Hacked Ubuntu servers used in attacks

Aug 16, 2007 15:45 GMT

Ubuntu production servers that had been thoroughly compromised had to be taken offline, a last-resort measure to stop the attacks being launched from the machines, which ran Canonical's Linux distribution. There is a good reason why Microsoft is applauding Windows Vista as the most secure Windows platform available on the market. In this context, while Vista has the client side covered, Windows Server 2008 will do the same for the server side, matching the security record of its predecessor, Windows Server 2003. But while both Linux and the Unix-based Mac OS X are perceived as delivering superior security to Windows, five out of eight Ubuntu production servers were shut down because of poor security practices.

"On Monday evening (UK time) it was reported that one of the hosted community servers that Canonical sponsors had been compromised. After investigation, it became apparent that 5 of the 8 machines had been compromised. Since it was reported that they were actively attacking other machines, the decision was taken to shut the machines down," revealed James Troup, head of the Canonical sysadmin team. "On Tuesday morning we started the procedure of bringing these machines up in a safe state so that we could recover data from them. Unfortunately, this took far longer than we would have hoped or liked due to a combination of having to use remote hands, arbitrary limits imposed by those remote hands and (relative) lack of bandwidth to copy data off site. This process is still ongoing (though only one machine remains to be fully recovered - tiber)."

Jono Bacon, Ubuntu Community Manager, confirmed that the five hacked Ubuntu servers were taken down in order to put an end to the attacks originating from them. Bacon additionally revealed that the servers were in fact the responsibility of the LoCo (local community) teams and only sponsored by Ubuntu. Troup also emphasized that the Ubuntu operating system itself was not at fault, placing the blame on how the machines were maintained. "The servers, especially zambezi were running an incredible amount of web software (over 15 packages[1] that we recognised) and of all the ones where it's trivial to determine a version, they were without exception out-of-date and missing security patches. An attacker could have gotten a shell through almost any of these sites. FTP (not sftp, without SSL) was being used to access the machines, so an attacker (in the right place) could also have gotten access by sniffing the clear-text passwords. The servers have not been upgraded past breezy due to problems with the network card and later kernels. This probably allowed the attacker to gain root," Troup explained.
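The first finding in Troup's account, web packages that were "without exception out-of-date and missing security patches", is something an administrator can audit mechanically: compare each installed package version against the version in which the relevant fix shipped, using Debian's own version-ordering rules (epoch, upstream version, Debian revision, with `~` sorting before everything, digit runs compared numerically and letters sorting before punctuation). The script below is an added example and is not code from the article or from Canonical; the package names are the kind of software mentioned in the story, but every version string and "fixed-in" value is a constructed placeholder, not a real advisory. `compare_versions` reimplements the `dpkg --compare-versions` ordering in pure Python so the audit runs offline on any host.

```python
import re

def _order(c):
    # Character weight used by dpkg: '~' sorts before everything (even end of
    # string), letters sort by code point, and other punctuation after letters.
    if c == '~':
        return -1
    if c.isalpha():
        return ord(c)
    return ord(c) + 256

def _cmp_nondigit(a, b):
    # Compare two non-digit runs character by character; end of run weighs 0.
    while a or b:
        ac = _order(a[0]) if a else 0
        bc = _order(b[0]) if b else 0
        if ac != bc:
            return -1 if ac < bc else 1
        a, b = a[1:], b[1:]
    return 0

def _cmp_fragment(a, b):
    # Alternate between non-digit runs (lexical, via _order) and digit runs (numeric).
    while a or b:
        na = re.match(r'[^0-9]*', a).group()
        nb = re.match(r'[^0-9]*', b).group()
        r = _cmp_nondigit(na, nb)
        if r:
            return r
        a, b = a[len(na):], b[len(nb):]
        da = re.match(r'[0-9]*', a).group()
        db = re.match(r'[0-9]*', b).group()
        ia = int(da) if da else 0
        ib = int(db) if db else 0
        if ia != ib:
            return -1 if ia < ib else 1
        a, b = a[len(da):], b[len(db):]
    return 0

def parse_version(v):
    # Split "[epoch:]upstream[-revision]"; the revision is everything after the last '-'.
    epoch = 0
    if ':' in v:
        e, v = v.split(':', 1)
        epoch = int(e)
    upstream, sep, revision = v.rpartition('-')
    if not sep:
        upstream, revision = v, ''
    return epoch, upstream, revision

def compare_versions(a, b):
    """Return -1, 0 or 1 as Debian version a is older than, equal to, or newer than b."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    r = _cmp_fragment(ua, ub)
    if r:
        return r
    return _cmp_fragment(ra, rb)

def missing_security_updates(installed, fixed_in):
    """Names of installed packages whose version is older than the fix version."""
    return sorted(name for name, ver in installed.items()
                  if name in fixed_in and compare_versions(ver, fixed_in[name]) < 0)

# Constructed sample data (placeholder versions, not real Ubuntu packages or advisories).
INSTALLED = {
    'apache2':    '2.0.54-5ubuntu4',
    'php5':       '5.0.5-2ubuntu1',
    'phpmyadmin': '2.6.4-pl1-1',
    'mediawiki':  '1.5.0-1',
}
FIXED_IN = {
    'apache2':    '2.0.54-5ubuntu4.1',
    'php5':       '5.0.5-2ubuntu1.5',
    'phpmyadmin': '2.6.4-pl1-1',
    'mediawiki':  '1.5.0-1ubuntu1',
}

if __name__ == '__main__':
    for name in missing_security_updates(INSTALLED, FIXED_IN):
        print(f"{name}: installed {INSTALLED[name]}, fixed in {FIXED_IN[name]}")
```

On a live Debian-derived host the `INSTALLED` table would come from `dpkg-query -W -f '${Package} ${Version}\n'` and `FIXED_IN` from the distribution's security advisories; the ordering logic stays the same. Note that this only catches packages the package manager knows about; web applications unpacked by hand into a document root, which is what an "incredible amount of web software" on a community box often means, need a separate inventory before they can be checked at all.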