
2002-09-18
Lessons I learned from falling prey to the latest Linux virus.
If the previous paragraph fails to break any new ground, well, perhaps it's because Slapper breaks so little new ground - except that the time lag between initial public knowledge of the exploit and release of the corresponding worm has shrunk to a mere six weeks.
And this time two of my servers were hit, and I have no one to blame but myself.
Red Hat released their patch on August 5th, but I hadn't applied it to one server, or my laptop. My only defense, and it's a poor one, is that at the time of the patch neither server in question had Apache turned on. I had managed to avoid previous Linux exploits, but this one got me and there's nothing to blame but my own laziness.
What could I have done to protect my systems? Not wait five weeks to install security updates, for one thing. For another, as Sandu Mihai
The consequences of my lapse, and the Slapper worm in general, could have been much worse. In contrast to OpenSSH and BIND, most systems should have Apache running not as root but as its own user, so Slapper should get root on relatively few systems. Current versions of OpenSSH have very little exposure for root, and BIND has long supported running as its own user, but Linux distributions have only recently caught up. Perhaps this will encourage distributors to put Apache and BIND in chrooted environments.
Also, like most worms, this one seems to have been poorly written: although the worm copied itself to both of my exploited systems, it failed to compile itself successfully on either system, despite the presence of all appropriate libraries. That my network did not become another attack platform is wonderful, but a testament only to the failure of the worm's designer.
Despite these difficulties, there is a huge pool of machines still vulnerable to this exploit, and the DDoS network is growing: F-Secure reports that between Sunday and Monday the number of DDoS nodes nearly doubled, from approximately 6,000 up to 11,000. Only time will tell if Slapper can maintain this growth for any length of time. It may prove to be as much trouble for the Linux community as Code Red and NIMDA were for the Windows world.
There's really nothing new or stunning about Slapper. It's another good reason to be prompt and proactive with regard to security updates, and another good reason not to install software you don't plan on using. It's also another good reason for firewalls to deny access by default: the DDoS network chatters on UDP port 2002, so if your firewall blocks this, your machine doesn't become part of the attack network.
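As an added illustration (not part of the original article), the shell function below checks a Linux UDP socket table for anything bound to the port named above. The function names, the `-` argument for reading the table from standard input, and the sample rows are assumptions made for this example; the sample rows are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example: report sockets bound to a given UDP port by reading the
# kernel's socket table (the /proc/net/udp format). UDP 2002 is the port
# the article gives for the Slapper DDoS network.

# udp_bound PORT [TABLE]
#   TABLE defaults to /proc/net/udp; "-" reads the table from stdin.
#   Prints "uid=<uid> inode=<inode> local=<hexaddr:hexport>" per match.
#   Exit status is 0 if at least one socket is bound to PORT, 1 if none.
udp_bound() {
    port_hex=$(printf '%04X' "$1")     # the table stores ports as 4 hex digits
    table=${2:-/proc/net/udp}
    awk -v want="$port_hex" '
        NR == 1 { next }               # skip the column header line
        {
            n = split($2, addr, ":")   # field 2 is local_address, HEXIP:HEXPORT
            if (n == 2 && toupper(addr[2]) == want) {
                # field 8 is the owning uid, field 10 the socket inode
                printf "uid=%s inode=%s local=%s\n", $8, $10, $2
                found = 1
            }
        }
        END { exit !found }
    ' "$table"
}

# Constructed sample table: one socket on port 2002 (0x07D2) owned by a
# non-root uid, and one unrelated socket on port 53 (0x0035).
sample_table() {
    cat <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:07D2 00000000:0000 07 00000000:00000000 00:00000000 00000000    48        0 4711
   1: 0100007F:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 1203
EOF
}

# Demonstration on the constructed table.
sample_table | udp_bound 2002 - || echo "nothing bound to UDP 2002"
```

On a live Linux host, `udp_bound 2002` with no second argument reads `/proc/net/udp`, which lists IPv4 sockets only. A match is a reason to look at the owning uid and process, not a substitute for the default-deny firewall rule.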
It's another good reason for automating patch installs, especially if you're in charge of a large number of systems. The tools to do this are available, but could stand to be improved. Debian's Apt is beautiful, but the beauty isn't necessarily apparent to the average user; Red Hat's update agent also works, but feels rather slow on my laptop and requires the user to complete a registration procedure.
Both systems need to be more proactive: they should inform users when security updates are required, rather than wait in vain for the user to take the initiative and install updates. At a client's site this past week, I saw Debian machines that hadn't had any security updates installed for a full year. They were doing their job, my client said, and he didn't want to touch them.
Slapper just reinforces my existing prejudices regarding security, makes me more certain that I need better automated tools than those available right now, and reminds me painfully that I can be as lazy as any other system administrator -- and what a slap in the face that is.