Experts say Linux attacks not unusual
Despite reports of a "worm" at work, analysts say the hacks take advantage of a well-known security hole in a messaging program.
In the last two weeks, there have been reports of increased hacker attacks on Unix and Linux computer systems--but the attacks are just part of the usual background of probing that happens all the time, computer security officials say.
The attacks take advantage of a relatively well-known security hole in the Internet Message Access Protocol (IMAP) program, which lets people manage email stored on some Unix or Linux systems. Some reports have said there is a "worm" at work--a program that propagates itself by attacking systems with the security hole and then using each compromised computer as a new base of operations for further attacks.
Worms, such as the infamous Morris Worm that brought much of the Internet to its knees in 1988, are rare, however, and there's no evidence that a worm is behind the present attacks, said Shawn Hernan of the Computer Emergency Response Team (CERT).
"It's something we see every single day," added Jed Pickel, also of CERT. "It's not anything out of the ordinary. There's nothing out there like a worm."
Rather, what appears to be happening is that more people are noticing the constant probing that takes place on the Internet, Hernan said. "The increase is in people noticing the attacks, not so much the frequency of the attacks themselves."
Ernie Miller, a system administrator for an Internet Service Provider in Pennsylvania, is one of those who noticed. His security software picked up a series of attacks through IMAP on his Linux-based system beginning November 18.
And Scott Hutton, the lead security engineer for Indiana University, said a series of IMAP probes hit his system beginning November 24.
Miller said all the probes of his system came from machines running Red Hat's distribution of the Linux operating system, leading him to believe that the attacks were specifically targeting Red Hat machines. There are several ways a computer can determine what operating system a machine is running.
Red Hat, however, has had no specific complaints of an attack targeted at its operating system, said Mac Ewing, Red Hat's chief technology officer. The company posted a fix for the security hole immediately after finding out about it, he said.
By default, Red Hat's version of Linux enables the IMAP program when the operating system is installed. The security hole is fixed in Red Hat's most recent version of its software, version 5.2, which has been shipping for about four weeks, Ewing said.
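Since the article's point is that the IMAP program is enabled by default on affected installations, the check an administrator would want is whether that service is actually switched on. The following is an added example, not code from the article, from CERT, or from Red Hat. It assumes the IMAP daemon is started from an inetd.conf-style file (one service per line, `#` marking a comment); the sample configuration is constructed for illustration, and `imap_exposed` and `disable_service` are names chosen here.

```python
"""Check an inetd-style configuration for an enabled IMAP service and
produce a hardened copy with that service commented out.

Added example, not from the article. Assumes the IMAP daemon is launched
from an inetd.conf-style file; the sample below is constructed.
"""

# Constructed sample resembling the inetd.conf format: service, socket
# type, protocol, wait flag, user, server program, arguments.
SAMPLE_INETD_CONF = """\
# Example inetd configuration (constructed sample)
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
#shell  stream  tcp     nowait  root    /usr/sbin/tcpd  in.rshd
pop-3   stream  tcp     nowait  root    /usr/sbin/tcpd  ipop3d
imap    stream  tcp     nowait  root    /usr/sbin/tcpd  imapd
"""


def enabled_services(conf_text):
    """Return the service names that inetd would actually start.

    Blank lines and lines whose first non-space character is '#' are
    ignored, so a service that has been commented out does not count.
    """
    services = []
    for line in conf_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        services.append(stripped.split()[0])
    return services


def imap_exposed(conf_text):
    """True when an active 'imap' service line is present."""
    return "imap" in enabled_services(conf_text)


def disable_service(conf_text, service):
    """Return a copy of the configuration with every active line for
    `service` commented out. Lines already commented out are left alone,
    so the function is safe to apply repeatedly.
    """
    out = []
    for line in conf_text.splitlines():
        stripped = line.strip()
        if (stripped and not stripped.startswith("#")
                and stripped.split()[0] == service):
            out.append("#" + line)
        else:
            out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("IMAP enabled:", imap_exposed(SAMPLE_INETD_CONF))
    hardened = disable_service(SAMPLE_INETD_CONF, "imap")
    print("IMAP enabled after hardening:", imap_exposed(hardened))
    print(hardened)
```

On a real host the same parser would be pointed at the live configuration file, and the service would only be disabled where IMAP is not actually needed; where it is needed, the fix is the vendor patch the article describes, not removing the service.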
CERT posted a description of the security hole in July. The file provides links to fix the IMAP problem on systems from IBM, Santa Cruz Operation, Sun Microsystems, and Caldera, among others.
The IMAP program is only one of several programs vulnerable to attack, and there are other problems besides, CERT's Hernan said. "It is likely that this sort of [scanning] activity will grow as new vulnerabilities are discovered," he said.