I've been trying to locate this/these articles
|
Author | Content |
---|---|
tracyanne Jan 23, 2008 11:25 PM EDT |
My boss mentioned this to me the other day, and like the cat that got the cream (he's a Windows/IIS diehard) mentioned that it was Apache web servers that were the vector. Thanks for posting this, it make interesting and rather scary reading. |
Bob_Robertson Jan 24, 2008 6:42 AM EDT |
From the articles, the Apache vulnerabilities used are very limited: Known (somehow!) user/pass combinations and dynamic module loading. Not even root-kits on the Apache servers! Fascinating. It hadn't even occurred to me that it might be being done to discredit F/OSS, since the end-target vulnerabilities are all Windows. If this is as good as a mass Linux attack can get, I'm very happy. Now, how about Apache quickly making dynamic loading _not_ the default, and convincing these administrators to change all their passwords? |
NoDough Jan 24, 2008 9:37 AM EDT |
> Known (somehow!) user/pass combinations... Usually that means somebody didn't bother changing the default. |
Bob_Robertson Jan 24, 2008 10:15 AM EDT |
> Usually that means somebody didn't bother changing the default. First thing I do on any machine, remove FTP and telnet, RPC and every other such thing I can find, then enable only SSH. SSH has file transfer just as good as FTP, it's cross platform and F/OSS available for everything, no reason to use passwords or even standard ports. Oh well. "Security Is Inconvenient." |
herzeleid Jan 24, 2008 10:24 AM EDT |
> Usually that means somebody didn't bother changing the default. What default? By default the account passwords are disabled on any distro I've seen. There is something fishy about this so-called report. Too much missing information, too vague about the details. > First thing I do on any machine, remove FTP and telnet, RPC and every other such thing I can find, then enable only SSH. Ouch. an nfs or nis server without rpc is going to be sort of crippled ;) Hey, just kidding, maybe you don't need a server. In any case, I just use firewall rules to protect access to such services. Actually I don't even enable telnet, no need for that sort of thing in this millennium. |
azerthoth Jan 24, 2008 10:39 AM EDT |
Personally I'd like to see a little more info on the cpanel connection, since 100% of the compromised systems reviewed according to the article were all running it. It may not actually be cpanel but it is common to all. Not knocking cpanel, I have used it and like it, especially with the php mysql plugin (cant remember the name off the top of my head). |
NoDough Jan 24, 2008 11:21 AM EDT |
> What default? By default the account passwords are disabled on any distro I've seen. In the distro, yes. But what about in the handy-dandy packages that install 40 different pieces of software to give you a working widget? Mind you, I don't know this is the case. I'm guessing. But based on past experience I think it's a pretty good guess. Anyone know if cpanel is this way? |
Sander_Marechal Jan 24, 2008 1:04 PM EDT |
I spent some time reading the various forums on this. Looks like this has been roaming since mid november at least. There is a rootkit, a linux kernel module that rewrites anything that comes out of apache to add the IE exploits and that remembers IP addresses of visitors it already served the exploit so it doesn;t server someone twice. It's stored somewhere in the kernel as well. The problem isn't the rootkit. The problem is how they got the rootkit on the machines in the first place. |
tuxchick Jan 24, 2008 1:56 PM EDT |
wow tracyanne, how lucky you are to have such a mature, reasonable boss. Sheesh. I guess he missed the part where Apache is merely the vector, and Windows and Windows apps are the targets. Oh, and how Linux in general is still about a million exploits behind windoze :) |
herzeleid Jan 24, 2008 2:33 PM EDT |
Quoting: There is a rootkit, a linux kernel module that rewrites anything that comes out of apache to add the IE exploits and that remembers IP addresses of visitors it already served the exploit so it doesn;t server someone twice. It's stored somewhere in the kernel as well.This is news - everything I'd read so far sounds like maybe default cpanel passwords were used to gain access to hosted linux servers, nothing more. Do you have any URLs with more information about this supposed rootkit? |
Sander_Marechal Jan 24, 2008 2:50 PM EDT |
This thread on WebHostingTalk: http://www.webhostingtalk.com/showthread.php?t=651748 There's some other good info in the comments on El Reg: http://www.theregister.co.uk/2008/01/11/mysterious_web_infec... There's more links leading away from those two. The rootkit writes the IP addresses of visitors to /dev/kmem which is usually writable in default kernel configurations. A quick way to stop this thing is to compile a monolitic kernel (no mocule loading) and prevent writing to /dev/kmem by using grsec: http://www.grsecurity.net/ After that, monitor the kernel and watch for failed module loads. |
herzeleid Jan 24, 2008 3:19 PM EDT |
hmm still inconclusive - I read some speculation about kernel modules and /dev/kmem but have seen nothing so far that requires super-user access - and nothing that can't be accounted for if a bad guy were simply to log into cpanel with a stolen password, and load a clever custom apache module which then serves up the attacks. |
Sander_Marechal Jan 24, 2008 10:14 PM EDT |
AFACT from the threads, they didn't find any apache module on the effected servers. Only a kernel module. |
tracyanne Jan 25, 2008 3:58 AM EDT |
Quoting:wow tracyanne, how lucky you are to have such a mature, reasonable boss. No no no, I'm the unreasonable immature fanatical one.... I like Linux. He does however hope that the "Linux People" don't try to sweep this under the carpet, like Microsoft so unfairly gets accused of doing. |
techiem2 Jan 25, 2008 7:49 AM EDT |
Heh...I wonder if you could compile a list of current unpatched exploits for Apache vs IIS.... That might be interesting. I mean..it's one thing to have an exploit that requires a kernel module (and thus most likely root privs), it's another to have an exploit that allows you to do the same thing by say sending a bad url to the server or some such... |
herzeleid Jan 25, 2008 12:41 PM EDT |
> AFACT from the threads, they didn't find any apache module on the effected servers. Only a kernel module. It seems odd that they would implement that apache-specific functionality at such a low level - but then again, maybe that functionality is complex enough that it made more sense to do it in the kernel. Like you said, the exploit in and of itself, if it is a kernel module, shows what we already knew: that the super user can load modules to do all sorts of clever tricks with the linux kernel - the real question is how the bad guys got root. I still suspect a default cpanel password, or something of the sort, meaning there was no remote root exploit, only what amounts to a stolen password. |
Sander_Marechal Jan 26, 2008 3:52 AM EDT |
That's possible but not very likely. The WHT thread stated that many of the servers that were rootkitted were shared hosting servers from big name webhosters. I find it unlikely that a major hoster would leave his cpanel open to such an attack, although my latest "adventures" with ipower and ipowerweb made it painfully clear just how dumb they can be. That said, such shared servers are a *very* attractive target to crackers. Load in one rootkit and you've just infected 300+ websites to dole out your IE malware. It's entirely possible that such large webhosters don't keep up with the latest version of everything on their rather large server park. They may have had local priviledge exploits that are already fixed. |
Posting in this forum is limited to members of the group: [ForumMods, SITEADMINS, MEMBERS.]
Becoming a member of LXer is easy and free. Join Us!