Novell OpenSUSE Server Hacked
abelikoff writes "Both LinuxWorld Australia and SuSE Linux Forums report that OpenSUSE website got hacked last night." This story was submitted quite a number of times.
Don't blame LINUX (Score:2, Insightful)
Linux is near-flawless in terms of security.
Re:Don't blame LINUX (Score:2, Insightful)
so it could have been a linux flaw...
but you're right, on most PCs the weakest link is the user...
Practical upshot? Am I safe? (Score:3, Insightful)
What is the practical upshot of all this? Is the damage limited to the "Give us nuclear rights" web defacement, or was that just a front to make people think nothing else was damaged?
I'm running SuSE 9.3, and this morning, I let the automated update program do its thing. Did I download and install any breached files?
TFA doesn't say anything.
Comment removed (Score:5, Informative)
Re:Practical upshot? Am I safe? (Score:3, Interesting)
My question is: Why bother hacking a Wiki? Can't you just make your own changes to it anyway?
Re: (Score:2)
Re:Practical upshot? Am I safe? (Score:4, Insightful)
Your call for isolationism has a certain appeal. I'm generally a believer that far too many people are overly concerned with what's going on in their neighbor's yard. However, isolationism is not a panacea. Interestingly enough, the US' involvement in the Middle East began within decades of the formation of the US in the form of the Barbary Wars even though the new US Government often expressed a belief in isolationism. Yet they soon discovered that the US interacted in the world around them and could not be separate from it.
That's not to say that the US hasn't managed periods of isolationist policies. US history shows some remarkable stretches of isolationism. But such policies only served to create the hardest lesson in recent US history - World War II. The cost associated with World War II was only increased by attempts to limit direct involvement of the US in what was viewed to be a European affair (although Europeans themselves also contributed with their own reluctance to act).
World War II leads directly in to the Cold War and the US' attempts to curtail Soviet influence. And perhaps that is where the US commits the sins we will be paying for today and tomorrow. Although I find it rather interesting that when critics of US policy point to various fumbles and embarrassments, they fail to note Soviet involvement. Which isn't to say that the US is excused for their actions - but rather some perspective would provide a better understanding of why things were done.
So does the US have a "right" to dictate to others what they can and can not do? Hardly. There is such a thing as a sovereignty. But to claim that the US should have no involvement in the world around it is simply setting up the US to become victim to the day when its people and shores are under attack. I hate to sound anything like the Bush Administration. Yet there are certainly others who have less qualms about rights than the US. And history shows how that turns out for anyone who ignores it.
On Iraq, I mostly agree. The current Administration's handling of the situation is unsettling, to say the least. There seems to be a certain degree of willful ignorance and a lack of understanding and planning that shows itself not only in foreign policy, but domestic policy too.
However, Iraq was bound to happen. While critics of the Bush Administration are, more or less, right to criticize the reasoning given for this war - they tend to gloss over the fact that the Iraq war comes at an end of a CEASE FIRE agreed to in the early '90s. No folks, this is not a new thing; US military personnel have been in the region maintaining vigilance for over a decade without daily CNN coverage. That entire time is under a state of war. And during that time, Saddam willfully defied UN mandates and conditions of that cease fire agreement.
Yet Saddam was probably not intended to stay in power. The Senior Bush was wise enough to not completely dismantle the world's fourth largest standing army, and create a vacuum for neighboring influence (such as Iran). And it was probably wise to try and avoid the troubles we are facing today by giving the Iraqi people a chance to handle Saddam themselves. But Saddam is exceptionally gifted at survival (and also ruthlessly brutal). It would take direct involvement to remove Saddam's regime after all.
There might be a slim chance that the Iraqi government to be will become a secular democracy, with enough economic power behind it to flourish. There are possible echoes of Germany and Japan. But the reality is that the odds are against this happening. Partly due to external influences. And (arguably) largely due to the planning of the Bush Administration.
What about Iran? I don't find it too surprising that Iran's intentions meet a certain degree of skepticism. It seems odd that Iran's quest for energy would have to involve a process that can be directly applied to acquiring massively powerful weapons when it is itself the World's fourth largest producer of fossil fuel (right behind the US - Iraq is at 14th) as well as having ample opportunity to develop other alternative (and less dangerous) alternative energy systems.
Re:Practical upshot? Am I safe? (Score:2, Insightful)
That would explain why the French and Japanese have abandoned it.
Nuclear power is orders of magnitude safer than it was decades ago. I'd much rather have a source of energy with a waste that I can dispose of in a controlled fashion rather than one which pours pollutants into the air we breathe. The only reason we don't use more nuclear energy here in the US is because of politics, not science or practicality.
Not to say anything about Iran h
Re:Don't blame LINUX (Score:5, Insightful)
Linux is near-flawless in terms of security.
You don't follow security mailing lists, do you? Most Linux distros have decent security but "near-flawless"?
Re:Don't blame LINUX (Score:2)
Just for reference... Netcraft says the site was running Apache/2.0.49 for Linux/SuSE.
Which part actually got hacked, the OS or the webserver itself??
Re:Don't blame LINUX (Score:3, Informative)
Only those Iranians and the SUSE people know
Re:Don't blame LINUX (Score:5, Insightful)
Re:Don't blame LINUX (Score:2)
http://defaced.projectgamma.com/ [projectgamma.com]
http://www.zone-h.com/en/defacements [zone-h.com]
burnin
Re:Don't blame LINUX (Score:2)
Didn't RTFA but another poster mentioned something like "the Wiki server was hacked".
So I would put my money on an exploit of one of the recent Twiki vulnerabilities.
I know some websites that got hacked because of them.
near-flawless? (Score:4, Insightful)
It's the job of the administrators to mitigate and compensate for known, and unknown, security flaws.
Re:Don't blame LINUX (Score:2)
If there is one thing we can learn from history, it's that anything flawless in its day has been proven flawed eventually.
In the computer world it's only that much more of a smack in the face.
Linux exploits are found all the time, and yes, maybe they are found less often, or fixed faster than on other operating systems (..maybe..) but they exist, and always will.
Don't Blame Windows (Score:3, Insightful)
Re:Don't blame LINUX (Score:5, Funny)
Isn't this the same flaw Windows has?
Hey, (Score:5, Funny)
Re:Don't blame LINUX (Score:2)
Yes. But it's not the only one. Many people can say "I know how to configure Windows, I didn't get any virus or worm yet"
I just say: wait till you get hit (it's "when" not "if") and then that will shatter any confidence you have in Windows and in your ability to secure it.
Re:Don't blame LINUX (Score:3, Interesting)
Re:Don't blame LINUX (Score:3, Insightful)
How secure by default? (Score:4, Informative)
It's a reasonable question to ask.
Yes, fundamentally it's true that configuration management has a significant effect on security. To be precise, this is not a flaw, but a characteristic. A site which is in full control of system configuration will have formal security advantages over one which isn't, and this is universally true regardless of platform.
However, the story is told from a much different perspective when it comes to evaluating the security of a given platform. Configuration remains a major factor in security, but it has to be weighed in light of platform capability. So, for example, a very simple network appliance with a very small configuration space has the prospect of being very secure. An ideal appliance cannot be configured insecurely. In practice, that may or may not be the case, depending as always on design tradeoffs and correctness of implementation.
Apart from pure appliances, all computing platforms must, for reasons of generality, offer configuration possibilities that put some security tradeoffs in the hands of site administrators. Such is the case for both Linux and Windows, so indeed poor administration can always result in poor security on a sufficiently general platform.
The practical focus, therefore, has turned to how securely these platforms are configured by default. Interestingly, even though Windows is marketed for nonexpert use, it has a long tradition of being configured insecure by default, exactly the opposite of what would be appropriate for a nonexpert market. It also, in my opinion, embodies a lot of fundamentally insecure design tradeoffs, neglecting principles such as modularity, containment, and least privilege, for example. These are extremely deep design problems, not easily fixed.
Linux and Unix, although designed by developers for developers, and therefore intended for expert use, have a record of delivering much better security by default. I can think of lots of particular exceptions, but they have tended to be minor design tradeoffs that could be, and were, easily corrected. Security incident statistics seem to reinforce these observations very strongly.
In my line of work, I get to see what goes on behind the scenes at a lot of sites. It's not often that I come upon a site which is not suffering to some significant degree from a chronic neglect of configuration management. All discussion of platform characteristics aside, this is a real problem on the ground for security.
The issue, in terms of value for effort, then becomes to identify which of these sites is (a) at most immediate risk, and (b) has the best potential of improvement. In the former case, I find that the answer is Windows, and in the latter, it's Linux.
Don't blame Windows (Score:2, Redundant)
Re:Don't blame LINUX (Score:2)
Re:Don't blame LINUX (Score:2)
Re:Don't blame LINUX (Score:2)
*sigh* (Score:5, Insightful)
Re:*sigh* (Score:3, Funny)
I got a translation right here: (Score:2)
Re:*sigh* (Score:5, Insightful)
Re:*sigh* (Score:4, Insightful)
I'm too idealist for my own good.
Re:*sigh* (Score:2, Insightful)
It doesn't take a genius... (Score:2)
ouch (Score:5, Funny)
They could just run OpenBSD [openbsd.org].
Re:ouch (Score:2)
Re:ouch (Score:2)
Or I suppose it's more likely you don't have a clue and there is a greater probability that the exploit was in the php application they were running on top of linux+apache and rather than being hacked the website was defaced.
And if that turns out to be the case then it would have made no difference whether they were running on linux, BSD, or any other OS. The s
Re:ouch (Score:2)
New features or safety
Safety or new features
gaw, what a choice!
Re:ouch (Score:2)
How does this help ? (Score:4, Insightful)
Re:How does this help ? (Score:2, Funny)
Re: (Score:2)
Re:How does this help ? (Score:3, Insightful)
Why? Because it does not happen often to a major linux site. It would be like having millions stolen from a site that runs a non-Windows system such as a unix site. It will make news just because it is non-Windows.
Rights or not (Score:4, Funny)
Re:Rights or not (Score:5, Funny)
Step away from the fissionable material...It is obviously causing you brain damage.
Re:Rights or not (Score:3, Funny)
Right, so how good is your Arabic again?
Re:Rights or not (Score:3, Insightful)
Re:Rights or not (Score:5, Insightful)
Re:Rights or not (Score:2)
Rob.
Re:Rights or not (Score:5, Interesting)
Especially since Iranians a) speak Farsi, not Arabic, and b) aren't Arabs.
how rude..... (Score:2, Insightful)
Re:how rude..... (Score:2)
I'm convinced! (Score:4, Funny)
Novell Wiki was hacked too. (Score:4, Funny)
Site is currently down.
Details of the hack? (Score:5, Interesting)
Re:Details of the hack? (Score:2)
ssh scan (Score:5, Informative)
I see these attacks all the time on all Internet facing servers.
Lol thanks, that explains a lot of log entries (Score:2)
Goes to show that you always need to check your machine. I had no need for remote ssh access so why did I leave it enabled.
Oh well, luckily I have no business with the arab nations so they are now all banned. Blame the ISP in question for not reacting.
Re:Lol thanks, that explains a lot of log entries (Score:2)
sshd should of course be all:deny except a list of IPs you trust, and not allow:all except a list of IPs you don't trust.
Re:ssh scan (Score:4, Insightful)
Any security admin worth their salt would have turned this off when it was installed - not to reduce break-ins (although it does help mitigate a weak root password), but to provide an audit trail for people who are allowed to use root.
*sigh*
Re:ssh scan (Score:2)
Yeah, much better with a bunch of sudo-users so instead of one root password you now have a bunch of them. Besides, they should disable password login in any case.
Re:ssh scan (Score:2)
Re:ssh scan (Score:2)
Re:ssh scan (Score:5, Informative)
In the case of three admins, you would end up with three accounts that could be exploited, rather increasing if anything the risk of direct ssh exploits.
Once the bad guy is in, he has all the local exploit possibilities to gain root, so you're already in trouble if they get in.
So as long as you do ssh with passwords, disallowing root-login doesn't really buy you any security, but it hassles the admins each and every day.
On the other hand, the preferred method would be to login with keys and disallow passwords completely whenever possible.
Re:ssh scan (Score:5, Informative)
One could try to use a non-root user to bruteforce their way into my system, but they'll either get one (probably created by an application) with
Re:ssh scan (Score:5, Informative)
You must not have much experience with sudo. One of the benefits of it is that it allows you to give root permission to people for specific tasks that they would need that access level for. While there are certainly a lot of people who set their sudoers file to "allow all" for everyone, if sudo is properly implemented no one should be able to do anything they don't NEED to do as root. Sudo also has the benefit of keeping track of what users used it to do what tasks, making it easier to trace the path an attack came from.
Gogo0 also mentioned an added benefit to this scheme so I'm not going to repeat it here.
Re:ssh scan (Score:3, Informative)
The two biggies are greater control over what can and can't be executed with root privileges and an audit trail.
Re:ssh scan (Score:2, Informative)
1: change default ssh port
2: disallow direct root logins via ssh
Those 2 simple principles prevent many things.
Re:ssh scan (Score:3, Insightful)
3. install a port knocking [portknocking.org] daemon, like fwknop [cipherdyne.org], or knockd [zeroflux.org]
Re:ssh scan (Score:2)
Not perfect but works well for me.
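The sshd settings recommended in the comments above (no direct root login, keys instead of passwords, a non-default port), checked against a config file. This is an added example, not part of any poster's comment; the two sample configs are constructed, the defaults used for absent keywords are an assumption noted in the code, and only the global section (before any `Match` block) is examined. It also flags a fix appended to the end of the file when an earlier line already set the same keyword, since sshd keeps the first value it obtains.

```python
import re

# keyword, then "=" or whitespace, then the argument(s)
LINE = re.compile(r"^(\S+?)(?:\s*=\s*|\s+)(.*)$")
FIRST_WINS = ("permitrootlogin", "passwordauthentication")

def parse_global(config_text):
    """Return (effective, shadowed) for the global part of an sshd_config.

    sshd keeps the first value it obtains for a keyword, so a later line
    for the same keyword is ignored; those lines are listed in `shadowed`.
    """
    effective, shadowed = {"port": []}, []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        m = LINE.match(line)
        if line.startswith("#") or not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip().strip('"').lower()
        if key == "match":          # lines below apply only conditionally
            break
        if key == "port":           # Port may be given several times
            effective["port"].append(value)
        elif key in FIRST_WINS:
            if key in effective:
                shadowed.append((lineno, key, value))
            else:
                effective[key] = value
    return effective, shadowed

def audit(config_text):
    """Check a config against the advice given in the thread."""
    effective, shadowed = parse_global(config_text)
    # Assumed defaults for absent keywords (current upstream OpenSSH;
    # older releases and distribution builds may differ).
    root = effective.get("permitrootlogin", "prohibit-password")
    passwords = effective.get("passwordauthentication", "yes")
    ports = effective["port"] or ["22"]
    findings = []
    if root == "yes":
        findings.append("PermitRootLogin yes: direct root logins are accepted")
    if passwords != "no":
        findings.append("PasswordAuthentication is on: guessable by scanners")
    if "22" in ports:
        findings.append("Port 22: default port, expect constant scan noise")
    for lineno, key, value in shadowed:
        findings.append(f"line {lineno}: '{key} {value}' is ignored, "
                        f"an earlier line already set {key}")
    return findings

# Constructed sample: a stock-style file with a fix appended at the end.
WEAK = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
Subsystem sftp /usr/lib/ssh/sftp-server
PermitRootLogin no
"""
# Constructed sample: the settings the comments recommend.
HARDENED = """\
Port 2222
PermitRootLogin no
PasswordAuthentication no
"""

if __name__ == "__main__":
    for name, text in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, audit(text) or "no findings")
```

On a live host, `sshd -T` prints the configuration sshd actually resolved and is the authoritative check.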
Re:echo "PermitRootLogin no" /etc/ssh/sshd_config (Score:2, Informative)
different hacks, different times (Score:5, Informative)
Steven
OpenSUSE website Hacked? No. (Score:5, Informative)
From TFA:
"The employees that set it up apparently had no idea of security," Brandon said. "But what is really surprising is that Novell would allow employees to set up game servers on their corporate network and then allow the public to access it."
"There was no major breach of security here," Barney said. "Needless to say, we are taking the appropriate steps" to address the situation.
That IS the breach of security. (Score:5, Interesting)
Re:OpenSUSE website Hacked? No. (Score:4, Informative)
No big deal (Score:2)
Re:No big deal (Score:2)
Such servers, even if allowed on a corporate network, should be in a locked down DMZ area of their network, and any such machines should not have the same logins or passwords as other machines. Public SSH key access is preferred if the machine has to have user accounts.
Re:No big deal (Score:2)
This would not have happened if ... (Score:2, Funny)
They have a website (Score:3, Informative)
Re:They have a website (Score:2)
Nope, it isn't in Iran (Score:3, Interesting)
Dear Sir/Madam:
The OpenSuSE website was defaced either today or yesterday by an Iranian
hacker clan whose website is located on your servers. I checked the
whois data for the hacker clan's domain (ihsteam.com):
Majid NT
Bl Sajjad-milad 7 no. 12
Maybe they were just tired of the poor performance (Score:5, Funny)
Maybe they were just trying to lend a hand with the administration . . . .
Blog of the hacker (Score:2, Informative)
He is a movie fan and was just accepted to a university.
Some bits of information can be found here:
http://www.zone-h.org/en/defacements/view/id=29173 90/ [zone-h.org]
Besides the OpenSuSE website they also hacked into wiki.novell.com and forge.novell.com.
Too bad that the Iranian hackers used OpenSuSE for their political stuff. It seems a bit misplaced, what does a linux distribution have to do with the question whether
Re:Blog of the hacker (Score:2)
Told you so (Score:3, Funny)
Not Good for Iran (Score:5, Insightful)
If you're going to hack websites, don't try to justify your idiotic hobby by turning it into a political posterboard. It has the opposite effect you're looking for. The thing that scares people most is unpredictable behavior. If Iran were calm, clear in stating their intentions, and followed all the diplomatic protocols with a smile there would be no way for anyone to stop them from building reactors (whether it be for processing fuel for weapons or not). But stupid stuff like this makes Iranians look like evil subversives. Just look at the graphic they posted. It looks like the shadow of some kind of daemon with horns. This is not a good image for Iran.
Or if it's a different group impersonating iranians, you're just losers.
The SSH root password was god (Score:2, Informative)
A lot of people are reluctant to use a firewall, even though you can easily do it with SuSE and YaST2.
I have the pay version of SuSE9.3 Pro, which is well worth the $99 price tag.
I mostly run fedora core boxes though, and this is a really good alternative to other ipta
The public image of the open source community. (Score:5, Interesting)
Now, perhaps this is just a case of amateurs being allowed to join a community that mainly consisted of academics and professionals. The high standards that the open source community once enjoyed are being degraded on a daily basis by developers who cannot write secure code (ie. many PHP developers), by developers who blatantly insult and ridicule their users (ie. the KOffice example earlier in this post), or companies that provide insecure, open source-based products.
Is there much that can be done about this? I'm not sure.
Re:The public image of the open source community. (Score:2)
That incident would be no different than an Apple employee actively stating that he was working on iTunes, only to turn around and publicly insult an iTunes user. It would make Apple look horrible.
Public insults are not the
Re:Oh sweet sweet irony... (Score:3, Funny)
Re:Oh sweet sweet irony... (Score:3, Insightful)
If a Microsoft windows 2003 site, running Windows 2003 was the victim, then yeah, I think it would make the front page.
Re:Oh sweet sweet irony... (Score:5, Funny)
No, it wouldn't. People would get pissed about having to dig through 100000 stories of "Yet another cheesy Windows server hacked" until they found a real story.
Re: (Score:2)
Re:Oh sweet sweet irony... (Score:2)
Re:script kiddies (Score:4, Funny)
Don't you mean ./t3h_l33t_5cr1pxx0r?
Re:Linux Secure By Design? (Score:5, Interesting)
All these Worms on the net is a perfect example. And when you get down to it, even some of the poor administration is Microsoft's fault for making it "so easy you don't need an experienced technician...." When in fact they bury stuff so deep unless you know where it is, the necessary changes don't get made leaving everything as default.
I can't even begin to count how many times I've gone to a customer's location where they had an employee that was a self proclaimed geek that did all the setup and everything was not only wrong, it opened gaping holes on their network. Including things like having a USER logging in as Administrator on the server and using it as a workstation.
Plus I won't go into all the people who hold an MCSE that never touched a computer until they went to a 2 week bootcamp on how to pass the tests.
But, point in fact, any closed source application is subject to flaws that don't get patched because it's a small enough flaw that putting a programmer on it to fix it would cost more than keeping the flaw hidden.
Re:Linux Secure By Design? (Score:2)
The argument is not so much pro-linux, as much as it is "Windows? Are you fucking crazy?"
Linux can be very secure if configured and admin'd properly, and given the same resources far more secure than windows. The argument is that it's the closest to a mainstream alternative with market presence and a large application base.
Not holier than thou, just holier than
Re:Linux Secure By Design? (Score:2)
Re:As you can see (Score:5, Insightful)
Regards,
Steve