SLUG Mailing List Archives
Re: Compromised Linux box stories (Re: [SLUG] upgrading complicated installs)
- To: slug@xxxxxxxxxxx
- Subject: Re: Compromised Linux box stories (Re: [SLUG] upgrading complicated installs)
- From: Daniel Pittman <daniel@xxxxxxxxxxxx>
- Date: Mon, 02 Jun 2008 15:20:49 +1000
- Organization: How about yours? http://rimspace.net/resume/
- User-agent: Gnus/5.110006 (No Gnus v0.6) Emacs/23.0.60 (gnu/linux)
Rick Welykochy <rick@xxxxxxxxxxxxx> writes:
> Mary Gardiner wrote:
>> I suspect attacks through web apps like WordPress are pretty common
>> causes of compromise of machines run by essentially knowledgable people
>> at the moment, because there doesn't seem yet to be a good set of
>> best practices for packaging and updating them (upstream tends to
>> aim their instructions at people who might not even have shell
>> access, let alone root access, and there's the whole plugin universe
> Out of curiosity, I often query the server used in the links provided
> in phishing scam emails.
> More often than not, the phishing box is a compromised Linux server
> running Apache and PHP. Rarely do I see a Windows server :(
> I would tend to blame an out-of-date PHP install rather than Apache as
> being the attack vector. If you are on AusCert or DebSec, you will
> know how many exploits are discovered in PHP 4 and 5.
Much as I love putting the boot into PHP, this isn't actually *directly*
the fault of the language. This is usually that there are a stupidly
large number of remote command injection and remote file inclusion
vulnerabilities in PHP applications.
> And they keep finding more. I did do a PHP install and was amazed at
> the server info page. There are a myriad of hacks and "fixes" in PHP,
> as reflected in the PHP system variables, to turn off all sorts of
> insecure features. I got the feeling that out of the box and with
> little technical knowledge, PHP is not a healthy addition to any Linux
I would argue that *any* remotely accessible service is not a good
addition to a Linux box with only a little technical knowledge.
Many years ago, when I was younger and dinosaurs walked the earth, Perl
was the hateful language of the day: most of the crappy CGI software out
there that let people break in was written in Perl.
PHP has taken over the role of popular, easy to use web language, so has
picked up many of the same people who used to cause trouble with poorly
written Perl scripts.
> Not wishing to start an OS war, but I rarely if ever have seen a BSD
> or Sun box compromised. Is this due to sheer numbers of Linux and
Yes. Back when *BSD had significant technical advantages in TCP/IP
performance, and when Sun was much more prevalent on the Internet, they
were often compromised.
These days, not so much, just because they are not as easy to find and
most attacks are now very much automated "try everything and see what
sticks" attacks that don't run outside their mainline platform.
Compromises of !x86 Linux boxes are also much lower, for the same
reason: many of the binary exploits just don't work, and no one bothers
porting them to the underlying architecture.
 PHP is arguably indirectly responsible for this, through poor
design of the language and encouraging poor use of the tools, but
I don't see a great deal of value in arguing about that. ;)
 formmail. I say no more.