Topic: Linux

The Linux botweb story that wasn't ...

Summary: Late last Friday a story appeared on my radar that seemed interesting - it was about a botweb (a botnet made up of web servers) utilizing Linux web servers. Was Linux cracked? Would Linux fans have to wind in all their security bragging? Was the Linux fortress wall breached? Was the sky falling in?

By Adrian Kingsley-Hughes for Hardware 2.0 | September 14, 2009 -- 03:23 GMT (20:23 PDT)

Follow @the_pc_doc

Late last Friday a story appeared on my radar that seemed interesting - it was about a botweb (a botnet made up of web servers) utilizing Linux web servers. Was Linux cracked? Would Linux fans have to wind in all their security bragging? Was the Linux fortress wall breached? Was the sky falling in?

Short answer, no.

Slightly longer answer, no, no, no and no.

If there was a way that hackers could crack Linux web servers and use them to create an huge botweb, then that would be a very big deal indeed. Botwebs, since they use web servers rather than zombie home or office PCs, make a far more effective botnet since they have a better connection to the internet. The idea of millions of compromised Linux web servers causing all sorts of mayhem isn't a pretty picture.

Which is why the story was interesting.

But alas, this story doesn't have anything to do with Linux hacks, but instead comes down to basic security, or the lack of it. It seems that the hack comes down to bad passwords. Hackers regularly sweep the web looking for vulnerable systems, which is why good passwords are vital. If your passwords are weak then the system can, and eventually will, be compromised. It doesn't matter if it's Windows-based or Linux-based.

Normal "Linux is more secure than Windows" bragging can resume ...

Topics: Linux, Browser, Open Source, Operating Systems, Software

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

29 comments

Log in or register to join the discussion

One of the things that always confused me...

If you can access the source code to Linux, then wouldn't it be possible to crack a password, and then alter the compromised system's source code to suit the hacker's needs?

That doesn't seem to secure to me...

The one and only, Cylon Centurion
14 September, 2009 03:44

Reply Vote
- The short answer is yes.
  
  But in reality it's no more insecure than being able to replace a DLL in Windows once you've cracked a password.
  
  Just remember. If someone cracks your password, it's not your machine anymore.
  
  Letophoro
  14 September, 2009 05:13
  
  Reply Vote
  - Thats what I was thinking
    
    Thanks.
    
    Although, having access to source code, could be more damaging, no?
    
    The one and only, Cylon Centurion
    14 September, 2009 06:34
    
    Reply Vote
    - Not so much.
      
      <i>Although, having access to source code, could be more damaging, no? </i>
      
      Once the system is compromised, whoever compromised it (probably) has complete control. Access to source code only means that instead of copying a DLL to a cracked machine, the new owner can just have the changes compiled locally.
      
      Separately, I may have failed to completely comprehend your initial question. Having access to the source code does not make it any easier to crack the password. Having access to the source code can make it easier to compile changes into the operating system once the system password has been cracked.
      
      Letophoro
      14 September, 2009 06:56
      
      Reply Vote
      - Sorry
        
        What I was trying to ask is, if a hacker cracks a password on a Linux box, wouldn't they theoretically be able to alter the source code to do malicious deeds? Wouldn't that be more damaging than hacking a Windows box?
        
        The one and only, Cylon Centurion
        14 September, 2009 07:13
        
        Reply Vote
      - No more damaging. Just a little different.
        
        The altering of Linux source code for malicious purposes is no more damaging than replacing a Windows DLL with a custom one compiled elsewhere.
        
        In either case the hacker owns the machine and can do pretty much anything they want with it.
        
        Hacking a Linux box does give a finer degree of control over the internal operations of the OS than a Windows box though. One Linux machine I saw had been compromised. Certain files were no longer deletable as the hackers had modified the OS to prevent deletion of those specific files. The same effect could be made to happen on a Windows machine by replacing the executable file responsible for deleting files.
        
        Letophoro
        14 September, 2009 08:06
        
        Reply Vote
      - Already Answered, but in Other Words
        
        "Changing the source" is exactly equivalent to "installing an
        executable of my choosing."
        
        Editing the source and compiling it on every successfully exploited
        target machine is a lot more work than installing a kit with
        precompiled modules, libraries, and programs.
        
        Also, just because a user could have source code on a system doesn't
        mean they do. It is considered good security practice to not have the
        source or any compilers installed on an outward facing server.
        
        In summary, semantically, no difference. Practically, since it takes
        more work to achieve the same effect and it assumes too much, the
        bad guys won't go that way.
        
        DannyO_0x98
        14 September, 2009 08:33
        
        Reply Vote
- Passwords can be guessed
  
  Passwords can be guessed with automated process. Passwords are encrypted one way. It can't be decrypted. It is always compared in encrypted form. This is applicable for all OSs. Even if you have the source code you can't decrypt the password.
  
