August 27, 2008 6:37 AM PDT

Linux servers under the Phalanx gun: A problem with people, not code

by Matt Asay
  • Font size
  • Print
  • 15 comments

As The Register reports Wednesday, Linux servers are increasingly under attack from Phalanx2, a "self-injecting kernel rootkit designed for the Linux 2.6 branch that hides files, processes and sockets and includes tools for sniffing a tty program and connecting to it with a backdoor."

According to The Register:

The attacks appear to use stolen SSH keys to take hold of a targeted machine and then gain root access by exploiting weaknesses in the kernel. The attacks then install a rootkit known as Phalanx2, which scours the newly infected system for additional SSH keys. There's a viral aspect to this attack. As new SSH keys are stolen, new machines are potentially vulnerable to attack.

The U.S. Computer Emergency Readiness Team has recommended an approach to counteracting the risk, but this is where Linux (and Windows and Solaris and...) security meets reality: Linux may be inherently more secure as a system, but ultimately security is a question of process and people, not merely code.

Administrators must apply the patches. If Linux server administrators are anything like Oracle server administrators--65 percent of whom never install critical security patches--then Linux security will be as fallible as that of any other system. If IT administrators won't secure Linux, it won't be secured.

Much is made about security in open source, and often for good reason. But judging from the lack of chatter on the Web about the Phalanx attacks, I'm not optimistic that we're responding fast enough as a community to this new security breach.

Matt Asay brings a decade of in-the-trenches open-source business and legal experience to The Open Road, with an emphasis on emerging open-source business strategies and opportunities. Matt is vice president of business development at Alfresco, a company that develops open-source software for content management. He is a member of the CNET Blog Network and is not an employee of CNET. Disclosure. You can follow Matt on Twitter @mjasay.
Topics:

Industry news

Tags:

Linux,

security

Share:
Digg
Del.icio.us
Reddit
Recent posts from The Open Road
An application war is brewing in the cloud
2010 the year of cloud-computing...M&A
Canonical shines its Ubuntu light on consumers
Open source became big business in 2009
Will we see an open-source IPO in 2010?
Could Apache keep Google's regulators at bay?
Red Hat's Q3 earnings defy gravity
Canonical's opportunity to simplify Ubuntu
Related
Zemlin: 'Industry transformation depends on Linux' (Q&A)
Microsoft to plug critical IE hole targeted by exploit code
Microsoft plugs zero-day IE hole
Eucalyptus open-sources the cloud (Q&A)
Boeing's 787 completes first flight
Novell's quarter crumbles, but a new market beckons
Google wants to unclog Net's DNS plumbing
DNS security and performance considerations, and ISP alternatives
Add a Comment (Log in or register) (15 Comments)
  • prev
  • 1
  • next
by Penguinisto August 27, 2008 7:37 AM PDT
There's not much chatter yet because the warning just barely came out (SANS reported it late yesterday). Also, you would have had to 1) not patched against the OpenSSL bug from weeks ago, and 2) have had one (or more) of your SSH keys (assuming you even use them) stolen or compromised.

FWIW: Oracle servers get patched slower because Oracle patches have a greater chance of breaking things (esp. with delicate or even bone-headed queries/scripting).

/P
Reply to this comment
by rapier1 August 27, 2008 8:49 AM PDT
Penguinisto,
So I do a lot of SSH development. The set of patches I came up with, while not part of the official OpenSSH offerings, are widely used to enhance performance. Because of that I get a lot of mail from people and I'd say at least half of them are looking for patches for OpenSSH 3.8, 4.1, 4.3 etc... old versions - years old. Regardless of what people *should* be doing they just aren't doing it. They're not upgrading OpenSSL, they aren't upgrading OpenSSH, they're not password locking their keys. They just aren't. These aren't idiots but if they don't know it broken they don't see any reason to fix it. So while I don't think this is a potential meltdown I do think there are a good number of people that are at risk and that this may end up being somewhat disruptive.
by Penguinisto August 27, 2008 12:35 PM PDT
You sort of left out context, whether or not they use ssh keys, what application (could be Cygwin for all I know) etc.

So where are these packages of yours, then? I'm kind of curious to see them.
by rapier1 August 27, 2008 12:43 PM PDT
just google hpn-ssh. it won't do you much good unless you have a BDP > 2MB but we also included mid stream cipher switching to null (post auth (we maintain HMAC)) and a threaded aes-ctr cipher. As for the context of the requests - you know as much as I do. However, Corrina does a damn fine job of keeping SSH under cygwin current with releases. Of course, if you are using cygwin performance probably isn't a priority.
by alegr August 27, 2008 7:50 AM PDT
Of course, if users click on unsafe attachments, and always run as administrators, it's Windows horrible security. But if beloved Linux is compromized, it's just admins not doing their job.
Reply to this comment
by Penguinisto August 27, 2008 12:36 PM PDT
That's because part of a admin's job is to not run with root privileges unless he/she has a good reason to.

