June 16th, 2010
If you happen to know any Windows Server “fanboys“, you’d probably have noticed the smug look they have on their faces right now. Its most likely after this little announcement. A recent version of the Unreal IRC server source tar ball, stored on various mirrors, was replaced by one that contained a backdoor. It seems it was replaced some time back in November 2009 and no one noticed it till now! So if anyone downloaded and installed it since then, their servers are open to compromise. So how safer are Linux servers? Its high time we stopped thinking of Linux as Invincible.
One of the reasons I wouldn’t worry too much is that there is way more malware targeting Windows than Linux, but its still important that we don’t get carried away. In the case of the Unreal IRC backdoor, the hacker will still only have the privileges of the user the IRC server is running as. If your running it as “root”, then they will have complete control over your server. What is more concerning is how this file was replaced with the malware on the mirrors? This is something maintainers of those mirrors should look into. Something I’m sure they are looking into right now and will have a solution for soon. Till then what do we do? We have to make sure that all packages we install are indeed the ones the distributors intended us to have. All package management systems have some form of PGP/GPG checking. So make sure you have those enabled on your server.
Most of you are probably using “Yum” to install/update packages, to enable GPG checking simply look for the distro file in:
/etc/yum.repos.d/. Look for the line that says gpgcheck=0 and change it to gpgcheck=1. The next time you install a package, it will request you to download and install the GPG public key, which you can also download from the same site your downloading the package from. Yum will automatically check the package against the key to make sure the one you are downloading is safe.
There is always a possibility that the public key has also been replaced, in which case we’d still end up installing the malware, but I guess there’s always some amount of risk we’ll have to take if we wish to install new software. Want to guarantee, 100%-without a doubt, the security of your server? Disconnect it from the internet. But what purpose will that serve?
About the Author:
Hamish works as a Senior Software Engineer in Bobcares. He joined Bobcares in July 2004, and is an expert in Control panels and Operating systems used in the Web Hosting industry. He is highly passionate about Linux and is a great evangelist of open-source. When he is not on his xbox, he is an avid movie lover and critic.