Cracking All The Live Long Day & RH6/7 Worms
BoomMike writes "While the popular media drools over eWEEK magazine's contrived Open Hack Challenge, which offers modest cash prizes for cracking a carefully arranged network, real geeks can compete in the Honeynet Project's new Forensic Challenge, and pick up the trail of a hacker who cracked one of the project's Linux-based honeypots last November. Mount the file system images and pore through the IDS logs to figure out the who, what, where, when, why and how of the attack, and you can win a book. SecurityFocus has the story." In a much related vein to the Honeynet crack RH6.2/7 there's a story on C|Net concerning the "worm" that's a new popular exploit set with the script kiddies on RH 6/7 servers.
Whoa... (Score:2)
Red Hat 7.01 (Score:3)
It would be much easier if they provided updated ISO images (yeah I know I could make them myself, and someone else probably already has). Since Red Hat 7.1 is still a good way off, I think 7.01 would be a good idea.
Re:Red Hat 7.01 (Score:1)
Re:Hypocritical? (Score:1)
Actually, a virus is not distinguished from a worm by its destructive capability, but rather by its method of propagation. A virus is a bit of code that has to be attached to an existing executable program so that it can be run and thus do its work. A worm propagates itself without requiring a "host" executable. The analog is to the biological world, where virii do not duplicate/reproduce except when they are in another cell.
BdosError
Re:Analysis of Ramen worm (Score:1)
Cheap forensic analysis? (Score:2)
Well if you want to try, have a read of the Nov & Dec Dr.Dobbs. It has a pair of articles about recovering deleted data and has pointers to useful tools.
Re:Hypocritical? (Score:1)
That having been said, a worm that targeted IIS4's FTP service and W2K's Print Server service, and had nothing to do with the usual Outlook/VBS/Desktop virus targets, would be treated to a 300 post flamefest on Slashdot, even if Microsoft had fixed the exploits months ago. Instead, we have 98 posts currently, most of them relatively demure.
I'm actually kinda surprised that "Red$at" is getting such kind treatment around here today.
Re:Not in RH7 (Score:1)
That's because the advisory was issued before RH7 was released. By all accounts, the buggy wu-ftpd still shipped with RH7. It would be rather silly to issue security advisories for releases in the future, wouldn't it?
Re:Analysis of Ramen worm (Score:1)
Certainly as bad as Microsoft (Score:2)
Re:been there got cracked (Score:1)
Interesting ... In June of last year, my box got cracked using the exact same exploit, even down to the port 9704.
The machine that got cracked had nothing on it, it was just a test machine I was setting up.
When it was cracked, I thought the exploit looked pretty neat until I saw the same exploit over and over again. Damn script kiddie
cnet stupidity (Score:1)
Re:Oh well! (Score:1)
It's easy to turn a vulnerability into a virus. Linux has vulnerabilities. All the vulnerabilities used to create this worm were fixed last October but people still need to install the new RPM before the fixes do any good.
Personally, I just type apt-get update && apt-get upgrade every couple days... That way all my programs stay fresh.
Re:Hypocritical? (Score:1)
This worm *does* that... (Score:2)
if you believe what this guy says on his summary of the worm.
here [home.net]
Re:Off by default (Score:1)
*Not a Sermon, Just a Thought */
Re:Hypocritical? (Score:2)
muahahah openhack.com=gay (Score:1)
Re:Nope (Score:2)
rm -R
comment out the "asp" stuff in
rm
change your passwords (an email was sent - not sure what the contents were)
remove the "asp" line in
The ftpd hole was fixed for you, and you also need to make sure rpc.statd is turned off.
I'd also suggest you go through your logs so you can see who gave you the worm, so you can tell them that they've been 0wn3d.
Also, _all_ of your index.html files have been replaced by a ramen advertisement.
Re:Hypocritical? (Score:2)
Re:I don't get how RH and the community can allow. (Score:2)
Re:What's the deal here? (Score:2)
the problem is that most of the distributions started out making an OS for Sysadmins, and they can't get it out of their system. Ever heard of a network exploit for Corel Linux? Why not? It's for users, and doesn't have _any_ services running. When someone clicks on "desktop install", that's what they should get. Then you don't have to mess with files like hosts.allow/deny, ftpusers, and stuff like that. If you want to run an FTP site, then you should know how that stuff works, but most desktop users don't even know that they are running an FTP site, and that is the distribution's fault.
E-week contest (Score:1)
Wow, you must be one rich SOB. The "moderate" sum for cracking the E-Week box is $50,000.00.
Moderate to you maybe, but a nice kick in the income ass to me.
Re:Hypocritical? (Score:2)
Re:Analysis of Ramen worm (Score:1)
If you mod this down, be a darling and mod the parent up. And vice versa.
Re:Analysis of Ramen worm (Score:1)
Re:Hypocritical? (Score:3)
Saw a cracked box the other day (Score:1)
Been watching the IP's trying to connect through the firewall log, and came upon a site that was now obviously cracked, with the "RameN Crew--Hackers looooooooooooove noodles."
Sent a message to the abuse contact, but never heard back. Many of the IP's attempting to connect have been cracked.
Maybe we should put a few more honeypots out on the big cable and DSL providers.
Re:Sloppy sys admins (Score:1)
Re:Oh well! (Score:3)
Linux and other *nixish OSes are fairly "virus-resistant" (no OS is "virus-proof") as long as you don't run the virus as root, apply the patches for known security issues, and basically do your job as a sysadmin...
Re:Oh well! (Score:1)
I don't even think something like this would even require special privileges unless the machine was extremely restricted...
Re:Analysis of Ramen worm (Score:3)
This is an interesting ecological approach to the security problem though. :-)
A worm that has the sole job of wandering around and fixing the exploit wherever it finds it and using the box for a little while to find other exploitable boxes, then moving on.
But a Bad Idea (Score:2)
For starters, consider this scenario:
1. You know your machine is vulnerable, so you check out its wu-ftpd and rpc.statd binaries and the various logfiles. Whoa, there are worm tracks here! How do you KNOW (not just suspect, KNOW) whether the "bad" worm or the "good" worm was here?
2. Assume that the "good worm" has been coded to announce and identify itself. A) Most victims won't be able to judge whether to believe it, and B) the forthcoming "bad worm variant 2" will pretend to be the "good worm" anyway, so the ID cannot be trusted in the first place. The "bad worm variant 3" will be even better at hiding its damage while pretending to be the "good worm".
The net result: Systems hit by the "good worm" will have to be cleaned up and rebuilt just like systems hit by the "bad worm", unless the sysop/user is too clueless to notice the presence of either one. Thus, the "target audience" for this hypothetical white-hat is limited to clueless users who haven't already been hit by the "bad worm". To say nothing of the lawsuits unleashed by offended sysops who had to clean systems "your" worm "attacked".
Re:How amusing. (Score:1)
That may be true... *shrug*.. I keep forgetting I've got +2, I spent so long at 1... (and I'll be back there soon at this rate... :)
But oh, what a ride... burn, karma, burn.. :)
It is true... (Score:2)
In reality, most security issues with Windows are of the same ilk: Admins that haven't a clue as to what they are doing and manage to fsck everything up and leave holes wide open.
Next time you read about some hole in Windows, or are tempted to say something smug about Windows 2000 security: Just remember this.... Nobody likes a smart ass, especially a hypocritical one
-
The IHA Forums [ihateapple.com]
How long before someone "evolves" this worm? (Score:1)
Maybe make it more damaging... maybe have it report the hacked IP #'s via IRC, or some other medium... And also have it open up a few other holes on each system, before it goes along its merry way...
I shudder each time I think about this happening to all of the unsecured RH 6.2/7 boxes setup on all of those cable modems/DSL lines out there. (High bandwidth availability+unsecure box=Nasty Mess)
A few friends of mine run default RH setups on their DSL lines.. I might be overreacting, but I sent a few panic stricken emails out to them with links to the worm's analysis, and links to download the patched RPM's.. (plus a personal rant about setting up IPCHAINS, and such..)
Call me a worrywart, but I really don't want to see this thing get out of hand...
Re:wuftpd (Score:2)
Re:SDMI? (Score:1)
Perhaps you should read the article before you post such flamebait.
SDMI? (Score:1)
I'm confused, people. Which one is it? Yes or No for hack contests?
Immunix 7 & FormatGuard Resist Ramen (Score:1)
----
Crispin Cowan, Ph.D.
Chief Research Scientist, WireX Communications, Inc. [wirex.com]
Immunix [immunix.org]: Free Hardened Linux Distribution
Re:Off by default (Score:2)
But what I really don't understand is why you're upset.
---
Re:been there got cracked (Score:2)
I got hacked though through the Wu-ftp bug, which I was aware of -- but like I said, I didn't think anyone would consider my stupid box worth attacking. Fortunately, they didn't do much damage. They deleted the
Re:Analysis of Ramen worm (Score:2)
I won't need the perl program as I'll fix any holes that may be open.
Re:What's the deal here? (Score:2)
rstatd attacks do seem to be fairly common (Score:1)
Re:SDMI? (Score:1)
Re:But a Bad Idea (Score:1)
Points one and two attempt to refute the remote possibility that 'benevolent involuntary root patching' (Or BIRP, as I like to call it - excuse me) could gain credence as a legitimate tactic for updating daemons. You're right, but consider this scenario:
A 'good worm', nearly identical to this one, is periodically distributed from an unknown location, armed with the latest and most popular exploit and the correct scripting to retrieve the binaries to fix the vulnerability. It compromises the system using the exploit, silently fixes the problem, propagates itself for a fixed amount of time, and rm's itself from the box.
And, in the grand tradition of survival of the fittest: the real sysadmins will have already patched, or will be rooted and do a clean rebuild once they notice. The clueless users will be protected from raining DDOS and IRC bot madness onto their fellow Internet denizens for another day.
There's nothing like being owned to make you a better sysadmin, and this method ensures that no one else will hijack your system through the same exploit while you're waiting to notice that something fishy has gone on. Morally, this argument doesn't hold water, but practically, it could eliminate a whole class of script kiddie problems before they start, by harnessing the power of the exploit for something beneficial.
Ah, yes: eWeek, the serial spammers (Score:2)
I used to have a free subscription to macweek, which seems to be where they got the email address they use. They took it on themselves to take this as consent to receive eweek a couple of years later. I've emailed them demanding that they stop. I've sent abuse complaints upstream. Nothing seems to work.
For some reason, i doubt that firms that build their subscription numbers this way have enough of a clue to tell me anything interesting . . .
Re:Oh well! (Score:1)
Look at the crack, it exploited wu-ftpd. Anyone dumb enough to run that program with pathetic security deserves to be cracked. Run something like ProFTPd if you need FTP, or even better, the Linux port of OpenBSD's FTPd.
Also, use a good distribution (like ROCK Linux [rocklinux.org]). Or at the very least, Mandrake.
Re:It is true... (Score:1)
RH Crack (Score:5)
Re:Nope (Score:1)
You forgot that no one makes much money programming under Linux
You forgot that the reason there's been little hacking/virusing of Linux is because there are so few linux boxes out there compared to MS boxes. (this ones my favorite 8) )
Who the hell wants to base the future of their company on free software? Only morons.
I think that about sums it up.
Oh well! (Score:3)
I would think a *horrible* vector would be one that alternated Windows/Linux targeting.
A Windows virus that targets Linux, transmutes itself, then looks for other Windows machines on the network.
Rinse, lather, and repeat.
Geek dating! [bunnyhop.com]
be careful (Score:1)
Download Site / Comments (Score:4)
A project such as this does such a good job of exposing users to the methodologies of the black hat community. This is a great project for anyone who has ever been hacked or might be hacked in the future. It's an excellent idea to play with a compromised system to see what one looks like, what gets "messed with" and what needs to be fixed.
-mark
hee, hee (Score:1)
if you have a real problem, you can't demand support from anyone.
Have you ever had a "real problem"? At my last job, about 1999, a whole string of win 95 machines blew up. Whose problem was it? It was our problem. What was the fix? Buy Win 98. Some support that was. I wish it was as easy as apt, downloading a patch, or even ordering a $4 CD. Oh yeah, about 1 man year's worth of work was lost between them all.
You forgot that no one makes much money programming under Linux
Life's a bitch. We can't all be like Bill Gates and fuck the world over. I'm happy enough making an honest living, how about you? I'd go into consulting if I were you. There are plenty of angry MS customers all happy to pay for your time.
Who the hell wants to base the future of their company on free software? Only morons.
Free software is the future. Get used to it or perish.
Analysis of Ramen worm (Score:5)
This worm has been discussed on the incidents (not bugtraq, as C|Net says) mailing list.
It's basically a bunch of existing tools snapped together by some brute-force driver scripts.
My analysis is at http://members.home.net/dtmartin24/ramen_worm.txt [home.net]. Fifteen minutes of fame, here I come!
Re:Certainly as bad as Microsoft (Score:2)
That's an outright lie. Care to back it up with some proof?
The wu-ftpd vulnerability used by these worms is with wu-ftpd versions prior to 2.6.0, and this vulnerability affected every single Linux distribution that included wu-ftpd (most do). Guess what? The hole was discovered, and wu-ftpd 2.6.0 released, after Red Hat 6.2 had been released for some time. An updated wu-ftpd 2.6.0 package was issued as a security fix for Red Hat 6.2 [redhat.com] by Red Hat shortly thereafter.
The LPRng problem was detected very shortly after Red Hat 7 was announced. A fix was released immediately [redhat.com].
That they have not been repaired and the packages updated is as inexcusable as the assorted Microsoft vulnerabilities.
Please check your facts before spouting off such FUD and lies. Or maybe I just responded to a troll, posting at +2...
Re:Hypocritical? (Score:1)
It's spelled "Red Hat". Would you please care to explain why you write that name with a dollar sign?
Re:See? (Score:1)
What would I want a lady for??
And while I'm on the subject, security is *both* product *and* process. Sure, I'd be stupid not to have the latest patches and train my users. But I'd also be better off not allowing them to use MS Outlook, and IE (remember the scripting bug [l0pht.com] that allowed one to catch a virus from simply browsing the web?)
---------------------------
Lets see.. (Score:1)
Re:Lets see.. (Score:3)
The OpenHack challenge is just another one of those crack-this-box challenges which you see every month or so. Not to take anything away from it, but I find forensics much more interesting. What do you find more interesting: trying to crack a box, or trying to produce a cost-analysis report and details on _who_ cracked a box. I'll take the forensics any day.
rwm
It was a matter of time, really... (Score:3)
Because... (Score:2)
Because it's generally easier to sell someone a security system to keep your house from being broken into, than a camera that will only tell you where they went after they left.
Hypocritical? (Score:4)
Distributed Worm Computing (Score:3)
The title immediately conjured an image of internet worms, self-replicating, and using host machines to number crunch (in the distributed.net case, "crack"). Imagine a Seti@home or distributed.net worm.
Now *that* would be a decent worm.
"Why are these processes eating up all the CPU! Why are they talking to setiathome.ssl.berkeley.edu!"
Re:Lets see.. (Score:1)
Just cracking the box is easy. All you have to do is just find the one patch the admin did not install, and then use that, toss a wedge in it, and soon you have r00t.
Trying to find out who put that wedge in place, is a little more difficult. It takes skill, knowledge, and some luck.
By the time I post this, I am sure it will be redundant, but ah well, I won't post with score bonus.
Off by default (Score:5)
AFAIK, any normal RH Linux box needs these system services:
crond
keytable
random
syslogd
xfs (if running X)
A box with this config will produce a "netstat -l" that shows no externally open ports except echo. The only exception to this is when running X, port 6000 will be opened (personally I firewall this).
The only thing that MIGHT want to be turned on by default is SSH. But there's really no reason that the user shouldn't have to do even this themselves.
The problem is obviously the entry-level Unix/mid-level MS users who are starting to use Linux. They need their hands held. So put a $!@#$ memo in the installer that says to read "services.txt" or something to get your system services going. Or, perhaps RH should open a web browser with a "Configuring Services" FAQ when you login to X as root (most people do this, annoying enough).
---
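The check the post above describes (run netstat and confirm nothing but echo is reachable from the network, with X's port 6000 as the known exception) can be scripted so it is repeatable. The following is an added example, not code from the poster; it assumes the numeric `netstat -ln` output format of Linux net-tools, and the sample output embedded in it is constructed, not captured from any machine in the thread.

```python
import subprocess

# Constructed sample of `netstat -ln` output (numeric addresses); it is NOT captured
# from any host in the thread. It models a default-ish install: X listening on 6000,
# ftpd on 21, echo on 7, portmap on udp 111, and a loopback-only mailer on 25.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:7               0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:111             0.0.0.0:*
Active UNIX domain sockets (only servers)
unix  2      [ ACC ]     STREAM     LISTENING     1234   /tmp/.X11-unix/X0
"""

# Echo (port 7) is the one externally reachable port the post above treats as normal.
DEFAULT_ALLOWED = frozenset({7})
# Sockets bound to these prefixes are only reachable from the box itself.
LOOPBACK_PREFIXES = ("127.", "::1", "::ffff:127.")


def parse_listeners(text):
    """Return (proto, address, port) for every inet socket line in `netstat -ln` output."""
    listeners = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("tcp", "udp", "tcp6", "udp6"):
            continue  # header lines and UNIX-domain sockets
        addr, _, port = parts[3].rpartition(":")  # rpartition keeps IPv6 ':::6000' intact
        if not port.isdigit():
            continue  # plain `netstat -l` prints service names; this parser needs -n
        listeners.append((parts[0], addr, int(port)))
    return listeners


def external_listeners(text, allowed=DEFAULT_ALLOWED):
    """Return listeners bound to a non-loopback address whose port is not allow-listed."""
    return [l for l in parse_listeners(text)
            if not l[1].startswith(LOOPBACK_PREFIXES) and l[2] not in allowed]


def audit(text, allowed=DEFAULT_ALLOWED):
    """One report line per listener that should not be reachable from the network."""
    return ["%s %s:%d is reachable from the network and not on the allow list" % l
            for l in external_listeners(text, allowed)]


if __name__ == "__main__":
    try:
        output = subprocess.run(["netstat", "-ln"], capture_output=True,
                                text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        output = SAMPLE_NETSTAT  # no netstat available: fall back to the constructed sample
    for line in audit(output):
        print(line)
```

Run on the constructed sample it flags X (6000), ftpd (21) and portmap (udp 111) while leaving the loopback-bound mailer and the echo port alone; pass `allowed={7, 6000}` if you have decided to firewall X rather than stop it from listening. Note that udp 111 shows up because rpc.statd, one of the two services the thread's worm goes after, needs the portmapper, so a box that has turned statd off but still runs portmap is still advertising an RPC surface.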
Re:How amusing. (Score:2)
I think I've got a moderator following me around with an itchy finger on the "Overrated" trigger.
Take heart, brother. :)
wuftpd (Score:2)
(Ideally it would come with proftpd, but with it disabled out-of-the-box...)
Re:Red Hat 7.01 (Score:1)
HELL, they could even slap the disc on the outside of the box in a little envelope really...
Nope (Score:2)
Differences to be noted:
1. Problem is presented quickly and fully.
2. Problem can be prevented by changing text based config files.
3. Problem can be patched at no cost.
4. No cost was incurred to begin with. Who wants to bash volunteers?
5. Reinstall will not subject you to licence keys, bogus copy protection schemes, and outright adverts like, "Everything you do will be easier and more fun. Be sure to register today!"
The ranting seems to be all yours. Get thee hence, MicroTurd.
RH *does* include a patch disk with 7.0. (Score:1)
The bad news is that it only contained the fixes for rhnsd (up2date). It would be nice if RH would continue to include full-fledged Errata CDs, rather than rely upon up2date, but I have a feeling that this was a one-time thing. Kudos to RH for stepping up, though.
Ideally vendors would include pre-patched distributions when new disc manufacturing runs are ordered. The primary example I'm thinking of is Microsoft: it would have been nice for MSDN to include a Windows NT 4 SP 6 full install disc, rather than require you to install NT 4 and then service packs. (You can't even run Windows Update since NT4 includes IE2.0!)
I don't get how RH and the community can allow... (Score:2)
Oh well, I've got to run. I believe in the POTENTIAL for Open Source to be a mechanism for secure code (at least for certain TYPES of code), but it's generally not happening today.
Not in RH7 (Score:3)
Re:Distributed Worm Computing (Score:2)
When did $50K become a paltry prize!!! (Score:1)
When did $50,000 they're offering for the person who can crack the system not be worth it. Truth be known, I would probably be working on it if I had those kind of schools. (Sorry boys and girls, I do data analysis). What's a security cost anyway? And if you're a part of a company how much do you think you would actually make from it. (Independent contractors would also be helpful.) But still, it's $50K! Seems like a lot of folks stock options would be so far underwater that it would be worth it.
Re:Red Hat 7.01 (Score:1)
Re:Red Hat 7.01 (Score:1)
Re:Analysis of Ramen worm (Score:1)
Re:Off by default (Score:3)
A box with this config will produce a "netstat -l" that shows no externally open ports except echo. The only exception to this is when running X, port 6000 will be opened (personally I firewall this).
I say:
You don't need to firewall 6000, if you add "-nolisten tcp" to the end of the line that starts the X server. On the Mandrake system I'm currently using, with gdm as the login manager, it's in the servers section of
Re:Hypocritical? (Score:2)
One of the vulnerabilities is ws-ftpd. Made by Washington University, it runs on any unix.
Also, in this case there were patches for these two vulnerabilities BEFORE this worm was even created.
Sloppy Red Hat? (Score:3)
Hopping through CERT and eventually into Red Hat I found this [redhat.com]. Fixes only for RH5 and RH6 (RH7 didn't exist at the time). I can't get to RH's FTP to check the status for wu-ftpd in RH7 right now, but their list of security advisories for RH7 does not mention wu-ftpd.
Re:Not in RH7 (Score:2)
Re:Hypocritical? (Score:3)
Thing is, these are not new exploits. They're known, and easily patched. Anyone who gets hit by this worm shouldn't be operating a web server.
Re:Sloppy Red Hat? (Score:2)
[root@elite RedHat-7.0-RPMS]# ls -la wu-ftpd-2.6.1-6.i386.rpm
-rw-r--r-- 1 root root 196336 Aug 30 18:16 wu-ftpd-2.6.1-6.i386.rpm
As far as I know this is not vulnerable. The wu exploit that most people use has these offsets hardcoded:
0 - RedHat 6.2 (?) with wuftpd 2.6.0(1) from rpm
1 - RedHat 6.2 (Zoot) with wuftpd 2.6.0(1) from rpm
So I do not think it is. The only exploit I know of for Red Hat 7 is the lpd one. AFAIK RH 7 does not even install inetd (xinetd) by default.
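The post above decides the box is safe by eyeballing the RPM filename. Since the thread's own claim is that wu-ftpd versions before 2.6.0 carry the hole, the same check can be done against an `rpm -qa` listing with a real RPM-style version comparison, so that 2.6.1-6 is correctly ranked above 2.6.0 and 2.10 above 2.9. This is an added example, not code from the poster or from Red Hat; it assumes `rpm -qa`-style `name-version-release` lines (optionally with a `.i386.rpm` suffix as in the `ls` output above), the sample inventory is constructed, and only the wu-ftpd floor comes from the thread. The LPRng fix the thread mentions has no version number on the page, so it is deliberately left out of the table.

```python
import re

# Constructed `rpm -qa`-style inventory; not taken from any host in the thread.
SAMPLE_INVENTORY = """\
wu-ftpd-2.5.0-9
LPRng-3.6.24-2
glibc-2.1.3-15
"""

# Minimum safe versions asserted in the thread: wu-ftpd before 2.6.0 has the hole the
# worm uses. Add further floors here from the vendor advisories (version or
# version-release); none are invented for packages the page gives no number for.
MINIMUM_VERSIONS = {
    "wu-ftpd": "2.6.0",
}

# name-version-release, with an optional ".arch" and ".rpm" as printed by `ls` on a package file.
_PKG = re.compile(r"^(?P<name>.+)-(?P<ver>[^-]+)-(?P<rel>[^-]+?)"
                  r"(?:\.(?:i386|i586|i686|noarch|src))?(?:\.rpm)?$")
# rpmvercmp splits a version into runs of digits and runs of letters; everything else is a separator.
_SEG = re.compile(r"\d+|[A-Za-z]+")


def parse_nvr(s):
    """Split 'wu-ftpd-2.6.1-6.i386.rpm' into ('wu-ftpd', '2.6.1', '6')."""
    m = _PKG.match(s.strip())
    if not m:
        raise ValueError("not a name-version-release string: %r" % s)
    return m.group("name"), m.group("ver"), m.group("rel")


def rpmvercmp(a, b):
    """Compare two version (or release) strings the way RPM does, simplified: no tilde/caret
    handling. Returns -1 if a < b, 0 if equal, 1 if a > b."""
    if a == b:
        return 0
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        xd, yd = x.isdigit(), y.isdigit()
        if xd != yd:
            return 1 if xd else -1          # a numeric segment beats an alpha segment
        if xd:
            x, y = x.lstrip("0"), y.lstrip("0")
            if len(x) != len(y):            # longer digit run is the bigger number
                return 1 if len(x) > len(y) else -1
        if x != y:
            return 1 if x > y else -1
    if len(sa) == len(sb):
        return 0
    return 1 if len(sa) > len(sb) else -1   # the string with segments left over is newer


def check_inventory(text, minimums=MINIMUM_VERSIONS):
    """Return (name, installed version-release, status) per package in an rpm -qa listing."""
    results = []
    for line in text.splitlines():
        if not line.strip():
            continue
        name, ver, rel = parse_nvr(line)
        floor = minimums.get(name)
        if floor is None:
            status = "no floor recorded"
        else:
            floor_ver, _, floor_rel = floor.partition("-")
            c = rpmvercmp(ver, floor_ver)
            if c == 0 and floor_rel:        # only compare releases when the floor names one
                c = rpmvercmp(rel, floor_rel)
            status = "VULNERABLE" if c < 0 else "ok"
        results.append((name, "%s-%s" % (ver, rel), status))
    return results


if __name__ == "__main__":
    for name, installed, status in check_inventory(SAMPLE_INVENTORY):
        print("%-10s %-12s %s" % (name, installed, status))
```

On a live box, feed it `rpm -qa` output instead of the sample. The point of doing a proper segment comparison rather than a string compare is the one the post above trips over: "2.6.1-6" is newer than "2.6.0", but a naive string compare of "2.10" against "2.9" would get it backwards.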
Ugh. Should've read fizbin's post before. (Score:2)
I got hacked (Score:2)
been there got cracked (Score:2)
rpc.statd[443]: SM_MON request for hostname containing '/': *INSERT BUNCH OF CRAPPY CHARACTERS*/bin/sh -c echo 9704 stream tcp nowait root
There were a lot of funky characters in the middle that slashdot wouldn't take.
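The rpc.statd line quoted above is the trace the attack leaves in syslog: statd logs an SM_MON request whose hostname contains a '/', and the "hostname" turns out to be padding followed by a shell command that writes an inetd-style entry for a root shell on port 9704. A defender can grep for that message and rank hits by what the hostname contains. The following is an added example, not the poster's code; it assumes standard syslog prefixes (timestamp, hostname) ahead of the `rpc.statd[pid]:` tag, and the sample lines are constructed, with the binary characters Slashdot stripped from the real line replaced by a run of 'A's.

```python
import re

# Constructed syslog excerpt, NOT the poster's real log. Line 2 mirrors the shape of the
# rpc.statd message quoted in the post above; line 3 is a benign hostname with a slash.
SAMPLE_SYSLOG = """\
Jun  3 02:11:07 testbox rpc.statd[443]: Version 1.0 Starting
Jun  3 02:11:09 testbox rpc.statd[443]: SM_MON request for hostname containing '/': AAAAAAAAAAAAAAAAAAAA/bin/sh -c echo 9704 stream tcp nowait root
Jun  3 02:11:10 testbox rpc.statd[443]: SM_MON request for hostname containing '/': nfs1/home
Jun  3 02:12:00 testbox in.ftpd[512]: FTP session closed
"""

# The statd message itself; searched, not anchored, so the syslog prefix format does not matter.
STATD_SLASH = re.compile(
    r"rpc\.statd\[(?P<pid>\d+)\]: SM_MON request for hostname containing '/': (?P<name>.*)$")
# Things that never belong in a hostname: a shell path, echo, or an inetd "nowait" field.
SHELL_MARKERS = re.compile(r"/bin/(?:ba)?sh\b|\becho\b|\bnowait\b")
# The inetd-style entry the quoted payload echoes: "<port> stream tcp nowait <user>".
INETD_ENTRY = re.compile(r"\b(?P<port>\d{1,5})\s+stream\s+tcp\s+nowait\s+(?P<user>\w+)")


def classify(name):
    """'high' if the hostname carries shell text or non-printable padding, else 'low'."""
    if SHELL_MARKERS.search(name) or not name.isprintable():
        return "high"
    return "low"


def scan_syslog(text):
    """Return one finding per statd '/'-hostname message, with the backdoor port if present."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = STATD_SLASH.search(line)
        if not m:
            continue
        name = m.group("name")
        entry = INETD_ENTRY.search(name)
        findings.append({
            "line": lineno,
            "pid": int(m.group("pid")),
            "severity": classify(name),
            "backdoor_port": int(entry.group("port")) if entry else None,
            "runs_as": entry.group("user") if entry else None,
        })
    return findings


if __name__ == "__main__":
    # For a real file use open(path, errors="replace") so the binary padding does not
    # abort decoding; the non-printable replacement characters still classify as 'high'.
    for f in scan_syslog(SAMPLE_SYSLOG):
        print("line %(line)d statd[%(pid)d] severity=%(severity)s "
              "port=%(backdoor_port)s user=%(runs_as)s" % f)
```

A 'high' hit with a port and user extracted is the signal to treat the box as compromised rather than just patch it (the thread is right that a statd root shell means a rebuild); the benign slash-in-hostname case is kept at 'low' so the check does not drown in NFS noise.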
Re:RH Crack (Score:3)
http://slashdot.org/comments.pl?sid=01/01/17/1836
A good worm (Score:2)
Sloppy sys admins (Score:4)
Under the rug? (Score:5)
I expect this'll get modded down, but...
It seems that the RedHat exploit is at least as big a story as the Honeypot project. While they're both 'cracker' related, one is an opt-in research project and one is an advisory news item.
Don't they deserve separate top-level stories to clear it up? This isn't some downgraded Slashback or quickies thing. Both deserve their own thread.
Or is it just negative news about a pet issue, getting swept into a little dark corner at the end of something else?
Re:Red Hat 7.01 (Score:2)
Re:Analysis of Ramen worm (Score:2)
Re:Oh well! (Score:2)
A "worm" isn't a virus. A virus is a hidden executable that spreads within a computer. A worm is a script or program that hits a computer and then goes to other computers. All this is is a script that attacks network services, sends an email and then looks for other computers. There is a difference.
SealBeater
How come... (Score:2)
Re:Distributed Worm Computing (Score:2)
http://project.honeynet.org/papers/worm/ [honeynet.org]
Re:Hypocritical? (Score:2)
Maybe because patches have been available BEFORE this worm even came into existence?
Just a few thoughts... Don't get me wrong, this stuff is bad but it's hard for me to get as excited about it as I have been about the MS bugs.
Re:Hypocritical? (Score:3)
But reading the advisories, it suggests that the unloaded code not only is a standard script kiddie root pack, but also emails to some sites, most likely the information on how the box reporting can be further hacked. It can tie up your internet connection since the portscanning that it appears to be doing is rapid. It also rewrites the default index page of the server (assuming you use default installs) with that "powered by raman noodles" page.
Which means that if you have this on your system, the only precaution you can take is a full system reinstall lest you be "0wn3d" in the future, because some script kiddie somewhere has a way into root on your box.
So this is VERY dangerous as there's a potential for abuse, but that has to be initiated by a human contact, which downgrades this from a virus to a worm. As others have said, if the rootpack had a simple "rm -rf /" or similarly damaging command in its script, it would be a virus.