Speedy Attack Targets Web Servers With Outdated Linux Kernels 93
alphadogg writes "Web servers running a long-outdated version of the Linux kernel were attacked with dramatic speed over two days last week, according to Cisco Systems. All the affected servers were running the 2.6 version, first released in December 2003. 'When attackers discover a vulnerability in the system, they can exploit it at their whim without fear of it being remedied,' Cisco said. After the Web server has been compromised, the attackers slip in a line of JavaScript to other JavaScript files within the website. That code bounces the website's visitors to a second compromised host. 'The two-stage process allows attackers to serve up a variety of malicious content to the visitor,' according to Cisco."
No Details (Score:5, Insightful)
So the webserver was compromised and JavaScript was inserted and their first thought is it's the kernel?
horrible article, author has no idea about 2.6 (Score:5, Insightful)
"All of the affected web servers that we have examined use the Linux 2.6 kernel."
Right, because RHEL (and Centos) run 2.6.... so sampling ANY number of servers is likely going to show that they run 2.6.
Is Slashdot just a click redirector these days? Do 'editors' remotely 'edit' anything?
Re:No Details (Score:5, Insightful)
You clearly don't understand the lifecycle of a production OS.
Re:No Details (Score:2, Insightful)
Yeah, the article is extremely uninformative. They say 2.6 and yet RHEL/CENTOS 6.5 are 2.6... so that meaning nothing as far as being "old" or "outdated".
Well it sort of does. RHEL is intentionally outdated because that's what their market wants. It's stupid, I know, but there are a lot of people out there who still really want a world where software never updates so the hacked together shit that runs their business can keep running rather than doing it right.
"Doing it right" includes not "upgrading" things that aren't broke, or "just cuz".
The idea is to split "change for the sake of change" and "change for stability and security reasons" into separate buckets.
You don't rip out all the "old" appliances in your house each time a newer one comes out do you? You'd cause more damage moving things around then you'd gain from the new features trickling in. You fix them in place until the cost to do so is more than buying a newer one. That's just common sense. "Upgrading" software is in no way free, when you actually need it to work.
Re:No Details (Score:5, Insightful)
Age of the code and the level of patches are two different things
Older code has had more time for vulnerabilities to be found and patched.
Newer code is, well, newer and has had less time for vulnerabilities to be patched.
In general if you want to maximise vulnerability, run the oldest code, but apply no patches. The next most vulnerable general case would be to run the newest code because you are playing with untested fire and risking zero day exploits.
In production systems it is usually best to run code that is old enough to be stable, well tested and well patched.
There are counter examples when a long unknown exploit is discoverd, but the same kind of exploits could live in brand new code as well. However new code could contain some really simple exploits that will be patched pretty quickly. You don't want your production system to be the system opening up the tickets with support that find the exploit is the root cause. Because that means you've got to explain to your customers why their credit card numbers have all been stolen.
Re:Slashdot continues its decline (Score:4, Insightful)
You didn't read the article, did you? TFS is vague, but so is the article. The article contains no details about the vulnerability. It only contains information about the severity and locations of the attacks. Comments on the article add "Version 2.6.18 appeared to be particularly prevalent." The article is shockingly limited on details.
Slashdot's editors are often appear to be asleep at the wheel, but this time the editors weren't adding anything that wasn't in the original article.
Re:No Details (Score:4, Insightful)
You clearly don't understand the lifecycle of a production OS.
...nor does he understand the concept of back-porting patches, apparently.
Re:No Details (Score:4, Insightful)
You clearly don't understand what it means to run real-world business IT infrastructure. Just because something is oldler doesn't mean it is "outdated" or "insecure". RHEL/CentOS update the packages for a long time making them relevant and still secure through backporting and patches.
Sometimes stability and reliability are far more important and efficient than constantly ripping everything out and starting over again every year or two. Besides, the more bleeding edge like Fedora and Ubuntu and Mint are more likely to have NEW security holes with less manpower behind them to fix it quickly.
There is a reason that RHEL and CentOS are so popular for servers and "utility" boxes.