Slashdot: News for Nerds

New Linux Worm Found in the Wild

CmdrTaco posted more than 10 years ago | from the random-dune-reference-here dept.

Apache 388

randomErr writes "The worms, Slapper.B and Slapper.C, which exploits a known buffer overrun vulnerability in the Secure Sockets Layer 2.0 (SSLv2) handshake process has infected thousands of Web servers worldwide, according to Helsinki-based F-Secure Corp., a computer and network security company. "


388 comments

Wow! (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#4326450)

I actually got a first post!!! Woohoo!!

Click here [bakla.net]

Rather Than A First Post (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#4326452)

I'll just wait for first reply

Re:Rather Than A First Post (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#4326456)

Hey!

I'm first reply!

Finally... (5, Funny)

TonyZahn (534930) | more than 10 years ago | (#4326454)

... we're starting to catch up with Microsoft in the vital worm-propagation field, where they've been unmatched for years. :-)

Laugh, it's a joke

Bravo (2)

dnoyeb (547705) | more than 10 years ago | (#4326468)

You think this is tied to the popularity increase of Linux in the userbase? The webservers have always been around...

Seems like the gloves are coming off. Perhaps we need a sample of this worm to test its DNA and determine its origins ;)

Re:Bravo (2, Insightful)

Jugalator (259273) | more than 10 years ago | (#4326484)

You think this is tied to the popularity increase of Linux in the userbase?

Yes, just like in the case with Windows.

Re:Bravo (0)

Anonymous Coward | more than 10 years ago | (#4326662)

Bullshit. Windows servers make up less of the market than Linux.

And how fast did code red spread? Almost fifty thousand in a single day?
NONE were Linux. Popularity has nothing to do with Windows exploits. It's just so god damned easy.

Re:Bravo (1)

egreB (183751) | more than 10 years ago | (#4326683)

You didn't quite catch the next line in the grandparent post?

His point was that Linux has been widespread on webservers for a while now. It's not the ever-growing Linux userbase that's the _direct_ cause of this worm.

Though, you have a point. A growing Linux user base attracts the kind of people that creates worms as well.

Re:Bravo (0)

Anonymous Coward | more than 10 years ago | (#4326503)

Great spin!

1. Linux is catching up to windows! Ha ha...

2. Linux is so popular, sophisticated worms are appearing!

Go into politics - a bright future awaits. But give up on the idea of determining the worm's origins, you wouldn't be able to tell anyway.

We're not really catching up (5, Insightful)

Anonymous Coward | more than 10 years ago | (#4326597)

Code Red infected at least 400,000 Microsoft systems. I think it infected 40,000 in the first day. Nimda got something like 65,000 plus. Slapper has infected 7,000 to 11,000, depending upon who you listen to. Now take into consideration that Linux Apache systems host a significantly larger number of web sites than Windows systems do.

Slapper is a minor event. I see a constant stream of Microsoft security alerts go through my mailbox, and you don't hear a peep out of these Microsoft apologists and cheerleaders until a serious Open Source vulnerability occurs once or twice a year.

All complex software will have bugs. It seems to me that Open Source bugs get fixed quicker, and Open Source admins are more inclined to patch in a timely manner than Microsoft ones by at least one order of magnitude. What do you expect from Windows, though, when its target market is people who don't know how to use computers.

IF I EVER MEET YOU I WILL KICK YOUR ASS!!! (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#4326651)

Re:IF I EVER MEET YOU I WILL KICK YOUR ASS!!! (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#4326673)

WHO SAID THAT?!

Finally (-1, Troll)

Anonymous Coward | more than 10 years ago | (#4326457)

.....linux is starting to become a desktop OS

Re:Finally (0, Offtopic)

aivic (468344) | more than 10 years ago | (#4326573)

Linux can be utilized as a Desktop OS!

I can do everything virtually in Linux what I can do in Windows.

There's only a little lacking in the field of capturing/encoding divx movies and graphical download managers, but I might be wrong there since I haven't bothered to look.

I also have to give a lecture on the slapper worm in a couple weeks and I haven't really started my presentation notes :(

Wish me LUCK!

Finally - Linux can be utilized as a Desktop OS! (0)

Anonymous Coward | more than 10 years ago | (#4326654)

No kidding! I was so glad to see that we get virii and worms, too. I mean, seriously. I was getting so tired of hearing my co-workers say "Hey, I've got the latest variation of the KleZ virus." "Oh yeah? Code red is still eating me alive!" As I just meekly stir my Dr. Pepper and saunter off...

Not anymore! I TOO am infected! HAHAHA!!! We can at last fully compete with the desktop market!

Oh wait... I guess it's a webserver virus, huh? Crap. Better luck next time, I guess.

A few hopes... (5, Funny)

Lethyos (408045) | more than 10 years ago | (#4326460)

1. That most system admins out there are bright enough to keep their machines up to date with the latest patches.

2. Whoever is writing these worms knows how much damage they're doing to open source. It would have been preferable to inform the OpenSSL people first, wait a month, then release the worm.

Of course, by the time you read this, the bug will have been patched. ;)

Re:A few hopes... (3, Insightful)

SystematicPsycho (456042) | more than 10 years ago | (#4326482)

It would have been preferable to inform the OpenSSL people first, wait a month, then release the worm.

It would be preferable to let the security at the bank know that you're about to commit armed robbery so they can stop you. Of course there is a difference between white and black hat hackers.

A spacious analogy. (2, Insightful)

Lethyos (408045) | more than 10 years ago | (#4326533)

A bank robbery is a different type of intrusion. You cannot threaten a computer to give you access. An armed bank robbery is a failure of humans, not security systems. I'm sure all the cameras and locking mechanisms on doors and vaults at a bank work just fine in an armed robbery. The humans unlock them out of self-preservation and the mechanisms do exactly what they are requested.

Exploiting a vulnerability like this is similar to walking down the alley behind the bank and finding an unlocked door that takes you straight into the vault. Some people (other politics aside such as "who would want to help such a stupid bank!?") would inform the bank, hoping to increase its security. Typically in open source, when we find unlocked doors, we tell the maintainers as soon as possible. It's peer review.

I am not suggesting we do not release exploits though. Worms like this are a good practice run (and a great way of informing the sysadmins they need updates). *shrug*

Re:A few hopes... (5, Informative)

larien (5608) | more than 10 years ago | (#4326485)

The patches have been out for over a month, I'm pretty sure of that. I downloaded the patches as soon as Debian had the new ones online.

So, in short, it's an old bug, it's been patched, and the only ones getting hit are people who haven't patched their openssl libraries.

Re:A few hopes... (1)

BESTouff (531293) | more than 10 years ago | (#4326535)

Err ... exactly like for most windows exploits ?

Re:A few hopes... (4, Insightful)

jht (5006) | more than 10 years ago | (#4326563)

Problem is, it's a similar scenario to how Windows admins get burnt - it's just that there's usually a shorter interval between patch-exploit in the Windows admin world.

Any admin of either platform who uses best practices should be safe from most exploits. Shut down unused services (and block the ports at your firewall if feasible), keep current on security patches, stay informed, and things should be manageable.

The catch is that just like there are clueless Windows admins, there are clueless Linux admins. And the clueless admins (for either platform) make their platform as a whole look bad.

Re:A few hopes... (2, Insightful)

pythorlh (236755) | more than 10 years ago | (#4326663)

The main difference is that Microsoft encourages the development of clueless admins. The MCxx certifications are geared to producing admins that can pass a test, not admins who can effectively administrate. Yes, there exist lame Linux certs, too, and yes, we do have clueless Linux admins. But the whole community of Linux is based on educating the user, admin or not, about how to properly configure the system. Thus, a vastly smaller percentage of Linux admins end up clueless, and the ones that do really deserve what they get. MCxx admins often have the mistaken impression that they already know enough to do their job. Linux admins generally know what they don't know, and know who to go to to ask.

Re:A few hopes... (1)

divingbell (302643) | more than 10 years ago | (#4326675)

The patches have been out for over a month, I'm pretty sure of that. I downloaded the patches as soon as Debian had the new ones online.

So, in short, it's an old bug, it's been patched, and the only ones getting hit are people who haven't patched their openssl libraries.


I am really careful about keeping my systems up to date. This worm bit me none the less. Here is why: I am running redhat, and sometime in February I updated my system from rawhide. Then I upgraded to 7.3 when that came out. Problem is that some of those rawhide packages, including openssl, had a higher version-number than any official versions being rolled out from redhat since then. So when the patched openssl came out, my system (using up2date and autoupdate) ignored the new package.
I think I will try to stay away from rawhide in the future.

Re:A few hopes... (2)

MarkSyms (167054) | more than 10 years ago | (#4326487)

The bug was patched 2 months ago so I guess that is the case :>

Re:A few hopes... (2, Interesting)

Anonymous Coward | more than 10 years ago | (#4326490)

Whoever is writing these worms knows how much damage they're doing to open source.

Most likely they don't give a shit or didn't even consider it. Not everybody is politically motivated. Some people actually see computers as nothing more than a tool, and don't really care if we live in a communist "free" world or a market-driven capitalist one, as long as their computer helps them do what they want to do. It's just a hunk of silicon, steel and plastic - it has no soul, no social conscience and its configuration is no reflection on themselves.

What a revolutionary idea!
Having said that remember that people writing worms are not likely to care much about the effect of their actions, whether it's denying you connectivity or canonizing Bill Gates.

Re:A few hopes... (2)

sxpert (139117) | more than 10 years ago | (#4326574)

Whoever is writing these worms knows how much damage they're doing to open source.
Maybe these worms come from Microsoft themselves ?

Re:A few hopes... (0)

Anonymous Coward | more than 10 years ago | (#4326502)

Pfff.. it would also be better if people informed microsoft of _every_ exploit before releasing virii in the wild :)

i bet m$ developers made this worm to make friends!

After all, now the open source community and microsoft have something in common. they both suck when it comes to security ;-)

Re:A few hopes... (2)

Lethyos (408045) | more than 10 years ago | (#4326556)

Pfff.. it would also be better if people informed microsoft of _every_ exploit before releasing virii in the wild :)

I know of many examples, but it's minutes before I leave for work and I cannot cite them. But I'm hoping that you (and many others) are aware that many hackers who have found exploits in Microsoft products do inform Microsoft of the problem before releasing the exploit. Microsoft turn around and ignore them and do nothing until the hacker releases the exploit out into the open. With Microsoft, you don't get anything patched unless it makes a bad PR spin.

One such example of this was the Win32 message system allowing code to elevate its privs by sending commands to higher-priv'ed processes. It was posted to /. a few weeks ago.

The most important thing to point out is ... (1)

matjac (606938) | more than 10 years ago | (#4326505)

"Of course, by the time you read this, the bug will have been patched. ;)" This is the most significant benefit (to me at least). In fact, I think that to most people, the biggest benefit of open source is the rapid deployment of bug fixes, patches etc. rather than cheap or free software. Without open source, I'm afraid most of us would be stuck in a world of buggy software that only works when it feels like it. Oh Wait a minute... What? "Windows has encountered a problem..." Anyway, the point is that I have never heard of MS, Oracle, or any of the other major software companies ever having a patch within hours much less days for anything.

Re:A few hopes... (5, Funny)

Elphin (7066) | more than 10 years ago | (#4326515)

> It would have been preferrable to inform
> the OpenSSL people first, wait a month,
> then release the worm.

Dear OpenSSL,

We are about to release an "internet worm" which will wreak havoc on the worldwide "internet" if you don't pay a ransom of... (place little finger on lower lip) ...ONE BILLION DOLLARS!

Kind regards,

Dr Evil

Seriously though, I think I'm correct in saying that slapper exploits a flaw in OpenSSL patched well before the first slapper outbreak.

Re:A few hopes... (2, Insightful)

BESTouff (531293) | more than 10 years ago | (#4326602)

Dear OpenSSL,

We are about to release an "internet worm" which will wreak havoc on the worldwide "internet" if you don't pay a ransom of... (place little finger on lower lip) ...ONE BILLION DOLLARS!

Kind regards,

Dr Evil

Don't forget to half-close your eyes

Re:A few hopes... (3, Insightful)

AndrewHowe (60826) | more than 10 years ago | (#4326605)

If Open Source claims that it is somehow better at dealing with this sort of thing, and it turns out that it isn't, then it deserves the "damage" you speak of. Why should Open Source be immune from criticism? Live by the sword, die by the sword.

Re:A few hopes... (1)

jmcnamera (519408) | more than 10 years ago | (#4326622)

All of what you said could be said of Microsoft and Windows administrators, but of course we'd never say that...

Part of the problem is that servers which are already in use often never get patched. This applies to any OS.

Management at one large ISP I once worked with wanted new stuff put in to make themselves look good to their bosses. Patches just took time away from that, and didn't make anyone look good, thus it didn't happen. Until Code Red that is and probably they will panic after this one.

Re:A few hopes... (0)

GravySkin (516381) | more than 10 years ago | (#4326667)

"2. Whoever is writing these worms knows how much damage they're doing to open source. It would have been preferable to inform the OpenSSL people first, wait a month, then release the worm."

You hypocrite. When people released and wanted to release Windows flaws without giving MS any time to develop a patch, Open source voices said that it was good and it would help show how much slower proprietary closed source companies were to patch vulnerabilities. Now that the shoe is on the other foot...

Damage to open source... The worms are showing how insecure it is too. There is no perfect operating system.

Where's all the yammering now? (-1, Redundant)

Anonymous Coward | more than 10 years ago | (#4326465)

I guess not even open source solutions can cure lazy admin syndrome, eh?

Re:Where's all the yammering now? (0)

Anonymous Coward | more than 10 years ago | (#4326554)

I guess not even open source solutions can cure lazy admin syndrome, eh?

When was it stated that it would?

Re:Where's all the yammering now? (0)

Anonymous Coward | more than 10 years ago | (#4326617)

Yammer yammer yammer!

No wait! "Developers! Developers! Developers! Developers!" -- Steve "Monkey Boy" Ballmer

Misread (1)

tzanger (1575) | more than 10 years ago | (#4326470)

"The worms, Slapper.B and Slapper.C, which exploits a known buffer overrun vulnerability in the Secure Sockets Layer 2.0 (SSLv2) handshake process has infected thousands of Web servers worldwide, according to Helsinki-based F-Secure Corp., a computer and network security company. "

Time to grab a coffee.. I thought it said "thanks to Helsinki-based F-Secure Corp." :-)

Re:Misread (1, Funny)

Anonymous Coward | more than 10 years ago | (#4326493)

Time to grab a coffee.. I thought it said "thanks to Helsinki-based F-Secure Corp." :-)

Good idea. Get me one too.

Re:Misread (1, Funny)

Anonymous Coward | more than 10 years ago | (#4326495)

LTROL [ltrol.com]

True (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#4326472)

The true story of slapper is here [slashdot.org]

use chkrootkit to see if you've gotten it (5, Informative)

motorsabbath (243336) | more than 10 years ago | (#4326474)

http://www.chkrootkit.org/

version 0.37 has been updated to find the slapper - JB

rooted ? (0, Troll)

BESTouff (531293) | more than 10 years ago | (#4326589)

chrootkit.org doesn't answer ... maybe it's been rooted ?

Oh wait, it's on a +5 /. post..

Re:rooted ? (1)

motorsabbath (243336) | more than 10 years ago | (#4326630)

DRAT!

Sorry - it was a typo (and I think they're /.'d):

http://www.chkrootkit.org

mirror (2)

digitalsushi (137809) | more than 10 years ago | (#4326604)

being a good samaritan. no www prefix so browsers won't auto link it, no http prefix for same reason. please do not convert to hyperlink. digitalsushi.com/chkrootkit.tar.gz will leave up for 24 hours, or when i just cant take the abuse anymore.

Re:mirror (2, Informative)

gimpboy (34912) | more than 10 years ago | (#4326650)

here is the list of mirrors from the main page:


here is my mirror of the source:
http://sage.che.pitt.edu/~harrold/tmp/chrootkit.tar.gz

oh no! (0, Funny)

Anonymous Coward | more than 10 years ago | (#4326477)

This is the sort of thing that makes open source (and linux) look amateurish, unprofessional, and insecure. Coming only a day after Microsoft's jihad against Open Source, though, could it be a coincidence?


What do you think are the chances Microsoft employees are contributing buggy patches to key open source projects, causing buffer overruns and worms? It looks like they've found Open Source's Achilles heel :(


So what can we do about it? Maybe we should abandon the GPL (which allows anyone to contribute ticking timebomb patches) and use a better license, such as the Microsoft Shared Source license. That may be the only way to save linux!

Re:oh no! (5, Funny)

Jim Norton (453484) | more than 10 years ago | (#4326488)

This is the sort of thing that makes open source (and linux) look amateurish, unprofessional, and insecure.

I wonder how Windows must look then. Yikes!

Re:oh no! (3, Insightful)

Anonymous Conrad (600139) | more than 10 years ago | (#4326522)

I think you're being *way* too paranoid.

What do you think are the chances Microsoft employees are contributing buggy patches to key open source projects, causing buffer overruns and worms?

Almost nil.

Even if they are, the maintainers share the blame for not reviewing them properly.

Re:oh no! (0)

Anonymous Coward | more than 10 years ago | (#4326687)

I think this should have been filed under Funny.

Linux? (2, Funny)

e8johan (605347) | more than 10 years ago | (#4326478)

I'd say that this looks more like an Apache worm than a Linux worm. It does not seem too bad though, "Get your Apache systems patched and update your antivirus software and you should be fine." (from the Slapper.C article).

This shows that Linux+Apache is so widely accepted that it is a legitimate virus target. Enjoy it!

Spin it... (1)

essiescreet (553257) | more than 10 years ago | (#4326489)

It does not seem too bad though

You should put this on your resume when you apply at Microsoft...

Why the F___? (0)

Anonymous Coward | more than 10 years ago | (#4326619)

Why the F___ is this being called a LINUX worm, when in fact it is an SSL worm?

This is not a problem. (-1, Flamebait)

Anonymous Coward | more than 10 years ago | (#4326479)

Frankly, I don't feel that this is as big of a problem as Winblows worms. (Notice that I say "Winblows" to further advance my point that I don't like Winblows.) Firstly, the average Linux user is far more educated and intelligent than the average Winblows user (or "luser" as they should be called). Secondly, all Linux users immediately install all patches and keep all of their software at the latest version. You snooze, you lose, you run Winblows.

Re:This is not a problem. (1)

nullgel (602884) | more than 10 years ago | (#4326552)

I thought it was, Linux-user == Luser?

Re:This is not a problem. (-1, Flamebait)

Anonymous Coward | more than 10 years ago | (#4326638)

The worm is gods way of destroying the linux fags

Poor security. (2, Funny)

Anonymous Coward | more than 10 years ago | (#4326480)

Well, this is just another example of the slow reaction of closed-source vendors to threats like...

Oh, what?

Open Source isn't perfect? Everything on Slashdot isn't true?

Maybe I really can leave my Mom's basement, then.

Re:Poor security. (1)

MindFlayR (611340) | more than 10 years ago | (#4326511)

To detect the worm, simply do an ls -al in /tmp
you will find the .bugtraq.c file etc etc
and btw, the t-phile about the worm isn't on slashdot anymore

Re:Poor security. (-1)

Anonymous Coward | more than 10 years ago | (#4326691)

Open Source isn't perfect? Everything on Slashdot isn't true?

Seems to me that the only people who have ever said anything about OS being perfect here are the trolls.

Drastic measures. (-1, Flamebait)

caluml (551744) | more than 10 years ago | (#4326481)

I'm all for Worms that remove boot.ini or uninstall lilo, and then reboot the affected machines.

If people can't keep their machines patched, they shouldn't be allowed on the internet.

I know I shouldn't say it out loud, but....

Re:Drastic measures. (1)

james_underscore (468915) | more than 10 years ago | (#4326516)

Haha, I suppose you run a web server do you, and you're sure it's totally secure?

Ok, let's say you're right, you're on your honour to tell us all next time you get a virus and if and when that happens you have to cancel your ISP subscription and never get a new one, ever (only after sending a story to slashdot about how you got rooted though, so we can all have a good giggle).

People make mistakes. People take summer holidays from their jobs and viruses spread when they're not there.

Besides which, without viruses, programmers and security professionals wouldn't have nearly as unpredictable jobs!

Response Time (1, Insightful)

Anonymous Coward | more than 10 years ago | (#4326483)

Happily, we know about this worm now. A fix can be issued quickly and without months of waiting. What's interesting to me is the nature of the worm. It has to compile itself every time it spreads? Why would anyone have gcc available on their web server?

How does this worm affect the cryptographic security of the machine? Should affected webservers get new certificates?

Re:Response Time (2)

Kanon (152815) | more than 10 years ago | (#4326679)

Why would anyone have gcc available on their web server?

Err. To compile the webserver. Unless I'm missing something

what a bunch of sooks (-1, Troll)

Anonymous Coward | more than 10 years ago | (#4326491)

Every reply goes along the lines of 'Come on guys, stop writing worms targeted for open src projects, you're ruining it, please stop it now pleeez' OR 'well windows blah blah Microsoft blah blah bugs blah blah worms blah blah virus blah '.

Same mantra applies to Linux and MS sysadmins: (5, Informative)

bittmann (118697) | more than 10 years ago | (#4326496)

1) Don't enable services and features you don't need (or in MS sysadmin speak--DISABLE all of the services and features you don't need that have "helpfully" been activated in the base install); and

2) Keep up to date on your patch levels.

You don't have to be bleeding-edge on patches, but when a security vulnerability with malicious code in the wild has been detected, it's time to *DO* something about it!

Really, I wonder how many of these infected websites were actually USING SSL, as opposed to having that port hot but unused...

Re:Same mantra applies to Linux and MS sysadmins: (5, Informative)

petard (117521) | more than 10 years ago | (#4326620)

I would add the following:

3) Don't install a development environment (e.g. gcc, which is required for this worm to propagate) on a publicly exposed web server!

Obviously, this won't work for people with only one box who want to run their personal web server off of it as well as do their dev work there, but for *real* servers this is a good practice. People who must have compilers on their web server are probably not using SSL, as you stated :-).

If you must use a compiler on your web server, FFS run the publicly accessible service in a chroot jail [tldp.org] !

Re:Same mantra applies to Linux and MS sysadmins: (2)

rmadmin (532701) | more than 10 years ago | (#4326668)

1) Don't enable services and features you don't need (or in MS sysadmin speak--DISABLE all of the services and features you don't need that have " helpfully" been activated in the base install);

Or in Solaris sysadmin speak, or in redhat sysadmin speak. For instance, solaris tends to run NFS stuffs by default. And Redhat (probably a few other distros too), tend to have a dozen or so unused services running.

The Worm (4, Insightful)

CTRamsden (461135) | more than 10 years ago | (#4326500)

I find it terribly amusing how for years the open-source community has used the larger number of holes found in Windows systems as one of their arguments against it. Yet now when the open-source community is also plagued with the same thing the comments tend to be along the line of 'Windows still sux.' and 'Do you know how much you're hurting the open-source movement? Please stop.'

Seems to me like older anti-MS comments are coming around and biting people in the ass.

Re:The Worm (1, Funny)

Anonymous Coward | more than 10 years ago | (#4326545)

I find it terribly amusing that you find this terribly amusing. Why so much interest? Did your solitaire game blue screen?

Re:The Worm (1)

dpt (165990) | more than 10 years ago | (#4326553)

This was already fixed long ago, you half-wit!

Re:The bite (0)

Anonymous Coward | more than 10 years ago | (#4326566)

So, did the bite hurt, ass?

Re:The Worm (1)

CTRamsden (461135) | more than 10 years ago | (#4326572)

You ask why so much interest. Could you perhaps be more specific? Why so much interest in open-source, or worms, or the ever-prevalent hypocritical comments that are made by a few ignorant people claiming to be on the side of open-source?

In response to your second question (did my solitaire game blue-screen): No, it didn't. It hasn't since I upgraded from 98 to 2000 and later from 2000 to XP.

Re:The Worm (1)

CTRamsden (461135) | more than 10 years ago | (#4326582)

As for being fixed long ago... MS releases patches as well, and many times the worms propagate because of many sysadmins who don't apply said patches -- this is a similar case.

Re:The Worm (2)

the_rev_matt (239420) | more than 10 years ago | (#4326596)

Yes, two or three minor worms in an optional component of an open source server are certainly as big a deal as the literally thousands of virii/security holes/etc in the fundamental core of Windows. The several thousand servers that have been infected with Slapper.b/c certainly compare in scope to the hundreds of thousands, if not millions, affected by Code Red/Nimda/I Love You/etc.

Re:The Worm (5, Insightful)

chrysrobyn (106763) | more than 10 years ago | (#4326599)

I find it terribly amusing how for years the open-source community has used the larger number of holes found in Windows systems as one of their arguments against it. Yet now when the open-source community is also plagued with the same thing the comments tend to be along the line of 'Windows still sux.' and 'Do you know how much you're hurting the open-source movement? Please stop.'

I am the administrator for two Linux servers, a Slackware 7.0 box and a Debian Woody box. I'm scared that I'll get rooted again, but do you know what I'm thinking anyway? "Bring it on." Let these worms propagate, let some publicity get out, and let the patches come. They will come, just as they always have. I'll be a wget %1;upgradepkg %1 or apt-get update;apt-get upgrade away from being back up to speed.

The open-source community, contrary to your assertion, has for years said two things 1) Lazy admins risk getting hacked and 2) Open source patches flow more freely than closed source ones. I don't think the number of holes against NT 4.0 (for example) is criticised, but rather the length of time between exploit and patch-- the criticism is of the number of documented, unpatched holes. If you show me a list of documented, unpatched holes, I'll show you a mailing list / IRC channel / news group that just found a list of things to do for the afternoon. Inexperienced teenagers (a large subset of all teenagers) and newbies are unable to refute your statement that Linux is as bad as Windows and resort to childish retorts and pleas for silence.

Bring it on, hackers, help us audit the code. Win prestige for you, win a better OS for us.

Questions: (2, Interesting)

Black Parrot (19622) | more than 10 years ago | (#4326601)


> I find it terribly amusing how for years the open-source community has used the larger number of holes found in Windows systems as one of their arguments against it. Yet now when the open-source community is also plagued with the same thing the comments tend to be along the line of 'Windows still sux.'...

  1. How many Apache exploits per IIS exploit?
  2. What are the average turnaround times for security updates for Apache and IIS?
  3. How much other stuff gets broken by an Apache update and a IIS update?

Re:The Worm (1, Insightful)

Anonymous Coward | more than 10 years ago | (#4326609)

What I find amusing is that this is called a "Linux Worm" when in reality, it's an Apache+SSL problem, NOT a problem with Linux itself.

You cannot compare this to Windows holes, which are usually actual flaws with Windows (since Microsoft is so hell-bent on "integrating" everything with the operating system).

Re:The Worm (2)

mgkimsal2 (200677) | more than 10 years ago | (#4326631)

'Do you know how much you're hurting the open-source movement? Please stop.'

I don't think I've *ever* heard anyone say that - certainly not at the local LUG meetings or amongst other fellow users in the area. Maybe it's a Michigan thing, but I can not ever recall hearing or reading comments like that.

Re:The Worm (2)

justsomebody (525308) | more than 10 years ago | (#4326649)

What I find terribly amusing is your lack of knowledge. Patch is more than one month old.

This virus is not hurting the Linux community. It just shows that there's too few holes for virus writers to be original. The last 3 viruses were using the same one hole. That's more promoting than demoting.

Well, for bad admins, I feel it's ok if they get infected. And for users, they don't have a web server, but if they have, they should click the Update icon sometimes.

Re:The Worm (2)

gosand (234100) | more than 10 years ago | (#4326652)

I find it terribly amusing how for years the open-source community has used the larger number of holes found in Windows systems as one of their arguments against it. Yet now when the open-source community is also plagued with the same thing the comments tend to be along the line of 'Windows still sux.' and 'Do you know how much you're hurting the open-source movement? Please stop.' Seems to me like older anti-MS comments are coming around and biting people in the ass.

Hardly. The inability to properly admin a system is biting them in the ass. The comments to Microsoft sucking when it comes to security still apply. When someone says that Linux is more secure than Windows, that is not saying it is perfect. Nobody in their right mind would say that any OS is totally secure. The difference is, it is a Linux community. People who find exploits should alert the community before releasing the information in the wild. The same applies to Windows, Microsoft should be alerted to the problem well before everyone else is. The difference is, the Open Source community will quickly patch it, Microsoft will do whatever they want to do.

There is nothing wrong with yelling at people about keeping their systems up to date. It is just bad practice to not keep up with patches. With Open Source, you can do that - with Windows, you can only do that if Microsoft provides you with patches. The OSS community has absolutely no say in how MS decides to handle vulnerabilities, but we do have a voice in our own community.

And if you think a worm or two means that now Linux is catching up to MS in the number of vulnerabilities, you are living in a dream world. Plagued? Please. At least the OSS community isn't delusional and says "there are no bugs".

A missed chance for some bad humor (2, Redundant)

shren (134692) | more than 10 years ago | (#4326504)

According to researchers at F-Secure, the Slapper.B worm variant is able to retrieve its source code from a Web page after the worm has been removed from infected servers. The worm uses a common free software utility, wget, to retrieve its source code from an infected Web page in the home.ro domain.

Administrators of the domain, which is located in Romania, have been notified and the infected page has been deleted from the site, according to F-Secure.

They should have replaced the code for the worm with code that pops up a window that says "Patch your server, you halfwit!"

what does it look like? (5, Interesting)

Anonymous Coward | more than 10 years ago | (#4326550)

What should I look for in my apache logs to see if I'm being "hit" by it? Anyone have an example?

your friendly neighborhood AC

Re:what does it look like? (1)

frog51 (51816) | more than 10 years ago | (#4326681)

See earlier post and use the latest chkrootkit. It's that easy to check.

Re:what does it look like? (2, Informative)

EkiM in De (574327) | more than 10 years ago | (#4326682)

Well I'm not entirely sure but I found that in my error_log a couple of bad hits from other Apache Servers. I found the Apache Test page on these servers which I suspect is a bit of a giveaway that perhaps these are not active servers.
Anyway I could be completely wrong, but since these hits were from Web servers I kind of suspect that these servers have not been patched.... God I hope that the log entries below don't indicate that I've been hit and damaged
Anyway the hits looked like this:
[Mon Sep 23 08:16:53 2002] [error] [client xx.xx.xx.xx] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Mon Sep 23 08:16:53 2002] [error] [client xx.xx.xx.xx] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Mon Sep 23 08:16:53 2002] [error] [client xx.xx.xx.xx] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Mon Sep 23 08:17:04 2002] [error] mod_ssl: SSL handshake failed (server www.example.com:443, client xx.xx.xx.xx) (OpenSSL library error follows)
[Mon Sep 23 08:17:04 2002] [error] OpenSSL: error:1406B458:lib(20):func(107):reason(1112)
[Mon Sep 23 08:17:18 2002] [error] mod_ssl: SSL handshake failed (server www.example.com:443, client xx.xx.xx.xx) (OpenSSL library error follows)
[Mon Sep 23 08:17:18 2002] [error] OpenSSL: error:1406B458:lib(20):func(107):reason(1112)
[Mon Sep 23 08:17:18 2002] [error] mod_ssl: SSL handshake failed (server www.example.com:443, client xx.xx.xx.xx) (OpenSSL library error follows)
[Mon Sep 23 08:17:18 2002] [error] OpenSSL: error:1406B458:lib(20):func(107):reason(1112)

Re:what does it look like? (3, Informative)

ceejayoz (567949) | more than 10 years ago | (#4326690)

Posted earlier in the thread:

to detect the worm, simply do a ls -al in /tmp
you will find .bugtraq.c file etc etc
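
The two checks in this sub-thread (the error_log pattern EkiM in De posted and the `ls -al /tmp` check ceejayoz quoted) as one added example; this is not code from the page or from any of the posters, and the log lines and addresses in it are constructed to match the quoted pattern. The log heuristic correlates the two symptoms per client: a hostless HTTP/1.1 request alone is common (broken clients, monitoring probes), but the same address failing a mod_ssl handshake seconds later is the scan signature. The `/tmp/.bugtraq.c` name comes from the comment above; `.bugtraq` as the compiled binary is an assumption made here.

```python
"""Added example: spot Slapper-style scans in an Apache error_log and check /tmp for drop files."""
import os
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample modelled on the log lines quoted in the thread; the addresses are
# RFC 5737 documentation addresses, not real scanners.
SAMPLE_LOG = """\
[Mon Sep 23 08:16:53 2002] [error] [client 192.0.2.10] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Mon Sep 23 08:16:53 2002] [error] [client 192.0.2.10] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Mon Sep 23 08:17:04 2002] [error] mod_ssl: SSL handshake failed (server www.example.com:443, client 192.0.2.10) (OpenSSL library error follows)
[Mon Sep 23 08:17:04 2002] [error] OpenSSL: error:1406B458:lib(20):func(107):reason(1112)
[Mon Sep 23 09:00:00 2002] [error] [client 198.51.100.7] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
[Mon Sep 23 09:30:00 2002] [error] mod_ssl: SSL handshake failed (server www.example.com:443, client 203.0.113.5) (OpenSSL library error follows)
"""

# Apache 1.3 error_log prefix: "[Mon Sep 23 08:16:53 2002] [error] "
TS = r"\[(?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d \d{4})\] \[error\] "
PROBE_RE = re.compile(TS + r"\[client (?P<ip>[^\]]+)\] client sent HTTP/1\.1 request without hostname")
HSFAIL_RE = re.compile(TS + r"mod_ssl: SSL handshake failed \(server [^,]+, client (?P<ip>[^)]+)\)")

# ".bugtraq.c" is the name given in the comment above; ".bugtraq" is assumed here to be the
# binary compiled from it. Variants may use other names, so an empty result is not a clean bill.
WORM_ARTIFACTS = (".bugtraq.c", ".bugtraq")


def parse_ts(ts):
    return datetime.strptime(ts, "%a %b %d %H:%M:%S %Y")


def suspicious_clients(log_text, window_seconds=60):
    """Return {ip: (hostless_requests, linked_handshake_failures)} for every client that sent a
    hostless HTTP/1.1 request and then failed an SSL handshake within window_seconds of it."""
    probes = defaultdict(list)
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = PROBE_RE.match(line)
        if m:
            probes[m["ip"]].append(parse_ts(m["ts"]))
            continue
        m = HSFAIL_RE.match(line)
        if m:
            failures[m["ip"]].append(parse_ts(m["ts"]))
    hits = {}
    for ip, fails in failures.items():
        linked = [f for f in fails
                  if any(0 <= (f - p).total_seconds() <= window_seconds for p in probes.get(ip, ()))]
        if linked:
            hits[ip] = (len(probes[ip]), len(linked))
    return hits


def find_artifacts(names):
    """Filter a directory listing (as returned by os.listdir, dotfiles included) to known drop-file names."""
    return [n for n in names if n in WORM_ARTIFACTS]


def scan_tmp(tmp_dir="/tmp"):
    """The `ls -al /tmp` check from the comment above, done from Python."""
    return [os.path.join(tmp_dir, n) for n in find_artifacts(os.listdir(tmp_dir))]


if __name__ == "__main__":
    for ip, (probes_n, fails_n) in suspicious_clients(SAMPLE_LOG).items():
        print(f"{ip}: {probes_n} hostless request(s), {fails_n} handshake failure(s) within 60s")
    print("worm artifacts in /tmp:", scan_tmp() or "none")
```

Run it against a real error_log with `suspicious_clients(open("/var/log/httpd/error_log").read())`. A hit means an address scanned you, not that the exploit succeeded; a successful infection shows up as the drop files, as a new process owned by the Apache user, or in the chkrootkit run frog51 mentioned.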

It's a distro problem, not a linux problem (5, Insightful)

tshoppa (513863) | more than 10 years ago | (#4326568)

The problem is that many (most? all?) the big-name distros have Apache built with mod_ssl on them. Even though I would guess that only a tiny percent of all web servers need SSL. (Admittedly that tiny percent is very important, as no money transactions should be going on without security...)

IMHO if you need SSL on a webserver, you should be forced to go through the download + build + cert process yourself.

Re:It's a distro problem, not a linux problem (2)

Hard_Code (49548) | more than 10 years ago | (#4326606)

"IMHO if you need SSL on a webserver, you should be forced to go through the download + build + cert process yourself."

At some point you have to unless you want to run with a phony snakeoil cert.

How to test yourself (5, Informative)

pbur (88030) | more than 10 years ago | (#4326571)

If you were like me and wondered whether, after the OpenSSL upgrade, you actually patched everything right, you can compile and run this program to find out:

http://cert.uni-stuttgart.de/advisories/openssl-sslv2-master/openssl-sslv2-master.c

It will connect to your HTTPS server and check it. Unfortunately, it won't connect to SSH. It helped me make sure I was patched up at least for apache.

And I have never quite understood why the advisory says to recompile your apps as well. If they are using the Shared Library, where the problem actually exists, then they get the upgrade by default. Now, if you had some static compiles, then sure.

Pbur

Re:How to test yourself (2)

pbur (88030) | more than 10 years ago | (#4326590)

Ok, /. put an extra space in the URL after "openssl-ss". I will make a link URL: The Link [uni-stuttgart.de]
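
An added example on the shared-library point raised in this thread (not pbur's tool and not from the page): replacing libssl on disk does not change the code a running httpd executes, because a process keeps the shared object it mapped at start-up until it is restarted. On Linux the kernel shows such a mapping with a "(deleted)" suffix in /proc/<pid>/maps once the package manager has unlinked and recreated the file (which is how rpm and dpkg install), so that is the thing to grep for. The maps excerpt below is constructed; paths, inodes and version numbers are illustrative.

```python
"""Added example: find processes still running an OpenSSL library that was replaced on disk."""
import os

OPENSSL_LIBS = ("libssl", "libcrypto")

# Constructed /proc/<pid>/maps excerpt for an httpd started before the OpenSSL upgrade.
SAMPLE_MAPS = """\
08048000-080c5000 r-xp 00000000 03:01 12345      /usr/sbin/httpd
40000000-40014000 r-xp 00000000 03:01 2345       /lib/ld-2.2.5.so
40100000-40130000 r-xp 00000000 03:01 6789       /usr/lib/libssl.so.0.9.6 (deleted)
40130000-40230000 r-xp 00000000 03:01 6790       /usr/lib/libcrypto.so.0.9.6 (deleted)
40230000-40240000 r-xp 00000000 03:01 6791       /lib/libdl.so.2
bfffe000-c0000000 rwxp 00000000 00:00 0
"""


def stale_openssl_mappings(maps_text):
    """Return the sorted OpenSSL shared-object paths in one maps text whose backing file the
    kernel reports as deleted, i.e. replaced after the process loaded it."""
    stale = set()
    for line in maps_text.splitlines():
        # Fields: address perms offset dev inode [pathname]. The pathname may contain spaces,
        # so split at most five times and keep the remainder whole.
        fields = line.split(None, 5)
        if len(fields) < 6:
            continue  # anonymous mapping, no file behind it
        pathname = fields[5].strip()
        if not pathname.endswith("(deleted)"):
            continue
        path = pathname[: -len("(deleted)")].strip()
        if os.path.basename(path).startswith(OPENSSL_LIBS):
            stale.add(path)
    return sorted(stale)


def processes_with_stale_openssl(proc_root="/proc"):
    """Walk proc_root and return {pid: [stale paths]} for every process whose maps are readable."""
    hits = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "maps")) as f:
                stale = stale_openssl_mappings(f.read())
        except OSError:
            continue  # process exited, or not readable without root
        if stale:
            hits[int(entry)] = stale
    return hits


if __name__ == "__main__":
    print("sample:", stale_openssl_mappings(SAMPLE_MAPS))
    for pid, libs in sorted(processes_with_stale_openssl().items()):
        print(f"pid {pid} still maps {', '.join(libs)}; restart it")
```

Run it as root after the upgrade; every pid it lists needs a restart before the patch is in effect. It cannot see statically linked copies of OpenSSL, which is the case the advisory's "recompile your applications" line is about.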

Keep your anti virus software up to date also.... (1)

HeyZuess (35885) | more than 10 years ago | (#4326576)

I find it somewhat odd that each advisory from an anti-virus vendor concerning the slapper worm advises to not only patch your software, but also keep your antivirus software current.

If the software is patched then antivirus software is irrelevant.

How big is the antivirus software market for linux?

Funny (2)

justsomebody (525308) | more than 10 years ago | (#4326578)

Usually it takes at least half an hour to release a patch when a hole is discovered.

This time patch was month or so too fast for Slapper.B and C. Does this mean that Open Source gets better and better?

p.s. I hate lame unintuitive virus writers without imagination

Maybe that's why I can't get the Apache website ? (0, Troll)

loom (35551) | more than 10 years ago | (#4326580)


I've been having trouble connecting to http://www.apache.org this morning. Maybe that's why ?

Everybody knows... (-1, Troll)

Anonymous Coward | more than 10 years ago | (#4326594)

In case you didn't know, a certain Redmond company is actually funding these things...

comparison (4, Insightful)

Tom (822) | more than 10 years ago | (#4326616)

To all those who will no doubt post "see, CodeRed can happen to Linux, too" - here is some enlightenment:

There are currently an estimated 10,000 hosts infected with Slapper (any variant).

According to DShield's CodeRed history page [dshield.org] , around 25,000 Windows hosts are still estimated as CodeRed infected, one year after the event.
According to news.com [com.com] , at the peak we had over 350,000 infected machines.

10,000 is about 2% of 350,000. No, Slapper is not even comparable to CodeRed when it comes to spread, neither speed nor coverage.

It does, however, prove two things:

a) The Linux world is susceptible to the same generic diseases
b) For various reasons (more variety, better sysadmins, better security in general), it coped much better with an actual outbreak.

Re:comparison (3, Informative)

larien (5608) | more than 10 years ago | (#4326684)

It doesn't prove that much as there may be fewer Apache-SSL sites on linux than there are IIS sites. Code Red hit all IIS boxes, Slapper only hits Apache on linux, and even then, it requires the presence of gcc and some other conditions to be met before it works.

That said, I would like to see a more in-depth analysis of the proportions of machines which have been hit and are infected. Also, we should bear in mind that the impact is much less on linux as Apache normally runs as a non-root user while IIS almost always runs as a system/admin user.

Re:comparison (1)

Lester67 (218549) | more than 10 years ago | (#4326689)

So you are saying you've hit the peak number of infections?

That's a ballsy statement... considering this worm is only on its second variant.... so far.

Old news (2, Informative)

MiniChaz (163137) | more than 10 years ago | (#4326629)

Let's just hope Taco isn't doing too much sys admin work these days because this is really old news. Slapper was spotted over a week ago and the news appeared on LWN at the URL below.

http://www.lwn.net/Articles/10026/

Thanks.

But... (1)

Evro (18923) | more than 10 years ago | (#4326635)

What about this ZDNet/CNET story [com.com] which says
A Linux worm that started spreading a week ago has reached a plateau after infecting about 7,000 servers and turning the hosts into a peer-to-peer network that could be used to attack other computers.

Known as Linux.Slapper.Worm, Slapper and Apache/mod_ssl, the worm's spread has fallen far short of the biggest attackers in recent times. For example, Code Red infected 400,000 servers last summer. And according to the National Strategy to Secure Cyberspace, the Nimda virus compromised 86,000 systems last fall.
If these "new" worms exploit the same hole in OpenSSL, wouldn't one expect them to have a similarly low plateau? And for the record, exactly what configurations are vulnerable? If you have Apache compiled with mod_ssl, but don't do "apachectl startssl", are you vulnerable?
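
On the configuration question Evro asks, an added example (not from the page or from Evro's post) of the stock mod_ssl layout for Apache 1.3: the SSL parts of httpd.conf sit inside `<IfDefine SSL>`, and `apachectl startssl` is what starts httpd with `-DSSL`. Started with plain `apachectl start`, nothing in that block is active, the server never listens on 443 and the SSLv2 handshake code is never reached. The certificate paths and the exact block layout are assumptions; check your own httpd.conf.

```apacheconf
# Assumed stock layout for this example. Only "apachectl startssl" (httpd -DSSL) enables this block.
<IfDefine SSL>
Listen 443

<VirtualHost _default_:443>
    SSLEngine on
    SSLCertificateFile    /usr/local/apache/conf/ssl.crt/server.crt
    SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/server.key

    # Weak: the default accepts SSLv2, so the vulnerable handshake is reachable from the network.
    # SSLProtocol all

    # Workaround, not a fix: refuse SSLv2 so the bad handshake path is never entered.
    # Still upgrade OpenSSL and restart httpd; nothing stops a later client or module
    # from being pointed at the same library.
    SSLProtocol all -SSLv2
</VirtualHost>
</IfDefine>
```

The `SSLProtocol` line is worth setting even on a patched server, since no current browser needs SSLv2. To confirm what a box actually exposes, check for a listener on 443 with `netstat -ltn` rather than trusting the config file; a second Apache instance or a different config path is a common surprise.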

Goodie. (-1, Troll)

Anonymous Coward | more than 10 years ago | (#4326685)

1. System Administrators are still idiots. I highly suspect it's the MCSE-turned-Linux people, but I've seen my share of 'linux gurus' who are too damned lazy to update bugfixes.

2. Code Red? Heh. This is so pathetically small compared to Code Red. However, I have no doubt that this could've been a Code Red. CR got a lot of people's arses reamed about not installing security updates.

3. To all the people sucking down the chocolate of Gates' arse, erm, count the number of Apache worms compared to the number of IIS worms. Throw in Evo worms vs. Lookout! worms too, if you wish. Oh how the tables haven't turned!

4. Time to put sticky notes on the monitors of admins to remind them to check for freakin' updates. Or maybe someone could make a worm that figures out the distro and then runs the appropriate utility as a cron job.

Remember, kids! Not even Linux can cause certain people to see an increase in grey matter.