In comp.os.linux.advocacy, Ezekiel
<y@xxxxx>
wrote
on Tue, 15 Jul 2008 14:50:19 -0400
<c5418$487cf16d$11172@xxxxxxxxxxxxxxxxx>:
>
> "Rex Ballard" <rex.ballard@xxxxxxxxx> wrote in message
> news:3a7feffc-5662-4845-80f1-9f3c075d5b70@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
>> On Jul 15, 9:56 pm, Roy Schestowitz <newsgro...@xxxxxxxxxxxxxxx>
>>
>> Now, anyone want a guess as to how many weeks or months a Linux
>> desktop system will run before it's infected?
>
> I don't know... how long did it take them to infest all of the pages on Roy
> Schestowitz's website with malware and trojans? How long did it take them to
> get the Ubuntu servers to start attacking each other?
Probably far less than 8 seconds, actually, by an automated
scanner unit that knew exactly what to look for. (The 8
seconds refers to the average time between attack packets
from any already-compromised source. You are asking how
long the infection took -- a different question. Bear in
mind that transmission rates to Roy's server are probably
on the order of megabits per second, if not hundreds of megabits;
a 1460-byte packet would therefore take 146 microseconds
to receive on a 100 Mb/s system, and only a few packets are
usually needed, though it depends on the vulnerability's nature.)
One wonders what IIS/6 is vulnerable to.
As of 4 days ago:
http://www.us-cert.gov/cas/techalerts/TA06-192A.html
suggests the following:
VU#395588 - Microsoft Internet Information Services vulnerable to remote
code execution via specially crafted ASP file
VU#189140 - Microsoft Server Service Mailslot vulnerable to heap
overflow
(there are others in the article but they are not related to IIS, and
I'm not sure 189140 is either).
Patches are available, of course. This was Roy's greatest failing,
presumably: not keeping his system up to date.
Whether Roy would have been infected were he to use ASP.NET,
IIS/6, and Microsoft Windows Server is far from clear. The
probability is that he would have at least had to worry about it,
given Microsoft's rather sorry track record:
http://isc.sans.org/top10.html
Top Ten Ports:
135 - DCE endpoint resolution
139 - NETBIOS session service
445 - Microsoft-DS
1433 - Microsoft SQL Server
1434 - Microsoft SQL Monitor
1026 - various, might be Messenger Service
1027 - various, ditto
25 - SMTP
137 - NETBIOS name service
443 - HTTPS
4 out of 10 attack ports say "Microsoft", and the two NetBIOS and one
DCE might be included as well.
Is Linux perfectly secure? No. Is Windows? Most definitely not.
One now gets to make a comparison between the two.
>
>
> (Roy Schestowitz wrote:)
>
> http://groups.google.com/group/comp.os.linux.advocacy/msg/40c2e3fb593a38eb
> <quote>
> Schestowitz.com gets hacked and 0wned. Becomes part of zombie bot-net to
> infect visitors and attack other sites.
>
> This was found last night. My very out-of-date installation of phpBB got
That's not Linux, is it? That's phpBB. Oh, wait, that's gotta be Linux
because it's offered as part of Linux distros. Yeah, got it.
> exploited. I've cleaned most stuff up, but I'm styill working with the Web
> host to get rid of what's left. Script kiddies snuck in extra markup that
> points to some other domain (via iframe) -- whatever it actually does. This
> will be resolved by the weekend.
> </quote>
>
>
>
> http://groups.google.com/group/comp.os.linux.advocacy/msg/d35ab3c983a6898c?hl=en
> <quote>
> Ubuntu servers hacked to attack others
>
> More than half of Ubuntu's production servers had to be pulled offline after
> a security breach caused those servers to actively attack other machines
>
> http://blogs.zdnet.com/security/?p=453&tag=nl.e550
> </quote>
>
Well, there you are then. Linux is inferior to Windows
because you found a specific pair of instances of infection.
Congratulations.
Your next mission, should you choose to accept it: refute every
point in
http://www.theregister.co.uk/security/security_report_windows_vs_linux/
which is of course biased towards Linux, but gives a
reasonable overview of what one faces infection-wise.
It's a rather dry read, and does contain several
identifiable errors (for instance, Windows is *not*
monolithic, although it's not all that flexible either;
one can swap out DLLs to modify its behavior, and register
or deregister ActiveX components). The question, of
course, relates to how one can prove Linux less secure.
http://www.securityfocus.com/columnists/188
is another dry read, basically a refutation of
http://www.vnunet.com/vnunet/news/2116855/linux-lined-virus-target
which claims Linux will see more dangerous and frequent viruses
as it gains in popularity; "it is a stable OS but it's not a
secure OS".
(I will agree we'll see more Linux attacks, as well as cross-system
virus infection attempts, various scripting vulnerabilities
a la Badbunnyz, and other such mayhem. Whether they'll be
successful depends on the vigilance of the coders and the users.)
>
> ** Posted from http://www.teranews.com **
--
#191, ewill3@xxxxxxxxxxxxx
Useless C++ Programming Idea #7878218:
class C { private: virtual void stupid() = 0; };
** Posted from http://www.teranews.com **
|
|
