Speedy Attack Targets Web Servers With Outdated Linux Kernels 93
alphadogg writes "Web servers running a long-outdated version of the Linux kernel were attacked with dramatic speed over two days last week, according to Cisco Systems. All the affected servers were running the 2.6 version, first released in December 2003. 'When attackers discover a vulnerability in the system, they can exploit it at their whim without fear of it being remedied,' Cisco said. After the Web server has been compromised, the attackers slip in a line of JavaScript to other JavaScript files within the website. That code bounces the website's visitors to a second compromised host. 'The two-stage process allows attackers to serve up a variety of malicious content to the visitor,' according to Cisco."
No Details (Score:5, Insightful)
So the webserver was compromised and JavaScript was inserted and their first thought is it's the kernel?
Re: (Score:3)
I admit, I have some fairly obsolete (and difficult to upgrade) linux boxes running in my lab, this is the kind of detail I would kinda like to know....
Re: (Score:1)
All Redhat/CentOS versions plus nearly 100% of linux-based routers run 2.6
Re: (Score:2)
Red Hat's version numbers may or may not be relevant when you're trying to find out whether your kernel is vulnerable. Red Hat back ports a lot of security fixes, but doesn't change the kernel number.
Worse than No Details: (Score:5, Informative)
It gets worse (or IMHO, less competent):
Author Comment FTFA (bottom of page - emphasis mine):
"We haven’t identified the initial attack vector. We have no reason to suspect that the attack isn’t via http. I’d be very interested to hear from any affected sys admins if they identify how the attackers gain access."
In other words, they don't even know if it's the effing kernel at this point -all they know is that 2,000 some-odd websites have been bit, and they all use the absolute most common kernel version for webservers on the planet (2.6.x).
Hell, for all we know it could be some commonly-shared crappy PHP script getting popped. :/
Re: (Score:2)
In other words, the article is content-free clickbait.
Re: (Score:2)
Re: (Score:2)
2.6.32.61 is a currently supported longterm kernel release from kernel.org.
Re: (Score:2)
Here is a short list of some of the actual compromised sites from the WhiteFir analysis report
Compromised Websites
archive.mrpools.co.uk Windows Server 2003
blueprintbowling.com Windows Server 2008 R2
hwy65mx.com Windows Server 2003
jandjpoolspa.com Windows Server 2003
mussotra.com Windows Server 2003
Second Compromised Websites
3d2print.eu FreeBSD
7va.cc Windows Server 2008 R2
babycaust.info Windows Server 2008
banderil.com.ar Windows Serv
Re: (Score:2)
Thanks, that does not look like an OS issue at all with that FreeBDS machine in there.
Re: (Score:2)
Yeah, the article is extremely uninformative. They say 2.6 and yet RHEL/CENTOS 6.5 are 2.6... so that meaning nothing as far as being "old" or "outdated".
More likely to be an Apache vulnerability, but who knows. Maybe some other article could shed some light on it.
Re:No Details (Score:5, Insightful)
You clearly don't understand the lifecycle of a production OS.
Re:No Details (Score:4, Insightful)
You clearly don't understand the lifecycle of a production OS.
...nor does he understand the concept of back-porting patches, apparently.
Re:No Details (Score:4, Insightful)
You clearly don't understand what it means to run real-world business IT infrastructure. Just because something is oldler doesn't mean it is "outdated" or "insecure". RHEL/CentOS update the packages for a long time making them relevant and still secure through backporting and patches.
Sometimes stability and reliability are far more important and efficient than constantly ripping everything out and starting over again every year or two. Besides, the more bleeding edge like Fedora and Ubuntu and Mint are more likely to have NEW security holes with less manpower behind them to fix it quickly.
There is a reason that RHEL and CentOS are so popular for servers and "utility" boxes.
Re: (Score:2)
Replying to self- my message above was in response to wolrahaes, not X0563511
For some reason, the indenting on Slashdot on this thread is broken. Sorry about that.
Re: (Score:2)
We all love to hate when that happens!
Re: (Score:2, Insightful)
Yeah, the article is extremely uninformative. They say 2.6 and yet RHEL/CENTOS 6.5 are 2.6... so that meaning nothing as far as being "old" or "outdated".
