Open source under attack?


A nest of poisoned Web sites has been quietly attacking unsuspecting visitors using an arsenal of thirteen different exploits. If the site visitor has JavaScript enabled and is vulnerable to any of those exploits, then in no time at all their system will be compromised with a Trojan not yet recognised by many popular anti-virus packages. Once it has taken root, the Trojan relays collected information such as credit card, bank account, and login details back to its master. Most won't be surprised by any of this. It seems living with the threat of worms, Trojans and bots is becoming an everyday thing to which everybody thinks they are immune. Unfortunately more of us are vulnerable than we think: sure, your anti-virus definitions may be up to date, but that doesn't help if the vulnerability being used to take over your machine is as yet unknown. Apparently only three of the thirty-three top anti-virus products caught the Trojan being installed in this instance.

It seems the Web sites infected so far have not been compromised in themselves; rather, it's the servers hosting them. Reading ScanSafe's STAT blog, I was interested to see that there is some question as to how the hosting servers were being manipulated. The belief is that a kernel-based rootkit is used to keep the compromised systems open to the attackers after the initial infection. ScanSafe noted that a few hours after making configuration changes to one of the infected servers, those changes mysteriously reversed themselves.

The infected groups of servers are running various flavours of Linux, hosting many different versions of Apache, which makes it unlikely that the root vulnerability is in Apache. The servers are not all owned by one hosting company, so direct infection via physical interference is unlikely. One piece of software which is common to all of the infected hosts is cPanel; ScanSafe think this is significant, but not necessarily the root source of compromise.

Reading through a hefty comments section on this subject over on The Register, I found the point of weakness is still a mystery. Some people are blaming out-of-date software and poor system administration, while others are pointing towards something more serious than a few easy-to-brute-force passwords.

I'll certainly be interested to find out how these servers were compromised. It could be no more than a case of a few hacked servers; on the other hand, if the root compromise was the result of an unknown vulnerability in multiple versions of PHP or Apache, then this could be the tip of an epidemic!
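As an added, defender-side illustration (not part of the original post or of ScanSafe's analysis), the script below shows two checks a hosting administrator could run against the symptoms described above: scanning served HTML for script or iframe references that point to hosts outside an allowlist, and comparing SHA-256 snapshots of a directory so that a reverted configuration change or a newly appearing file in the web root stands out. The sample page, the allowlist, the hostnames and the file contents are all constructed for the example; none of them is a real indicator from the incident.

```python
"""Added example (not from the original post): two defender-side checks that
match the symptoms the article describes. Hostnames, file names and contents
here are constructed for the example; none is a real indicator."""
import hashlib
import os
import tempfile
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: two legitimate references plus the kind of injected
# 1x1 iframe and scheme-relative script a drive-by kit plants on hacked hosts.
SAMPLE_HTML = """<html><head>
<script src="/js/site.js"></script>
<script src="https://cdn.example.com/lib.js"></script>
</head><body>
<p>Welcome</p>
<iframe src="http://bad-host.example/in.php" width="1" height="1"></iframe>
<script src="//bad-host.example/x.js"></script>
</body></html>"""

# Assumed allowlist of third-party hosts the site legitimately loads code from.
TRUSTED_HOSTS = {"cdn.example.com"}


class _SrcCollector(HTMLParser):
    """Collect the src attribute of every <script> and <iframe> tag, in order."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            src = dict(attrs).get("src")
            if src:
                self.sources.append((tag, src))


def find_untrusted_sources(html, trusted_hosts):
    """Return (tag, src) pairs that load from a host outside trusted_hosts.

    Relative URLs have no host and are treated as same-origin; a
    scheme-relative '//host/x.js' is parsed as an absolute host by urlparse.
    """
    parser = _SrcCollector()
    parser.feed(html)
    flagged = []
    for tag, src in parser.sources:
        host = urlparse(src).hostname
        if host is not None and host.lower() not in trusted_hosts:
            flagged.append((tag, src))
    return flagged


def snapshot_tree(root):
    """Map each regular file under root (relative, '/'-separated) to its SHA-256."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            digests[os.path.relpath(full, root).replace(os.sep, "/")] = digest
    return digests


def diff_snapshots(before, after):
    """Report files that appeared, disappeared or changed between two snapshots."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in before.keys() & after.keys()
                           if before[p] != after[p]),
    }


def demo_config_revert():
    """Simulate the reversal ScanSafe reported: harden a config, snapshot, then
    have the change undone and a file dropped into the web root. Returns the diff."""
    with tempfile.TemporaryDirectory() as root:
        webroot = os.path.join(root, "public_html")
        os.makedirs(webroot)
        conf = os.path.join(root, "httpd.conf")
        with open(conf, "w") as fh:
            fh.write("Options -Indexes\n")  # the administrator's hardening change
        with open(os.path.join(webroot, "index.html"), "w") as fh:
            fh.write("<html><body>ok</body></html>\n")
        before = snapshot_tree(root)

        # Hours later: the change is reverted and an unexpected file appears.
        with open(conf, "w") as fh:
            fh.write("Options +Indexes\n")
        with open(os.path.join(webroot, "in.php"), "w") as fh:
            fh.write("<?php /* constructed placeholder, not a real payload */ ?>\n")
        after = snapshot_tree(root)
        return diff_snapshots(before, after)


if __name__ == "__main__":
    for tag, src in find_untrusted_sources(SAMPLE_HTML, TRUSTED_HOSTS):
        print(f"untrusted {tag}: {src}")
    print(demo_config_revert())
```

The snapshot has to be stored somewhere the compromised host cannot rewrite (a read-only medium or another machine); a baseline kept on the box itself tells you nothing once a kernel rootkit is in play, which is exactly the case the ScanSafe observation points to.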

77 comments
mikifin

Now that Linux is on the rise and many people are using it (who don't have as much of a grasp on it as WinX) you don't think the really smart hackers are going to let that opportunity go untested?

hlhowell

I can find no attribution for this, and while it may be true, I am unsure of the source, thus the number of vulnerabilities is suspect as well. Is it just a FUD blog? Regards, Les H

michaelpo

Does this affect Windows only? Are Unix, Linux, OS X affected?

flotsam70

Or just remove thyself from the Administrators group. Geez, how long is it going to take Windows users to "get" this? The account you use for Internet access should be a normal user (local Users group) and nothing more. That certainly isn't a cure-all, but it should be the first stop. Some people at Microsoft seem to get this, but Microsoft hasn't promoted this practice as much as they should. See http://www.microsoft.com/technet/security/secnews/articles/lpuseacc.mspx.

Jaqui

That will screw up most websites but stop you from getting infected: disable JavaScript, disable Flash, turn off ActiveX add-on support in Windows-based browsers that support it. 90% of the internet will cease to function, but then you can scream at the website owners for REQUIRING EXPLOITED technology.

JCitizen

a lot longer than windows, I should think not.

Deadly Ernest

The hackers have been working on Linux-based attacks for years as well, and they have managed a couple of times. However, Linux is not like Windows and is a much harder target to hit. Hitting Windows is like robbing the local 7-11: any fool can get a simple gun and stick it in the clerk's face. Hitting Linux is like robbing an armoured car: it takes a lot of skill, a lot of specialised equipment, and then you won't always manage it. One reason for this is that every time someone finds an actual weakness in the Linux kernel the code gets rewritten to remove the weakness and the kernel rebuilt around the new code, thus permanently removing that weakness. The second is that Linux is designed to be secure and have ALL interactions go through a proper security gateway before they do anything. Windows, on the other hand, doesn't rewrite faulty code or rebuild the kernel from scratch; they just patch over the entrance hole made during the last breach, but leave the hole there to be used again when someone finds the covering tape. Also, Windows has many designed holes placed there during the writing to enable other MS applications to jump straight into the kernel without having to go through any security gateways. This is to enable the MS applications to run faster, and it does achieve this but at the expense of security. Essentially, Windows is faulty by design for internal profit reasons, while Linux is secure by design and accepts people will find holes, but when any are found they remove them instead of papering over them like the MS people do.

Justin Fielding

From what I can make out so far it's only Linux servers that have been affected.

DanLM

I'm taking it from the way the article is written (Open Source) that the infections are occurring on Unix/Linux and the open software they are using (PHP, Apache, ...). Could be wrong, but I have read a couple of other articles on it and I came away with the same impression. From a desktop standpoint? I'm going to say only Windows is being infected by the redirect. Dan

Deadly Ernest

At present in Windows you get given an automatic administrator account and have to go about creating a non-administrator account, then have issues about switching accounts when you wish to load software etc. Why not do the same as some Linux distros have been doing for years and have your basic account work in the basic mode with the ability to upgrade to administrator just for the action required when you want to add software? The need arises and the system asks if you want to upgrade, then you decide yes or no. With Linux you know the very moment something tries to upgrade status rights and you can jump on it straight away. With Windows you rarely get told as it just gets refused - if you're that lucky.

JCitizen

accounts among 300 or so users; the rest were restricted accounts. The only problem was, I was one of the admins and should have made a restricted account for myself while I was surfing outside the LAN. The web sites I was going to were a lot more dangerous than the social workers. As Jaqui said, Active Directory made things easier, and we had very few problems with that and the other security policies and topology we used. We wouldn't purchase software that couldn't be operated in a least-user-privilege environment.

Neon Samurai

Without an AD, it seems that Windows users are required to be admin. I likely missed something, but the last time I tried, most of the programs I ran as a regular user freaked out because I wasn't admin and they couldn't do something they needed. That was after installing the programs under the Administrator account specifically for use by any user on the system. With an AD or server to authenticate against, it goes much more smoothly; just another way to make sure the customer buys MS only.

Jaqui

in a properly used multiuser operating system, since each non-admin user is in a sandbox already and can only affect themselves. The *x chroot is the best sandbox model when you look at it: a complete lockout of the working environment from the real OS, not just for an application, but for everything. Picture a VM of the installed OS for each user.

Justin James

IE 7 runs in an extremely sandboxed mode on Vista. Firefox *might*, but I am not positive (I know Microsoft volunteered to make some engineers available to the Firefox team to show them how to do it; they originally declined, IIRC). I think the jury is still out on the effectiveness, but sandboxing typically is not a bad thing. J.Ja

normhaga

My business web site does use JavaScript but it is designed to operate with scripting turned off. With JS turned off a little unobtrusive dialog shows at the top of the page informing users that the site would work better with JS enabled, and the more aesthetic functions such as the animated button links do not open and close when you mouse over, but if you click a link it does work. I do not use Flash or Silverlight; instead I choose to use animated GIFs. If a user has animation disabled in their browser the image still shows, it just is not animated. On the other hand, because I use every browser security tool I can lay my paws on, the web site was designed (and is still being designed) to function in a high-security environment.

verd

You do it first and let us know how you make out....

Deadly Ernest

business owner why their page doesn't display in a standard browser. Then I explain that since I can't see anything useful about their business I must assume they're not very competent and I'm taking my business elsewhere. Some do respond and ask what the problem is, and some of them do take action to have it fixed by going to different web page designers.

jmgarvin

I'm a big fan of server-side scripting and not screwing around with the crap that is ActiveX, Flash, or JavaScript. To be honest, I'm not a big fan of the way ASP does a lot of things either ;-)

Justin Fielding

If you were going to follow that kind of logic then the ultimate fix is to avoid using the Internet.

kandyass

Linux distros won't support the self-propagating worms as well as Windows, or in the same way; I have no doubt that a determined criminal org could sneak their code into a repository and get people to install it. I also know for a fact that there are permission elevation vulnerabilities on many Linux systems. Social engineering is hacking too. It will happen; it will be handled better, I believe, than it is in the proprietary world.

Deadly Ernest

application installed on them. Which tends to suggest the management application is what's at risk and not the Linux OS itself. And the problem seems to relate to people breaking the passwords on the user accounts in the application to then upload files onto the server. The info I've seen suggests the vulnerability allows people to put files onto the server and that then infects systems that access the web pages on that server. This sort of indicates that the server itself isn't infected so much as the web pages stored on the server. My web host uses the application and has twice reset all passwords due to people breaking into the management application. I use a secure password that is long and doesn't respond to the basic attacks, so I should be reasonably safe.

Jaqui

The Linux servers are infecting every JavaScript-enabled system that gets the advertisement(s) served from it. That would be how it was noticed in the first place.

Dumphrey

in XP to install etc. You can Shift + right-click to get a Run As dialog on most programs, or open them from a command line with the runas command. It's not QUITE as easy as the Linux prompting-you-for-the-root-password model, but it's close.

Dumphrey

If you install MS products (Office) as a Power User, it goes smoother for other users on the box than if you install as an Admin user. Go figure.

JCitizen

and I use IE 7. Whenever I do catch a malware file, most of the time the scanners don't catch it right away because it never loads - it just sits there until I get the tech to scan for zip files or remnants, and then I can delete them. I purposely use this insecure browser because I have to support customers who need support on issues that come up. So I play in the minefields and hope I can keep one step ahead for my clients. Almost all of them refuse to switch to Firefox or SeaMonkey.

Deadly Ernest

reports of security vulnerabilities affecting things through IE7? I have moved right away from Windows XP - Vista and IE as I got fed up with it. I hope for your sake they do finally get their act together, but I doubt it. As that won't happen until MS starts to use ALL the industry standard code sets.

Jaqui

The ideal solution, and a lot of work. What a lot of people seem to forget is that when they added the functionality to JavaScript to set cookies, they gave it WRITE access to the hard drive, creating a security hole. Flash always had write access, and newer versions go further and use your system to serve Flash from websites you visited, when your system is a faster resource to the client.

Jaqui

haven't ever read my comments about it before. If you had, you would know I do NOT have any plugins installed, so no Flash, no video, no audio. My preferred browser is lynx, text only, and not using tables for layout, since it doesn't support tables or framesets. Any website that doesn't function with lynx is one where the company does NOT get any money from me.

Jaqui

only one site actually made any changes. I usually email the CEO as CC comments ripping the webmaster apart for a non usable website.

Jaqui

to get people to close that gaping hole in system security called client-side scripting. It just won't happen, since too many website designers think client-side scripting is a good thing. [Just shows how stupid they are for not paying attention to the issues with it. They use code generators to make their client-side scripts.]

Forum Surfer

Yes, I've tried convincing the powers that be to do away with such silly things that make my job tricky sometimes... the internet, monitors and right mouse buttons (for non-Apples of course). ~On a side note, I do have right-clicking disabled on a few public access terminals... that really makes people mad.

JCitizen

enabled browser was vulnerable when hitting a server target described in the article and getting nuked from their Windows machine in the interaction. Do you suppose this Java update had anything to do with this? I didn't have time to read the release notes on that one, sorry. Adobe Reader had an update to their ActiveX plugin this week too.

JCitizen

in some files associated with the application permission to install also; and they were malware. Until then the malware couldn't install. I've been really leery of doing it that way since. In fact I don't tell them that is possible. Guess that is just one more reason to think twice about using unsigned installers, unless they are a very ubiquitous and well-trusted application.

Deadly Ernest

understand how to do this, also it doesn't always work.

Neon Samurai

... of whatever level my Power User (user 1) gets. It's the same solution that so many home users take, though few have the knowledge to run as Admin and not leave the system wide open to pwnership. So MS products install more cleanly on a stand-alone Windows workstation when installed as Power User then used by regular users than when installed by Admin for regular users. Well, I guess I should have expected as much from a single-user OS playing at multiuser like the grown-up OS. :D No matter, it only needs to support games and a very few bits of other Windows-only applications.

Deadly Ernest

to work with the info they bought from M$, that's all. The ones with the real vulnerabilities are the M$ apps as they give them extra ways direct into the system to make them faster than other vendors. And that's how most baddies get in.

JCitizen

without a server. None of my SMBs wants to go to a server environment. In fact I stopped testing server OSs in my lab.

JCitizen

them if they don't do at least the minimum of this type of configuration. I disable fast user switching too, so they won't try to cheat. As you said, that doesn't work worth a darn at all! If no one else touches the machine I sometimes let them disable password protection on the restricted account, but that is as far as I go. If the application doesn't work on the restricted side I invariably find an update on the vendor site to give functionality to the application used this way. You don't suppose the vendors are creating applications that work with full admin rights on the restricted side, do you? =) We wouldn't have any vulnerabilities, would we?

Deadly Ernest

1. Create an account, let alone a restricted account. And few of the retail stores do that for them.
2. Jump about within the system to temporarily use an admin account to load new software - often needed. And some software will not work right if being used in a different level account.

The main problem is all those retail sales where the seller doesn't set up security on the box for the buyer as the buyer doesn't know how.

Dumphrey

is to run your XP VM as an admin user to browse the web. This way, you can actually run as the users you support may be running, if home users. And if you're lucky, you can then practice cleaning up in an environment that can be restored from a snapshot in a few minutes.

Dumphrey

user is one of the best things you can do in XP to improve security. It is amazing how much that step alone lowers your risk of infection and compromise. The MS installer default user is an Admin, after it's created the ADMIN user and an Admin password?!?! Why? Oh, wait, because it makes life easy for the end user...

JCitizen

Nowadays you just send a rocket-propelled det-cord across the minefield and set it off. No more minefield! Oops! There I go getting off topic again! Hey! At least it is challenging and kinda fun attempting to dodge that proverbial malicious data bullet! The messy cleanup after a failure is a great learning curve too! :)

Neon Samurai

"Infentry" as they are often called. I remember an army buddy telling me about officer training. If you have a unit of tanks and a unit of infantry and don't have the time to crawl across the field inch by inch with the bayonets, you order the infantry to charge across in about the width of a road, then follow with the tanks after. Doesn't war sound like a peach.

Deadly Ernest

military who play in minefields to help others. When they detect a big one they get a real bang out of life and free prosthetics from the government. IF they survive. Yeah, it's a hard call, do what's best or play with the bombs because you know the clients are too silly or stupid to actually listen to you.

Deadly Ernest

ago and switched to using Avant, which placed a security overlay over MSIE and also provided it with a tabbed capability - that was back in the days of IE5. Then about eighteen months ago I got totally fed up with MS screwing me over because I didn't have broadband access and dumped all MS products as I moved to Linux. I haven't looked at IE since, but keep seeing headlines about attacks getting in through MSIE and the access points MS has for it into the OS. BTW - I dumped MS after WGA killed my system for the fifth time because I had auto updates off and never ran all the MS updates; many were for things I didn't use and I didn't have the bandwidth on a slow dial-up to spend weeks each month downloading the buggers, so I just picked the eyes out of the critical security ones. But that meant my system wasn't up to date enough for WGA and it regularly killed me as being a pirate. Then hours talking to MS on the phone and getting new code numbers and etc. I got fed up with the lost productivity and switched. The most annoying thing was I bought my copy of XP Pro direct from MS Australia - and their computer system didn't seem to be aware of that. Ahhrg.

Justin James

... and you will see that they are not the kinds of things that a sandbox necessarily protects against. A sandbox is designed to prevent unauthorized disk and RAM access. A lot of the current security holes (Firefox is seeing these too, unfortunately) are in things like parsing URLs and the handlers before handing the request to the OS to decide what to do with them. In other words, the limited access in/out of the sandbox is what is now being attacked. The sandbox itself seems to be holding rather securely. On the flip side, following these things isn't something I do, so I could be totally off; this is just my understanding from the reading I've done on the subject. J.Ja

JCitizen

that is why I take the risk in leaving ActiveX, scripting, and Java on. I try to make up for it by constantly keeping Java updated with the newest security tech, using lightweight utilities that block malicious ActiveX controls, and enough local machine policy configurations - restricted account use - to minimize the danger. Besides, if I hit a land mine, I learn more for my customers, who are going to use it anyway, no matter what I say.

The Listed 'G MAN'

the first page should give you an option, redirecting you to either type.

Deadly Ernest

site that can download in a reasonable time without a major broadband link. Much of rural Australia is NOT able to go to broadband, and the fancy all-Flash-and-script web sites take forever to appear when connected via a dial-up service, many of which are still restricted to 33.6 kbps due to load limits and age of equipment. Not caring for customers in order to make it look pretty makes you look like an idiotic amateur. Let the business that pays for the web site service know a badly done site is costing them money and they'll take action when they get enough complaints.

The Listed 'G MAN'

I think you would get more customers with... than without. Reason: Majority of customers may be non IT and therefore have an expectation level to what a website will contain and look like. Remove this (and other items) and you risk the chance, however incorrect it may be, of looking like an amateur.

Jaqui

I haven't found a blog script that doesn't use JS in some fashion. WordPress generally uses it for the RSS feeds and pings. Yup, I enabled the plugin that sends an empty .js to visitors, since spam-bots can't handle .js files.

graham

After all of the comments here regarding JavaScript and client-side scripting, I assume you would never use it on any of your sites...? Not even on your blog to stop the spammers (or maybe I was mistaken when I noticed a ".js" being downloaded when visiting it). That aside, be it client-side scripting or machine-level code, if the author is malicious with their intent then it really makes no difference how or where the code/script resides. It's time to stop knocking the "script kiddies", and spend more effort and time encouraging those that attempt to use the Internet in a way that is constructive - be that using Flash, JavaScript, HTML, server-side scripting, whatever. Giving recognition to someone who has developed a malicious script or piece of code (which is what we all do by discussing the implications of what they've done) will only serve to encourage more to follow, in a bid to outdo those before them.

JCitizen

in promoting this, is probably the best indication of how worthless it is. If it was better than Flash, they would have been tooting their horn over it. From the pesky promos I've been trying to ignore, I couldn't make heads or tails of WTF it was! I did notice it appears as a singular update type in the Microsoft Update console.

Deadly Ernest

revenue for MS. Since it's an MS-related thing, it explains why I don't know much about it, as I never have need to visit an MS web site nowadays.

Justin Fielding

One of the most annoying things about visiting a Microsoft website these days is the constant nagging--please install Silverlight for the best experience! There's no need for it. Could somebody explain to me exactly what advantages Silverlight offers the end user over Flash?

JCitizen

dinosaur that was dead straight off the starting line.

Deadly Ernest

know how to develop a web page or web site without JavaScript, Flash and the other client-side scripting programs. Way too often I see web sites that are very heavy with JavaScript and/or Flash and similar rubbish that do nothing more than a standard static HTML page would do. In one case, to prove a point, I took a particular web site's first four pages and redid them as static HTML. What was several MB of scripts became a few hundred KB of HTML. When I showed it to the person who'd designed the original they were amazed; it seems the web page designing course they'd done at the uni did NOT mention HTML at all. It was all on using programs like DreamWeaver and FrontPage to create fancy-looking web pages using JavaScript or Java scripts with Flash and similar programs. When they showed me the university workbook on it, everything in it required the use of proprietary software - all up it was several thousand dollars' worth. It recommended all documents for download be PDF files, extensive use of Flash, etc. The person was amazed to find I could do similar web sites to theirs using free software and HTML. They also had a hard time understanding the problem with using PDF for forms that people fill in electronically. Makes you wonder what the education system is coming to. It seems people get taught to use software provided by the company who pays the uni the most.

Justin Fielding

You aren't going to get rid of JavaScript, Flash etc. as they are too widespread, and as you pointed out, developers seem to love them. If you disable these features in your browser then half of the web stops working, and while you or I may be able to put up with that, our customers/users can't.
