<html><head></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">I've been responsible for a large number of hosting/VPS/etc. servers in my last job and was the recipient of quite a few AusCERT notifications (btw, good work AusCERT!).<div><br></div><div>We had a mix of both Windows and Linux servers of various versions and distros.</div><div><br></div><div>99% of AusCERT notifications were for **customers' websites** being compromised through dodgy PHP/ASP/etc. code. These were usually malicious in nature, targeting users viewing the website and attempting to infect them with malware/spyware etc.</div><div><br></div><div>In the 3 years I worked there, the relatively few Windows servers were never rooted, but we did have one (and only one) Linux server rooted. We discovered this ourselves after noticing all the client sites on that server had been defaced.</div><div><br></div><div>In any environment (not just hosting), the fact is, it doesn't matter what OS, distro or architecture you're running (nothing is invulnerable); what matters is the relative insecurity of the code (i.e., users' PHP/ASP/etc. code) you allow to run on your system. The best you can do is mitigate risk as best as possible by using technologies to isolate processes, such as suPHP, to limit the damage that can be done. This won't fix everything though.</div><div><br></div><div>Interestingly enough, most of the compromises of client code we saw were used to send spam as opposed to defacement or DoS etc. We'd usually find these ourselves because we'd see mail queues go through the roof for no apparent reason.</div><div><br></div><div>On the desktop, running as an unprivileged limited-access non-root user is one of the reasons Windows 7, OS X, and Linux (most notably Ubuntu's default setup) are mildly more secure, but once again, it falls to the code you allow to run on your box.
If you blindly install every Bonzi Buddy-like application on the internet, and click 'yes' every time any Windows application asks for privilege escalation, you're bound to be infected with the latest and greatest spyware/adware/etc. Same goes for running apps as root in your *nix environment.</div><div><br></div><div><br></div><div>TL;DR: No one is safe.</div><div><br></div><div><br></div><div>Cheers!</div><div>-Shaun</div><div><br></div><div><br></div><div><br><div><div>On 24/06/2010, at 5:54 PM, phil colbourn wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite">Sean,<div><br></div><div>What sort of *nix do you run, and in what ways have they been compromised?</div><div><br></div><div>Re the AusCERT emails, are you referring to the vulnerability alerts or actual compromises? If compromises, how do they find out about them?</div>
<div><br></div><div>Phil<br><br><div class="gmail_quote">On Thu, Jun 24, 2010 at 2:12 PM, Sean K. Finn <span dir="ltr"><<a href="mailto:sean.finn@ozservers.com.au">sean.finn@ozservers.com.au</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
I have to butt in here: hosting one metric ** tonne of servers, it's the *nix ones that get compromised more often than our Windows ones. (I know, because AusCERT sends me emails every time one is compromised.)<br>
<br>
The Windows vs. Linux debate is dead. Both are as bad as one another for compromises.<br>
<br>
Home users running Windows get targeted, and server farms running *nix get targeted just as easily.<br>
<br>
Before someone starts bashing the macs-are-safe bandwagon, BSD and Mac OS X servers are just as likely to get attacked / rootkitted / compromised / dial home to a botnet.<br>
<br>
Having a software-dependent package installed on ANY machine that is considered the target is just bad karma. It just doesn't work, and unless it stays ahead of the pack, the software will be specifically targeted and disabled as part of any smart malware attack.<br>
<font color="#888888"><br>
S<br>
</font><div><div></div><div class="h5"><br>
<br>
-----Original Message-----<br>
From: <a href="mailto:ausnog-bounces@lists.ausnog.net">ausnog-bounces@lists.ausnog.net</a> [mailto:<a href="mailto:ausnog-bounces@lists.ausnog.net">ausnog-bounces@lists.ausnog.net</a>] On Behalf Of Mark Newton<br>
Sent: Thursday, 24 June 2010 1:25 PM<br>
To: Zane Jarvis<br>
Cc: <a href="mailto:ausnog@ausnog.net">ausnog@ausnog.net</a><br>
Subject: Re: [AusNOG] (bad) cyber security and ideas coming out of the woodwork?!<br>
<br>
<br>
On 24/06/2010, at 12:15 PM, Zane Jarvis wrote:<br>
<br>
> If everyone in Australia switches to *NIX (or anything else) then the<br>
> criminals will just spend more resources targeting that.<br>
<br>
You think? I reckon most botnet operators couldn't care less where<br>
their targets are physically located, and they'll just keep attacking<br>
windows boxes in other jurisdictions instead. :-)<br>
<br>
(my burglar alarm doesn't prevent my stuff from being stolen, but the<br>
stickers on the windows make my next door neighbours' houses more<br>
attractive targets :)<br>
<br>
Interesting thought experiment, though.<br>
<br>
- mark<br>
<br>
<br>
--<br>
Mark Newton Email: <a href="mailto:newton@internode.com.au">newton@internode.com.au</a> (W)<br>
Network Engineer Email: <a href="mailto:newton@atdot.dotat.org">newton@atdot.dotat.org</a> (H)<br>
Internode Pty Ltd Desk: +61-8-82282999<br>
"Network Man" - Anagram of "Mark Newton" Mobile: +61-416-202-223<br>
<br>
<br>
<br>
<br>
<br>
_______________________________________________<br>
AusNOG mailing list<br>
<a href="mailto:AusNOG@lists.ausnog.net">AusNOG@lists.ausnog.net</a><br>
<a href="http://lists.ausnog.net/mailman/listinfo/ausnog" target="_blank">http://lists.ausnog.net/mailman/listinfo/ausnog</a><br>
</div></div></blockquote></div><br><br clear="all"><br>-- <br>Phil<br><br><a href="http://philatwarrimoo.blogspot.com/">http://philatwarrimoo.blogspot.com</a><br><a href="http://code.google.com/p/snmp2xml">http://code.google.com/p/snmp2xml</a><br>
<br>"Someone has solved it and uploaded it for free."<br><br>"If I have nothing to hide, you have no reason to look."<br><br>"Any sufficiently advanced technology is indistinguishable from magic." Arthur C. Clarke - Who does magic today?<br>
<br>
</div>
</blockquote></div><br></div></body></html>