Well it sort of does. RHEL is intentionally outdated because that's what their market wants. It's stupid, I know, but there are a lot of people out there who still really want a world where software never updates so the hacked together shit that runs their business can keep running rather than doing it right.
"Doing it right" includes not "upgrading" things that aren't broke, or "just cuz".
The idea is to split "change for the sake of change" and "change for stability and security reasons" into separate buckets.
You don't rip out all the "old" appliances in your house each time a newer one comes out do you? You'd cause more damage moving things around then you'd gain from the new features trickling in. You fix them in place until the cost to do so is more than buying a newer one. That's just common sense. "Upg
Re:No Details (Score:5, Insightful)
Age of the code and the level of patches are two different things
Older code has had more time for vulnerabilities to be found and patched.
Newer code is, well, newer and has had less time for vulnerabilities to be patched.
In general if you want to maximise vulnerability, run the oldest code, but apply no patches. The next most vulnerable general case would be to run the newest code because you are playing with untested fire and risking zero day exploits.
In production systems it is usually best to run code that is old enough to be stable, well tested and well patched.
There are counter examples when a long unknown exploit is discoverd, but the same kind of exploits could live in brand new code as well. However new code could contain some really simple exploits that will be patched pretty quickly. You don't want your production system to be the system opening up the tickets with support that find the exploit is the root cause. Because that means you've got to explain to your customers why their credit card numbers have all been stolen.
Re: (Score:2)
Maybe with the conventional model of "it builds! Ship it!" and bottom dollar offshored dev houses, this is understandable, but a well written program, this shouldn't be the case.
Ideally, a program should be written, alpha tested, beta tested, then the version 1.0.0 release put out, which would really be 1.14.102 by today's standards.
A good example of this is Netware 3.1.1. It is pointless to bother with by today's standards, but it had an extremely long life without needing constant updates for security i
Re: (Score:2)
No. Apparently, by today's standards, the release would be 0.135.2314
Re:No Details (Score:5, Funny)
Spot the guy who's never done professional IT.
Re: (Score:2)
Well it sort of does. RHEL is intentionally outdated because that's what their market wants. It's stupid, I know, but there are a lot of people out there who still really want a world where software never updates so the hacked together shit that runs their business can keep running rather than doing it right.
Even if everyone was forced to upgrade to the current version of everything I doubt it would have much impact on "hacked together shit that runs their business"
What does "doing it right" even mean? Says who? You? Objective function of any business is nominally to make money. Not everyone has the same set of problems, not everyone benefits equally from application of the latest and greatest technology. At some juncture you may reach the point of diminishing returns after which platform "improvements" be
Re: (Score:2)
Nobody in the security sector that I know believes there is a relationship between the kernel version and the attacks. The only reason I could see anyone mentioning it is if they had some reason for people to see Linux negatively. The vast majority of IPS/Firewalls out there taking Ciso space in the datacenters are based on Linux. I do know no of any of them that are not running kernel 2.6.X.
where's the door? (Score:1)
Re: (Score:2)
because is the default kernel from RHEL: 2.6.18-238.12.1.el5
Re: (Score:2)
EL5 is, while supported, getting a bit old. Hell, EL7 is just around the corner!
Re:where's the door? (Score:4, Interesting)
Re: (Score:2)
Yes, I'd run 100% open source if there were not certain constraints if only to get off the old platform (and avoid shit like having to wait three months to get a software licence key!).
Re:where's the door? (Score:5, Informative)
I think its pretty unfair to refer to kernel 2.6, subversions of 2.6 were in use in one form or another from 2003 to 2011, 3.0 was brought about because Linus randomly decided to up the version number one day, not because of any single significant change. Plenty of old distros that still have security support are running 2.6 kernels that are regularly patched and completely up to date security wise.
Re: (Score:2)
2.6.32 is still being updated, probably because that's the version in current RHEL and so Red Hat's willing to help. None of the other 2.6 kernels still are.
Re: (Score:1)
Anything worth having has been updated to later kernels long ago. And yes that is meant to apply the logic backwards, if your shit hasn't been updated to work beyond 2.6 by 2014 then whoever's supporting it is fucking useless. If it's not supported anymore, then you need to be looking for a replacement.
