Ubuntu Servers Hijacked, Used to Launch Attack

By Lisa Vaas  |  Posted 2007-08-15 Print this article Print

Members of the Ubuntu colocation team suggest the attack could have begun with a Chinese IP address.

The Ubuntu community had to yank five of the eight Ubuntu-hosted community servers sponsored by Canonical offline Aug. 6 after discovering that the servers had been hijacked and were attacking other machines. It was suggested during an IRC (Internet relay chat) meeting of the Ubuntu colocation team Aug. 14 that the source of the troubles might have been a Chinese IP address trying to log onto the servers by brute force "for a long time now it seems," said a participant.
On Aug. 14, the community began to bring the machines back up in a safe state so that they could recover data from them. Unfortunately, according to Ubuntu Community Manager Jono Bacon, the servers were all found to be out of date, stuffed with Web software, and missing security patches—at least in the instances where it was easy to determine what version theyre running.
"An attacker could have gotten a shell through almost any of these sites," Bono wrote in a posting, regarding a change to location server policy that resulted from the incident. Click here to view an eWEEK Labs walkthrough of Ubuntu 7.04. "FTP (not sftp, without SSL) was being used to access the machines, so an attacker (in the right place) could also have gotten access by sniffing the clear-text passwords," he said. Also, "the servers have not been upgraded past breezy due to problems with the network card and later kernels. This probably allowed the attacker to gain root." Bringing the servers back up has taken longer than the managers would have liked, Bono said. Given that theyve been relying on help from members spread over the globe, there are "arbitrary limits imposed by those remote hands" and theres a "(relative) lack of bandwidth" available with which data can be copied from the machines, he wrote. During the Aug. 14 IRC meeting, location teams were given a choice to migrate to the Canonical data center or stay on the hosted/outsourced servers. Canonical, based in the U.K., is a provider of services to individual and corporate open-source software users. The pluses of moving to the Canonical data center, Bono said, include better hardware and bandwidth, full-time support from Canonicals systems administration team—including software maintenance—and integration into Ubuntus existing backup infrastructure. Some of the minuses the Ubuntu community will have to deal with in a move to Canonical—the company behind the Ubuntu distribution—include having less software supported—with the wiki engine MoinMoin, the blog platform WordPress and the Ubuntu community forum Planet on the short list of still-supported applications. The migration was still in swing as of Aug. 14, and the collocation team leaders were looking for help. "Id be very happy if I got one index.html file to ubuntu-fi.org today as a start :) MoinMoin would be very nice too," one said during the IRC meeting. "One thing I would ask for is patience. I understand that a service outage like this makes many people anxious," he said, requesting that those anxious about restoration of services go to the #canonical-sysadmin channel and ask publicly so that the first available systems administrator can answer the request. To read more about software development the Ubuntu way, click here. In the meantime, data isnt lost, although applications must be deep-sixed since executable code simply cant be trusted following the intrusion. "Due to the nature of the intrusion, we must assume that any and all executable code of any sort on the old sites is dangerous," said the meeting leader, "Spads." "…We have data, but executable code (python, PHP, Perl, any CGI, etc.) will need to be replaced." Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.
Lisa Vaas is News Editor/Operations for eWEEK.com and also serves as editor of the Database topic center. Since 1995, she has also been a Webcast news show anchorperson and a reporter covering the IT industry. She has focused on customer relationship management technology, IT salaries and careers, effects of the H1-B visa on the technology workforce, wireless technology, security, and, most recently, databases and the technologies that touch upon them. Her articles have appeared in eWEEK's print edition, on eWEEK.com, and in the startup IT magazine PC Connection. Prior to becoming a journalist, Vaas experienced an array of eye-opening careers, including driving a cab in Boston, photographing cranky babies in shopping malls, selling cameras, typography and computer training. She stopped a hair short of finishing an M.A. in English at the University of Massachusetts in Boston. She earned a B.S. in Communications from Emerson College. She runs two open-mic reading series in Boston and currently keeps bees in her home in Mashpee, Mass.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel