Linux utility site hacked, infected

ZDNet Australia ^ | 11/14/02 | Patrick Gray

[Leroy S. Mort]

The download site for two very common Linux based utilities, tcpdump.org, was hacked into on Nov. 11, and the software available for download was modified to contain Trojan Horse code.

This Trojan Horse, or "back door" software allows the hacker that wrote it to access any machine on which the modified software is run.

The two software items affected are tcpdump and libpcap, tools commonly used in information security applications. Some Intrusion Detection System (IDS) software requires libpcap.

The identity of the hacker conducting this campaign is unknown, as is whether a connection exists between the separate incidents.

CERT releasedan advisory in which they ".encourage sites using libpcap and tcpdump to verify the authenticity of their distribution, regardless of where it was obtained."

CERT provided the information necessary to determine the authenticity of any libpcap or tcpdump software recently downloaded. The advisory also encourages users to verify all software before installing it. "As a matter of good security practice, the CERT/CC encourages users to verify, whenever possible, the integrity of downloaded software."

[Crispy]

"It's humorous to note how quiet Linux advocates are on this thread."

What is there to say. Nobody said Linux was perfect. Besides, this isn't really a fault of Linux as much it is the Fault of the sysadmin.

[chilepepper]

There is nothing Left about freedom...

Microsoft is about MONOPOLY and CONTROL, and its days are numbered as Linux matures. Try Xandra and gnash your teeth...

...and watch all that pseudo-learning of which pull down menus to invoke, and which bizaree registry entries to change melt into irrelevancy... along with your Microsoft shares.

[BlackbirdSST]

Sorry, but there are plenty more than 3 or 4 of the 25 million + Mac users out there that are online. I'm sure you're right. I've got 200+ desktop's, and more Server's than I care to go into, and 1 MAC, with 1 MAC User, which BTW, they are a match made in heaven and meant for each other. It's only natural to extrapolate that out to the real world when ranting. MAC's are just as vulnerable, with the right amount of attention. Blackbird.

[Bush2000]

I hear orally servicing billionaire geeks pays remarkably well.

Don't your lips get tired?

[Bush2000]

What is there to say. Nobody said Linux was perfect. Besides, this isn't really a fault of Linux as much it is the Fault of the sysadmin.

Nobody ever said Windows was perfect, either. But when has that ever stopped your side from bashing it? You could argue that *all* of these security issues are the fault of the sysadmin for not locking them down more. Information is available on how to do that with Linux and Windows. But so few actually do.

[TechJunkYard]

You apparently haven't tried the .NET Server RCs. Practically everything is fscked up now.

Fixed it for you.

[Bush2000]

Don't quit your day job.

[TechJunkYard]

Man, you're quick! ;-)

[Leroy S. Mort]

Switzerland isn't insignificant, it is the model for what the US should aspire to be like again.

As a target of attack it is insignificant. My analogy went over your head.

[Bush2000]

Switzerland isn't insignificant, it is the model for what the US should aspire to be like again.

If you like it so much, go there! Or is the taxpayer-subsidized education better here, college boy?

[stands2reason]

I would think you would know better than I.

[Bush2000]

I would think you would know better than I.

Sorry, I'm straight. Maybe you'd have better luck on DU.

[TechJunkYard]

The recent attacks on the 13 key DNS root servers were mounted from WINDOWS machines...

How do you know this? Just curious.

[Incorrigible]

Linux Left

Ha! I like that.

/. must be the DU of that world!

[Knitebane]

Have you heard anything about this yet?

Yes, I've been discussing this today with some other security types.

While Ziff-Davis is reporting that the site was hacked into, the current evidence coming out of the investigation at tcpdump.org seems to be pointing to a member of the team that was recently asked to leave. In other words, it's an inside job.

From the Bible, "Thou seest the mote in thy brother's eye, but thou seest not the beam in thine own eye."

While this is a problem for users of libpcap and tcpdump, the trojan that is in the infected software doesn't spread itself. Unlike Microsoft which "accidentally sent the virulent Nimda worm to South Korean developers when it distributed Korean-language versions of Visual Studio .Net..."

Whoopsie. Perhaps NBMers might want to examine Microsoft's own history before gloating over problems with Linux.

This incident only reinforces what I've been saying. No OS is perfect. Linux has problems. Microsoft has more, more often and more serious problems. Linux problems are often fixed in hours. Microsoft problems take weeks, if ever. Linux problems are localized. Microsoft problems spread like wildfire. Linux problems generally only infect users that have chosen to use certain pieces of software, Microsoft problems generally infect everyone using a certain version of Windows.

So you probably shouldn't gloat too much. Microsoft still is the world leader in security problems.

[stainlessbanner]

Getting hacked sucks no matter what OS!

[chilepepper]

All the articles I've seen seem to confirm it. Try for example ComputerWorld's recent article

FBI : DNS Server Attacks came from U.S.,Korea

It quotes Alan Paller of SANS indicating that the attacks
came from Nimda and/or Code Red infected machines
(Windows 9X,NT,2000 an perhaps even XP, I'm not sure) originating from Korea home machines connected via DSL...

[Bush2000]

the current evidence coming out of the investigation at tcpdump.org seems to be pointing to a member of the team that was recently asked to leave. In other words, it's an inside job.

What evidence? Let's have references.

[Knitebane]

What evidence? Let's have references.

As I'm not in the investigation itself, I don't have access to the investigative findings.

So, no hard data at the moment, only information from people close to it whose word I trust.

The facts will be out when the investigation is concluded.

I mean, hey, it's not like I'm asking you to just trust me that the source code that I use internally is the same as what I called "shared source." In this case, the truth will be out, it will just take a few weeks.

[Bush2000]

As I'm not in the investigation itself, I don't have access to the investigative findings. So, no hard data at the moment, only information from people close to it whose word I trust.

In other words, you're spreading rumor and innuendo, not fact. Can't you Linux guys distinguish between fact and fantasy? It's your wet dream for this incident to be blamed on some insider. But without actual proof, we'll just have to accept ZDNet's assessment of the situation as a hacked Linux server. Tough luck.