Software is a moving target, anything designed without that in mind has failed from the start.
Re: (Score:2)
That's the story in general for commercial engineering and geophysical software. It's not just on the linux side. Some stuff was only fixed to run on Win7 a short time before Win8 came out.
Re: (Score:2)
Re: (Score:2)
2.6.32.61 is a currently supported longterm kernel from kernel.org. 2.6.32 in some variant is used in many virtual server setups.
Slashdot continues its decline (Score:5, Informative)
All the affected servers were running the 2.6 version, first released in December 2003.
Not even wrong. I guarandamntee you that none of the affected computers were actually running 2.6.0, and it wouldn't have been /that/ long ago that such an obviously stupid and ill-researched claim wouldn't have been posted.
Soulskill, you /do/ understand that there were forty different versions of Linux in the 2.6 series, do you not? You do understand that the final 2.6 release was in August 2011 and it was numbered 2.6.39.4, which I know because I did 5 minutes of basic Googling?
Re:Slashdot continues its decline (Score:4, Insightful)
You didn't read the article, did you? TFS is vague, but so is the article. The article contains no details about the vulnerability. It only contains information about the severity and locations of the attacks. Comments on the article add "Version 2.6.18 appeared to be particularly prevalent." The article is shockingly limited on details.
Slashdot's editors are often appear to be asleep at the wheel, but this time the editors weren't adding anything that wasn't in the original article.
Re: (Score:2)
I did read the article, actually. My point stands: in the mythical olden days of Slashdot, this post wouldn't have happened, because not only was the summary crap, so was the article.
Re: (Score:1)
Re: (Score:2)
Soulskill didn't write "the 2.6.0 version," he wrote "the 2.6 version." As in potentially 2.6.0 through 2.6.39.4. When posters refer to Windows, you don't automatically assume Windows 1.0. When posters refer to Windows XP, you don't automatically assume Windows XP RTM. Why would you
Re: (Score:2)
And an unfortunate submission with "Michael" rather than "Martin" sucks the air out of the room. Wheeee...
Re: (Score:3)
That's exactly my point. "The 2.6 version" is meaningless and Soulskill should have known better; there's a huge difference between 2.6.0 and 2.6.39.
Re: (Score:2)
No, you're point is to completely ignore TFA's statement that "We saw affected machines with a whole range of kernel 2.6 subversions."
There's no point in demanding that the summary list the 36 subversions that are vulnerable and/or the 4 which are not when the source article does not include any such information to begin with. Any whoever moderated your subsequent replay as insightful is a moron.
Re: (Score:2)
If that's what TFA meant then that's what it should have said. As to the summary, instead of "the 2.6 version" (quoting TFA) it should have said something like "many Linux kernels in the 2.6 series", which would at least have not sounded so naively ignorant.
Since TFA didn't bother clearly saying what versions are vulnerable (except, as you assert, in the comments) then it wasn't worthy of a /. post, which is my whole fucking point. English, motherfucker, do you speak it?
Re: (Score:2)
Your point never addressed whether the TFA was worthy of a /. post. Your point was directed at the article summary and Soulskill's editing up until 8:04 EDT. Once you finally notices that TFA contracted your rant, you suddenly chose to attack it. I can't read something that hasn't been writt
Re: (Score:1)
I'm sorry, I can't hear you through all the cocks in your mouth.
Re: (Score:2)
And a 10 second look at www.kernel.org shows you that 2.6.32.61 is a currently supported longterm kernel version, with last update mid of 2013. This thing may be old, but it is not abandoned or insecure.
horrible article, author has no idea about 2.6 (Score:5, Insightful)
"All of the affected web servers that we have examined use the Linux 2.6 kernel."
Right, because RHEL (and Centos) run 2.6.... so sampling ANY number of servers is likely going to show that they run 2.6.
Is Slashdot just a click redirector these days? Do 'editors' remotely 'edit' anything?
Re: (Score:2)
Do 'editors' remotely 'edit' anything?
Only when they feel like it.
Re: (Score:2)
... which is never.
Re: (Score:2)
Anecdotally, I once submitted a story and whichever editor was on duty totally sliced-and-diced my prose.
