Hardware 2.0

The Linux botweb story that wasn't ...

By Adrian Kingsley-Hughes | September 14, 2009, 3:23am PDT

Late last Friday a story appeared on my radar that seemed interesting - it was about a botweb (a botnet made up of web servers) utilizing Linux web servers. Was Linux cracked? Would Linux fans have to wind in all their security bragging? Was the Linux fortress wall breached? Was the sky falling in?

Short answer, no.

Slightly longer answer, no, no, no and no.

If there were a way for attackers to break into Linux web servers at will and use them to build a huge botweb, that would be a very big deal indeed. A botweb makes a far more effective botnet than one built from zombie home or office PCs, because web servers sit on fast, always-on connections and each node can push far more traffic. The idea of millions of compromised Linux web servers causing all sorts of mayhem isn't a pretty picture.

Which is why the story was interesting.

But alas, this story has nothing to do with a flaw in Linux; it comes down to basic security hygiene, or the lack of it. By all accounts the compromise comes down to bad passwords. Attackers constantly sweep the internet with automated tools that try default and common passwords against every login prompt they can reach, which is why good passwords are vital. If a password on an exposed service is weak, the system can, and eventually will, be compromised. It doesn't matter whether it's Windows-based or Linux-based: a guessable password hands over either. The checks that matter here are the boring ones: no default or shared passwords, no direct remote root login, key-based authentication where the service supports it, and an eye on the auth logs for the floods of failed logins that announce a sweep in progress.
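As an added example (not part of the original post), here is the kind of check that catches the credential sweeps the paragraph above describes: a small Python script that parses sshd failure lines in the syslog format a Linux host writes to its auth log and flags any source address that racks up many failures inside a short window. The log lines are constructed for the example and the threshold and window are assumptions, not values from the incident.

```python
"""Flag credential sweeps in sshd auth logs (added example, not from the post)."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd lines in the syslog format found in /var/log/auth.log or
# /var/log/secure. The year is not in the line, so the caller supplies it
# (assumed 2009 here to match the post's date).
SAMPLE_LOG = [
    "Sep 14 03:01:02 web1 sshd[2101]: Failed password for root from 203.0.113.7 port 5140 ssh2",
    "Sep 14 03:01:05 web1 sshd[2104]: Failed password for invalid user admin from 203.0.113.7 port 5144 ssh2",
    "Sep 14 03:01:07 web1 sshd[2106]: Failed password for invalid user oracle from 203.0.113.7 port 5147 ssh2",
    "Sep 14 03:01:09 web1 sshd[2108]: Failed password for root from 203.0.113.7 port 5150 ssh2",
    "Sep 14 03:01:12 web1 sshd[2110]: Failed password for invalid user admin from 203.0.113.7 port 5153 ssh2",
    "Sep 14 03:01:15 web1 sshd[2112]: Failed password for root from 203.0.113.7 port 5156 ssh2",
    "Sep 14 03:02:00 web1 cron[300]: (root) CMD (run-parts /etc/cron.hourly)",
    "Sep 14 03:10:41 web1 sshd[2300]: Failed password for deploy from 198.51.100.9 port 5200 ssh2",
    "Sep 14 03:10:49 web1 sshd[2300]: Accepted publickey for deploy from 198.51.100.9 port 5200 ssh2",
]

# Matches both "Failed password for root ..." and "Failed password for invalid user admin ..."
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+\S+\s+sshd\[\d+\]:\s+"
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failed(line, year=2009):
    """Return (timestamp, user, source_ip) for a failed-login line, else None."""
    m = FAILED_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, m.group("user"), m.group("ip")


def find_sweeps(lines, threshold=5, window_seconds=60, year=2009):
    """Return {ip: summary} for sources whose failed logins reach `threshold`
    inside any `window_seconds` span. Summary carries the total failures, the
    peak count seen in one window, and the usernames tried (a sweep typically
    rotates through root/admin/oracle-style defaults rather than one account).
    """
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    users = defaultdict(set)
    peak = defaultdict(int)
    total = defaultdict(int)
    for line in lines:
        parsed = parse_failed(line, year)
        if parsed is None:
            continue
        ts, user, ip = parsed
        q = recent[ip]
        q.append(ts)
        # slide the window: drop failures older than window_seconds
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        users[ip].add(user)
        total[ip] += 1
        peak[ip] = max(peak[ip], len(q))
    return {
        ip: {"failures": total[ip], "peak_in_window": peak[ip], "users": sorted(users[ip])}
        for ip in peak
        if peak[ip] >= threshold
    }


if __name__ == "__main__":
    for ip, summary in find_sweeps(SAMPLE_LOG).items():
        print(ip, summary)
```

On the constructed input only 203.0.113.7 is flagged: six failures in thirteen seconds across three usernames, the signature of an automated sweep, while the single failure from 198.51.100.9 followed by a successful key login is an ordinary typo and stays below the threshold. In a real deployment the same logic would feed a block list or an alert; the point is that a sweep is loud in the logs long before it succeeds.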

Normal “Linux is more secure than Windows” bragging can resume …


Disclosure

Adrian Kingsley-Hughes

All opinions expressed on Hardware 2.0 are those of Adrian Kingsley-Hughes. Every effort is made to ensure that the information posted is accurate. If you have any comments, queries or corrections, please contact Adrian via the email link here. Any possible conflicts of interest will be posted below. [Updated: February 23, 2010] - Adrian Kingsley-Hughes has no business relationships, affiliations, investments, or other actual/potential conflicts of interest relating to the content posted so far on this blog.

Biography

Adrian Kingsley-Hughes

Adrian Kingsley-Hughes is an internationally published technology author who has devoted over a decade to helping users get the most from technology -- whether that be by learning to program, building a PC from a pile of parts, or helping them get the most from their new MP3 player or digital camera.

Adrian has authored/co-authored technical books on a variety of topics, ranging from programming to building and maintaining PCs. His most recent books include "Build the Ultimate Custom PC", "Beginning Programming" and "The PC Doctor's Fix It Yourself Guide". He has also written training manuals that have been used by a number of Fortune 500 companies.

Adrian also runs a popular blog under the name The PC Doctor, where he covers a range of computer-related topics -- from security to repairing and upgrading.

Comments (29)
One of the things that always confused me...
Cylon Centurion 14th Sep 2009
If you can access the source code to Linux, then wouldn't it be possible to crack a password, and then alter the compromised system's source code to suit the hacker's needs?

That doesn't seem too secure to me...
The short answer is yes.
Letophoro 14th Sep 2009
But in reality it's no more insecure than being able to replace a DLL in Windows once you've cracked a password.

Just remember. If someone cracks your password, it's not your machine anymore.
Thats what I was thinking
Cylon Centurion 14th Sep 2009
Thanks.


Although, having access to source code, could be more damaging, no?
Not so much.
Letophoro 14th Sep 2009
Although, having access to source code, could be more damaging, no?

Once the system is compromised, whoever compromised it (probably) has complete control. Access to source code only means that instead of copying a DLL to a cracked machine, the new owner can just have the changes compiled locally.

Separately, I may have failed to completely comprehend your initial question. Having access to the source code does not make it any easier to crack the password. Having access to the source code can make it easier to compile changes into the operating system once the system password has been cracked.
Sorry
Cylon Centurion 14th Sep 2009
What I was trying to ask is, if a hacker cracks a password on a Linux box, wouldn't they theoretically be able to alter the source code to do malicious deeds? Wouldn't that be more damaging than hacking a Windows box?
The altering of Linux source code for malicious purposes is no more damaging than replacing a Windows DLL with a custom one compiled elsewhere.

In either case the hacker owns the machine and can do pretty much anything they want with it.

Hacking a Linux box does give a finer degree of control over the internal operations of the OS than a Windows box though. One Linux machine I saw had been compromised. Certain files were no longer deletable as the hackers had modified the OS to prevent deletion of those specific files. The same effect could be made to happen on a Windows machine by replacing the executable file responsible for deleting files.
Already Answered, but in Other Words
DannyO_0x98 14th Sep 2009
"Changing the source" is exactly equivalent to "installing an executable of my choosing."

Editing the source and compiling it on every successfully exploited target machine is a lot more work than installing a kit with precompiled modules, libraries, and programs.

Also, just because a user could have source code on a system doesn't mean they do. It is considered good security practice to not have the source or any compilers installed on an outward facing server.

In summary, semantically, no difference. Practically, since it takes more work to achieve the same effect and it assumes too much, the bad guys won't go that way.
Passwords can be guessed
Tregi Updated - 14th Sep 2009
Passwords can be guessed with automated process. Passwords are encrypted one way. It can't be decrypted. It is always compared in encrypted form. This is applicable for all OSs. Even if you have the source code you can't decrypt the password.
no matter WHAT OS you're using. I may have no love for Windows - but it's honestly just as secure that way as Linux or OSX these days.

Good password (over 20 characters, upper and lower case letters and number, random sequence) = effectively impossible to crack.

Default password? VERY easy to crack....
Source code has nothing to do...
bjbrock 14th Sep 2009
with passwords used by admins or anyone else. Obviously you don't understand what happened or how.
I wasn't referencing
Cylon Centurion 14th Sep 2009
What happened. I was creating a scenario based on what Adrian said.
re: I wasn't referencing...
Tsingi 14th Sep 2009
Passwords are not stored in plain text, they are stored as an encrypted string: a hash of the original string (your password). An algorithm takes your password, hashes it and then compares this to the stored hash. Even if you get the hash, it is extremely difficult, depending on the strength of the algorithm, to come up with a string that will reproduce it. Generally there is a high likelihood that there is only one solution, your password.
There are a few algorithms in common use and they are used across operating systems. See "Cryptographic hash function" on Wikipedia.

It is possible to steal a password, or use a password guessing scheme to try to generate the hash, but cracking the hash, while remotely possible, is not as practical as other methods, like stealing one, guessing one, or exploiting a bug to break into the system and replacing the hash with your own. But you are already in the system, and one would assume you could break in again without leaving such an obvious calling card.
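The two comments above describe password storage correctly: only a one-way hash is stored, a login attempt is re-hashed and compared, and an attacker holding the hash or facing a login prompt can do nothing but guess. As an added example (not from the original thread), the Python below does exactly that with PBKDF2-HMAC-SHA256 from the standard library: it hashes two passwords with per-user random salts, verifies them with a constant-time comparison, then runs a small dictionary attack that recovers the weak password and fails on the strong one. The iteration count, the wordlist and the two sample passwords are assumptions for illustration.

```python
"""Salted one-way password hashing, and why weak passwords still fall to guessing.
Added example, not from the original thread."""
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor; real deployments should use more


def hash_password(password, salt=None):
    """Return (salt, digest). A fresh random salt per user means two users with
    the same password get different digests and precomputed tables are useless.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    """Re-hash the attempt with the stored salt and compare in constant time.
    The stored digest is never 'decrypted'; there is nothing to decrypt."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def dictionary_attack(salt, digest, wordlist):
    """What an attacker with the hash (or a login prompt) actually does: push
    each guess through the same hash function and compare. Returns the
    recovered password, or None if nothing in the wordlist matches."""
    for guess in wordlist:
        if verify_password(guess, salt, digest):
            return guess
    return None


# Constructed wordlist standing in for the default/common passwords a sweep tries.
WORDLIST = ["123456", "password", "admin", "root", "letmein", "qwerty",
            "toor", "changeme", "P@ssw0rd", "welcome"]


def demo():
    """Hash a weak and a strong sample password, attack both, return the results."""
    weak_salt, weak_digest = hash_password("letmein")
    strong_salt, strong_digest = hash_password("mK7#qR2v!pLz9wXe4bT8nC")
    return (dictionary_attack(weak_salt, weak_digest, WORDLIST),
            dictionary_attack(strong_salt, strong_digest, WORDLIST))


if __name__ == "__main__":
    recovered_weak, recovered_strong = demo()
    print("weak password recovered:", recovered_weak)
    print("strong password recovered:", recovered_strong)
```

The attack loop is the whole point: the hash function is not broken, it is simply run forward on every guess, so the cost of guessing is the wordlist size times the work factor. A default or dictionary password is found in a handful of tries regardless of operating system; a long random one is not in any wordlist, and the work factor makes exhaustive search impractical.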
The answer is no unless you are storing
alaniane@... 15th Sep 2009
your passwords with the code. Having access to source code may help a hacker to find vulnerabilities, but it's not going to help him to find passwords. Passwords are generally data which is separate from actual code.

The exception would be if you hardcoded your database connection password into your code. However, no one is going to hardcode a user's password into the OS code. That would mean that every user would have to have the same password or it would obligate users to memorize a randomly generated password for their kernel. Which means that the password would have to be generated with every download or install and then hardwired in.

So, having access to source code does not reveal passwords on a system. Having access to the datafile that contains the passwords whether it's a plain text file or a database table would give you access. However, unless someone's security is incredibly stupid, those passwords are going to be encrypted.

Incidentally, if passwords were stored with an operating system's source code then it's irrelevant whether you have access to the code or not. You can run Windows OS in a debugger and disassemble the code. It's illegal, but if you're a black hat you're not really concerned about legality.
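The comment above separates two things worth keeping apart: a database connection password that a careless developer does bake into source, and user passwords, which live as hashes in a separate data store that the code never contains. As an added example (not from the original thread), the Python below shows the hard-coded pattern beside a hardened version that loads the secret from the environment and refuses to start without it, plus a small scanner that flags literal secrets assigned in source text so the pattern is caught before it ships. The two snippets, the regex and the environment variable name are assumptions for illustration.

```python
"""Hard-coded credentials in source versus configuration kept out of the code.
Added example, not from the original thread."""
import os
import re

# Constructed source fragments. The first embeds the DB password in the code
# (anyone with the source, a backup, or the repo history now has it); the
# second reads it from the environment at runtime.
VULNERABLE_SNIPPET = '''
DB_HOST = "db.internal"
DB_PASSWORD = "hunter2"
conn = connect(DB_HOST, user="app", password=DB_PASSWORD)
'''

HARDENED_SNIPPET = '''
import os
DB_HOST = "db.internal"
DB_PASSWORD = os.environ["APP_DB_PASSWORD"]
conn = connect(DB_HOST, user="app", password=DB_PASSWORD)
'''

# A quoted literal assigned to a name that looks like it holds a secret.
# Deliberately simple: a real scanner also checks config files and entropy.
SECRET_ASSIGN_RE = re.compile(
    r"""^\s*(?P<name>\w*(?:passw(?:or)?d|secret|api_?key|token)\w*)\s*=\s*(?P<q>["'])(?P<value>[^"']+)(?P=q)""",
    re.IGNORECASE | re.MULTILINE,
)


def find_hardcoded_secrets(source):
    """Return [(line_number, variable_name)] for literal secrets assigned in `source`."""
    hits = []
    for m in SECRET_ASSIGN_RE.finditer(source):
        line_no = source.count("\n", 0, m.start()) + 1
        hits.append((line_no, m.group("name")))
    return hits


def load_db_password(env=None, var="APP_DB_PASSWORD"):
    """Fail closed: a missing or empty secret stops the service at startup
    rather than falling back to a default, which would behave exactly like a
    hard-coded password. `var` is an assumed name for the example."""
    if env is None:
        env = os.environ
    value = env.get(var, "")
    if not value:
        raise RuntimeError(f"{var} is not set; refusing to start without a database credential")
    return value


if __name__ == "__main__":
    print("vulnerable:", find_hardcoded_secrets(VULNERABLE_SNIPPET))
    print("hardened:  ", find_hardcoded_secrets(HARDENED_SNIPPET))
```

Run against the constructed snippets the scanner reports the literal on line 3 of the vulnerable fragment and nothing in the hardened one. Moving the secret into the environment does not make it unstealable (root on the box can still read it), but it keeps it out of version control and out of every copy of the source, which is the failure mode the comment is pointing at.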
Telnet port are only open...
bjbrock 14th Sep 2009
if you leave them open.

If you need access to a computer, use a VPN and then a strong password on top of that. Hackers are lazy. They go after the weak stuff.
...and I would guess on other distros as well. But
I totally agree with your statement.
A botnet was still created...
planruse 14th Sep 2009
it doesn't matter how it was done. The Windows botnets are normally created by similar methods as well as social engineering, why is this one different? IIS has a better security record than Apache but that is not the normal way to compromise a web server - it is via the websites running on them or user error such as poor config and passwords.
RE:A botnet was still created...
richdave 14th Sep 2009
>>>...IIS has a better security record than Apache but...

That is an assertion. I can assert that the earth is flat, or the moon is made of green cheese. Same value.
Maybe I wasn't clear..
planruse 14th Sep 2009
if you look at security advisories

Apache 2.0.x - 40
Apache 2.2.x - 16

IIS 6 - 8
IIS 7 - 2

If I was to look at security issues with PHP v ASP.NET I am sure it will be even more in favour of Microsoft products.

Even so they are all good products and as I said before the security issues mainly come from poorly coded websites, sql injections, poor config and poor users.
Total number of advisories ...
MisterMiester 14th Sep 2009
... is meaningless without the level of severity. You know this and that's why you conveniently omitted it.
Not at all.
planruse Updated - 14th Sep 2009
If you read my posts you will find that I said that the webservers themselves are not the primary cause of problems. If you want to think I was deliberately missing information off then that is your problem not mine. Overall the security of both of them is excellent but IIS has required less patching. I still want to know why the linux botnet doesn't count as one though.
re: SQL Injections
Tsingi 14th Sep 2009
I was part of a discussion on SQL injections a couple of months ago on IRC. I was shocked beyond belief to discover how easy it is. I now have several books on the subject and I've graduated from dangerous ignorance to a mild but persistent state of paranoia.

I'll pass on the impending IIS/Apache flame war.
You cannot compare projects with different reporting strategies. Apache is an Open Source project with full disclosure (meaning that all vulns are reported immediately). IIS, on the other hand, is an MS project, and MS practices "responsible disclosure" (This term actually means that a reasonable period of time is given after discovery and before disclosure, but MS uniquely uses the term to mean that vulns aren't voluntarily disclosed until a patch is available -- whether that patch comes months or years later isn't important). In rare instances, MS never discloses, even when issuing a patch.

You can only compare number of disclosures on projects that have the same reporting criteria. IIS could have seventy-five unpatched vulns, and we wouldn't have a clue.
IIS is much worse...
bjbrock 14th Sep 2009
than Apache when it comes to security. This is exactly why Apache is used more extensively than IIS.

However, poor management can render any software dangerous.
Wrong - IIS is much better...
SI-285 15th Sep 2009
IIS6 has had only 8 security vulnerabilities identified in the 9 years it has been in use http://secunia.com/advisories/product/1438/?task=advisories

That is much better than the 26 vulnerabilities identified in Apache 2.2.x
http://secunia.com/advisories/product/9633/?task=advisories

I agree any system can be made insecure by poor system management, configuration, and programming practices and it is this that ultimately determines if your server is compromised.
You are comparing the total number of known vulnerabilities and assuming that the unknown vulnerabilities have the same ratio. There is no way of knowing which is better than the other without being able to actually compare the code of both.

If only 8% of IIS6 total vulnerabilities have been discovered, but 26% of Apache 2.2.x vulnerabilities have been discovered then they both have exactly 100 vulnerabilities. On the other hand if 10% of IIS6's vulnerabilities have been discovered and 50% of Apache's vulnerabilities have been discovered then Apache would have better security whereas if both had an equal percentage of vulnerabilities discovered then IIS would be more secure.

That is the problem with counting vulnerabilities and then postulating which is more secure. You are comparing two unknown variables since no one really knows how many total vulnerabilities are in either system.
The user is always the weakest link
Ronny102 14th Sep 2009
"Problem Exists Between Keyboard And Chair"
"loose nut between the steering wheel and the seat"
"a short between the headphones"
IIS6 8 vulnerabilities identified
http://secunia.com/advisories/product/1438/?task=advisories

Apache 2.2.x 26 vulnerabilities identified
http://secunia.com/advisories/product/9633/?task=advisories

Just more Linux/Apache FUD!!!
Your facts don't prove anything
alaniane@... 15th Sep 2009
How many Windows 98 vulnerabilities were found in the last two years? How many Vista vulnerabilities were found in the last two years?

Does that make Windows 98 more secure than Vista just because 0 Windows 98 vulnerabilities have been found and patched in the last two years while Vista has had a few found and patched in the same time frame?

A better measure of security would be how each went about implementing it, not by how many vulnerabilities have been found. Vista is far more secure than Windows 98 simply because Windows 98 had a terrible security model. Counting the total number of known vulnerabilities may make you feel like you're secure, but it's the unknown vulnerabilities that are going to bite you. Just ask the Titanic.
RE: The Linux botweb story that wasn't ...
arlin5000@... 22nd Sep 2009
I have a feeling you're talking to a brick wall. What I don't understand is why they let Bill Gates post on this site.
