I’ve been working
with and using Linux far longer than any other platform. Through those years, I’ve pretty much seen and used it all. Interestingly, my tune has
changed on a number of things — one of them is my opinion about the relative security of
Linux. Back in the day, I would have looked you in the face and said
squarely, “There’s no way anyone is going to hack a Linux server!” My tune now
is a bit more somber, sober, and far more realistic. But before I get the
chance to sing you that tune, let me set the stage.
Over the last week, I was called to check into why a
CentOS server was behaving poorly. The server’s duty was web and email. The
shenanigans were first spotted when a particular email address on the server in
question refused to authenticate. I logged into the cPanel, changed the email’s
password, and attempted to log into the user’s webmail. The second I logged in,
the password was automatically changed again.
So, I started digging around.
Unfortunately, the machine had been severely compromised through
a PHP exploit. How did that happen? The machine was deployed and
never updated. So, the PHP version being used had long since reached its end of
life. Add to that around 300 other packages that were sorely out of date, and
the machine was simply a sitting duck.
I decided to dig a bit deeper. There were a number of clients on the machine
that used FTP. Nearly 50% of those clients still had the default FTP
password, which was set up by the original engineer who deployed the machine.
Even worse, FTP wasn’t set up securely.
Here’s a list of the problems I’d discovered thus far:
- Out-of-date packages
- PHP exploit
- Weak FTP with default passwords
Finally, a few of the clients on the machine actually had
access to the root user via the wheel group. At this point, I thought, “Why
did the deploying engineer not send out invitations to nefarious users for an
It’s not hard to see why this machine was compromised.
The biggest problem was that whoever did the hijack did so
in such a way as to completely obfuscate their work. None of the standard rootkit
tools came up with anything outside of some ownership changes. In the end,
there was nothing I could do. The time and cost involved with getting the
server back up and running, as is, couldn’t be justified. Thankfully, the
machine had been cloned and virtualized, so it was just a matter of finding
out when the hack happened and spinning up a clean VM.
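Those findings double as an audit checklist. Below is an added example (not code from the original post, and not something its author ran) that checks a CentOS host for the three things that were discoverable long before the box was compromised: who sits in the wheel group, whether the FTP daemon accepts anonymous or plaintext logins, and which packaged files have had their owner or group changed, which is the kind of "ownership change" the rootkit tools turned up here. It assumes vsftpd as the FTP daemon (the post does not say which one was in use) and ships with constructed sample files standing in for /etc/group, the vsftpd config and saved `rpm -Va` output; the paths and account names in those samples are made up.

```sh
#!/bin/sh
# Post-mortem audit helpers for the findings described above. This is an added
# example, not code from the original post. Each check takes a file path, so it
# can be pointed at the real host files (/etc/group, the FTP daemon's config,
# saved `rpm -Va` output) or at the constructed samples further down.
# Assumptions: the FTP daemon is vsftpd (the post does not name it) and the
# wheel group is what grants root on this host.

# 1. Accounts that can become root through wheel. One login per line.
wheel_members() {
    awk -F: '$1 == "wheel" {
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
    }' "$1"
}

# Last uncommented KEY=VALUE for a key in a vsftpd-style config; empty if absent.
conf_value() {
    grep -v '^[[:space:]]*#' "$1" |
        sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p" |
        tail -n 1
}

# 2. FTP settings that make weak or default passwords trivially harvestable.
# One finding per line; prints nothing when both checks pass.
ftp_findings() {
    anon=$(conf_value "$1" anonymous_enable)
    ssl=$(conf_value "$1" ssl_enable)
    # vsftpd defaults when a key is missing: anonymous_enable=YES, ssl_enable=NO
    [ "${anon:-YES}" = "YES" ] && echo "anonymous FTP login enabled"
    [ "${ssl:-NO}" != "YES" ] && echo "plaintext FTP: passwords cross the wire unencrypted"
    return 0
}

# 3. Files whose owner or group no longer match the RPM database, the kind of
# "ownership change" a rootkit check turns up. `rpm -V` prints one line per
# changed file: a flag string (S size, M mode, 5 digest, D device, L link,
# U user owner, G group owner, T mtime, P capabilities; '.' = unchanged),
# an optional one-letter file type, then the path. Reads the given file, or
# stdin when called with no argument, so `rpm -Va | rpm_ownership_changes` works.
rpm_ownership_changes() {
    awk 'length($1) >= 8 && length($1) <= 9 && $1 ~ /^[SM5DLUGTP.]+$/ &&
         (substr($1, 6, 1) == "U" || substr($1, 7, 1) == "G") {
             path = (NF >= 3) ? $3 : $2
             print path
         }' "${1:--}"
}

# --- Constructed samples, modelled on the box in the post (not real data) ----
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/group" <<'EOF'
root:x:0:
wheel:x:10:client1,client7
ftp:x:50:
EOF
cat > "$SAMPLE_DIR/vsftpd.conf" <<'EOF'
# as deployed: anonymous_enable left at its default, no TLS configured
local_enable=YES
write_enable=YES
EOF
cat > "$SAMPLE_DIR/vsftpd-fixed.conf" <<'EOF'
anonymous_enable=NO
local_enable=YES
ssl_enable=YES
force_local_logins_ssl=YES
EOF
cat > "$SAMPLE_DIR/rpm-Va.txt" <<'EOF'
S.5....T.  c /etc/php.ini
.....UG..    /usr/bin/ls
.M...U...    /usr/sbin/sshd
.......T.    /usr/lib64/libz.so.1
missing     /usr/share/doc/zlib-1.2.3/README
EOF

if [ "${1:-}" = "--live" ]; then        # sh audit.sh --live  (run as root)
    echo "== wheel members";       wheel_members /etc/group
    echo "== FTP findings";        ftp_findings /etc/vsftpd/vsftpd.conf
    echo "== ownership changes";   rpm -Va 2>/dev/null | rpm_ownership_changes
else
    echo "== wheel members";       wheel_members "$SAMPLE_DIR/group"
    echo "== FTP (as found)";      ftp_findings "$SAMPLE_DIR/vsftpd.conf"
    echo "== FTP (hardened)";      ftp_findings "$SAMPLE_DIR/vsftpd-fixed.conf"
    echo "== ownership changes";   rpm_ownership_changes "$SAMPLE_DIR/rpm-Va.txt"
fi
```

Run without arguments it exercises the constructed samples: the "as found" vsftpd config produces two findings and the hardened one produces none, and only the two sample files whose U or G flag is set come back from the `rpm -Va` parser. `rpm -Va` takes a while on a full host and its digest column also flags legitimately edited config files (the `c` type), which is why the last check looks only at owner and group, the one signal the post says survived the attacker's cleanup.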
The lesson here is a tough one, because one of the
biggest selling points of Linux is its security. But the truth of the matter
is, if a machine is online, it’s vulnerable — and it can be hacked. If that
machine isn’t updated regularly, the chances of it being hacked are greatly increased. Using
the Linux platform does not give you an automatic “Get out of jail free” card.
Like any other platform, you must run regular updates and take proper security
measures. Otherwise, you’re inviting trouble.
Yes, I still think Linux is a much more secure platform than
the alternatives. I would pit the Linux desktop against any other. But no
matter how secure a reputation it has, it’s only as secure as the packages
installed on it. So, if you have an exploitable PHP installed, if you employ weak
scripting, or if you fail to follow
through on updates — you will get hacked.
Don’t learn this lesson the hard way. It’ll be costly in terms of budget, precious data, and your reputation.
Do you agree that Linux is more secure than other platforms? Share your opinion in the discussion thread below.