Security Basics mailing list archives

Re: Removing Perl.Santy


From: Michael Rice <michael () riceclan org>
Date: Mon, 31 Jan 2005 16:34:26 -0600

Not knowing anything about it except what's on the Symantec site, I
would:

a) get rid of the phpBB that made you vulnerable in the first place
(upgrade or replace)
b) look for any processes running perl (examine their /proc entry to see
if the perl interpreter or libraries are open by the process), kill
them.  If apache has mod_perl, examine the apache configs and restart
apache.
c) examine all init scripts and cron/at entries
d) search for files and remove any that have been touched by the
worm.  This is not a trivial task, but hopefully the steps above
have gained you some time on it.

According to what I'm reading, it probably just runs as the user apache
is running as.  If this is not root you can leave it as above and hope
that the worm didn't do anything more malicious or leave your system
vulnerable to more malicious followups.  

I recommend reinstalling unless you have some way to validate nearly
every file on the system (tripwire, aide, etc with remote database).

If apache is running as root I would upgrade that to "strongly
recommend."

On Fri, 2005-01-28 at 18:19, Hamish Stanaway wrote:
Hi friends,

I have a box that has Perl.Santy (unknown if it is the A, B or C variant) on 
my Red Hat Linux server. The server is located on the other side of the world 
for me so physically going through the machine isn't an option for me.
I have root ssh access.
I cannot seem to find details anywhere on the internet on how to remove this 
virus, and the virus' activities are now starting to irritate some of my web 
hosting clients.
Can someone help me please, or at least point me in the right direction? 
G00gle etc reveals nothing...



Kindest of regards,

Hamish Stanaway, CEO

Absolute Web Hosting
Auckland, New Zealand

http://www.webhosting.net.nz
http://www.buywebhosting.co.nz

-- 
Michael Rice <michael () riceclan org>
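Steps (b) through (d) of the reply above, worked into a small triage script that can be run over the root ssh session the original poster has. This is an added example, not code from the thread or from either poster. It assumes a Linux /proc layout and the usual Red Hat/Debian locations for cron, at and init files (the directory list is an assumption, not something the thread states); every function takes its root directory as an argument so the same code can be pointed at a copied tree.

```shell
#!/bin/sh
# Added example (not from the original thread): remote triage for a box
# suspected of running Perl.Santy, following the reply's steps (b)-(d).
# Assumptions: Linux /proc; cron/at/init files in the common locations
# listed in list_persistence(). Roots are parameters for testing offline.

# Step (b): processes that are the perl interpreter, whose executable is
# perl, or that have libperl mapped (apache with mod_perl shows up here).
# Prints "PID reason argv0". Nothing is killed; review the list first.
find_perl_pids() {
    root="${1:-/proc}"
    for d in "$root"/[0-9]*; do
        [ -r "$d/cmdline" ] || continue
        pid="${d##*/}"
        argv0="$(tr '\0' '\n' < "$d/cmdline" | head -n 1)"
        exe="$(readlink "$d/exe" 2>/dev/null || true)"
        case "${argv0##*/}:${exe##*/}" in
            perl*)   printf '%s interpreter %s\n' "$pid" "$argv0"; continue ;;
            *:perl*) printf '%s exe-is-perl %s\n' "$pid" "$argv0"; continue ;;
        esac
        if grep -q 'libperl' "$d/maps" 2>/dev/null; then
            printf '%s libperl-mapped %s\n' "$pid" "$argv0"
        fi
    done
}

# Step (c): cron, at and init entries. Prints "PERL <file>" when the entry
# mentions perl or a .pl script and "ok <file>" otherwise. Both lists need
# a human eye; the worm could just as well persist via a shell wrapper.
list_persistence() {
    etc="${1:-/etc}"; spool="${2:-/var/spool}"
    for f in "$etc"/crontab "$etc"/cron.d/* "$etc"/cron.hourly/* \
             "$etc"/cron.daily/* "$etc"/cron.weekly/* "$etc"/cron.monthly/* \
             "$etc"/rc.local "$etc"/rc.d/rc.local "$etc"/init.d/* \
             "$etc"/rc.d/init.d/* "$spool"/cron/* "$spool"/cron/crontabs/* \
             "$spool"/at/* "$spool"/at/spool/*; do
        [ -f "$f" ] || continue
        if grep -qE 'perl|\.pl([^A-Za-z]|$)' "$f"; then
            printf 'PERL\t%s\n' "$f"
        else
            printf 'ok\t%s\n' "$f"
        fi
    done
}

# Step (d): regular files under a web root modified after a reference file
# (a file from the last known-good deployment, or one you "touch -t" to a
# date before the compromise). mtime can be reset by an attacker, so this
# is a starting point, not the tripwire/aide check the reply recommends.
changed_since() {
    find "$1" -type f -newer "$2"
}

if [ "${1:-}" = "--run" ]; then
    echo "== processes using perl (pid, reason, argv0)"; find_perl_pids
    echo "== cron/at/init entries (PERL = mentions perl)"; list_persistence
    if [ -n "${2:-}" ] && [ -n "${3:-}" ]; then
        echo "== files under $2 newer than $3"; changed_since "$2" "$3"
    fi
fi
```

Run it as `sh santy-triage.sh --run /var/www /var/www/.known-good` over ssh. Before killing a flagged PID, `ls -l /proc/PID/cwd /proc/PID/fd` and a copy of `/proc/PID/exe` tell you where the worm lives and what it has open, which is exactly the input step (d) needs. As the reply says, none of this proves the box is clean; if apache was running as root, reinstall.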