Next...?
by electromanvern August 29, 2008 2:05 PM PDT
@Penguinisto

An I'm sure now that Vista runs user sessions at low priv by default that you will have to agree that would have helped to prevent this type of 'user error'.
by softwaredesignengineer August 27, 2008 8:03 AM PDT
Stupid Windows with all its big security holes that allows unsafe attachments to be opened and executed and users to run as administrators with all access right... oh wait wait...this was Linux??? geeez, pPlease ignore my post...... the admins don't know how to use Linux security.
Reply to this comment
by upperfalls August 27, 2008 11:15 AM PDT
There's no chatter because this is old news. Competent admins have patched OpenSSL long ago. Only incompetent types still have a problem. Do you really expect them to talk?
Reply to this comment
by The_Decider August 27, 2008 11:47 AM PDT
The only thing I am concerned about is your decline lack of quality writing.

This is speculative at best and is only meant to drive traffic your way.

As others have said this is old news. It is your fault you are up to date on events in Linux.
Reply to this comment
by Vegaman_Dan August 27, 2008 11:52 AM PDT
The problem that I see here is that self-titled administrators are too ego-driven and full of themselves to actually consider that there may be an issue here and take steps to avoid it. Confident in their abilities to move the planet itself if they so choose, they disregard taking these steps because... well, it can't happen to them- they are infallible, as are the systems they manage.


Take a look at those people who call themselves admins and see if this isn't the case. Responsible people don't brag about being admins. Those that do are prime targets for this sort of situation.


Apple and Microsoft have nothing on *nix admins for egos. That's something nobody can touch.

Reply to this comment
by Penguinisto August 27, 2008 12:46 PM PDT
Nice try - try again.

When the OpenSSL bug came out a few weeks back, every *nix admin I know of was auditing their servers to see if they were affected, and were patching appropriately (including key revocation/regens as needed). I busily did the same, and it took less than a day to install the vendor patches, audit the keys, and revoke the old ones (and even then it was only done out of paranoia).

This "issue" separates the men from the boys, so to speak. Getting bitten requires that 1) you never bothered to patch the earlier OpenSSL bug, weeks after it was announced, 2) you continue to use keys generated by the buggy versions, 3) your key somehow gets swiped from the server (meaning that you left it in an unsecure location), and 4) that you parked the thing, rigged as described, directly onto the public Internet where some schmuck can get at it (hint: you NEVER use SSH keys on a public-facing server. Ever.) Remove either one of those steps, and the whole house of cards falls apart, and no cookie for the script kiddie.

By the way... how effective is a "rootkit" that can be found with a simple "cd" command, or picked up by any decent file-integrity checking binary? Weren't "rootkits" supposed to be nearly completely undetectable?

Given all of this, methinks that Mr. Asay is shouting "wolf!" rather prematurely, considering the convolutions required to even infect a machine with this thing.

--

So, let's compare this to the typical Windows bust-in, where the fault (usually) lies with privilege escalations and zero-day (or outright unpached-by-the-vendor) flaws in the OS. Instead of relying on a convoluted series of events to be true, it usually requires a double-click, or merely surfing to a poisoned website.
by francip August 27, 2008 12:01 PM PDT
You say "Linux may be inherently more secure as a system" and then you link this sentence to your own post that actually says: "Does this mean Linux is more secure? Not necessarily...".

I guess in your next piece you'll write "As we all know, Linux is more secure" and link to this one.
Reply to this comment
by richto August 27, 2008 1:24 PM PDT
Errrm, nice meaningless squigley picture, but its been well known and widely acknowledged for years now that Windows is inherently more secure than Linux with far fewer vulnerabilities that are fixed much faster.

e.g. http://blogs.technet.com/security/archive/2008/05/15/q1-2008-client-os-vulnerability-scorecard.aspx

or

http://blogs.technet.com/security/archive/2007/08/16/july-2007-operating-system-vulnerability-scorecard.aspx


Thats why for instance the US and UK armies and Navies use it in perference to Linux. Not to mention that a Linux / Apache webserver is 5 times more likely to be hacked defaced than a Windows / IIS one.
Reply to this comment
by Dalkorian August 27, 2008 2:25 PM PDT
Thanks, I needed a good laugh.
(15 Comments)
  • prev
  • 1
  • next
advertisement

15 sites that went kaput in 2009

Web sites launch all the time, but they also shut their doors. We highlight 15 that bit the dust this year.

Top 10 news stories of the decade

Let the debate begin: Was the iPhone more important than iTunes? Was anything bigger than Google finding a great business model? CNET offers its list of the 10 most important stories of the '00s.

About The Open Road

Matt Asay brings a decade of in-the-trenches open-source business and legal experience to the Open Road, with an emphasis on emerging open-source business strategies and opportunities. Matt is general manager of the Americas division and vice president of business development at Alfresco, a company that develops open-source software for content management. He is a member of the CNET Blog Network and is not an employee of CNET. Disclosure.

Add this feed to your online news reader

The Open Road topics

advertisement
advertisement

Inside CNET News

Scroll Left Scroll Right
News
News site map
Latest headlines
Contact News
News staff
Corrections
CNET blogs
Popular topics
Apple iPhone
Apple iPod
Cell phones
CES 2010
GPS
LCD TV
CNET sites
CNET Site map
CNET TV
Downloads
News
Reviews
Shopper.com
More information
Newsletters
CNET Mobile
Customer Help Center
RSS
CNET Widgets
About CNET