the PDP-11. A number of generations of "realtime" operating systems were developed by DEC for the PDP-11 and later the VAX-11 series.
Dave Cutler was on the teams for many of these OSes. Dave Cutler left for Microsoft to design Windows NT. Dave Cutler *never* implemented an OS for PDP-11 based on Unix. In fact, he *disliked* Unix.
And no, Unix did not invent access control. I sense that you need Unix to be some type of god-like hero. It is an operating system, and an aging one at that. Cool off.
Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*