Akamai Warns: Linux Systems Infiltrated and Controlled In a DDoS Botnet
An anonymous reader writes Akamai Technologies is alerting enterprises to a high-risk threat of IptabLes and IptabLex infections on Linux systems. Malicious actors may use infected Linux systems to launch DDoS attacks against the entertainment industry and other verticals. The mass infestation of IptabLes and IptabLex seems to have been driven by a large number of Linux-based web servers being compromised, mainly by exploits of Apache Struts, Tomcat and Elasticsearch vulnerabilities. Attackers have used the Linux vulnerabilities on unmaintained servers to gain access, escalate privileges to allow remote control of the machine, and then drop malicious code into the system and run it. As a result, a system could then be controlled remotely as part of a DDoS botnet. The full advisory is available for download only with registration, but the (Akamai-owned) Prolexic page to do so is quite detailed.
So, to remove this do I just have to do this? /sbin/iptables
sudo rm -r
GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
They should have installed Gentoo!
In hopes that the 'malicious actors' would get tired of waiting for the required binaries to be built and give up?
Never start vast projects with half-vast ideas.
It's news because it illustrates that, as much as Linux users like to throw stones at Windows, they too are vulnerable. Anyone can pick through the source and find security holes that can be exploited - perhaps even much more subtle ones than anyone would ever find on Windows.
Not a Linux apologist (Windows pays my bills), but in defense of Linux, these were programs running on Linux that had exploits. Of course, many of the exploits in Windows are through programs running on Windows and not the OS itself.......but Linux fanboys wouldn't be as quick to point that out.
The people that have their servers compromised in this way are amateurs and shouldn't have put their servers on the web, EVER. This is roughly equivalent to fielding IIS from 2001 on windows XP and not keeping your patch set up to date. You are going to be hacked.
Any sysadmin who is thinking about it would put a web server and all its components in a chroot jail and force it to run in user space, set up to refuse interactive logins for this user. That way any "escalations" of privilege won't get you much more than the web server. It's easy, quick and effective.
So this isn't a really fair comparison you are making. Linux is BY DEFAULT more secure than Windows, mainly by design. Microsoft has made great strides of late, but fundamentally they are starting from a weak position (remember Windows 3.1?) and you have to install components to make it more secure, where Linux starts secure and gets security downgrades when you install and configure stuff. Either way, if you don't manage your server, you will have problems.
"File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
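The posture the comment above describes (workers running as an unprivileged account whose shell refuses interactive logins) is easy to state and easy to drift away from. The following is an added example, not code from the original thread: a small audit that checks a process listing against /etc/passwd. `SAMPLE_PS` and `SAMPLE_PASSWD` are constructed to look like `ps -eo user,pid,ppid,comm` and /etc/passwd output, and the sets `NOLOGIN_SHELLS` and `WEB_SERVER_NAMES` are assumptions to adjust for your distribution; on a real host feed it the live output of those two sources.

```python
"""Audit that web-server workers run as an unprivileged account whose login
shell refuses interactive sessions.

Added example, not from the original thread. SAMPLE_PS and SAMPLE_PASSWD are
constructed to look like `ps -eo user,pid,ppid,comm` and /etc/passwd output.
"""
from dataclasses import dataclass

# Shells that refuse interactive logins (assumption: extend for your distro).
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}
# Process names treated as web/app servers (assumption; "java" stands in for
# Tomcat and Elasticsearch, two of the stacks named in the advisory).
WEB_SERVER_NAMES = {"apache2", "httpd", "nginx", "java"}

SAMPLE_PS = """\
USER       PID  PPID COMMAND
root         1     0 systemd
root       812     1 nginx
www-data   813   812 nginx
www-data   814   812 nginx
root       920     1 java
tomcat    1001     1 java
"""

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
tomcat:x:999:999:Tomcat:/opt/tomcat:/bin/bash
"""


@dataclass(frozen=True)
class Proc:
    user: str
    pid: int
    ppid: int
    comm: str


def parse_ps(text):
    """Parse `ps -eo user,pid,ppid,comm` output; the header line is skipped."""
    procs = []
    for line in text.strip().splitlines()[1:]:
        user, pid, ppid, comm = line.split(None, 3)
        procs.append(Proc(user, int(pid), int(ppid), comm))
    return procs


def parse_passwd(text):
    """Map account name -> login shell from /etc/passwd-style lines."""
    shells = {}
    for line in text.strip().splitlines():
        fields = line.split(":")
        if len(fields) == 7:
            shells[fields[0]] = fields[6]
    return shells


def audit(procs, shells):
    """Return human-readable findings; an empty list means the checks pass."""
    findings = []
    for p in procs:
        if p.comm not in WEB_SERVER_NAMES:
            continue
        if p.user == "root":
            # A root master that forks unprivileged workers (apache2/nginx
            # style) is fine; a root process with no such workers runs
            # entirely as root and is exactly the case the comment warns about.
            children = [c for c in procs if c.ppid == p.pid and c.comm == p.comm]
            if not any(c.user != "root" for c in children):
                findings.append(
                    f"pid {p.pid} ({p.comm}) runs as root with no unprivileged workers")
            continue
        shell = shells.get(p.user)
        if shell is None:
            findings.append(f"pid {p.pid} ({p.comm}) runs as unknown account {p.user}")
        elif shell not in NOLOGIN_SHELLS:
            findings.append(
                f"pid {p.pid} ({p.comm}) runs as {p.user}, whose shell {shell} allows interactive login")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_ps(SAMPLE_PS), parse_passwd(SAMPLE_PASSWD)):
        print("FINDING:", finding)
```

On the constructed sample this flags the Tomcat instance twice over: one copy runs entirely as root, the other under an account that still has /bin/bash as its shell. The chroot half of the advice is not visible from `ps`; on a live host, `ls -l /proc/<pid>/root` shows whether a process is confined, and `find / -xdev -perm /6000 -type f` is the companion one-liner for the setuid inventory.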
From TFA.
"Attackers have exploited Linux servers that run unpatched versions of Apache Struts and Tomcat with vulnerabilities"
Apache Struts, Tomcat, and elasticsearch (mentioned in the summary) are all written in java.
To me, that indicates a JAVA vulnerability, not a Linux vulnerability.
Death has been proven to be 99% fatal in lab rats.
Yes, but there is a logical reason for this.
Linux and Windows approach security in totally different ways. When you load a Linux kernel, it's secure, it starts that way. When you load windows, it's NOT secure, you have to load other stuff to make it secure.
So, if you have a Linux box that gets hacked, the admin really is a lot more responsible for this. He/she left the hole open for the attacker to get in. Sure, there are times when we don't know the hole exists, but the admin loaded the software.
Windows boxes? They come out of the install process wide open with a whole raft of dangerous services turned on. Not to mention they are starting from the security posture of Windows 3.1 and have been trying to put up defenses since. They have made a lot of progress, but it's still harder to shore up a bad design than it is to loosen up a secure design.
Are porn sites part of the "entertainment industry"? If so, this is a serious threat and it needs to be dealt with ASAP.
...gis sdrawkcab (usually not responding to ACs; don't bother posting as AC)
I prefer to throw at the users. The chance to hit the culprit is so much higher.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
This used to be true, it's by far no longer the case.
It's the ancient battle of usability vs. security. The most secure system is by design also the least usable one. And that's where the two systems came from. Windows was once "usability trumps security, no matter what". Linux was the exact opposite. Hence the reputation of Linux that you need to have a masters in CS to boot the damn thing, and for a network connection nothing less than a doctorate will do.
Various distributions have now made it all a bit easier, while at the same time Windows tightened security quite a bit (I mean, look back at Win95 and tell me they didn't...). They are approaching each other... if they haven't met already in the middle between the two extremes.
> may use infected Linux systems to launch DDoS attacks against the entertainment industry...
WHERE IS THE DOWNLOAD LINK?
It's behind a registration form so that the fine folks at Prolexic can get your PII for marketing purposes. One of the *many* benefits is that once you register, nice folks from Prolexic will send you emails and maybe even call you on the phone to let you know about all the wonderful products and services you can buy from them.
So many vendors just report this kind of stuff to CERT so it gets assigned a stupid CVE number and all the details are then available without the consumer of information giving up any PII that can be used to sell them stuff. Stupid vendors!
Prolexic is using a real vulnerability to enhance their contacts DB and increase the surface area of their sales efforts. Disgusting.
No, no, you're not thinking; you're just being logical. --Niels Bohr
> Yes, but there is a logical reason for this.
> Linux and Windows approach security in totally different ways. When you load a Linux kernel, it's secure, it starts that way. When you load windows, it's NOT secure, you have to load other stuff to make it secure.
Sorry, but that is BS. When you load Linux it comes up with a security model through which there has already (by design) been punched a big hole: SUID. When you load Windows it comes up with a security model which has no need for such a massive hole. Countless otherwise benign bugs have been turned into total system compromise bugs because of SUID.
Under Windows, all kernel object types are securable with security descriptors. Linux was designed with only file system permissions. Processes did not have security descriptors, and such objects need to be mapped to files and file permissions used to (inadequately) describe access permissions.
Windows services run in a separate session - interprocess communication is severely restricted. A process in another session cannot break through to e.g. the desktop, i.e. a daemon/background service cannot interact with the desktop. There is no such isolation in Linux unless you run SELinux. In Windows it is the default.
Most Windows services run under service hardening. Even custom sites you set up will by default run under service hardening. Under service hardening an ad-hoc identity is implicitly created for the service/website and this identity has no permissions whatsoever by default. It has to be granted any access permission it needs. You'd have to run SELinux or apparmor with a significant amount of configuration to achieve the same level of isolation under Linux. Under Windows it is default and straightforward.
Windows has mandatory DEP, much stronger ASLR, stack and heap encryption/checksumming and several other mitigation technologies not found in Linux. On by default.
> Windows boxes? They come out of the install process wide open with a whole raft of dangerous services turned on. Not to mention they are starting from the security posture of Windows 3.1
What century do you live in? Since Windows Server 2008 (!) only the minimal set of services are turned on, and *no* network facing services until you configure them.
Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
> Let me see, last time I loaded Windows 8 pro, there was a raft of services turned on for me by default.
Windows 8, Windows 7 and even Windows Vista come up and ask you if you *want* to turn on services. If you answer no, it will not have any network ports listening. Get it yet? That's the *desktop user* targeted operating systems.
Windows Server comes by default with NO network services turned on by default, and NO listening ports. Get it yet?
Linux *desktop user* targeted distros do turn on network services. Get it yet?
> Yes the distribution may turn on some services
Yes, indeed. Get it yet?
> Linux distributions targeted at "servers" generally come w/o any services even installed by default.
Yes. Just like the Windows Server versions. Get it?
> If you go to "desktop" installs, where Windows 8 Pro lives, Linux comes out of the normal distribution much more locked down and secure
Nope. Linux lacks many, many of the security features in Windows 8. In distros using apparmor it only protects some of the daemons. Windows 8 comes with Mandatory Integrity Control built-in sandboxing.
Windows 8 supports multiple (and simultaneous) network firewall profiles which are automatically selected based on where you are: On a corporate network SMB services may be available, on a public network without a trusted domain controller it selects the public (locked down) profile. Linux does not.
> I still cannot believe that the DEFAULT behavior of a Windows box is to have the main user be an Administrator
Good you do not believe it, because it is false. This is one of the hardest things for Linux fanatics to understand: Windows has tokens and with UAC even if you do log in with an account with administrative rights, the token will not have administrative rights. This means that the processes started by the shell will not have administrative rights. Get it yet?
> Linux is not like this, and most desktop distributions today don't allow you to login as root.
No, but they do allow you to elevate to root as effective user - using sudo or other SUID utilities, which is a blatant violation of one of the most fundamental security principles: least privilege.
In Linux you elevate to the highest, unrestricted and all-powerful user just to change your own password??? Have you any idea how f* up that is?
Get it yet?
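Whichever side of the SUID argument above one takes, the practical consequence is the same: every setuid/setgid executable on a box is a place where a benign bug becomes a root bug, so the inventory should be short and known. The following is an added example, not code from the original thread, that classifies setuid/setgid files against an allowlist. `ALLOWED` is an assumption (a minimal set for a Debian-style layout; adjust it to what your distribution ships) and `SAMPLE_ENTRIES` are constructed stat results so the classifier runs offline; `walk()` gathers real entries from the filesystem.

```python
"""Inventory setuid/setgid executables and flag the ones that have no
business carrying privilege.

Added example, not from the original thread. ALLOWED is an assumption and
SAMPLE_ENTRIES are constructed (path, st_mode) pairs as os.lstat would
report them; walk() produces real ones.
"""
import os
import stat
from collections import namedtuple

Entry = namedtuple("Entry", "path mode")

# Assumption: setuid/setgid programs this host is expected to carry.
ALLOWED = {
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su", "/usr/bin/chsh",
    "/usr/bin/newgrp", "/usr/bin/wall", "/usr/lib/openssh/ssh-keysign",
}

# Constructed sample: st_mode values as os.lstat would return them.
SAMPLE_ENTRIES = [
    Entry("/usr/bin/passwd", 0o104755),         # setuid root, expected
    Entry("/usr/bin/wall", 0o102755),           # setgid, expected
    Entry("/usr/bin/ls", 0o100755),             # no special bits
    Entry("/opt/legacy/bin/backup", 0o104755),  # setuid, not on the list
    Entry("/tmp/.x", 0o104777),                 # setuid and world-writable
    Entry("/usr/bin/python3", 0o120777),        # symlink: not a regular file
]


def classify(entries, allowed=ALLOWED):
    """Return (severity, path, reason) for each suspicious setuid/setgid file."""
    findings = []
    for e in entries:
        if not stat.S_ISREG(e.mode):
            continue  # only regular files carry a meaningful setuid/setgid bit
        bits = [name for flag, name in ((stat.S_ISUID, "setuid"), (stat.S_ISGID, "setgid"))
                if e.mode & flag]
        if not bits:
            continue
        label = "+".join(bits)
        if e.mode & stat.S_IWOTH:
            # Anyone can rewrite the contents and inherit the privilege:
            # critical no matter what the allowlist says.
            findings.append(("critical", e.path, f"{label} and world-writable"))
        elif e.path not in allowed:
            findings.append(("high", e.path, f"{label} binary not on allowlist"))
    return findings


def walk(root="/"):
    """Yield an Entry for every file under root without following symlinks."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                yield Entry(path, os.lstat(path).st_mode)
            except OSError:
                continue


if __name__ == "__main__":
    for severity, path, why in classify(SAMPLE_ENTRIES):
        print(f"{severity:8} {path}: {why}")
```

Run `classify(walk("/"))` on a live host to get the real list; `find / -xdev -perm /6000 -type f` yields the same candidate set from the shell. Diffing today's output against a known-good baseline is the useful part: a new setuid binary under /opt or /tmp is precisely the kind of dropped payload the advisory describes, and the world-writable case is flagged even for an allowlisted path because the file's contents, not its name, are what run as root.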
Windows 8 isn't a server. You're comparing apples to oranges, and being intellectually dishonest, and you know it.
The truth is: you haven't used Windows Server 2008, you haven't used Windows Server 2012, and you (obviously from your grandparent post) have absolutely NO idea what you are talking about when it comes to Windows Server security.
And instead of just admitting as much and bowing-out gracefully, you pull the "hahaha you are wrong but it's a waste of time to argue with you!" card. Disgusting.
Comment of the year
Mostly valid points. None of them invalidate the parent's point. If there is a significant infection of malware, then it is newsworthy. What factors led to the infection don't make it unnewsworthy.
"These [server systems] are easier to lock down, since there are no users downloading cool stuff and bringing in malware." You're comparing desktop usage to server usage. Regardless of Linux or Windows the same issues are there for each usage scenario.
-Desktop: If there is a vulnerability in a Linux or Windows desktop, the usage pattern of users is going to be a pathway onto the machine for malware. These days you could probably take any average user since most are unfamiliar with desktops, stick them with a desktop of any OS flavor, and they will in both cases go to a browser and do things that put the system at risk. These days they implement similar levels of security. Many flavors of both prompt you to escalate a process to root/admin privilege, so each is vulnerable to users unwisely escalating software of questionable sources.
-Server: If there is a vulnerability in a server, regardless of OS, "a remote exploit is required to bring down a server system". This doesn't invalidate the parent's point.
Parent's point is that it is newsworthy because many naive individuals in the Linux community like to purport that Linux is somehow invulnerable to such exploits. When I say "many naive" I don't mean to say all Linux users are naive, just that there are a fair share who don't understand that Linux and software running on Linux has the same potential to harbor undiscovered vulnerabilities as any other competing OS/software.
This means they make blanket statements about how this or that security problem affecting Windows isn't a concern for Linux. They don't know about the clarifying criteria that Linux is more secure under the circumstances that you maintain updates and properly administer WAN-facing interfaces.
The result is you have individuals running unmaintained Linux servers because they think they are more secure, but which require significantly more attention than similar Windows counterparts. So you have two factors working against the security of Linux, misinformation, and ease of maintenance.
Even in situations where you have a capable staff who understand the importance of maintaining updates: if you have updates that are fragile and require lots of testing, require a lot of babysitting to apply, or are in other ways difficult to automate in a reliable way, then you are going to occasionally create situations for admins where their manpower isn't enough to get to those updates immediately. That's not to imply that Windows updates don't sometimes break things and require testing, but I would say they are easier to automate overall and more reliable. Probably due to the fact there are far fewer flavors of Windows, so updates which do have issues are quickly hotfixed. When I've had updates on Linux fail, sometimes there is a good bit of manual work to back them out, fix whatever went wrong, and reapply them.
I am not trying to say Windows is better than Linux, as I am not trying to do a complete comparison of the two, but simply pointing out that this article highlights some of the factors that contribute to the formation of such an infection. Certainly Windows has some of these same issues as well and we've seen infections that targeted machines that weren't up to date. However, I think Windows has done a better job at least with the automatic updates to address this kind of problem. It certainly isn't always perfect, but it's pretty good.