A Slap Upside the Head
Windows users are accustomed to worms, viruses, and Trojans. It's much
more rare for Unix-like operating systems to become targets. Perhaps
it's because we're more likely to secure our systems; perhaps it's
because Open Source software 'is not designed to enable virus
replication' [1]; or maybe it's because there are so many Windows
machines out there, it's a much more appealing target.
When a worm that attacks Unix-like systems comes round though, it's
noteworthy. While there was an Apache worm [2] about two months ago, it
didn't seem to catch on at all. Now a new worm -- dubbed
linux.slapper.worm -- has started targeting SSL-enabled Apache servers
and has had noticeable impact: 30,000 hosts have been compromised as of
September 17th. [3]
By now [4], news about the worm has been all over the place, so I won't
rehash it in detail. Suffice it to say that a buffer overflow in OpenSSL
[5] can be abused on Apache servers that support SSL (Apache + mod_ssl
or Apache-SSL) to gain access as the apache user. Patches (OpenSSL
0.9.6e and later) have been out for a while. The bug is in the SSL
negotiation, which happens before the actual HTTP data (GET/POST/etc) is
sent, which means you won't have any indication in your logs that the
attack is occurring.
If the buffer overflow succeeds, the worm uploads a file
'/tmp/.bugtraq.c', compiles it, and runs the resulting executable
/tmp/.bugtraq. This program starts listening for connections on UDP port
2002, joining a Peer-To-Peer network of cracked machines. This P2P
network can be used to create Distributed Denial of Service attacks
(IPv4 and IPv6 TCP floods, DNS floods and more) and allow the cracker to
run any arbitrary commands on your machine. (A useful example would be
to upgrade the P2P code to include new functionality.) Though he does
not get root access directly, it's possible to get in and poke around
more to see if he can elevate his privileges.
Whew. Now that we've gotten the background out of the way, here's the
worst thing about the situation: it's completely preventable. If you
follow paranoid procedures when setting up your machine, you would have
stopped this worm at several points and either avoid becoming infected
at all, or at least keep yourself from becoming part of the P2P network.
Let's take a look at generic security practices that could keep this
worm in check:
ServerTokens
Many worms check the Daemon's banner before attempting an exploit
in order to choose the best attack available. If you set the
Apache 'ServerTokens' configuration variable to 'ProductOnly'
then it will only broadcast 'Apache' and not the version and
installed modules. (For more info about this configuration
setting, see [6].)
SSLv2 Support
Most, if not all, Web browsers support SSLv3 now. This particular
vulnerability is in the SSLv2 code. If you'd turned off SSLv2,
you'd be safe even with buggy OpenSSL libraries.
Upgrades
You need to keep abreast of the security-related patches for your
Symantec Backup Exec 12 and Backup Exec System Recovery 8 deliver industry leading Windows data protection and system recovery. Download this whitepaper to find out the top reasons to upgrade and how to get continuous data protection and complete system recovery.
Data and system loss — from a hard drive failure, malicious attack, natural disaster, or simple human error — can happen anytime. Don’t leave your business vulnerable. Make sure you have a secure recovery strategy in place. Symantec's latest backup and system recovery technology can efficiently restore critical applications, individual emails and documents and even restore your entire system in minutes in the event of a loss.
Businesses face a growing challenge to ensure that the IT environment is properly protected. Backup Exec 12 integrates with other applications in the Symantec family of products, to complement your current data protection strategy, keep your data securely backed up and make it recoverable when you need it most.
