Re: Phishing - Linux boxes are vulnerable

On Thu, 4 Oct 2007, Ben Mohilef wrote:

> there's lots of vulnerable Linux servers out there, managed by poorly
> skilled admins - mainly teenagers playing around - ... IMHO
> attacking a Linux server is more convenient than a Windows server

After setting up a secure Apache (irrespective of the distribution) a lot of
admins go get a "php-this" or "php-that" web program from a repository.
Unfortunately, they don't ask the question of how this thing will be
automagically updated each time a vulnerability is fixed, so the program
never gets updated.

Those programs get a lot of security updates (don't believe me? see
http://www.securityfocus.com/bid and query your favorite php program).
Look in your /var/log/httpd/error.log and you will probably see several
hundred attempts to break into various php scripts.

OT, a famous and recent example is the group in Canada who was busted
for cracking web contact forms and sending out truly massive amounts of
spam. Their technique required the mental acumen of a 5th grader in my
estimate, but worked because of an abundance of really poorly written web
contact scripts which never got updated.

If the cracked script runs with sufficient authority to add a web page, the
phisher's job becomes trivial. The solution is for maintainers to make sure
that they can notify their customers each time a security fix is made. This
can be done in the script or by mandatory registration before a download.
Yum repositories and the equivalent for other distros should be helpful in
solving this problem.

This becomes even worse when you consider hosting sites. The last one I dealt with had everyone on virtual servers that had no capacity to update the packages installed. (Yum was not installed. No patches had been applied. You could actually break the system because they had Plesk installed and packages would conflict. A real mess.)

People think that just because someone set it up for them, it is secure. Rarely is that the case.

People are trying to do complex things on the cheap. You are not seeing it done under Windows because doing anything useful is either not cheap or not easy.

Under Linux they can do what they want, but they are too cheap to hire someone who has clues and can do it securely.

--
Never trust a queue structure designed by a cryptographer.
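
The error-log check suggested in the message above, as an added example that is not part of the original thread: it counts requests for nonexistent PHP scripts per client and per script name. The log lines are constructed samples, the function names are hypothetical, and the parser assumes the stock Apache error-log messages and IPv4 clients.

```python
import re
import sys
from collections import Counter

# Constructed sample lines in the stock Apache error-log style (2.2 and 2.4
# variants); client addresses come from documentation ranges.
SAMPLE_LOG = """\
[Thu Oct 04 10:12:01 2007] [error] [client 192.0.2.10] File does not exist: /var/www/html/phpmyadmin/index.php
[Thu Oct 04 10:12:02 2007] [error] [client 192.0.2.10] script '/var/www/html/xmlrpc.php' not found or unable to stat
[Thu Oct 04 10:12:03 2007] [error] [client 192.0.2.10] File does not exist: /var/www/html/forum/admin.php
[Thu Oct 04 10:15:40 2007] [error] [client 198.51.100.7] File does not exist: /var/www/html/favicon.ico
[Thu Oct 04 10:20:11.123456 2007] [core:error] [pid 4242] [client 203.0.113.5:51144] AH00128: File does not exist: /var/www/html/contact/formmail.php
[Thu Oct 04 10:21:00 2007] [notice] caught SIGTERM, shutting down
"""

# Assumption: IPv4 clients; Apache 2.4 appends ":port" to the address.
CLIENT_RE = re.compile(r"\[client (\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\]")
# Messages Apache logs when a requested file or script is not on disk.
MISSING_RE = re.compile(r"(?:File does not exist: |script ')(?P<path>[^'\s,]+\.php\d?)")


def php_probes(log_text):
    """Return (per-client, per-script) counts of requests for missing PHP scripts."""
    by_client, by_script = Counter(), Counter()
    for line in log_text.splitlines():
        client = CLIENT_RE.search(line)
        missing = MISSING_RE.search(line)
        if not (client and missing):
            continue  # not a missing-PHP-script error, or no client field
        by_client[client.group(1)] += 1
        by_script[missing.group("path").rsplit("/", 1)[-1]] += 1
    return by_client, by_script


def noisy_clients(by_client, threshold=3):
    """Clients that asked for at least `threshold` missing PHP scripts."""
    return sorted(ip for ip, n in by_client.items() if n >= threshold)


if __name__ == "__main__":
    # Pass the path to an error log as the only argument, or run on the sample.
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    clients, scripts = php_probes(text)
    print("clients at or above threshold:", noisy_clients(clients))
    for name, count in scripts.most_common(10):
        print(f"{count:6d}  {name}")
```

This only surfaces requests for scripts that are not installed; requests that reach a script which does exist are recorded in the access log instead.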

