Experts say Linux attacks not unusual

Despite reports of a "worm" at work, analysts say the hacks take advantage of a well-known security hole in a messaging program.

Stephen Shankland Former Principal Writer

In the last two weeks, there have been reports of increased hacker attacks on Unix and Linux computer systems--but the attacks are just part of the usual background of probing that happens all the time, computer security officials say.

The attacks take advantage of a relatively well-known security hole in the Internet Message Access Protocol (IMAP) program, which lets people manage email stored on some Unix or Linux systems. Some reports have said there is a "worm" at work--a program that propagates itself by attacking systems with the security hole, then using each compromised computer as a new base of operations for further attacks.

Worms, such as the infamous Morris Worm that brought much of the Internet to its knees in 1988, are rare, however, and there's no evidence that a worm is behind the present attacks, said Shawn Hernan of the Computer Emergency Response Team (CERT).

"It's something we see every single day," added Jed Pickel, also of CERT. "It's not anything out of the ordinary. There's nothing out there like a worm."

Rather, what appears to be happening is that more people are noticing the constant probing that takes place on the Internet, Hernan said. "The increase is in people noticing the attacks, not so much the frequency of the attacks themselves."

Ernie Miller, a system administrator for an Internet Service Provider in Pennsylvania, is one of those who noticed. His security software picked up a series of attacks through IMAP on his Linux-based system beginning November 18.

And Scott Hutton, the lead security engineer for Indiana University, said a series of IMAP probes hit his system beginning November 24.

Miller said all the probes of his system came from machines running Red Hat's distribution of the Linux operating system, leading him to believe that the attacks were specifically targeting Red Hat machines. There are several ways a computer can determine what operating system a machine is running.

Red Hat, however, has had no specific complaints of an attack targeted at its operating system, said Marc Ewing, Red Hat's chief technology officer. The company posted a fix for the security hole immediately after finding out about it, he said.

By default, Red Hat's version of Linux enables the IMAP program when the operating system is installed. The security hole is fixed in Red Hat's most recent version of its software, version 5.2, which has been shipping for about four weeks, Ewing said.

CERT posted a description of the security hole in July. The file provides links to fix the IMAP problem on systems from IBM, Santa Cruz Operation, Sun Microsystems, and Caldera, among others.

The IMAP program is only one of several programs vulnerable to attack, and there are other problems, CERT's Hernan said. "It is likely that this sort of [scanning] activity will grow as new vulnerabilities are discovered," he said.