Re: SF new column announcement: Linux worm overrated
From: James Eaton-Lee (james.mailing_at_gmail.com)
Date: 11/11/05
- Previous message: Alex Nordstrom: "Re: SF new column announcement: Linux worm overrated"
- In reply to: Alex Nordstrom: "Re: SF new column announcement: Linux worm overrated"
To: focus-linux@securityfocus.com
Date: Thu, 10 Nov 2005 23:53:43 +0000
On Fri, 2005-11-11 at 00:45 +0800, Alex Nordstrom wrote:
> Friday, 11 November 2005 00:13, Moderator wrote:
> > Linux worm overrated
> > http://www.securityfocus.com/columnists/368
>
> That may well be, but I've seen two attacks in the last week, one from
> an Indonesian host and one Taiwanese, so it's definitely out there. It
> looks more active at the moment than Nimda, which has declined a lot
> since this time last year (although that might have more to do with the
> fact that I since decided to drop all packets from China and South
> Korea).
A very, very cursory look (egrep 'xmlrpc|hints|awstats' * |wc -l) at the
logs of an apache box which has been sitting online for ~2 weeks gives
286 lines of related activity - there are no pages on this server with
any of those three strings in them, so these are all (probably)
automated attacks.
Looking a little more carefully, it seems that there have been 7 unique
attacking addresses (quite a few lines for so few clients, thanks to a
mod_security log dropping most of this traffic as well as access_log
entries for the error 500s).
It is obviously overrated - but the "novelty of a bi-annual Linux worm"
does indeed tend to generate some hype. Especially funny though, since
this isn't really a Linux worm - it just has a platform-specific
payload. ;)
Actually, what strikes me as interesting in this particular instance is
the fact that the worm exploits web applications - given the complete
commoditization of web hosting (and, thanks to the low profit margins,
the lack of effort which frequently goes into shared hosting
environments), I'd hazard that this and more web-related intrusions &
worms are a sign of a growing shift bringing web apps alongside socket
apps as targetable.
I have to say, I wonder how many of the thousands of freely available
webapps that are out there (especially PHP ones, seemingly) even realise
that such considerations exist - I remember talking to a developer on an
(actually fairly large) LAMP app 12 months ago and being shocked when
he'd never heard the term "SQL Injection" before. ;)
- James.
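As an added example (not code from the original message or from the column it discusses), here is a small Python version of the log triage James describes: filter Apache access-log lines for the three probe strings, count the matching lines, and then break them down by unique source address and by HTTP status so that a handful of hosts generating many lines is visible at a glance. The log lines below are constructed for illustration; the addresses, paths and timestamps are assumptions, not data from the post.

```python
import re
from collections import Counter

# Constructed Apache combined-log-format lines (assumption: not taken from
# the original post). Only the request path is used for matching.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Nov/2005:21:02:11 +0000] "POST /xmlrpc.php HTTP/1.1" 500 321 "-" "Mozilla/4.0"
10.0.0.5 - - [10/Nov/2005:21:02:12 +0000] "POST /blog/xmlrpc.php HTTP/1.1" 404 290 "-" "Mozilla/4.0"
192.0.2.44 - - [10/Nov/2005:22:15:03 +0000] "GET /cgi-bin/awstats/awstats.pl HTTP/1.0" 500 289 "-" "lwp-trivial/1.41"
192.0.2.44 - - [10/Nov/2005:22:15:04 +0000] "GET /cgi-bin/hints.pl HTTP/1.0" 404 280 "-" "lwp-trivial/1.41"
198.51.100.9 - - [11/Nov/2005:03:40:51 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [11/Nov/2005:04:01:19 +0000] "GET /cgi-bin/awstats.pl HTTP/1.0" 500 289 "-" "-"
"""

# Prefix of the combined log format: client IP, ident, user, timestamp,
# request line and status. Anything after the status is ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# The same three strings James grepped for; on a server that does not host
# any of these applications, every match is a probe.
PROBE_RE = re.compile(r"xmlrpc|hints|awstats", re.IGNORECASE)


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def triage(log_text):
    """Count probe lines and summarise them by source address and status."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if PROBE_RE.search(rec["path"]):
            hits.append(rec)
    return {
        "matching_lines": len(hits),
        "unique_sources": sorted({h["ip"] for h in hits}),
        "per_source": dict(Counter(h["ip"] for h in hits)),
        "status_counts": dict(Counter(h["status"] for h in hits)),
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    print(f"{summary['matching_lines']} matching lines from "
          f"{len(summary['unique_sources'])} unique sources")
    for ip, n in sorted(summary["per_source"].items()):
        print(f"  {ip}: {n} requests")
    print("status codes:", summary["status_counts"])
```

Matching on the request path rather than the whole line avoids counting a referer or user-agent that happens to contain one of the strings, and splitting the count by source address and status is what turns "286 lines" into "7 hosts, mostly 500s". On a server that legitimately hosts AWStats or an XML-RPC endpoint the pattern would need to be narrowed to the paths that do not exist there.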