Slapped Silly
Jon Lasser, 2002-09-18

Lessons I learned from falling prey to the latest Linux virus.

It's our turn again. The latest worm to attack Web servers is aimed squarely at Linux systems running Apache. The Slapper worm targets 21 different builds of Apache on a number of Linux distributions, exploiting the OpenSSL buffer overflow in SSLv2 handshake handling that was reported at the end of July. On a compromised system it installs a distributed denial-of-service (DDoS) agent that joins a peer-to-peer network of infected hosts, and then scans for and exploits other vulnerable instances of Apache.

If the previous paragraph fails to break any new ground, well, perhaps it's because Slapper breaks so little new ground - except that the time lag between initial public knowledge of the exploit and release of the corresponding worm has shrunk to a mere six weeks.

And this time two of my servers were hit, and I have no one to blame but myself.

Red Hat released its patch on August 5th, but I hadn't applied it to one server or to my laptop. My only defense, and it's a poor one, is that at the time the patch came out neither machine had Apache turned on. I had managed to avoid previous Linux exploits, but this one got me and there's nothing to blame but my own laziness.

What could I have done to protect my systems? Not wait five weeks to install security updates, for one thing. For another, as Sandu Mihai points out on Bugtraq, simply mounting /tmp as a separate filesystem with the noexec and nosuid options will block this worm, which drops its source into /tmp and tries to run the binary it compiles there, along with a great many other attacks that depend on a world-writable directory to execute from.
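The following is an added example, not code from the column or from Bastille Linux: the fstab entry that gives /tmp the noexec, nosuid and nodev options, the remount command that applies them to a running system, and a small check that reads a /proc/mounts line and reports which of the three options are missing. The device name and the sample mount lines are assumptions.

```shell
#!/bin/sh
# Added example (not from the column): harden /tmp the way Sandu Mihai
# suggests, and verify that the options actually took.
#
# Suggested /etc/fstab entry for a separate /tmp filesystem (device name
# is an assumption; use your own, or a tmpfs/loopback mount):
#   /dev/hda7   /tmp   ext3   defaults,noexec,nosuid,nodev   0 2
# Applied to a live system without rebooting:
#   mount -o remount,noexec,nosuid,nodev /tmp

# Take one /proc/mounts line for /tmp:
#   <device> <mountpoint> <fstype> <options> <dump> <pass>
# and print the wanted options that are absent, space separated.
# Empty output and exit status 0 mean /tmp is hardened; exit 1 means
# something is missing; exit 2 means the line is not a /tmp mount at all.
tmp_missing_opts() {
    set -f                      # no globbing while we split the line
    set -- $1
    set +f
    mnt=$2
    opts=$4
    [ "$mnt" = "/tmp" ] || { echo "not a /tmp mount"; return 2; }
    missing=""
    for want in noexec nosuid nodev; do
        case ",$opts," in
            *,"$want",*) ;;                         # present
            *) missing="$missing${missing:+ }$want" ;;
        esac
    done
    echo "$missing"
    [ -z "$missing" ]
}

# Check the running system.  /tmp must be its own mount for any of this
# to apply; if it is just a directory on the root filesystem the options
# cannot be set on it alone, which is the first thing to fix.
check_live_tmp() {
    line=$(grep ' /tmp ' /proc/mounts | head -n 1)
    if [ -z "$line" ]; then
        echo "/tmp is not a separate mount; noexec cannot be applied to it"
        return 2
    fi
    tmp_missing_opts "$line"
}

case "${1:-}" in
    --live) check_live_tmp ;;
esac
```

Two caveats a practitioner should keep in mind. noexec is enforced at execve time, and on Linux kernels of this era a binary on a noexec mount could still be run by invoking the dynamic loader on it directly (/lib/ld-linux.so.2 /tmp/file), so treat the option as a speed bump for automated worms rather than as a security boundary. It also only covers /tmp: any other directory the Web server's user can write to (/var/tmp, /dev/shm, a writable DocumentRoot) serves the same purpose for a worm that bothers to look.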

The consequences of my lapse, and of the Slapper worm in general, could have been much worse. Unlike OpenSSH and BIND, Apache on most systems runs its connection-handling children not as root but as an unprivileged user such as apache or nobody (only the parent process, which binds the port, keeps root), and the overflow fires in a child, so Slapper should get root on relatively few systems. Current versions of OpenSSH, with privilege separation, have very little exposure for root, and BIND has long supported running as its own user, but Linux distributions have only recently caught up. Perhaps this will encourage distributors to put Apache and BIND in chrooted environments.

Also, like most worms, this one seems to have been poorly written: although the worm copied itself to both of my exploited systems, it failed to compile itself successfully on either system, despite the presence of all appropriate libraries. That my network did not become another attack platform is wonderful, but a testament only to the failure of the worm's designer.

Despite these difficulties, there is a huge pool of machines still vulnerable to this exploit, and the DDoS network is growing: F-Secure reports that between Sunday and Monday the number of DDoS nodes nearly doubled, from approximately 6,000 up to 11,000. Only time will tell if Slapper can maintain this growth for any length of time. It may prove to be as much trouble for the Linux community as Code Red and NIMDA were for the Windows world.

There's really nothing new or stunning about Slapper. It's another good reason to be prompt and proactive about security updates, and another good reason not to install software you don't plan on using (or, as in my case, to leave it installed but unpatched because it happens to be switched off). It's also another good reason for firewalls to deny access by default: the worm's peer-to-peer DDoS network chatters on UDP port 2002, so if your firewall blocks that port, an infected machine can't be reached by its peers and won't take orders as part of the attack network. The block is no substitute for the patch, though: the exploit itself arrives on the same HTTPS port Apache has to serve.
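As an added example (not code from the column), here is the two-sided version of that advice: a check that reads netstat output and reports any UDP socket bound to the worm's port, and a default-deny iptables ruleset for a Web server that logs probes to UDP 2002 and lets the policy drop them. The sample netstat lines are constructed, and the open ports and the fact that the host is managed over SSH are assumptions. The port is a parameter because later Slapper variants moved their control channel to other ports; the check is only as good as the port list you feed it.

```shell
#!/bin/sh
# Added example (not from the column): detect sockets on Slapper's
# peer-to-peer port and build a default-deny inbound firewall.

# Read 'netstat -anu' output on stdin and print the local address of
# every UDP socket bound to the given port (default 2002).  Exit status 0
# if none were found, 1 if at least one was, so the function can gate an
# alert from cron:
#   netstat -anu | slapper_udp_sockets || logger -p daemon.alert "udp/2002 bound"
# A bound socket is an indicator, not proof: confirm with 'lsof -i udp:2002'
# or 'fuser -n udp 2002' and look at the owning process.
slapper_udp_sockets() {
    port=${1:-2002}
    found=0
    while read -r proto rq sq laddr faddr rest; do
        [ "$proto" = "udp" ] || continue        # skips headers and tcp lines
        case "$laddr" in
            *:"$port") echo "$laddr"; found=1 ;;
        esac
    done
    [ "$found" -eq 0 ]
}

# Default-deny inbound policy for a Web server (iptables on Linux 2.4).
# Needs root and is only run when asked for.  Run it from the console:
# between the policy change and the ESTABLISHED rule every inbound packet
# is dropped, which an SSH session will survive but you may not enjoy.
apply_default_deny() {
    iptables -P INPUT DROP
    iptables -F INPUT
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -p tcp --dport 22 -j ACCEPT
    iptables -A INPUT -p tcp --dport 80 -j ACCEPT
    # 443 is where the OpenSSL exploit arrives; only the patch protects it.
    iptables -A INPUT -p tcp --dport 443 -j ACCEPT
    # LOG is non-terminating: the packet is logged, then falls through to
    # the DROP policy.  Hits here are peers looking for a node to command.
    iptables -A INPUT -p udp --dport 2002 -j LOG --log-prefix "slapper-p2p: "
}

case "${1:-}" in
    --scan)  netstat -anu | slapper_udp_sockets ;;
    --apply-firewall) apply_default_deny ;;
esac
```

The policy is set to DROP before the chain is flushed so that a failure halfway through leaves the host closed rather than open. Everything not listed, UDP 2002 included, is dropped without a rule of its own; the explicit LOG line exists only so that the attempts show up in syslog.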

It's another good reason for automating patch installs, especially if you're in charge of a large number of systems. The tools to do this are available, but could stand to be improved. Debian's Apt is beautiful, but the beauty isn't necessarily apparent to the average user; Red Hat's update agent also works, but feels rather slow on my laptop and requires the user to complete a registration procedure.

Both systems need to be more proactive: they should inform users when security updates are required, rather than wait in vain for the user to take the initiative and install updates. At a client's site this past week, I saw Debian machines that hadn't had any security updates installed for a full year. They were doing their job, my client said, and he didn't want to touch them.
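One way to get the proactive behaviour the last two paragraphs ask for, as an added example rather than anything shipped with Apt or Red Hat's update agent: a daily cron job that refreshes the package lists, runs a simulated upgrade, and mails the administrator the packages that would be installed from a security origin. It parses the Inst lines of apt-get -s upgrade; the sample output, the script path and the cron schedule are assumptions.

```shell
#!/bin/sh
# Added example (not from the column, not part of Apt): make a Debian box
# report pending security updates instead of waiting to be asked.
#
# Install as /usr/local/sbin/update-check and add to /etc/crontab
# (path and schedule are assumptions):
#   17 6 * * * root /usr/local/sbin/update-check --live | mail -s "pending updates" root

# Read 'apt-get -s upgrade' output on stdin and print one line per
# package that would be installed from a security origin:
#   <pkg> <old version> -> <new version>
# Simulation lines look like (constructed sample):
#   Inst openssl [0.9.6c-2] (0.9.6c-2.woody.1 Debian-Security:3.0/stable)
# Exit status 1 if any security update is pending, 0 if none.
pending_security_updates() {
    found=0
    while read -r action pkg old new origin; do
        [ "$action" = "Inst" ] || continue
        if [ "${old#\[}" = "$old" ]; then
            # no bracketed old version: a new package, fields shift left
            origin=$new; new=$old; old="(none)"
        fi
        case "$origin" in
            *Security*) ;;
            *) continue ;;              # ordinary update, not a security one
        esac
        old=${old#\[}; old=${old%\]}    # strip apt's brackets and parenthesis
        new=${new#\(}
        echo "$pkg $old -> $new"
        found=1
    done
    [ "$found" -eq 0 ]
}

# Run on the live system: refresh the lists, then report.  Needs root
# (or a writable /var/lib/apt) and network access to the mirrors.
update_check() {
    apt-get -qq update || { echo "apt-get update failed"; return 2; }
    apt-get -s upgrade | pending_security_updates
}

case "${1:-}" in
    --live) update_check ;;
esac
```

Because the exit status is 1 whenever something is pending, the same script can drive a Nagios-style check or a loud banner at login; the point is that the machine, not the administrator, takes the initiative. Nothing here installs anything: the simulated upgrade is the only thing run, so a box that "is doing its job" is still untouched until someone decides to act on the mail.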

Slapper just reinforces my existing prejudices regarding security, makes me more certain that I need better automated tools than those available right now, and reminds me painfully that I can be as lazy as any other system administrator -- and what a slap in the face that is.

SecurityFocus columnist Jon Lasser is the author of Think Unix (2000, Que), an introduction to Linux and Unix for power users. Jon has been involved with Linux and Unix since 1993 and is project coordinator for Bastille Linux, a security hardening package for various Linux distributions. He is a computer security consultant in Baltimore, MD.


Copyright 2010, SecurityFocus