Security

Linux Worm Creating "Attack Network"

RomSteady writes "In what could be a case of the free pot calling the expensive kettle black, C|Net is reporting that a new Linux worm is "creating a rogue peer-to-peer network that has been used to attack other computers with a flood of data" and has already infected at least 3,500 servers. Seems it is true...the security of your web server depends on how effective you are at keeping up to date on patches, no matter if you are running Windows or Linux."
  • D'uh. (Score:4, Funny)

    by dsb3 ( 129585 ) on Sunday September 15, 2002 @12:34PM (#4261004) Homepage Journal
    Seems it is true...the security of your web server depends on how effective you are at keeping up to date on patches, no matter if you are running Windows or Linux."

    D'uh. Go on, mod me down if you must.

    • Re:D'uh. (Score:2, Offtopic)

      by Sivar ( 316343 )
      D'uh.
      Agreed. But insightful?
      "Duh" +5 insightful?
    • Yes, but this is an historic day, since an editor pointed it out. I mean that without sarcasm too.

      It's common sense, right? The more people use it, the more hacks and cracks will occur. I've been preaching for years, the more people see your software, the more they will mess with it. Linux is becoming very much main-stream and a viable option. The black hats are adjusting accordingly.

      • Of course it's common sense.
        But I *REALLY* can't picture the poster saying anything that kind had it been Windows affected by this virus. I mean really - it WOULDN'T happen. Just keeping an open mind. Check the history - every Windows virus is announced with "I'm glad I'm using a secure OS link to debian.org" or something similar...
        • the irony of you pointing out that they usually say "I'm using a secure OS link to debian.org" is that if you've apt-get update/upgrade'd in the past month or so, you're fine. Debian seems to have been patched the day after/of the vulnerability announcement.

          Considering how many of the major distros have some sort of update tool, I'm really surprised this is as much of a problem as it is.

          So, I'm glad I'm using a secure OS [debian.org]. :)
          • LOL, well said. I did the same thing last week to my alpha :) The question is now, do the Linux zealots who spent so much time laughing at IIS admins actually keep up on THEIR patches? One of the places the Linux world seemed so far advanced was virus protection. If that goes away, what will be the incentive to get off the M$'s of the world?
      • Re:D'uh. (Score:3, Insightful)

        by RomSteady ( 533144 )
        Sorry, but I'm not an editor. I read the article and submitted it, and while I was submitting it, a similar article appeared on the Apache sub-section.

        I am glad that they used my submission without censorship, though.

        One person farther down says that if something like this had been reported about Windows, it would have been Bill's fault, but when something happens on Linux, it's the sysadmin's fault. Personally, I think both are the sysadmin's fault. Nine times out of ten, patches are available for software shortly after the worm is first out there. If a sysadmin keeps up on his/her patches, the likelihood of infection/damage is very low.

        Personally, I'd be very happy if /. would stop attacking Microsoft and start attacking the people who make the actual attacks. However, the likelihood of that happening is slim to nil, I'm afraid.

    • by Anonymous Coward
      Free Pot!!!??
    • Re:D'uh. (Score:4, Insightful)

      by Yohahn ( 8680 ) on Sunday September 15, 2002 @01:49PM (#4261345)
      While the "Duh" is true, I think the relevant questions are:

      "How easily does a system lend itself to being upgraded out of the box, with no additional costs?"

      "How quickly can a patch be developed and published?"

      "When I install the new patch am I going to have to accept some NEW BS license?"

      I still choose Debian GNU/Linux because I believe that apt-get being as easy as it is will keep newbie Linux people upgrading regularly. This alone could have significant impact.

      • Re:D'uh. (Score:4, Insightful)

        by Jace of Fuse! ( 72042 ) on Sunday September 15, 2002 @03:58PM (#4261836) Homepage
        I still choose Debian GNU/Linux because I believe that apt-get being as easy as it is will keep newbie Linux people upgrading regularly. This alone could have significant impact.

        While I actually agree with you -- I don't see how that is any easier than Windows popping up a requestor saying "YOUR CRITICAL UPDATES HAVE DOWNLOADED AND ARE READY TO INSTALL."

        True, there is a good chance the new terms of usage might require you hand over your newborn, or give your soul to Billy, but the newbie doesn't care about this.

        Linux users think they can topple the Windows empire because ethically, Free Software has a more solid foundation than Microsoft. But they seem to ignore the fact that this means nothing because most users have no ethics.

        If Unix is going to shoehorn itself more so into the desktop market, it's going to have to appeal more to the laziness of the masses and spend less time touting the ethical reasons. Things like apt-get are major steps in the right direction, though.
  • visioneers (Score:2, Insightful)

    by sstory ( 538486 )
    visioneers have been making analogies between networks and other systems for years, and lately, the internet has started to feel like an ecosystem, with predators, outbreaks, and the like.
  • I read about the SSL bug the other day and fixed it on the spot. (Good ol' apt-get). Are there other ones that we should know about? Is there a way to check and see if a machine is still being impacted? I'd hate to be running anything malicious, that's why I have a linux box. I can fix things quickly, most of the time...
    • by alvieboy ( 61292 ) on Sunday September 15, 2002 @12:41PM (#4261035) Homepage
      Yes.

      Read the CERT Advisory CA-2002-27.

      It's available here [cert.org]
    • This should have been made more clear in the CNET (and Slashdot) article! It's a known bug, and fixes have been available for some time now. The systems that are getting hit are the ones with lazy admins who don't promptly follow up on security patches.
      • by RestiffBard ( 110729 ) on Sunday September 15, 2002 @12:54PM (#4261095) Homepage
        slashdot needs a "true dat" moderation.
      • The systems that are getting hit are the ones with lazy admins who don't promptly follow up on security patches.

        Why do topics like this always have to degenerate into a holier-than-thou diatribe by a self-righteous few? I'm running a vulnerable system and it isn't because I'm "lazy" as you so kindly put it. I run Linux on my *desktop* and use it to play Quake, surf the web, and share out some HTML pages for my family. I run RH7.2 (only one version behind, bub) and run Ximian Red Carpet and up2date regularly. But no, I don't read bugtraq for the sheer joy and I usually wait for RPMs to come out before I install a patch. The unfortunate downside to RPMs is that if you compile your own software the RPM database starts to choke on its biscuits. So maybe, just maybe, people who don't upgrade the same day aren't lazy. Maybe we just don't have as much time or interest as you to troll bugtraq or, more so, troll /. acting all high and mighty because of the stinking version of OpenSSL they run.

        • When the so-called "lazy admin" is a grandpa running a supposedly plug-in-and-drop system in his little store, or someone else who bought their hyperbolic nephew's line about how easy and wonderful Linux is, it really makes no sense to go about bashing them. For so many systems, the "admin" is just a regular schmoe. And attacking them for the vulnerability of their systems conveniently leaves the worm authors off the hook. Maybe we should blame geeks who got beaten up in high school for being too lazy to learn self-defense.
        • perhaps you could bring yourself down to my level. i don't hang out reading bugtraq either. however, i have subscribed to redhat's email lists so that i can get security [redhat.com] advisories. you know, the emails that say "hey there is a big fucking hole in your security. apply these packages to fix it".

          there are several mailing lists [redhat.com] to choose from. the redhat watch list [redhat.com] will help you out with vulnerabilities.

          really though do you think this is self-righteous? i would say it is being responsible. i hate all of those self-righteous people in cars who use seatbelts. they just think they are all that and a bag of chips. grow up and be responsible.

          -you get an email about a vulnerability
          -drop to a console and type the following:

          $ su -
          # service httpd stop

          -then upgrade when you have the time.

          really now, how hard is that?
        • "I'm running a vulnerable system and it isn't because I'm "lazy" as you so kindly put it. I run Linux on my *desktop* and use it to play Quake, surf the web, and share out some HTML pages for my family."

          I agree with you about the attitude, but there's no reason a system used for what you're mentioning would be vulnerable. I'm horrible about updating my box, but since I have so few ports open and so few services running, no one can get to my box. Forwarding the range for the Neverwinter Nights server doesn't open up a whole lot of exploits. Well, except for all the buffer overflows I'm sure are there in their NWN server code....
        • Point taken but (Score:3, Insightful)

          by einhverfr ( 238914 )
          I am assuming you didn't install a web server, NFS server, etc. if you never thought you'd use them, right? Or if you did, you would turn them off, or at least use Red Hat's built-in firewall rules to keep other people out.

          If you did any of these things, you are not directly vulnerable, and don't classify as lazy. But if you were running a production server and did not want to do a security patch because "there are no rpm's yet" then you would be lazy and I would berate you for it ;)

          So my point is-- you can't compare apples and oranges here, and security is important to everyone, but there are different ways of handling this security as appropriate for the environment. If you think security doesn't matter, you are not lazy so much as clueless, but if you think that there is only one path to security, you are missing the point too.

          I did support for Windows for a while and I was amazed at how many compromised systems I found because home users thought "I don't need security." It is all fun and games until people start uploading illegal content (such as kiddie porn) onto your system or your account gets terminated with your ISP because someone used your system to attack another computer, etc.

          I don't care who you are-- security is important.
        • by bankman ( 136859 ) on Sunday September 15, 2002 @02:30PM (#4261491) Homepage
          Let me elaborate a bit here:

          You are running a computer that is connected to the Internet. For the sake of this argument it doesn't matter which system you favour. You are the admin of this machine.

          Like it or not, you have responsibility towards ALL other network peers (i.e. the whole Internet) to make your system as secure as possible. Consider malicious software that can start DoS attacks on other remote boxes. Your insecure machine is now causing trouble to others as well as yourself (degrading connectivity).

          Would you like this? Your answer could be: I don't care.

          Imagine someone else has a similarly unpatched/insecure system and is directing DoS attacks on your IP. Do you care now? I guess you would.

          The problem is that advertising and far too many teachers in "Internet for dummies" courses do not emphasize the fact that anyone with admin privileges on any computer (that is connected to the Internet) is effectively an administrator and has to act accordingly on issues like security. Point'n'Click installation doesn't make it any easier: You want to run a web server? Here you go.

          How many install software without knowing about the security implications of the stuff they are going to run? I guess far too many. If you had to read about a certain program BEFORE you install it, the manual or How-To can give you an idea of the security implications you are probably going to run into, thus alerting the admin (on a home system that means you) and increasing awareness.

          This could be a reason why Linux/Unix installations often seem to be more secure: You have to read a lot more before you can actually do something. This advantage, of course, is slowly going away with point and click installations on Linux systems as distro installation programs become more user-friendly and everything gets installed via a graphical system. This might be ok for an advanced user, but could be dangerous in the hands of a novice (i.e. most home users).

          I guess you could compare it to driving a car, where you have to get a license in order to participate in public traffic, because you need to know about the rules and dangers beforehand. The impact your mistakes might have on others can be very serious.

          I don't want to lecture you, but I think it is important to increase awareness of security ramifications on boxes that are connected to others.
          • Like it or not, you have responsibility towards ALL other network peers (i.e. the whole Internet) to make your system as secure as possible.

            Sorry but I'm gagging uncontrollably at the thought of your saccharine love-fest. I am not here to protect *other* people's PCs from compromise, should I hold hands with other sysadmins and pray for the health of their machines while I'm at it? No. My machine isn't as secure as some but I try my best and check Red Carpet daily.

            Your argument is that as a user with a public IP address it's my responsibility to have every package on my system updated on a daily basis. Hence by your logic, if I'm not doing so then I don't have a right to be on the net. It's precisely this kind of jaded self-righteousness that people hate about a small handful of Linux geeks. When even Linux geeks are telling you to get a life, maybe you should consider it!

  • Unfortunately as more IIS admins move into the "cheap" linux arena, their bad habits will come with them (not that there aren't linux admins with bad security habits, too). We are going to see more and more of this as linux becomes the norm. My shop is looking at using embedded or firmware based linux (or single system images in the clusters) to combat any modifications. It will be interesting on monday to see how much our honeypot-tarpit has caught.
    • Now that's some spin!

    • This virus made several fatal errors in its execution--
      1: It did not delete its source code file on execution.
      2: It did not hide its binary very well.

      If the worm did these things it would have been MUCH harder to detect and deal with. As it is my servers are secure (no SSL for now, and I have the latest version of OpenSSL for when I want to re-implement it), but I would have been worried to some extent if I could not have actually looked for bugtraq.c in the /tmp directory.

      Many trojans I am aware of do these things, though.
  • Well Duh! (Score:5, Insightful)

    by libertynews ( 304820 ) on Sunday September 15, 2002 @12:40PM (#4261027) Homepage
    Anyone who thinks that solely because they run open source they are immune to attack is an idiot. Look at how wide open a default RedHat 6.2 install is.

    This new attack is easily avoided by upgrading your OpenSSL version to 0.9.6e, and this should have been done by now. The hole has been known and example exploit available for a while now, as anyone who follows the bugtraq list would know.

    Security is an ongoing process. You have to stay on top of it if you run machines that are not turned off and locked in a basement. There is just no way around the fact that there will always be bugs in software, and these days that commonly means security holes as well.

    • And FYI, it communicates with its brethren on UDP port 2002, and leaves itself running as a program called 'bugtraq' with its source in /tmp/.bugtraq

      Or at least the version of it recently discussed on bugtraq had this behavior.
      • Re:Well Duh! (Score:2, Interesting)

        by FlyGirl ( 11285 )
        Correct... And someone elsewhere posted a REAL simple "vaccination" until you can upgrade your server/ssl. Since it gets in through apache and creates a "/tmp/.bugtraq.c" that it then uses gcc to compile, just execute the following commands as root:

        # touch /tmp/.bugtraq
        # chmod 000 /tmp/.bugtraq

        That should make it impossible for it to create the executable -- and the presence of the .c will show you if it has attacked your system.

        (Note: This is a preventive measure for this specific worm. All someone would have to do is change the filenames that it uses to get around this, so fix it properly asap)
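The indicators scattered through this thread (the dropped source /tmp/.bugtraq.c, the compiled /tmp/.bugtraq, a process called 'bugtraq', UDP port 2002) and FlyGirl's placeholder file, gathered into one check script. This is an added example, not code from the thread or from any advisory. The directory to inspect is a parameter so the file checks can be tried against a scratch directory; the process and socket checks are informational because they only mean anything on the live host; and an empty, mode-000 .bugtraq is treated as the placeholder rather than as the worm, which is the distinction FlyGirl's note about the .c file relies on.

```shell
#!/bin/sh
# Added example: check a Linux host for the Slapper indicators described in
# the thread and optionally plant the mode-000 placeholder "vaccination".
# Indicators used here, all taken from the discussion above:
#   - dropped source  $root/.bugtraq.c
#   - compiled binary $root/.bugtraq   (the placeholder is an EMPTY file)
#   - a running process whose command name is 'bugtraq'
#   - UDP port 2002 in use
# $root defaults to /tmp; it is a parameter so the file checks can be run
# against a scratch directory.

# File indicators. Prints one line per finding.
# Exit status: 0 = nothing worm-like in $root, 1 = attacked.
# An empty .bugtraq is the placeholder from the thread, not the worm; it is
# reported but does not change the exit status.
slapper_files() {
    root="${1:-/tmp}"
    status=0
    if [ -e "$root/.bugtraq.c" ]; then
        echo "ATTACKED: worm source present: $root/.bugtraq.c"
        status=1
    fi
    if [ -e "$root/.bugtraq" ]; then
        if [ -s "$root/.bugtraq" ]; then
            echo "ATTACKED: non-empty $root/.bugtraq (compiled worm binary?)"
            status=1
        else
            echo "placeholder: empty $root/.bugtraq (vaccination in place)"
        fi
    fi
    return "$status"
}

# Live-host indicators (informational; tolerates missing tools).
slapper_live() {
    if ps axo comm= 2>/dev/null | grep -qx bugtraq; then
        echo "ATTACKED: process 'bugtraq' is running"
    fi
    if { netstat -anu 2>/dev/null || ss -anu 2>/dev/null; } | grep -q ':2002 '; then
        echo "SUSPICIOUS: UDP port 2002 in use"
    fi
    return 0
}

# FlyGirl's vaccination: occupy the path the worm's gcc step writes to.
# Refuses (status 1) if the path already exists, so a real binary is never
# replaced by a placeholder and then overlooked.
vaccinate() {
    root="${1:-/tmp}"
    target="$root/.bugtraq"
    if [ -e "$target" ]; then
        echo "refusing: $target already exists; inspect it first" >&2
        return 1
    fi
    touch "$target" && chmod 000 "$target"
}

# Stand-alone use: slapper_check.sh [--vaccinate] [dir]
main() {
    if [ "${1:-}" = "--vaccinate" ]; then
        shift
        vaccinate "${1:-/tmp}" || exit 1
    fi
    slapper_files "${1:-/tmp}"
    rc=$?
    slapper_live
    exit "$rc"
}
case "$0" in *slapper_check.sh) main "$@" ;; esac
```

Run it as ./slapper_check.sh to report, or ./slapper_check.sh --vaccinate to plant the placeholder first; it refuses to plant over an existing file so a real binary is not hidden behind the vaccine. None of this replaces upgrading OpenSSL; it only tells you whether this particular worm, with these particular file names, has been by.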
  • Get ready for more (Score:4, Interesting)

    by IamTheRealMike ( 537420 ) on Sunday September 15, 2002 @12:41PM (#4261036)
    Well, it had to happen eventually. Hopefully people will stop saying things like "Linux stops you from being hacked", or "there are no viruses for Linux". That was always a risky line to play, as it was only really relevant when Linux was small and entirely populated by extremely competent people.

    That said, this has to be the coolest worm ever! No way! I mean, it actually has like a hive mind. I wonder if it has a queen?

    • by Subcarrier ( 262294 ) on Sunday September 15, 2002 @01:01PM (#4261132)
      That said, this has to be the coolest worm ever! No way! I mean, it actually has like a hive mind. I wonder if it has a queen?

      No, probably not a queen. But it might be a pimple-faced prince, lurking somewhere in his parents' basement.
      • No, probably not a queen. But it might be a pimple-faced prince, lurking somewhere in his parents' basement.

        That pimple-faced prince might still be a queen. You know -- the kind that dresses in women's clothing and keeps people in deep pits in their basement while exclaiming things like "It puts the lotion on its skin!"

  • I don't like... (Score:5, Insightful)

    by GearheadX ( 414240 ) on Sunday September 15, 2002 @12:42PM (#4261043)
    The idea of calling this a 'rogue peer-to-peer network' .. They didn't call it a P2P network when all those Windows exploits were bringing the net to its knees in noise, why start calling a similar bug that now?

    Newspeak...

    I'm sorry, but sometimes 'Crimethink' isn't the whole story.
    • Re:I don't like... (Score:2, Insightful)

      by semaj ( 172655 )
      The idea of calling this a 'rogue peer-to-peer network' .. They didn't call it a P2P network when all those Windows exploits were bringing the net to its knees in noise, why start calling a similar bug that now?

      Because this worm creates a virtual network for itself, and individual machines can send messages to others on the virtual network, with commands or messages.
    • Re:I don't like... (Score:4, Insightful)

      by Clue4All ( 580842 ) on Sunday September 15, 2002 @12:54PM (#4261098) Homepage
      They didn't call it a P2P network when all those Windows exploits were bringing the net to its knees in noise, why start calling a similar bug that now?

      How about because neither Nimda nor Code Red were peer to peer networks, they just attacked nearby subnets indiscriminately. This creates a peer to peer network that an attacker can harness to DOS machines.
    • Re:I don't like... (Score:5, Informative)

      by AltismoMaster ( 569463 ) on Sunday September 15, 2002 @01:22PM (#4261218)
      Duh, well maybe because it actually says peer to peer... Here are the comments in the source code (found at incidents.org [incidents.org]):
      Peer-to-peer UDP Distributed Denial of Service (PUD)
      by contem@efnet

      Virtually connects computers via the udp protocol on the
      specified port. Uses a newly created peer-to-peer protocol that
      incorperates uses on unstable or dead computers. The program is
      ran with the parameters of another ip on the virtual network. If
      running on the first computer, run with the ip 127.0.0.1 or some
      other type of local address. Ex:

      Computer A: ./program 127.0.0.1
      Computer B: ./program Computer_A
      Computer C: ./program Computer_A
      Computer D: ./program Computer_C

      Any form of that will work. The linking process works by
      giving each computer the list of avaliable computers, then
      using a technique called broadcast segmentation combined with TCP
      like functionality to insure that another computer on the network
      receives the broadcast packet, segments it again and recreates
      the packet to send to other hosts. That technique can be used to
      support over 16 million simutaniously connected computers.

      Thanks to ensane and st for donating shells and test beds
      for this program. And for the admins who removed me because I
      was testing this program (you know who you are) need to watch
      their backs.

      I am not responsible for any harm caused by this program!
      I made this program to demonstrate peer-to-peer communication and
      should not be used in real life. It is an education program that
      should never even be ran at all, nor used in any way, shape or
      form. It is not the authors fault if it was used for any purposes
      other than educational.

      • Re:I don't like... (Score:3, Insightful)

        by GearheadX ( 414240 )
        Now this is a depressing bit of source code commentary... If it was supposed to be 'educational' he should have been operating in a network removed from any external connections.

        Words.

        Deeds.

        Ah well. People are like stars. There are some that are bright and then there are those that are dim.
        • Now this is a depressing bit of source code commentary... If it was supposed to be 'educational' he should have been operating in a network removed from any external connections.

          The person who wrote that comment and the person who added the exploit code are not necessarily the same.
      • Copyright 2002, Microsoft Corporation.

        Well, not really, but it all has a Microsoft stink to it. Buzzwords like "peer to peer" used to describe computers that simply broadcast a huge list, if indeed the list is not centralized. The term admins. Using UDP [pcwebopaedia.com] for TCP [pcwebopaedia.com], the dude is a moron.

        The purported author is a liar and the comments should be ignored. They tell "admins" who removed the author to watch their backs, then claim the program is for educational purposes and should never be "ran at all". Yeah right.

        Thank you CNET for naming peer to peer, Apache and Linux. Looks like all the criticism about not naming Microsoft operating systems and specific Microsoft applications as the weaknesses exploited has sunk in. For this article two of the three things CNet wishes to bash are in the headline! Nice work CNet, keep being direct like that and you might gain some credibility - not really!

  • The Difference.... (Score:5, Insightful)

    by the eric conspiracy ( 20178 ) on Sunday September 15, 2002 @12:49PM (#4261072)
    Seems it is true...the security of your web server depends on how effective you are at keeping up to date on patches, no matter if you are running Windows or Linux.

    I'd agree with that statement - the difference being that with the Windows patch you may need to restart your server (bad), and you may have to swallow a new EULA (could be VERY bad).

    • by twitter ( 104583 ) on Sunday September 15, 2002 @03:48PM (#4261795) Homepage Journal
      The other small difference between Windows and Linux as operating systems: the one hundred billion other exploits that all M$ boxes have in software that should not be running on a server, can't be removed from the server, and show up as headlines every freaking month. Why, pray tell, should a server run a GUI or a browser ALL THE TIME? I know, it's a small difference that the average user might not notice in terms of privacy, stability and security. That would be because the average user does not run a stable, secure and privacy-protecting operating system and has no idea of what it would be like to not be asked by tech support, "have you tried rebooting your computer?"

      By the way, who says this attack won't affect Apache on Windows, Sun, True Unix, etc?

      "You looked at your network settings, you should reboot your computer now."

  • Attack filter list (Score:4, Interesting)

    by inkfox ( 580440 ) on Sunday September 15, 2002 @12:50PM (#4261082) Homepage
    You can get a current list of the top C networks which are participating in attacks of various sorts from dshield.org [dshield.org]. Depending on your application, it may be advantageous to just add a cron job which grabs this and feeds it to your firewall rules, hosts.deny or access control lists.
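A concrete form of the cron job suggested above, as an added example (not inkfox's script and not affiliated with dshield.org): it turns a downloaded block list into iptables rules in a dedicated chain, so a refresh flushes and refills only that chain and the rest of the firewall is never touched. The feed format is an assumption, one network per line with the IPv4 address or CIDR block in the first field and '#' comment lines, and the sample input is constructed. Validation is the point: whatever the feed contains, only syntactically valid networks ever reach iptables, so a malformed or tampered download cannot inject anything else into the command line.

```shell
#!/bin/sh
# Added example (not from the thread): turn a downloaded list of hostile
# networks into iptables rules in a dedicated chain, so the list can be
# refreshed from cron by flushing and refilling that one chain.
# Input format (an ASSUMPTION about the feed; check the real file first):
#   one network per line, first whitespace-separated field is an IPv4
#   address or CIDR block, '#' lines and blank lines are ignored.

CHAIN="${CHAIN:-BLOCKLIST}"
IPT="${IPT:-iptables}"

# Constructed sample feed, not real dshield data.
SAMPLE_FEED='# constructed sample lines, not a real feed
# network        attacks  name
10.0.0.0/24      1402     example-netblock-a
192.0.2.0/24     877      example-netblock-b
203.0.113.7      12       single-host
not-an-address   0        garbage
999.1.1.0/24     3        out-of-range-octet
'

# Keep only syntactically valid IPv4 networks from stdin, one per line.
# Comments, headers, bad octets and bad prefix lengths are dropped and
# never reach iptables.
valid_networks() {
    awk '!/^[[:space:]]*#/ && NF { print $1 }' |
    grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' |
    awk -F'[./]' '$1<256 && $2<256 && $3<256 && $4<256 && (NF==4 || $5<=32)'
}

# Emit the iptables commands for the networks on stdin. The chain is
# (re)created and hooked into INPUT, then filled with "-s net -j DROP".
# -N fails harmlessly if the chain exists; -D/-I keep exactly one jump.
blocklist_rules() {
    echo "$IPT -N $CHAIN 2>/dev/null || true"
    echo "$IPT -D INPUT -j $CHAIN 2>/dev/null || true"
    echo "$IPT -I INPUT -j $CHAIN"
    echo "$IPT -F $CHAIN"
    valid_networks | while read -r net; do
        echo "$IPT -A $CHAIN -s $net -j DROP"
    done
}

# Review:  curl -s "$FEED_URL" | blocklist_rules
# Apply:   curl -s "$FEED_URL" | blocklist_rules | sh -e     (from cron)
# Stand-alone demo on the constructed sample:
case "$0" in *blocklist.sh) printf '%s' "$SAMPLE_FEED" | blocklist_rules ;; esac
```

Print the rules first and apply only what you have read. Remember the availability side as well: a public list can contain your own customers or upstreams, so check the rule count and spot-check entries before letting cron apply it unattended.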
  • Today's software is too complex to be comprehended by the human mind in all its permutation of states. Add in network effects when this software runs alongside other software, and on multiple machines, and the following conversation will always be accurate:

    Question: Does software package XYZ contain show-stopping security holes?

    Answer: Yes.

    Throw in clueless admins, and you've got a big barrel of fun. Open source can't help you here.

    This doesn't mean that open-source software isn't better for other reasons, but I've always shied away from saying open-source is more secure because I don't believe any piece of software is truly secure these days. So what if IIS has ten root holes and Apache has one (hypothetically)? You're still insecure.

    Anyway, why are they calling it a P2P attack network? Aren't ALL worms peer-to-peer??? I don't remember Code Red checking in to an "attack server" before connecting to other IP addresses.

  • by Scrameustache ( 459504 ) on Sunday September 15, 2002 @12:57PM (#4261114) Homepage Journal
    Don't say "free pot" if you don't mean it!

    : (
  • First of all this is kind of a repeat but anyway...
    NOTE: These instructions are for all current and recent Symantec antivirus products, including the Symantec AntiVirus and Norton AntiVirus product lines.

    1. Update the virus definitions.
    2. Run a full system scan, and delete all files that are detected as Linux.Slapper.Worm.


    I wasn't aware there was a Norton anti-virus program for Linux. I could be wrong but I checked around their site and Google and found nothing. Those really aren't great removal tips. However I very much agree with their little 8 step or whatever program. About making people aware of attachments, running extra services, etc.
  • ...and I'm being quite serious... I think this is created by the **IA and pushed by the press as a "P2P Horror". Why wouldn't they spend a few $$$ to have some blackhats code this up?

    Now world+dog knows about the terror-istic "P2P" and "Linux." Horror of horrors! This is the exact kind of terror that Palladium would fix! Just think, right now in the world are millions of boxen, and their users are in full control to do as they please! Shock! Horror!

    But you think the press would report on this openly and honestly, and would not be bought by the **IA? Really? So Time and Newsweek (AOL-TimeWarner), MSNBC (Micro$oft)... yeah, real OPEN reporting. More news on how the world works: whoever buys the most expensive advertising in your magazine gets the best bits of news and controls it. Look at PC Ragazine... whoever gets the glossy inside cover advert (usually Dell boxen or NEC monitors) always gets "Editor's Choice".

    • Yeah, they went to all this trouble so CNET could call this P2P and a couple thousand cnet readers could maybe somehow form a tie in their minds, there is no possible way this is a worm just like dozens of other worms people have written.
      • I don't want to sound like a "Black helicopters follow me everywhere!" kinda guy, it's just that the **IA for sure have a PR machine with millions behind it, with the aim of protecting BILLIONS. Napster, Aimster, et al. are dead. Decentralized P2P is the next big target. If they can't stop it at the company level (Napster, Aimster) they will try to stop the people with the pipes (Verizon, providers et al.). Doesn't every bit of press help? No, their goal is not to get one CNet article out. But time and again, putting anything akin to "P2P=Terrorism" over the AP newswire will help them in their goal.

  • How can you tell if your box has been hit with this?

    If yes, how do you clean it up?
  • Keeping up on patches is one thing. A very important thing. More important however is correctly configuring everything. Microsoft has a handy program called baseline that is free and automatically checks out your windows system for mis-configurations that cause security holes. For example having guest accounts or mis-configured sharing on certain folders.
    I know a lot of you people like to bash windows as being insecure or unstable. But I can't tell you how many times people have come to me and showed me problems with windows boxen that were simply misconfigurations. My win2k box (that I'm using right now) might be old and slow, but it's a rock. Configuration is key. Especially all the hidden options in deep down dialog boxes.

    Nothing, not even the best linux, is secure out of the box.
  • I might be a Linux advocate, but this is the real question... Does it affect Apache for Windows and other platforms? Perhaps the media is immediately associating Apache with Linux- something that it is not really even part of.

    I would suspect that the worm would possibly affect the ports too. Does anyone have any info on that?
    • The advisory mentions that the worm compiles code on the infected machine. Since the executable will need to be a Linux one, I would guess that the worm can only infect linux machines.

    • > I might be a Linux advocate,

      Hello. I'm a cross-platform advocate. Now that we've got _that_
      settled...

      > but this is the real question... Does it affect Apache for
      > Windows and other platforms? Perhaps the media is immediately
      > associating Apache with Linux- something that it is not really
      > even part of.

      The slapper worm appears to specifically look for Linux systems
      running Apache, or so the article seems to indicate, but the
      vulnerability (which was covered on /. a while back IIRC) is in
      OpenSSL, if I understand correctly. So it does affect other
      systems than just Linux, but not most Windows systems. (With
      Cygwin, it is possible to run an OpenSSL server on Windows, but
      that's another can of worms.)

      > I would suspect that the worm would possibly affect the ports
      > too. Does anyone have any info on that?

      Whether Slapper does or (more likely) doesn't, the vulnerability
      that makes the worm _possible_ is an issue for any system that
      uses OpenSSL. Therefore, if you use OpenSSL on a system that
      has secure ports open to the internet, you should either patch
      it or upgrade it. Known vulnerabilities should be fixed, whether
      or not there's an exploit in the wild. That's basic security
      practice, right up there with turning off unused services.

      Didn't Apple release a security update for 10.1.5 that fixes
      the OpenSSL issue? Or was that the OpenSSH issue? Or was it
      the same issue? I'm confused now...
  • so it's allegedly talking on UDP port 2002 with the other nodes.

    so you do, of course, have a firewall that blocks everything but the few ports you need.

    you don't? what the fuck are you doing on the 'net?
    careless driving is illegal. careless server administration should probably be, too.
    • Umm... doesn't this depend on how the communication is initiated? E.g. my firewall prevents me from hosting UT games, unless I open up specific ports for it - but I can play UT over the net with anyone without opening up anything special.

      If the worm talks on UDP port 2002 only after doing some sort of initial setup through a commonly open port (like port 80), wouldn't that be possible with most people's firewall config?
  • The SecurityResponse article mentions that for SuSE distributions, the following are affected:

    Apache 1.3.12, 1.3.17, 1.3.19, 1.3.20, 1.3.23

    I just checked my version of Apache for SuSE 7.3, and it's 1.3.20-60.

    I know that distributions tend to release their own versions of things with important patches included, but other than digging into the release notes for apache for a while till I can find the answer I need, is there any way to know whether the "-60" addresses this problem?

    Or, as another option, might there be anything that accurately TESTS for this weakness and provides a result?

    Keeping up with patches is good! Being able to accurately TEST the security of the compromised code after those patches are applied is better.

    • You're running a version of Apache that has had a known hole for months now. 1.3.26 is the version you should be up to right now. The -60 afterwards is just a packaging number in case they release a different build of that software (there were 59 other ones built by them before they got to one they liked). To test vulnerability, go get the exploit (almost always a proof-of-concept exists) and attack yourself with it. Be sure to check your SSL version if you're running SSL on there as well.

      And yes, keeping up with patches is good. You should try to practice it. Also, subscribe to BugTraq.

      • by GigsVT ( 208848 ) on Sunday September 15, 2002 @01:48PM (#4261337) Journal
        You are full of shit. Distros roll patches and bugfixes back into the stable and tested version, and release a new -subversion. Try using a modern distro sometime. I can't believe you flamed that guy, out of your own ignorance.

        openssl-0.9.6b-28 is the current red hat version, and it is fully fixed.

        It even shows the old version if you run openssl version:
        OpenSSL 0.9.6b [engine] 9 Jul 2001

        It is, however completely patched, and came out in early August.

        Modern distros value stability in current releases, and will not upgrade to the latest version just to get a bugfix. This is the value they add, you don't have to worry about a security patch breaking some critical functionality. /me puts the cluestick back in its holster.
  • Further Info (Score:5, Informative)

    by cr@ckwhore ( 165454 ) on Sunday September 15, 2002 @01:19PM (#4261201) Homepage
    The worm exploits OpenSSL via http port 80. The exploit writes C source files to /tmp, I believe the program is named bugtraq.c. Then, the exploit compiles the program into a hidden binary /tmp/.bugtraq which is executed.

    Once the program is running, it accepts commands on UDP port 2002.

    Simple solution, so your bandwidth won't be exploited for a DDOS, block UDP port 2002.

    The worm can be used for multiple purposes, including execution of arbitrary commands on your machine, various flood attacks, etc.

    You need to patch your machine, before a more dangerous worm comes along. If you can't patch right away, at least block UDP port 2002.

    Additionally, your /tmp (if located on a separate partition) should be mounted noexec.
  • It's interesting to follow the development of viruses. First came the plain old viruses that used warez to spread (yes, they infected other apps too.. but warez was the major distribution channel). There were all kinds of viruses, those that played songs at certain times or made your screen do funny things, most of them harmless in many ways.

    Then came the time of harmful viruses, the ones that formatted your HD on certain event.

    Then came the time of the internet, and worms came. Worms spread through different holes in machines, mostly e-mail readers. (everyone had them.. most of them had holes.. tsk tsk..)

    The worms themselves evolved in many ways; some became DDOS tools, others just spread. Most of them were a pain anyways, as they affected more than the people with buggy software.

    Oh well, it's a challenge to write a worm/virus that can spread without anyone noticing it before it's too late. Believe me, we have thought it over and over.. tried to think of a method to spread, one without any way of backtracking the worm, allowing the worm to spread with different methods, through different holes and allowing the creator of the worm to update copies of the worm while it's spreading. Interesting thought to play around with.
  • by Oliver Defacszio ( 550941 ) on Sunday September 15, 2002 @01:28PM (#4261243)
    Should we immediately start referring to Linux (et al) as an easy touch for these worms? This is now two serious vulnerabilities in the last three days. Sure, there are fixes available, but there are also fixes quickly available for similar Windows holes and, yet, when "sysadmins" don't apply them, everyone blames Microsoft. So, that means Linux sucks too, right?

    Let's face some facts, there are probably more "forgotten" Linux servers than Windows ones, simply because Linux can run unattended for months at a time and Windows cannot. Making the reasonable assumption that a sizable number of these neglected machines will not be fixed, suddenly Linux and OSS looks no better than the Windows machines that are still infected with Nimda or something similar because no one has been bothered to apply patches.

    I await your wrath for being reasonable.

    • by shepd ( 155729 ) on Sunday September 15, 2002 @02:04PM (#4261400) Homepage Journal
      >So, that means Linux sucks too, right?

      No, Linus didn't make Apache or the OpenSSL library (the real problem).

      If anyone deserves the blame for this, it's the OpenSSL team [openssl.org] themselves (and I would hedge a bet more of them work for BSD rather than Linux, just by the license). They caused the vulnerability. One would think that a team of programmers who are trying to create a set of high-security tools wouldn't _ever_ have a buffer overflow. That's the kind of mistake a green programmer like myself would make.

      The fact is people blame Microsoft for Nimda because Microsoft made the vulnerable IIS webserver. Blame went where blame was due.

      So, anyways, blame the right people. Microsoft for IIS, OpenSSL team for OpenSSL.
      • One would think that a team of programmers who are trying to create a set of high-security tools wouldn't _ever_ have a buffer overflow.

        It seems to me that it has been thoroughly proven that programmers are incapable of handling memory management on their own. The number of problems that buffer overflows, memory leaks, and other such problems have caused is staggering. I don't care how great you think you are, you shouldn't be doing your own memory management. Given enough time you'll fuck something up.

  • Guess I'll have to migrate AGAIN, back to IIS!
  • by b1t r0t ( 216468 )
    I think it should be important to mention if this is an X86-only exploit. Open source software isn't the answer to this kind of problem. CPU diversity is at least as important. If you were a script kiddie, would you rather write shellcode for one heavily used CPU architecture, or half a dozen CPU architectures?

    Right now, almost all (non-script language) viruses are for X86. Most root exploits are for X86, with a few more for SPARC.

    I had two boxes get rooted last year thanks to bugs in SSH, but I doubt it will happen again after I replace them with Macs running OS X. But I am glad I never got around to installing OpenSSL with Apache.

  • Self Destruct (Score:5, Interesting)

    by devnullkac ( 223246 ) on Sunday September 15, 2002 @02:50PM (#4261574) Homepage

    Another evil plan with a big red Self Destruct button: one of the supported remote instructions for the network is "run a command" (0x24). All you have to do is find an entry point and command it to killall -9 .bugtraq and the command will propagate through the network, killing itself. Doesn't keep it from regenerating on the original https vulnerability vector, but we could perhaps slow down the DDoS attacks.

  • But, in the long run, you really need to upgrade OpenSSL.

    Anyway:

    su -
    cd /tmp
    ls -a .bugtraq*

    If there is anything in your /tmp directory named .bugtraq.c and you didn't put it there, it's too late, you're rooted. Time to unplug the network cable...

    If you haven't been compromised yet:

    touch /tmp/.bugtraq.c
    chmod 000 /tmp/.bugtraq.c
    chown root.root /tmp/.bugtraq.c

    then...

    which gcc
    and, chmod 700 that file.

    This means that normal users will not be able to compile c code. If this is unacceptable, you can undo it after you get OpenSSL up to date.
    • If there is anything in your /tmp directory named .bugtraq.c and you didn't put it there, it's too late, you're rooted. Time to unplug the network cable...

      I didn't see this described as a root exploit. Did I miss something?
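The "Further Info" post (block UDP 2002, mount /tmp noexec) and the post above (look for .bugtraq files in /tmp, plant a root-owned mode-000 decoy) can be turned into one read-only host check. This is an added example, not code from either poster; it assumes Linux-style netstat and /proc/mounts output and takes its inputs as parameters so it can be tried on constructed data before a real host.

```shell
#!/bin/sh
# Added example, not code from the thread: read-only checks for the Slapper
# indicators the posts name (/tmp/.bugtraq.c, /tmp/.bugtraq, a UDP 2002
# listener, /tmp noexec), with inputs passed in so they can be tried offline.

# slapper_tmp_check DIR: 0 if DIR shows no sign of the worm, 1 otherwise.
# A root-owned, mode-000 .bugtraq.c is the decoy the post recommends and is
# not counted; any other .bugtraq or .bugtraq.c file is reported.
slapper_tmp_check() {
    dir=$1; rc=0
    if [ -e "$dir/.bugtraq" ]; then
        echo "SUSPECT: $dir/.bugtraq present (name of the compiled worm)"; rc=1
    fi
    if [ -e "$dir/.bugtraq.c" ]; then
        # ls -ln is POSIX: field 1 = mode string, field 3 = numeric uid
        set -- $(ls -ln "$dir/.bugtraq.c")
        case "$1 $3" in
            ----------*' 0') echo "OK: $dir/.bugtraq.c is the root-owned mode-000 decoy" ;;
            *) echo "SUSPECT: $dir/.bugtraq.c present (mode $1, uid $3)"; rc=1 ;;
        esac
    fi
    return $rc
}

# slapper_udp_check FILE: FILE holds "netstat -anu" style lines; 0 if no UDP
# socket is bound to port 2002 (the worm's command port), 1 if one is.
slapper_udp_check() {
    if awk '$1 ~ /^udp/ && $4 ~ /:2002$/ { f = 1 } END { exit !f }' "$1"; then
        echo "SUSPECT: UDP port 2002 is bound"; return 1
    fi
    return 0
}

# tmp_noexec_check FILE: FILE holds /proc/mounts style lines; 0 if /tmp is
# its own mount carrying noexec, 1 otherwise.
tmp_noexec_check() {
    awk '$2 == "/tmp" { n = split($4, o, ","); for (i = 1; i <= n; i++)
         if (o[i] == "noexec") ok = 1 } END { exit !ok }' "$1"
}

# Stand-alone run on constructed data (not a real host): a mode-000 decoy owned
# by the current user, a netstat line with UDP 2002 bound, /tmp without noexec.
d=$(mktemp -d)
: > "$d/.bugtraq.c"; chmod 000 "$d/.bugtraq.c"
printf 'udp        0      0 0.0.0.0:2002            0.0.0.0:*\n' > "$d/netstat.txt"
printf '/dev/sda3 /tmp ext3 rw,nosuid 0 0\n' > "$d/mounts.txt"
slapper_tmp_check "$d" || :
slapper_udp_check "$d/netstat.txt" || :
tmp_noexec_check "$d/mounts.txt" && echo "OK: /tmp noexec" || echo "WARN: /tmp not noexec"
rm -rf "$d"
```

Unlike the post's `chmod 700` on gcc, none of this changes the host; it only reports, and a decoy you did not create yourself still counts as a hit.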

  • Anyone else find it somewhat ironic that the URL for this article about a linux worm is msn-cnet.com? Don't get me wrong, I love linux more than windows....I just found that kinda funny...heh
  • How Come? (Score:3, Interesting)

    by hooded1 ( 89250 ) on Sunday September 15, 2002 @03:31PM (#4261735) Homepage
    How come when there is a worm or virus on Windows it is because Microsoft is grossly negligent and has no understanding of security, yet when there is a linux worm it is because of no fault of the developers but instead the fault of the 'lazy' sys admins whose machines became infected. This is flamebait, but it would be nice to have some standards on slashdot.
