Security Incidents mailing list archives
re: Systems compromised with ShellBOT perl script - part 2
From: Jim Halfpenny <jim () openanswers co uk>
Date: Wed, 20 Oct 2004 17:14:27 +0100 (BST)
On Wed, 20 Oct 2004 security () kemhosting com wrote:
Today, hackers used the ShellBOT perl script to bring down Apache and start up their IRC listener. They (somehow) copied it into /tmp and executed it. This confuses me because I have my /tmp directory mounted rw,noexec,nosuid. Does Perl somehow bypass this?
Instead of running... $ /tmp/perlscript.pl they just have to run... $ perl /tmp/perlscript.pl Perl will read the file in /tmp, so no attempt is made to execute it directly. Regards, Jim Halfpenny
Current thread:
- re: Systems compromised with ShellBOT perl script - part 2 security (Oct 20)
- Re: Systems compromised with ShellBOT perl script - part 2 Meder Kydyraliev (Oct 20)
- re: Systems compromised with ShellBOT perl script - part 2 Jim Halfpenny (Oct 20)
- DoS worm David Gillett (Oct 20)
- Re: DoS worm Nick FitzGerald (Oct 21)
- DoS worm David Gillett (Oct 20)
- Re: Systems compromised with ShellBOT perl script - part 2 Jeffrey Denton (Oct 20)
- Re: Systems compromised with ShellBOT perl script - part 2 Martin Mačok (Oct 20)
- Re: Systems compromised with ShellBOT perl script - part 2 Harry de Grote (Oct 20)
- Re: Systems compromised with ShellBOT perl script - part 2 Stephen J. Smoogen (Oct 20)
- RE: Systems compromised with ShellBOT perl script - part 2 KEM Hosting (Oct 20)
- Re: Systems compromised with ShellBOT perl script - part 2 Thomas Hochstein (Oct 21)
- Re: Systems compromised with ShellBOT perl script - part 2 Paul Schmehl (Oct 22)
- <Possible follow-ups>
- RE: Systems compromised with ShellBOT perl script - part 2 KEM Hosting (Oct 20)
(Thread continues...)