Ubuntu servers hacked to attack others

Summary: According to a notice in the Ubuntu weekly newsletter, 5 of the 8 servers that are loco hosted had to be shut down after an investigation showed a variety of security problems.


Finger pointing as Ubuntu servers hacked

More than half of Ubuntu's production servers had to be pulled offline after a security breach caused those servers to actively attack other machines.

According to a notice in the Ubuntu weekly newsletter, 5 of the 8 servers that are loco hosted had to be shut down after an investigation showed a variety of security problems.

The servers were found to be missing security patches, to be accessed over an insecure protocol (FTP without SSL), and to have not been upgraded past breezy because of problems with the network cards and later kernels.

"The situation has become untenable," Ubuntu's Jono Bacon said in an e-mail outlining changes to the loco server policy.

Some details on the breach:

  1. The servers, especially zambezi, were running an incredible amount of web software (over 15 packages recognized) and of all the ones where it's trivial to determine a version, they were without exception out-of-date and missing security patches. An attacker could have gotten a shell through almost any of these sites.
  2. FTP (not sftp, without SSL) was being used to access the machines, so an attacker (in the right place) could also have gotten access by sniffing the clear-text passwords.
  3. The servers have not been upgraded past breezy due to problems with the network card and later kernels. This probably allowed the attacker to gain root.

A post on Slashdot notes that there is a blame game going on between Canonical (the company that sponsors the servers) and the community administrators who are being blamed for poor security practices.

  • "... community administrators ..."?

    When everyone owns the cow, no one owns the cow.

    Canonical not exercising oversight on servers with the company name associated is equivalent to Mattel not realizing that the company hired to paint the toys had substituted lead paint for the type Mattel required.

    Subcontractors can have as much control over the brand as direct employees. And, no matter how good those subcontractors might be, Trust but verify applies, especially when the subcontractors are a non-commercial "community".
    Anton Philidor
    • No disagreement there (nt)

      Michael Kelly
    • How?

      'especially when the subcontractors are a non-commercial "community"'
      Is being a commercial sub-contractor a guarantee of automatic compliance/adherence to all best software security practices? Don't we know of a company that has been commercially providing software now for almost a millennium (in computing terms) that has made a name for being unreliable? Though in all these years they could have come up with a solution. A new operating system that would have been backward compatible with all the software released for their 'terrible old' OS? This debunks the theory that 'commercial' vendors provide the best. GNU/Linux has proved it otherwise and to take one example of failure and come to the conclusion as above is being supercilious.
    • Who wants to buy a cow?

      Just to get a gallon of milk?

      When they can get all the milk they want for
      Ole Man
  • Yeah.

    Anyone thinking of running a net facing server, get an Expert. I would assume that these people were college students doing it for free but after some of the things I've seen (who in the hell uses a while(1) loop in production software?) I'm not going to assume anything.
  • Note it said breezy

    Which is a pretty old version that they were "unable" to update because of ancient hardware. This was likely a management decision to run the servers like that to save money.

    Even the most fanatic Windows zealot with a half a brain would not try to stretch this into some kind of common security problem.
    • He's not wrong though.

      I think all he's saying is, just because Linux can be more secure than Windows, doesn't mean you can slack off.
    • Why not? It's the same "logic" used against Windows.

      If it's good for Windows it's good for Linux. If it's not good for Linux then it's not good for Windows. Pick a position, any position, and stick with it. Stop flip-flopping.
        • What makes today's Linux more secure than Breezy?

          We've been told that Linux (UNIX) had security built in from day one and that's what makes it so secure. Was this security not present in Breezy? If it was how did these servers become compromised? Is there the implication that merely having security built in is insufficient to having a secure system?
          • What makes today's Windows more secure than 98?

            Weren't we also told that Windows had security built in from day one? Weren't we told this about Vista? People are still exploiting it?

            How is this?

            See, it makes sense now.
          • Windows 98 was not designed with security.

            Windows NT, and therefore XP and Vista since they're based on NT, was. Comparing the security of Windows 98 and Windows NT is foolish. One, Windows NT, was built from the ground up with security. The other, Windows 98, was not.

            Contrast this to Breezy and Feisty. Has the security in Feisty changed since Breezy? No, it has not. The same security model is in place. So why does it matter that the compromised servers were an older release? The security model is identical to today's Feisty.
          • Do you really

            Want to start on flaws in XP, 2000 and now Vista? If that's built from the ground secure, then... wow.

            Secondly, the problem is caused by (a) insecure FTP. This isn't Linux's fault any more than... say... an Adobe flaw is Microsoft's. Then we move onto the fact that (b) the servers were kept running a much older version without any security patches.

            Care to put a pre service pack 1 XP system out on the net? Naah, didn't think so. Or maybe a good ol NT4 system...

            Get my point?
          • Quit Fighting

            All of you, quit your nastiness and name calling!

            If I have a BMW and read of an AK47 used on a Mercedes am I going to mock the Mercedes?

            So quit your arguing and stick to useful technical matters.
          • Although . . .

            It IS fun to watch the Trolls try to eat each other . . .

          • Where have you been?

            Why do all of the diplomats show up on the blogs over poorly implemented Linux code? They seem to stay silent when it's Windows being lambasted.
          • Some of us . . .

            Do defend Windows (AND BILL GATES) when appropriate. Myself, I get riled up when someone goes after MS, or Gates simply 'cause they're #1. 'Course, I also get riled up when MS does something stupid that they think they can get away with, 'cause they're #1 . . .

            And I didn't see you sticking up for Ubuntu, either, when it was someone running an unpatched, two-year old, OS . . .
          • Why should he be defending Ubuntu?

            His lack of defense of Ubuntu is entirely consistent with his defense of Windows.

            The reasons for the compromise of the Ubuntu servers are no different than the reasons for the majority of compromised Windows systems. In both situations the systems in question were compromised not due to poor security designed into the OS but rather bugs in the code coupled with poor administration. In both cases if best practices were followed it's very likely neither would have been compromised.
          • JLHenry

            I've posted elsewhere in this blog that, like this situation, Windows has suffered from poor administration as well. With their massive market share, the exposure is greater. But the story remains the same. Poor administration.

            I'm not really arguing in defense of Windows. Certainly not of the leadership at Microsoft. I do not care for Mr. Ballmer. I do not like his business strategy of "milking" every product for all it's worth. I detest that stance but believe despite it the folks at Microsoft continue to do great work. My position is one of yours...that being when someone tries to diminish Windows, which in turn is a slap in the face to every professional working for or with Microsoft and its technology, because they are large. I think in the last 2 years the worst kind of bashing has settled down some. Just 2 years ago many Windows related blogs would have dozens of subject lines with inflammatory garbage, expletives etc. and I do believe that has diminished significantly. However, it's far from gone and the attitude of the ABM crowd toward Windows is narrow, deceitful and not something that should be left to stand.

            Microsoft is suffering from an image problem that is surely largely their own doing but also largely from concerted efforts by other vendors, organizations and ABMers in general, to purposely and maliciously try to undercut, spin and just hammer away at Microsoft daily, to try and alter public perception.