Re: (Score:3)
TFA tells us nothing. Even the followup about 2.6.18 being the worst culprit and the note that upgrading the kernel will not help makes it even more pointless.
My fix: yum upgrade, and if the update does grab a new kernel, reboot. There was a kernel bug (long since patched) a few years ago that allowed attacks past even SELinux... but if one is running a recent distro, this shouldn't be an issue.
Of course, one should doublecheck what is likely the real culprit... applications like apache and its modules,
It would be nice to know what Web Server... (Score:3)
"We think you're door is unlocked but we won't say which house it is or where it's located."
Talk about vague.
Re: (Score:2)
Re: (Score:2)
One edge of that sword is a lot duller than the other. The cracker community is likely already well aware of how the exploit works (they do talk with each other frequently, after all), so it would most likely be a case of telling them what they already know.
Re: (Score:2)
If you don't know what the exploit is, then why are you implicating the 2.6 kernel? Particularly when that's not much better than just saying "the kernel", as 2.6 covers a ton of versions.
The implication is that you have some idea of what the exploit looks like. If that's true, you could be more helpful. If that's not true, you're misleading people.
My suspicion is that this is yet another scare story intended to help the sale of Cisco products, and that it's based on almost nothing.
Re: (Score:2)
Have you not looked in access logs or firewall logs? chances are whoever is exploiting this is also actively scanning for it...
Painfully stupid (Score:1)
Re: (Score:2)
Lets say you had root, to get a redirect in apache you'd need to:
* edit the config file, bounce the server as root, leaving a change in the config and a bounce record in the server log .htaccess file, possibly edit the config to respect the .htaccess file and the subsequent bounce as root, leaving possibly a new file on the filesystem that can be detected
or
* create a
or
* edit a javascript file that's likely to be a
The Internet of things... (Score:2)
Becomes The Internet of unpatched easily pwned things.
Not only Linux (Score:2)
Re: (Score:2)
So then it's very likely not a kernel exploit.
Re: (Score:1)
I found a compromised website on my companies shared hosting platform (which runs a 2.6 kernel (Debian/oldstable)). But the files where "infected" by a ftp account via proftpd on a machine running a 3.2 kernel (Debian/stable), the login was right on the first try. My guess is malware on the site owners machines stealing ftp logins (which is old news).
Re: (Score:3)
Oh, hell, looking through that list... there are Windows Server installations in there as well!
Apache bug? (Score:3)
From the comments on the announce page, since (almost) nobody will go over there.
So, it looks like the "old 2.6.x kernel releases" was really just a signal for "old nonupdated code".
BTW: for those who bitch about "well the 2.6 line was patched and maintained all the way to 2011" they do have a line where they imply the 2.6 kernels are early kernels, not the latter 2.6.20 whatever ones, but it's not a well written article and is easy to miss.
Advert for Cisco Web Security (Score:3)
Okay, so between 2003 and 2011 there have probably been 3 dozen versions of that kernel. The overwhelming majority of Linux based web servers run the vetted, thoroughly tested and patched, tried and true 2.6 series Linux Kernel. This makes me concerned Cisco doesn't understand what it means to run a production system. Also, what do they even mean by "web server" are we to assume Apache? Because there are alternatives in use... lots. Considering most Linux based web servers are running a variation of the 2.6 kernel, then of course that's where they will the find the attacks (Duh anyone?). I would be much more interested in what web server we are talking about and any commonality between them over the kernel of the operating system. I am shaking my head trying to figure what this article is really trying to communicate especially since they practically shoot down most of their article with the "Update" at the top.
Oh, I get it now.
Windows runs 2.6 kernel? (Score:1)
Read the comments first. (Score:4, Interesting)
The comments at the end of the CISCO article flush out the fact that they noticed a line of malicious javascript at the end of a large number of .js files but they have no idea how it got there.
In fact the list of JS files given include many that are not even running on Linux servers.
The author is irresponsible at best, and incompetent at worst...
Re: (Score:1)
The comments at the end of the CISCO article flush out the fact that they noticed a line of malicious javascript at the end of a large number of .js files but they have no idea how it got there.
In fact the list of JS files given include many that are not even running on Linux servers.
The author is irresponsible at best, and incompetent at worst...
You are absolutely correct. I am appalled that /. even posted this with the title they used.