Gentoo cuts key parts of itself from net for its own good
Admins with the Gentoo Project say they have disconnected major parts of its website a week after discovering it could be vulnerable to a command injection attack that allows bad guys to remotely execute code on the machine.
At time of writing, users trying to access Gentoo Archives and at least seven other areas of Gentoo.org got a message saying they were unavailable. Gentoo pulled the server hosting the sections "to prevent further exploitation and to allow for forensic analysis," according to Gentoo's homepage.
The words "further exploitation" and "forensic analysis" suggest the server was pwned, but Gentoo assures us the damage was minimal.
"There was no possibility of any leak of personal or meddling with the Gentoo Portage tree," Mike Doty, a member of Gentoo's Infrastructure team, said in an emailed statement. "The attack was limited to one service on one server."
Members intend to rebuild the server and will also perform a security audit of the source code for packages.gentoo.org, the service containing the injection vulnerability. According to this advisory, the vulnerability allows remote code execution by appending a semicolon to the end of the URL, immediately followed by the command the attacker wants to run; the bottom of the page then displays the output of that command.
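The injection the advisory describes, reproduced as an added example that is not Gentoo's code and not the packages.gentoo.org source (which is not on this page): a hypothetical search handler that splices a query parameter into a shell command line, beside a hardened version that validates the term against an allowlist and passes it as a single argv element with no shell in between. The package list, the cat/grep pipeline, the temp file and the allowlist pattern are all assumptions made for the example; it needs a POSIX /bin/sh and grep.

```python
import os
import re
import subprocess
import tempfile

# Constructed sample data standing in for whatever the real search read.
# Written to a temp file so both handlers have something real to search.
_SAMPLE = "app-editors/vim\napp-editors/nano\nsys-apps/portage\n"
_fd, PACKAGE_LIST = tempfile.mkstemp(suffix=".txt")
with os.fdopen(_fd, "w") as fh:
    fh.write(_SAMPLE)


def vulnerable_search(query: str) -> str:
    """Vulnerable: the query parameter is spliced into a shell command line.

    A query of 'vim; id' turns the command into
        cat /tmp/pkgs.txt | grep -i vim; id
    and /bin/sh runs both commands; their combined stdout is what the page
    then displays, which is the behaviour the advisory describes.
    """
    cmd = "cat " + PACKAGE_LIST + " | grep -i " + query
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True,
                          stdin=subprocess.DEVNULL)
    return proc.stdout


# Allowlist for a search term: letters, digits and the punctuation that
# occurs in package names. The exact pattern is an assumption for the example;
# the point is that ';', quotes, '|', '$', backticks and whitespace are out.
_SAFE_QUERY = re.compile(r"[A-Za-z0-9_./+-]{1,64}")


def hardened_search(query: str) -> str:
    """Hardened: validate the term, then pass it as one argv element.

    With shell=False there is no shell to interpret metacharacters, so even a
    term that slipped past the allowlist could only ever be a grep pattern,
    never a second command. '--' stops grep reading the term as an option.
    """
    if not _SAFE_QUERY.fullmatch(query):
        raise ValueError("rejected search term: %r" % query)
    proc = subprocess.run(["grep", "-i", "--", query, PACKAGE_LIST],
                          shell=False, capture_output=True, text=True,
                          stdin=subprocess.DEVNULL, check=False)
    return proc.stdout


if __name__ == "__main__":
    payload = "vim; echo INJECTED"
    print(vulnerable_search(payload), end="")   # vim line, then INJECTED
    try:
        hardened_search(payload)
    except ValueError as exc:
        print(exc)
    print(hardened_search("vim"), end="")        # app-editors/vim only
```

The two defences are deliberately layered: the argv list is the one that actually removes the shell from the picture, while the allowlist keeps attacker-controlled text from reaching grep's option parser or regex engine in surprising forms. Escaping the string and keeping shell=True would be the weaker fix, because every quoting rule of the shell then has to be reproduced exactly.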
Gentoo's advisory comes a week after Ubuntu unplugged five of its eight production servers following the discovery they had been so badly compromised that they were being used to attack other sites. Turns out the systems, which were sponsored by Canonical and hosted by the community, were running an old version of Ubuntu. Tsk, tsk.
Other Gentoo sites and services being shuttered included packagestest.gentoo.org, scripts.gentoo.org, archivestest.gentoo.org, kiss.gentoo.org, stats.gentoo.org and survey.gentoo.org. Gentoo wouldn't estimate when it will have them back online. ®
Hm... maybe I should show these comments to my Python-toting friend and show him exactly why I *won't* use the damn thing.
This isn't really about the OS getting 0wn3d, it is more about lazy programming. I thought SQL/command injection had been taken care of by at least the webmasters of important sites, now I see that this isn't the case.
There's no such thing as a truly secure OS. If you think there is, then you're asking to be pwned in short order.
Always assume you're vulnerable, and do what you can to reduce the possible attack surface. Linux just happens to be *more* secure than Windows, as a rule, because the default settings are usually more restrictive, and the vulnerabilities which do crop up get patched faster.
Also, any operating system is only as secure as the weakest application running on it. That includes web applications, as in this case, which anyone reading this site should know are generally about as secure as an unlocked car in the bad end of town.
Banks use whatever OS they feel happy with, i.e. all of them (although note the lack of OpenBSD in this list).
From netcraft, a few banks I could think of before I got bored:
HSBC : Linux, unknown
Barclays : Solaris, AIX
Lloyds TSB : Win 2003, NT 4
Abbey : Win 2000, Win 2003, unknown
RBS : Win 2000, NT 4, unknown
BoS : AIX, unknown
Halifax : Win 2000
Natwest : Win 2000
MBNA : Linux, Solaris