  Tregi
  14 September, 2009 05:30
  
  Reply Vote
  - Which Is Why You Should Have a GOOD Strong One
    
    no matter WHAT OS you're using. I may have no love for Windows - but it's honestly just as secure that way as Linux or OSX these days.
    
    Good password (over 20 characters, upper and lower case letters and number, random sequence) = effectively impossible to crack.
    
    Default password? VERY easy to crack....
    
    drprodny
    14 September, 2009 15:03
    
    Reply Vote
- Source code has nothing to do...
  
  with passwords used by admins or anyone else. Obviously you don't understand what happened or how.
  
  bjbrock
  14 September, 2009 05:59
  
  Reply Vote
  - I wasn't referencing
    
    What happened. I was creating a scenario based on what Adrian said.
    
    The one and only, Cylon Centurion
    14 September, 2009 06:32
    
    Reply Vote
    - re: I wasn't referencing...
      
      Passwords are not stored in plain text, they are stored as an encrypted string. A hash of the original string (your password) An algorithm takes your password, hashes it and then compares this to the stored hash. Even if you get the hash, it is extremely difficult, depending on the strength of the algorithm, to come up with a string that will reproduce it. Generally there is a high likelihood that there is only one solution, your password.
      There are a few algorithms in common use and they are used across operating systems. see "Cryptographic hash function" on wikipedia.
      
      It is possible to steal a password, or use a password guessing scheme to try to generate the hash, but cracking the hash, while remotely possible is, not as practical as other methods, like stealing one, guessing one, or exploiting a bug to break into the system and replacing the hash with your own. But you are already in the system, and one would assume you could break again without leaving such an obvious calling card.
      
      Tsingi
      14 September, 2009 16:07
      
      Reply Vote
- The answer is no unless you are storing
  
  your passwords with the code. Having access to source code may help a hacker to find vulnerabilities, but it's not going to help him to find passwords. Passwords are generally data which is separate from actual code.
  
  The exception would be if you hardcoded your database connection password into your code. However, no one is going to hardcode a user's password into the OS code. That would mean that every user would have to have the same password or it would obligate users to memorize a randomly generated password for their kernel. Which means that the password would have to be generated with every download or install and then hardwired in.
  
  So, having access to source code does not reveal passwords on a system. Having access to the datafile that contains the passwords whether it's a plain text file or a database table would give you access. However, unless someone's security is incredibly stupid, those passwords are going to be encrypted.
  
  Incidentally, if passwords were stored with an operating system's source code then it's irrelevant whether you have access to the code or not. You can run Windows OS in a debugger and disassemble the code. It's illegal, but if you're a black hat you're not really concerned about legality.
  
  alaniane@...
  15 September, 2009 15:03
  
  Reply Vote
Telnet port are only open...

if you leave them open.

If you need access to a computer, use a vpn and then strong password on top of that. Hackers are lazy. They go after the weak stuff.

bjbrock
14 September, 2009 06:02

Reply Vote
- Telnet is defaultly closed on Ubuntu...
  
  ...and I would guess on other distros as well. But
  I totally agree with you statement.
  
  DevJonny
  14 September, 2009 08:52
  
  Reply Vote
A botnet was still created...

it doesn't matter how it was done. The Windows botnets are normally created by similar methods as well as social engineering, why is this one different? IIS has a better security record than Apache but that is not the normal way to compromise a web server - it is via the websites running on them or user error such as poor config and passwords.

planruse
14 September, 2009 06:10

Reply Vote
- RE:A botnet was still created...
  
  >>>...IIS has a better security record than Apache but...<<<
  
  That is an assertion. I can assert that the earth is flat, or the moon is made of green cheese. Same value.
  
  richdave
  14 September, 2009 06:25
  
  Reply Vote
  - Maybe I wasn't clear..
    
    if you look at security advisories
    
    Apache 2.0.x - 40
    Apache 2.2.x - 16
    
    IIS 6 - 8
    IIS 7 - 2
    
    If I was to look at security issues with PHP v ASP.NET I am sure it will be even more in favour to Microsoft products.
    
    Even so they are all good products and as I said before the security issues mainly come from poorly coded websites, sql injections, poor config and poor users.
    
    planruse
    14 September, 2009 06:53
    
    Reply Vote
    - Total number of advisories ...
      
      ... is meaningless without the level of severity. You know this and that's why you conveniently omitted it.
      
      MisterMiester
      14 September, 2009 10:38
      
      Reply Vote
      - Not at all.
        
        If you read my posts you will find that I said that the webservers themselves are not the primary cause of problems. If you want to think I was deliberately missing information off then that is your problem not mine. Overall the security of both of them is excellent but IIS has required less patching. I still want to know why the linux botnet doesn't count as one though.
        
        planruse
        14 September, 2009 13:18
        
        Reply Vote