
Speedy Attack Targets Web Servers With Outdated Linux Kernels

Soulskill posted about 7 months ago | from the update-your-junk dept.

Security 93

alphadogg writes "Web servers running a long-outdated version of the Linux kernel were attacked with dramatic speed over two days last week, according to Cisco Systems. All the affected servers were running the 2.6 version, first released in December 2003. 'When attackers discover a vulnerability in the system, they can exploit it at their whim without fear of it being remedied,' Cisco said. After the Web server has been compromised, the attackers slip in a line of JavaScript to other JavaScript files within the website. That code bounces the website's visitors to a second compromised host. 'The two-stage process allows attackers to serve up a variety of malicious content to the visitor,' according to Cisco."


No Details (4, Insightful)

OverlordQ (264228) | about 7 months ago | (#46545951)

So the webserver was compromised and JavaScript was inserted and their first thought is it's the kernel?

Re:No Details (2)

jythie (914043) | about 7 months ago | (#46545973)

It would have been nice if they at least said WHICH kernel versions, or which web server, or which version of web server.

I admit, I have some fairly obsolete (and difficult to upgrade) linux boxes running in my lab, this is the kind of detail I would kinda like to know....

Re:No Details (1)

Anonymous Coward | about 7 months ago | (#46546137)

All Redhat/CentOS versions plus nearly 100% of linux-based routers run 2.6

Re:No Details (1)

93 Escort Wagon (326346) | about 7 months ago | (#46546179)

Red Hat's version numbers may or may not be relevant when you're trying to find out whether your kernel is vulnerable. Red Hat back ports a lot of security fixes, but doesn't change the kernel number.

Worse than No Details: (5, Informative)

Penguinisto (415985) | about 7 months ago | (#46546649)

It gets worse (or IMHO, less competent):

Author Comment FTFA (bottom of page - emphasis mine):

"We haven’t identified the initial attack vector. We have no reason to suspect that the attack isn’t via http. I’d be very interested to hear from any affected sys admins if they identify how the attackers gain access."

In other words, they don't even know if it's the effing kernel at this point - all they know is that 2,000 some-odd websites have been bit, and they all use the absolute most common kernel version for webservers on the planet (2.6.x).

Hell, for all we know it could be some commonly-shared crappy PHP script getting popped. :/

Re:Worse than No Details: (1)

Nimey (114278) | about 7 months ago | (#46547981)

In other words, the article is content-free clickbait.

Re:Worse than No Details: (2)

Barsteward (969998) | about 7 months ago | (#46549687)

Correct. Here is a good analysis of the stupid report http://www.whitefirdesign.com/... [whitefirdesign.com]

Re:No Details (1)

gweihir (88907) | about 7 months ago | (#46549733)

2.6.32.61 is a currently supported longterm kernel release from kernel.org.

Re:No Details (2)

Barsteward (969998) | about 7 months ago | (#46550025)

Don't worry, it's a crap report with no real analysis.
Here is a short list of some of the actual compromised sites from the WhiteFir analysis report:
Compromised Websites

archive.mrpools.co.uk Windows Server 2003
blueprintbowling.com Windows Server 2008 R2
hwy65mx.com Windows Server 2003
jandjpoolspa.com Windows Server 2003
mussotra.com Windows Server 2003

Second Compromised Websites

3d2print.eu FreeBSD
7va.cc Windows Server 2008 R2
babycaust.info Windows Server 2008
banderil.com.ar Windows Server 2008 R2
c2consultores.com.ar Windows Server 2008 R2

Re:No Details (1)

gweihir (88907) | about 7 months ago | (#46551823)

Thanks, that does not look like an OS issue at all with that FreeBSD machine in there.

Re:No Details (1)

markdavis (642305) | about 7 months ago | (#46545977)

Yeah, the article is extremely uninformative. They say 2.6 and yet RHEL/CENTOS 6.5 are 2.6... so that means nothing as far as being "old" or "outdated".

More likely to be an Apache vulnerability, but who knows. Maybe some other article could shed some light on it.

Re:No Details (-1, Troll)

wolrahnaes (632574) | about 7 months ago | (#46546109)

Yeah, the article is extremely uninformative. They say 2.6 and yet RHEL/CENTOS 6.5 are 2.6... so that means nothing as far as being "old" or "outdated".

Well it sort of does. RHEL is intentionally outdated because that's what their market wants. It's stupid, I know, but there are a lot of people out there who still really want a world where software never updates so the hacked together shit that runs their business can keep running rather than doing it right.

Re:No Details (4, Insightful)

X0563511 (793323) | about 7 months ago | (#46546145)

You clearly don't understand the lifecycle of a production OS.

Re:No Details (3, Insightful)

Penguinisto (415985) | about 7 months ago | (#46546659)

You clearly don't understand the lifecycle of a production OS.

...nor does he understand the concept of back-porting patches, apparently.

Re:No Details (3, Insightful)

markdavis (642305) | about 7 months ago | (#46547327)

You clearly don't understand what it means to run real-world business IT infrastructure. Just because something is older doesn't mean it is "outdated" or "insecure". RHEL/CentOS update the packages for a long time, making them relevant and still secure through backporting and patches.

Sometimes stability and reliability are far more important and efficient than constantly ripping everything out and starting over again every year or two. Besides, the more bleeding-edge distros like Fedora and Ubuntu and Mint are more likely to have NEW security holes with less manpower behind them to fix them quickly.

There is a reason that RHEL and CentOS are so popular for servers and "utility" boxes.

Re:No Details (1)

markdavis (642305) | about 7 months ago | (#46549075)

Replying to self - my message above was in response to wolrahnaes, not X0563511.

For some reason, the indenting on Slashdot on this thread is broken. Sorry about that.

Re:No Details (1)

X0563511 (793323) | about 7 months ago | (#46562635)

We all love to hate when that happens!

Re:No Details (2, Insightful)

Anonymous Coward | about 7 months ago | (#46546225)

Yeah, the article is extremely uninformative. They say 2.6 and yet RHEL/CENTOS 6.5 are 2.6... so that means nothing as far as being "old" or "outdated".

Well it sort of does. RHEL is intentionally outdated because that's what their market wants. It's stupid, I know, but there are a lot of people out there who still really want a world where software never updates so the hacked together shit that runs their business can keep running rather than doing it right.

"Doing it right" includes not "upgrading" things that aren't broke, or "just cuz".

The idea is to split "change for the sake of change" and "change for stability and security reasons" into separate buckets.

You don't rip out all the "old" appliances in your house each time a newer one comes out do you? You'd cause more damage moving things around then you'd gain from the new features trickling in. You fix them in place until the cost to do so is more than buying a newer one. That's just common sense. "Upgrading" software is in no way free, when you actually need it to work.

Re:No Details (4, Insightful)

number6x (626555) | about 7 months ago | (#46546237)

Age of the code and the level of patches are two different things

Older code has had more time for vulnerabilities to be found and patched.

Newer code is, well, newer and has had less time for vulnerabilities to be patched.

In general if you want to maximise vulnerability, run the oldest code, but apply no patches. The next most vulnerable general case would be to run the newest code because you are playing with untested fire and risking zero day exploits.

In production systems it is usually best to run code that is old enough to be stable, well tested and well patched.

There are counter examples when a long unknown exploit is discovered, but the same kind of exploits could live in brand new code as well. However, new code could contain some really simple exploits that will be patched pretty quickly. You don't want your production system to be the system opening up the tickets with support that find the exploit is the root cause. Because that means you've got to explain to your customers why their credit card numbers have all been stolen.

Re:No Details (1)

mlts (1038732) | about 7 months ago | (#46546457)

Maybe with the conventional model of "it builds! Ship it!" and bottom dollar offshored dev houses, this is understandable, but a well written program, this shouldn't be the case.

Ideally, a program should be written, alpha tested, beta tested, then the version 1.0.0 release put out, which would really be 1.14.102 by today's standards.

A good example of this is Netware 3.1.1. It is pointless to bother with by today's standards, but it had an extremely long life without needing constant updates for security issues.

Re:No Details (1)

DaveV1.0 (203135) | about 7 months ago | (#46546669)

Ideally, a program should be written, alpha tested, beta tested, then the version 1.0.0 release put out, which would really be 1.14.102 by today's standards.

No. Apparently, by today's standards, the release would be 0.135.2314

It's impossible to find all bugs before release. (0)

Anonymous Coward | about 7 months ago | (#46547225)

A good example of this is Netware 3.1.1. It is pointless to bother with by today's standards, but it had an extremely long life without needing constant updates for security issues.

Maybe that's because it was a LAN networking stack that ran IPX/SPX and didn't connect to the global Internet using TCP/IP.

And personally I updated it quite a bit, thank you.

Are you trolling?

Re:No Details (4, Funny)

Nimey (114278) | about 7 months ago | (#46546239)

Spot the guy who's never done professional IT.

Re:No Details (1)

WaffleMonster (969671) | about 7 months ago | (#46546931)

Well it sort of does. RHEL is intentionally outdated because that's what their market wants. It's stupid, I know, but there are a lot of people out there who still really want a world where software never updates so the hacked together shit that runs their business can keep running rather than doing it right.

Even if everyone was forced to upgrade to the current version of everything I doubt it would have much impact on "hacked together shit that runs their business"

What does "doing it right" even mean? Says who? You? The objective function of any business is nominally to make money. Not everyone has the same set of problems, not everyone benefits equally from application of the latest and greatest technology. At some juncture you may reach the point of diminishing returns after which platform "improvements" become a liability negatively affecting the business by introduction of unnecessary risk and expenditures.

It's stupid, I know, but there are a lot of people out there who still really want a world where software never updates so the hacked together shit that runs their business can keep running rather than doing it right.

Depressingly little has materially changed in the last decade aside from the ebb and flow of annoying fads promulgated by marketeers and the legion of lemmings following in their footsteps.

While I hope to be proven wrong I fully expect all "advancements" from here on out to be incremental and of questionable or even negative value.

PHP (0)

Anonymous Coward | about 7 months ago | (#46546049)

PHP is mentioned in the article. 1000x more likely the attacker's initial entry point was a vulnerable PHP app. Some recent local privilege escalation exploits for linux were published a couple weeks ago; that's the only part relevant to the kernel. Yes, the author is an idiot.

Re:No Details (0)

Anonymous Coward | about 7 months ago | (#46546053)

It sure would be nice to know if this is a local exploit or remote exploit. A local exploit on a vulnerable kernel would be difficult to pull off if the web server running in userland is djb publicfile.

Re:No Details (1)

sgt scrub (869860) | about 7 months ago | (#46547353)

Nobody in the security sector that I know believes there is a relationship between the kernel version and the attacks. The only reason I could see anyone mentioning it is if they had some reason for people to see Linux negatively. The vast majority of IPS/Firewalls out there taking Cisco space in the datacenters are based on Linux. I do not know of any of them that are not running kernel 2.6.X.

where's the door? (1)

invictusvoyd (3546069) | about 7 months ago | (#46545965)

No mention of how the 2.6 kernel was compromised. Besides, 2.6 is quite ancient by any standards. Why'd anyone want to run it?

Re:where's the door? (1)

higuita (129722) | about 7 months ago | (#46546029)

Because it is the default kernel from RHEL: 2.6.18-238.12.1.el5

Re:where's the door? (1)

X0563511 (793323) | about 7 months ago | (#46546147)

EL5 is, while supported, getting a bit old. Hell, EL7 is just around the corner!

Re:where's the door? (3, Interesting)

hermitdev (2792385) | about 7 months ago | (#46546315)

While it is supported, and RH claims backwards compatibility, they do have an annoying habit of breaking things. I remember going from a point minor version of RHEL 5 (I think it was 5.5 to 5.6; it might have been an earlier release) to the next, and they broke the behavior of semaphores. In the prior version, a "sem_wait" would block until the semaphore was signaled, in the next version, it'd indicate errno EAGAIN. This was an unexpected change and required code changes for my company's apps at the time to busy wait when trying to acquire a semaphore.

Re:where's the door? (1)

dbIII (701233) | about 7 months ago | (#46548549)

That's what you need to run the current version of some commercial software. While I don't have it on a webserver I do have centos5 (designed to be very similar to RHEL5) on a lot of machines. Of course they use an old version of java as well.
Yes, I'd run 100% open source if there were not certain constraints if only to get off the old platform (and avoid shit like having to wait three months to get a software licence key!).

Re:where's the door? (5, Informative)

Anonymous Coward | about 7 months ago | (#46546031)

I think it's pretty unfair to refer to kernel 2.6. Subversions of 2.6 were in use in one form or another from 2003 to 2011; 3.0 was brought about because Linus randomly decided to up the version number one day, not because of any single significant change. Plenty of old distros that still have security support are running 2.6 kernels that are regularly patched and completely up to date security wise.

Re:where's the door? (0)

Anonymous Coward | about 7 months ago | (#46546529)

My understanding is that the 2.6 longterm kernel is still getting updates from that level as well. So really, it is the distros and the official 2.6 that are both getting patches.

Re:where's the door? (1)

Nimey (114278) | about 7 months ago | (#46547995)

2.6.32 is still being updated, probably because that's the version in current RHEL and so Red Hat's willing to help. None of the other 2.6 kernels still are.

Re:where's the door? (0)

Anonymous Coward | about 7 months ago | (#46546083)

Why'd anyone want to run it?

Binary blob kernel modules, eh.

Re:where's the door? (0)

wolrahnaes (632574) | about 7 months ago | (#46546291)

Anything worth having has been updated to later kernels long ago. And yes that is meant to apply the logic backwards, if your shit hasn't been updated to work beyond 2.6 by 2014 then whoever's supporting it is fucking useless. If it's not supported anymore, then you need to be looking for a replacement.

Software is a moving target, anything designed without that in mind has failed from the start.

Re:where's the door? (1)

dbIII (701233) | about 7 months ago | (#46548563)

then whoever's supporting it is fucking useless

That's the story in general for commercial engineering and geophysical software. It's not just on the linux side. Some stuff was only fixed to run on Win7 a short time before Win8 came out.

Re:where's the door? (1)

jythie (914043) | about 7 months ago | (#46546115)

The same could be asked for why anyone would take down perfectly good, functioning servers to upgrade them to 3?

Re:where's the door? (0)

Anonymous Coward | about 7 months ago | (#46546505)

My servers are functioning too well. If I install some patches, maybe something will break! Then I can have some fun fixing something! Maybe everything will break! Then I can have a lot of fun restoring everything from backup! Even if nothing breaks, I'll still have the thrill of suspense between shutdown and reboot! No matter what happens, I won't be bored anymore.

Re:where's the door? (1)

gweihir (88907) | about 7 months ago | (#46549741)

2.6.32.61 is a currently supported longterm kernel from kernel.org. 2.6.32 in some variant is used in many virtual server setups.

Slashdot continues its decline (4, Informative)

Nimey (114278) | about 7 months ago | (#46546025)

All the affected servers were running the 2.6 version, first released in December 2003.

Not even wrong. I guarandamntee you that none of the affected computers were actually running 2.6.0, and it wouldn't have been /that/ long ago that such an obviously stupid and ill-researched claim wouldn't have been posted.

Soulskill, you /do/ understand that there were forty different versions of Linux in the 2.6 series, do you not? You do understand that the final 2.6 release was in August 2011 and it was numbered 2.6.39.4, which I know because I did 5 minutes of basic Googling?

Re:Slashdot continues its decline (-1)

Anonymous Coward | about 7 months ago | (#46546135)

Wow, the linux kernel truly is a fragmented piece of shit.

Re:Slashdot continues its decline (0)

Anonymous Coward | about 7 months ago | (#46546251)

That's what happens to old software projects, they get fat and bloated with loads and loads of versions. Remember when Linux was just a hobby, not big and professional like GNU? Let's all run a HURD kernel, nobody's attacking web servers running HURD!

Re:Slashdot continues its decline (0)

Anonymous Coward | about 7 months ago | (#46546469)

compared to the windows kernel, which at the moment is version 6.1.7601.18229 on my win 7 machine

Re:Slashdot continues its decline (0)

Anonymous Coward | about 7 months ago | (#46546543)

Yeah but Windows NT started counting at 3.1.

Re:Slashdot continues its decline (1)

AlphaBro (2809233) | about 7 months ago | (#46547279)

I don't think you understand the fragmentation he is referring to.

Re:Slashdot continues its decline (0)

Anonymous Coward | about 7 months ago | (#46546219)

Why should Soulskill Google anything when he can get his lackey Nimey to do it for him?

Re:Slashdot continues its decline (3, Insightful)

Bacon Bits (926911) | about 7 months ago | (#46546439)

You didn't read the article, did you? TFS is vague, but so is the article. The article contains no details about the vulnerability. It only contains information about the severity and locations of the attacks. Comments on the article add "Version 2.6.18 appeared to be particularly prevalent." The article is shockingly limited on details.

Slashdot's editors often appear to be asleep at the wheel, but this time the editors weren't adding anything that wasn't in the original article.

Re:Slashdot continues its decline (1)

Nimey (114278) | about 7 months ago | (#46546609)

I did read the article, actually. My point stands: in the mythical olden days of Slashdot, this post wouldn't have happened, because not only was the summary crap, so was the article.

Re:Slashdot continues its decline (0)

Anonymous Coward | about 7 months ago | (#46547607)

See you at

http://soylentnews.org/ [soylentnews.org]

and

http://pipedot.org/ [pipedot.org]

then

Re:Slashdot continues its decline (1)

Barsteward (969998) | about 7 months ago | (#46550031)

It's total crap - read this analysis of the report... http://www.whitefirdesign.com/... [whitefirdesign.com]

Re:Slashdot continues its decline (1)

DRJlaw (946416) | about 7 months ago | (#46546737)

Not even wrong. I guarandamntee you that none of the affected computers were actually running 2.6.0, and it wouldn't have been /that/ long ago that such an obviously stupid and ill-researched claim wouldn't have been posted.

Soulskill didn't write "the 2.6.0 version," he wrote "the 2.6 version." As in potentially 2.6.0 through 2.6.39.4. When posters refer to Windows, you don't automatically assume Windows 1.0. When posters refer to Windows XP, you don't automatically assume Windows XP RTM. Why would you assume that someone referring to "the 2.6 version," when there never was a single "2.6" version, is referring to 2.6.0 versus most of the 2.6 subversions?

FYI, from an author comment in TFA:
"Thanks for the comment. We saw affected machines with a whole range of kernel 2.6 subversions. Version 2.6.18 appeared to be particularly prevalent."

You may have done five minutes of googling, but you didn't do 5 minutes of reading, and you for sure didn't read the article's clear statement that "All of the affected web servers that we have examined use the Linux 2.6 kernel."

Now go flame Michael Lee so that we can watch him destroy you...

Re:Slashdot continues its decline (1)

DRJlaw (946416) | about 7 months ago | (#46546755)

And an unfortunate submission with "Michael" rather than "Martin" sucks the air out of the room. Wheeee...

Re:Slashdot continues its decline (2)

Nimey (114278) | about 7 months ago | (#46546763)

That's exactly my point. "The 2.6 version" is meaningless and Soulskill should have known better; there's a huge difference between 2.6.0 and 2.6.39.

Re:Slashdot continues its decline (1)

DRJlaw (946416) | about 7 months ago | (#46547879)

No, your point is to completely ignore TFA's statement that "We saw affected machines with a whole range of kernel 2.6 subversions."

There's no point in demanding that the summary list the 36 subversions that are vulnerable and/or the 4 which are not when the source article does not include any such information to begin with. And whoever moderated your subsequent reply as insightful is a moron.

Re:Slashdot continues its decline (1)

Nimey (114278) | about 7 months ago | (#46547973)

If that's what TFA meant then that's what it should have said. As to the summary, instead of "the 2.6 version" (quoting TFA) it should have said something like "many Linux kernels in the 2.6 series", which would at least have not sounded so naively ignorant.

Since TFA didn't bother clearly saying what versions are vulnerable (except, as you assert, in the comments) then it wasn't worthy of a /. post, which is my whole fucking point. English, motherfucker, do you speak it?

Re:Slashdot continues its decline (1)

DRJlaw (946416) | about 7 months ago | (#46548941)

Since TFA didn't bother clearly saying what versions are vulnerable (except, as you assert, in the comments) then it wasn't worthy of a /. post, which is my whole fucking point. English, motherfucker, do you speak it?

Your point never addressed whether TFA was worthy of a /. post. Your point was directed at the article summary and Soulskill's editing up until 8:04 EDT. Once you finally noticed that TFA contradicted your rant, you suddenly chose to attack it. I can't read something that hasn't been written yet. And speaking is not involved at all. Idiot.

Re:Slashdot continues its decline (0)

Nimey (114278) | about 7 months ago | (#46551805)

I'm sorry, I can't hear you through all the cocks in your mouth.

Re:Slashdot continues its decline (1)

gweihir (88907) | about 7 months ago | (#46549747)

And a 10 second look at www.kernel.org shows you that 2.6.32.61 is a currently supported longterm kernel version, with the last update in mid-2013. This thing may be old, but it is not abandoned or insecure.

horrible article, author has no idea about 2.6 (5, Insightful)

Gothmolly (148874) | about 7 months ago | (#46546057)

"All of the affected web servers that we have examined use the Linux 2.6 kernel."

Right, because RHEL (and Centos) run 2.6.... so sampling ANY number of servers is likely going to show that they run 2.6.

Is Slashdot just a click redirector these days? Do 'editors' remotely 'edit' anything?

Re:horrible article, author has no idea about 2.6 (1)

Nimey (114278) | about 7 months ago | (#46546073)

Do 'editors' remotely 'edit' anything?

Only when they feel like it.

Re:horrible article, author has no idea about 2.6 (1)

X0563511 (793323) | about 7 months ago | (#46546153)

... which is never.

Re:horrible article, author has no idea about 2.6 (1)

Nimey (114278) | about 7 months ago | (#46546233)

Anecdotally, I once submitted a story and whichever editor was on duty totally sliced-and-diced my prose.

Re:horrible article, author has no idea about 2.6 (2)

mlts (1038732) | about 7 months ago | (#46546213)

TFA tells us nothing. Even the followup about 2.6.18 being the worst culprit and the note that upgrading the kernel will not help makes it even more pointless.

My fix: yum upgrade, and if the update does grab a new kernel, reboot. There was a kernel bug (long since patched) a few years ago that allowed attacks past even SELinux... but if one is running a recent distro, this shouldn't be an issue.

Of course, one should double-check what is likely the real culprit... applications like apache and its modules, and perhaps check for compromised credentials [1].

[1]: On Internet-facing machines, if possible, I configure ssh to only allow public/private keys and no passwords. That way, if the remote machine gets completely pwned, the attacker will have my SSH public key, which is a lot less of an issue than having a hashed password list.
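The "keys only, no passwords" sshd setting from the footnote above, as an added audit script that is not part of the thread or of any commenter's setup. It reads an sshd_config file, honours sshd's first-occurrence-wins rule, stops at the first Match block (per-user overrides are out of scope here, which is an assumption stated in the code), and flags the three settings that still let a password reach the server. The two config files at the bottom are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): audit sshd_config for password logins.
# Assumptions: whitespace or '=' separated "Keyword value" lines, and only the
# global section is checked (a Match block ends the scan).

# Effective value of keyword $1 in file $2, lower-cased; $3 is sshd's default
# for that keyword and is printed when the file never sets it. sshd uses the
# FIRST occurrence of a keyword, so the scan stops at the first hit.
sshd_opt() {
    awk -v key="$1" -v def="$3" '
        { sub(/=/, " ") }                      # allow Keyword=value form
        tolower($1) == "match" { exit }        # per-user overrides: stop here
        $1 !~ /^#/ && tolower($1) == tolower(key) { print $2; found = 1; exit }
        END { if (!found) print def }' "$2" | tr 'A-Z' 'a-z'
}

# Print one WEAK line per password path that is still open; exit 0 when the
# file only allows public-key authentication.
sshd_audit() {
    rc=0
    if [ "$(sshd_opt PasswordAuthentication "$1" yes)" != "no" ]; then
        echo "WEAK: PasswordAuthentication is not 'no'"; rc=1
    fi
    if [ "$(sshd_opt PubkeyAuthentication "$1" yes)" != "yes" ]; then
        echo "WEAK: PubkeyAuthentication is not 'yes'"; rc=1
    fi
    # keyboard-interactive (PAM) can still prompt for a password even when
    # PasswordAuthentication is off, so it has to be closed as well
    if [ "$(sshd_opt ChallengeResponseAuthentication "$1" yes)" != "no" ]; then
        echo "WEAK: ChallengeResponseAuthentication is not 'no'"; rc=1
    fi
    return $rc
}

# Constructed demonstration: a weak config (the password line is only a
# comment, so the default 'yes' applies) beside a hardened one.
demo_sshd_audit() {
    weak=$(mktemp); hard=$(mktemp)
    printf '#PasswordAuthentication no\nPubkeyAuthentication yes\n' > "$weak"
    printf 'PasswordAuthentication no\nPubkeyAuthentication yes\n' > "$hard"
    printf 'ChallengeResponseAuthentication no\nMatch User backup\n' >> "$hard"
    printf '    PasswordAuthentication yes\n' >> "$hard"
    echo "weak config:";  sshd_audit "$weak" || true
    echo "hardened config:"; sshd_audit "$hard" && echo "OK: keys only"
    rm -f "$weak" "$hard"
}

demo_sshd_audit
```

Run it against the live file with `sshd_audit /etc/ssh/sshd_config`; the exit status makes it usable from a configuration check, and the Match caveat means any per-user exceptions still need a separate look.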

Re:horrible article, author has no idea about 2.6 (0)

Anonymous Coward | about 7 months ago | (#46562801)

Even the followup about 2.6.18 being the worst culprit and the note that upgrading the kernel will not help makes it even more pointless.

Yep.

RHEL 5.10 (latest update in the 5 series, very much supported) uses the 2.6.18 kernel.

But it's heavily patched with back-ported fixes and currently sits at internal version 371.6.1, released recently.

The base 2.6.18 kernel is old, but the latest RHEL 5.10 version of it isn't.

TFA is a horrible, useless pile of steaming crap.
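The point made in this comment and earlier by 93 Escort Wagon (Red Hat keeps the upstream 2.6.18 number and records the backported fixes in the build number after the dash) is easy to get wrong when checking hosts by hand, so here is an added helper, not from the thread or from Red Hat, that splits a release string of the `uname -r` shape into its upstream base and its distro build and compares builds numerically. The release strings used below are constructed from the versions quoted in the thread; the `.el5` suffix handling is an assumption about the Red Hat naming scheme.

```shell
#!/bin/sh
# Added example (not from the thread): read a Red Hat style kernel release
# string such as 2.6.18-371.6.1.el5 and compare its build number, which is
# where the backported fixes show up, instead of the upstream 2.6.18 base.

# Upstream base version: everything before the first '-'.
kernel_base() {
    printf '%s\n' "${1%%-*}"
}

# Distro build number: after the first '-', with the .elN... suffix removed.
# Prints an empty line for a vanilla release string with no '-'.
kernel_build() {
    case "$1" in
        *-*) printf '%s\n' "${1#*-}" | sed 's/\.el[0-9][0-9]*.*$//' ;;
        *)   printf '\n' ;;
    esac
}

# Compare two dotted build numbers component by component (numeric, not
# lexical, so 371.6.1 > 238.12.1). Prints -1, 0 or 1 like strcmp.
cmp_build() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah=${a%%.*}; bh=${b%%.*}
        [ -z "$ah" ] && ah=0          # missing trailing component counts as 0
        [ -z "$bh" ] && bh=0
        if [ "$ah" -lt "$bh" ]; then printf '%s\n' -1; return; fi
        if [ "$ah" -gt "$bh" ]; then printf '%s\n' 1; return; fi
        case "$a" in *.*) a=${a#*.} ;; *) a="" ;; esac
        case "$b" in *.*) b=${b#*.} ;; *) b="" ;; esac
    done
    printf '%s\n' 0
}

# Exit 0 when the build in release string $1 is at or above build $2,
# e.g. the build that carries a particular backported fix.
kernel_at_least() {
    [ "$(cmp_build "$(kernel_build "$1")" "$2")" -ge 0 ]
}

# Constructed usage; on a live host the string would come from `uname -r`.
rel="2.6.18-371.6.1.el5"
printf 'base=%s build=%s\n' "$(kernel_base "$rel")" "$(kernel_build "$rel")"
if kernel_at_least "$rel" 238.12.1; then
    printf '%s is at or above build 238.12.1\n' "$rel"
fi
```

Two caveats a practitioner would add: a vanilla kernel.org release (2.6.32.61 in this thread) has no distro build at all, so the build comparison says nothing about it, and the build number only tells you which errata are present, not whether a given fix is among them; for that, the distribution's errata notices are the source.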

It would be nice to know what Web Server... (2)

Virtucon (127420) | about 7 months ago | (#46546071)

"We think your door is unlocked but we won't say which house it is or where it's located."

Talk about vague.

Re:It would be nice to know what Web Server... (0)

Anonymous Coward | about 7 months ago | (#46546107)

A vague reminder to lock your door, er, upgrade your kernel! Good advice.

Re:It would be nice to know what Web Server... (1)

jones_supa (887896) | about 7 months ago | (#46546275)

These are always a double-edged sword. When releasing accurate details, you help administrators to secure their servers, but at the same time you give attackers more information to help them conduct their attack.

Re:It would be nice to know what Web Server... (1)

JohnFen (1641097) | about 7 months ago | (#46547305)

One edge of that sword is a lot duller than the other. The cracker community is likely already well aware of how the exploit works (they do talk with each other frequently, after all), so it would most likely be a case of telling them what they already know.

Re:It would be nice to know what Web Server... (0)

Cisco_Martin (3587257) | about 7 months ago | (#46546797)

Hi, I'm one of the authors of the blog. If I knew what vulnerability was being exploited, I'd tell you. We can observe the increase in websites exhibiting a common compromise, but we don't know the steps that have led to the compromise. I would love to hear from anyone who has identified that their server was compromised and has more information. Thanks, Martin Lee

Re:It would be nice to know what Web Server... (1)

JohnFen (1641097) | about 7 months ago | (#46547275)

If you don't know what the exploit is, then why are you implicating the 2.6 kernel? Particularly when that's not much better than just saying "the kernel", as 2.6 covers a ton of versions.

The implication is that you have some idea of what the exploit looks like. If that's true, you could be more helpful. If that's not true, you're misleading people.

My suspicion is that this is yet another scare story intended to help the sale of Cisco products, and that it's based on almost nothing.

Re:It would be nice to know what Web Server... (1)

Bert64 (520050) | about 7 months ago | (#46547401)

Have you not looked in access logs or firewall logs? Chances are whoever is exploiting this is also actively scanning for it...

Re:It would be nice to know what Web Server... (0)

Anonymous Coward | about 7 months ago | (#46546923)

Warning: LOCK YOUR DOOR!!!

There may be a security issue with a specific brand of door lock, but we're not sure which model it might be.

We know this lock is really old. They were first made in 2003. So you should get a new lock even though they were still making and selling this lock up until maybe two years ago.

It's also possible the act of locking the door may trigger the security issue and make it easy for a burglar to open the door and change the settings in your TV remote control so you will see more advertisements than normal.

PHP+SQL exploits != kernel (0)

Anonymous Coward | about 7 months ago | (#46546223)

Slashdot fails again.

Re:PHP+SQL exploits != kernel (0)

Anonymous Coward | about 7 months ago | (#46546395)

But the Mysql and the Php are the M and the P in the LAMP so they must be two of the four kernels of web serving.

Painfully stupid (1)

radioact69 (1220518) | about 7 months ago | (#46546427)

Danger! 2.6 kernel! MASSIVE INFECTIONS! While we're at it, let's talk about Windows XP...

Re:Painfully stupid (0)

Anonymous Coward | about 7 months ago | (#46546565)

Let's run Windows 2000 instead! It doesn't have security flaws anymore!

Re:Painfully stupid (0)

Anonymous Coward | about 7 months ago | (#46546993)

What's the difference? It's all 2.6 ... err NT5 anyways.

Why? (0)

Anonymous Coward | about 7 months ago | (#46546491)

If you have root on a webserver, why do you need javascript to do the redirect?

The webserver is perfectly capable of doing that on its own.

Re:Why? (0)

Anonymous Coward | about 7 months ago | (#46546601)

root? who said root? i see not root

Re:Why? (1)

cant_get_a_good_nick (172131) | about 7 months ago | (#46547347)

If you have root on a webserver, why do you need javascript to do the redirect?

Let's say you had root; to get a redirect in apache you'd need to:

* edit the config file, bounce the server as root, leaving a change in the config and a bounce record in the server log
  or
* create a .htaccess file, possibly edit the config to respect the .htaccess file and the subsequent bounce as root, leaving possibly a new file on the filesystem that can be detected
  or
* edit a javascript file that's likely to be around and edited anyway.

The latter is most likely to evade detection. Besides, no one said they had root.
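The third option above is exactly the compromise the summary describes (a line slipped into JavaScript files that are edited anyway), and the comment's point that this is the hardest of the three to notice is what a hash baseline answers. The script below is an added example, not from the thread, the Cisco post or any commenter: it records a sha256 manifest of every `.js` file under a web root and later reports files that changed, vanished or appeared since. The web root and the files in it are constructed in a temp directory for the demonstration; the only tools assumed are find, sort and coreutils sha256sum.

```shell
#!/bin/sh
# Added example (not from the thread): hash baseline for the .js files under
# a web root, so an injected line shows up as a MODIFIED file at the next run.

# Write "<sha256>  <path>" for every .js file under $1 into manifest $2.
js_baseline() {
    find "$1" -type f -name '*.js' | LC_ALL=C sort | while read -r f; do
        sha256sum "$f"
    done > "$2"
}

# Print one line per file under $1 that differs from manifest $2:
# MODIFIED (hash changed), MISSING (gone) or NEW (not in the manifest).
js_report() {
    while read -r sum path; do
        if [ ! -f "$path" ]; then
            printf 'MISSING %s\n' "$path"
        elif [ "$(sha256sum "$path" | cut -d' ' -f1)" != "$sum" ]; then
            printf 'MODIFIED %s\n' "$path"
        fi
    done < "$2"
    # sha256sum lines are 64 hex chars + two spaces, so the path starts at col 67
    find "$1" -type f -name '*.js' | LC_ALL=C sort | while read -r f; do
        cut -c67- "$2" | grep -q -F -x -- "$f" || printf 'NEW %s\n' "$f"
    done
}

# Exit 0 when nothing changed; otherwise print the report and exit 1.
js_verify() {
    out=$(js_report "$1" "$2")
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Constructed demonstration: two files, a baseline, then one file gets an
# extra line appended (a harmless placeholder standing in for injected code)
# and a third file appears.
demo_js_integrity() {
    root=$(mktemp -d)
    printf 'var a = 1;\n' > "$root/a.js"
    printf 'var b = 2;\n' > "$root/b.js"
    js_baseline "$root" "$root/manifest.txt"
    js_verify "$root" "$root/manifest.txt" && echo "clean after baseline"
    printf '// constructed extra line\n' >> "$root/a.js"
    printf 'var c = 3;\n' > "$root/c.js"
    js_verify "$root" "$root/manifest.txt" || echo "changes detected"
    rm -rf "$root"
}

demo_js_integrity
```

Keep the manifest off the web host (or at least outside the web root and the account the site runs as), since an attacker who can edit the JavaScript can just as easily edit a manifest stored beside it; a diff of the MODIFIED file against a clean copy then shows the inserted line itself.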

2003 (0)

Anonymous Coward | about 7 months ago | (#46546739)

Wow a shitty year and shitty software.

The Internet of things... (1)

cant_get_a_good_nick (172131) | about 7 months ago | (#46546793)

Becomes The Internet of unpatched easily pwned things.

Not only Linux (2)

avij (105924) | about 7 months ago | (#46547203)

There is a list of affected sites linked in the comments. The first one on the list is running FreeBSD. I did not bother checking the rest.

Re:Not only Linux (1)

JohnFen (1641097) | about 7 months ago | (#46547293)

So then it's very likely not a kernel exploit.

Re:Not only Linux (1)

kwark (512736) | about 7 months ago | (#46547409)

I found a compromised website on my company's shared hosting platform (which runs a 2.6 kernel (Debian/oldstable)). But the files were "infected" via an ftp account on proftpd on a machine running a 3.2 kernel (Debian/stable), and the login was right on the first try. My guess is malware on the site owners' machines stealing ftp logins (which is old news).

Re:Not only Linux (2)

JohnFen (1641097) | about 7 months ago | (#46547371)

Oh, hell, looking through that list... there are Windows Server installations in there as well!

Apache bug? (2)

cant_get_a_good_nick (172131) | about 7 months ago | (#46547247)

From the comments on the announce page, since (almost) nobody will go over there.

The first site on compromise_1.txt [cisco.com] seems to be running “Apache/2.2.26 (FreeBSD) DAV/2 mod_ssl/2.2.26 OpenSSL/0.9.8y”, which does not quite sound like it’d be running Linux at all. As others have already pointed out, I would not blame this on a Linux kernel bug yet.

So, it looks like the "old 2.6.x kernel releases" was really just a signal for "old nonupdated code".

BTW: for those who bitch about "well the 2.6 line was patched and maintained all the way to 2011" they do have a line where they imply the 2.6 kernels are early kernels, not the latter 2.6.20 whatever ones, but it's not a well written article and is easy to miss.

Advert for Cisco Web Security (2)

wjcofkc (964165) | about 7 months ago | (#46547269)

FTFA:

All of the affected web servers that we have examined use the Linux 2.6 kernel.

For clarity, the old kernel is a common indicator on the compromised hosts.

Okay, so between 2003 and 2011 there have probably been 3 dozen versions of that kernel. The overwhelming majority of Linux based web servers run the vetted, thoroughly tested and patched, tried and true 2.6 series Linux kernel. This makes me concerned Cisco doesn't understand what it means to run a production system. Also, what do they even mean by "web server"? Are we to assume Apache? Because there are alternatives in use... lots. Considering most Linux based web servers are running a variation of the 2.6 kernel, of course that's where they will find the attacks (Duh, anyone?). I would be much more interested in what web server we are talking about and any commonality between them over the kernel of the operating system. I am shaking my head trying to figure out what this article is really trying to communicate, especially since they practically shoot down most of their article with the "Update" at the top.

Although users of Cisco’s Cloud Web Security solution are protected from this attack...

Oh, I get it now.

Windows runs 2.6 kernel? (1)

freak0fnature (1838248) | about 7 months ago | (#46547535)

I didn't realize Windows servers were running Linux 2.6 under the hood...fascinating! http://www.whitefirdesign.com/... [whitefirdesign.com]

Read the comments first. (3, Interesting)

shipofgold (911683) | about 7 months ago | (#46548711)

The comments at the end of the CISCO article flush out the fact that they noticed a line of malicious javascript at the end of a large number of .js files but they have no idea how it got there.

In fact the list of JS files given includes many that are not even running on Linux servers.

The author is irresponsible at best, and incompetent at worst...
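Two of the threads above describe what the defender actually has to find: a single script line appended to existing .js files, and the alternative tampering paths (a dropped-in .htaccess) that leave a new file behind. As an added example that is not from the Cisco article or any commenter, the script below compares a deployed web root against a known-good copy (a release checkout, say) and reports modified .js files with their added lines plus unexpected .htaccess files; the directory layout and file contents in `demo()` are constructed for the example.

```python
"""Integrity check of a deployed web root against a known-good copy.
Added example; directory names and contents are constructed, not real."""
import difflib
import hashlib
import tempfile
from pathlib import Path


def _sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def compare_webroots(known_good: Path, deployed: Path) -> dict:
    """Return {"modified": {rel_path: [added lines]}, "new_files": [rel_path]}."""
    report = {"modified": {}, "new_files": []}
    for path in sorted(deployed.rglob("*")):
        if not path.is_file():
            continue
        if path.suffix != ".js" and path.name != ".htaccess":
            continue
        rel = str(path.relative_to(deployed))
        ref = known_good / rel
        if not ref.is_file():
            report["new_files"].append(rel)  # e.g. a planted .htaccess
            continue
        if _sha256(ref) == _sha256(path):
            continue
        old = ref.read_text(errors="replace").splitlines()
        new = path.read_text(errors="replace").splitlines()
        # ndiff marks added lines with "+ "; hint lines ("? ") are skipped
        added = [l[2:] for l in difflib.ndiff(old, new) if l.startswith("+ ")]
        report["modified"][rel] = added
    return report


def demo() -> dict:
    """Build a constructed known-good tree and a tampered deployment, compare them."""
    with tempfile.TemporaryDirectory() as tmp:
        good = Path(tmp, "release")
        live = Path(tmp, "htdocs")
        for root in (good, live):
            (root / "js").mkdir(parents=True)
            (root / "js" / "site.js").write_text("function init(){}\nconsole.log('ok');\n")
        # Tamper with the live copy the way the thread describes: one line
        # appended to an existing .js file, plus a dropped-in .htaccess.
        with (live / "js" / "site.js").open("a") as f:
            f.write("/* constructed placeholder for an injected line */\n")
        (live / ".htaccess").write_text("# constructed placeholder\n")
        return compare_webroots(good, live)
```

A real deployment would run `compare_webroots` from cron against the release artifact and alert on any non-empty report.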

Re:Read the comments first. (1)

sclark46 (969374) | about 7 months ago | (#46551023)

The comments at the end of the CISCO article flush out the fact that they noticed a line of malicious javascript at the end of a large number of .js files but they have no idea how it got there.

In fact the list of JS files given includes many that are not even running on Linux servers.

The author is irresponsible at best, and incompetent at worst...

You are absolutely correct. I am appalled that /. even posted this with the title they used.
