Karsten wrote:

I've created a TWiki topic for SlapperWorm

Posted also to that TWiki topic, because this loose end has been bothering me for a while:

Karsten, you wrote: "This is the sort of attack which could potentially hit GNU/Linux or another 'Nix."

Could it? On any *ix I know of, when I install and turn on MySQL, by default it gets configured to listen only on the loopback network interface for service requests -- which is appropriate, because the primary niche it serves, one extremely analogous to that of MSDE, is that of backend database to local (networked or non-networked) processes. The MSDE processes involved in the Slammer/Slapper/Sapphire/SQLSlammer/W32.Slammer attacks were servicing things like Visio, backup programs, some variants of McAfee ViruScan, Cisco's network-infrastructure utilities, configuration software for SonicWall firewall appliances, and so on. MySQL (like BerkeleyDB, GNU gdbm, etc.) is used in similar roles, along with groupware/webmail and other LAMP applications, and generally anywhere a generic data repository is required -- but is reachable only locally unless the admin implements a conscious policy decision to the contrary.

More generally, almost any *ix daemon that can be made network accessible will have an easy-to-find configuration file where you can specify which network ports it listens on, and they generally fail safe by defaulting to loopback-only (except daemons whose sole purpose is network access, e.g., identd) -- not to mention usually being compiled with libwrap and/or invoked by default via inetd/xinetd with port-filtering wrappers.

So, I suspect that, upon examination, your claim doesn't hold water: *ix systems' services don't tend to have irresponsible (needless and inappropriate) network access from the global Internet (i.e., why the hell would an embedded database like MSDE default to being Internet-accessible?), and have more-obvious and editable network-interface configurations.

Just as a sanity check, I attempted to look up how to set which network interfaces MSDE listens on. I found nothing at all on the subject. The obvious inference is that neither its publisher nor its userbase even thinks about the question, let alone makes the answer readily available.

Just telling Linux (and other *ix) users not to be complacent does them few favours: What would be more useful is to analyse all the things that actually make a difference -- which includes differences in design, defaults, and administrative toolsets that are overwhelmingly to *ix's advantage. Why would that be useful? Because those things persist in our setups and defaults because a significant fraction of the admins know of them, appreciate them, and want them. And acculturation is always an ongoing task.

Rick Moen
rick@linuxmafia.com
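The two checks the post describes in prose (which sockets a host actually exposes beyond loopback, and what MySQL's own listen setting says) are easy to turn into an audit script. The following is an added example, not code from the post or from any of the projects named in it. It assumes Linux `ss -Hltn` output (iproute2) for the live check, and a `[mysqld]` `bind-address` line as the MySQL setting; the socket listing and the two my.cnf fragments embedded below are constructed samples so the script runs offline. Note that whether the loopback-only value comes from the vendor default or from a distribution's packaged my.cnf is worth checking on a given box rather than assumed, which is exactly what the second function is for.

```shell
#!/bin/sh
# Added example: audit TCP listeners that are reachable from beyond loopback,
# and read MySQL's bind-address from an option file. Not from the original post.

# Constructed sample of `ss -Hltn` output (not captured from a real host):
# columns are State Recv-Q Send-Q Local-Address:Port Peer-Address:Port.
SAMPLE_SS='LISTEN 0      80          127.0.0.1:3306       0.0.0.0:*
LISTEN 0      128           0.0.0.0:22         0.0.0.0:*
LISTEN 0      511         127.0.0.1:80          0.0.0.0:*
LISTEN 0      50          192.0.2.10:5432       0.0.0.0:*
LISTEN 0      128             [::1]:25            [::]:*
LISTEN 0      128              [::]:8080          [::]:*'

# Classify one "addr:port" field as printed by ss; prints "loopback" or "exposed".
# IPv6 addresses arrive as "[host]:port", so strip the brackets after the port.
classify_addr() {
    addr=$1
    host=${addr%:*}                  # drop ":port" at the rightmost colon
    host=${host#\[}; host=${host%\]} # strip IPv6 brackets, if any
    case "$host" in
        127.*|::1|localhost) echo loopback ;;
        *)                   echo exposed ;;   # 0.0.0.0, ::, *, or a real interface
    esac
}

# Read ss-style lines on stdin and print the local address of every listener
# that is not bound to a loopback address.
exposed_listeners() {
    while read -r _state _recvq _sendq laddr _peer; do
        if [ -n "$laddr" ] && [ "$(classify_addr "$laddr")" = exposed ]; then
            echo "$laddr"
        fi
    done
}

# Number of exposed listeners in the constructed sample above.
count_exposed_sample() {
    printf '%s\n' "$SAMPLE_SS" | exposed_listeners | wc -l | tr -d ' '
}

# On a real Linux host (assumes iproute2 is installed), run the same check live.
audit_live() {
    ss -Hltn | exposed_listeners
}

# Constructed my.cnf fragments: the everything-reachable form and the loopback form.
MYCNF_EXPOSED='[mysqld]
bind-address = 0.0.0.0'
MYCNF_LOOPBACK='[mysqld]
bind-address = 127.0.0.1'

# Print the effective bind-address from my.cnf-style text on stdin.
# MySQL treats "-" and "_" in option names as equivalent; the last occurrence
# wins, as in MySQL's own option-file handling; prints "not-set" when absent.
mysql_bind_address() {
    awk -F= '/^[[:space:]]*bind[-_]address[[:space:]]*=/ {
                 gsub(/[[:space:]]/, "", $2); v = $2
             }
             END { print (v == "" ? "not-set" : v) }'
}

# Stand-alone run: report on the constructed sample and both config fragments.
printf 'Exposed listeners in sample:\n'
printf '%s\n' "$SAMPLE_SS" | exposed_listeners
printf 'bind-address (exposed fragment): %s\n' \
    "$(printf '%s\n' "$MYCNF_EXPOSED" | mysql_bind_address)"
printf 'bind-address (loopback fragment): %s\n' \
    "$(printf '%s\n' "$MYCNF_LOOPBACK" | mysql_bind_address)"
```

Run it with no arguments to see the sample report; on a Linux box, call `audit_live` (or just `ss -Hltn | exposed_listeners`) to list what the host actually exposes, and `mysql_bind_address < /etc/mysql/my.cnf` (path is an assumption; it varies by distribution) to see which interface MySQL is told to bind. Anything the first function prints that is not a service you deliberately made network-facing is the "conscious policy decision" the post talks about, missing.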