Security Basics mailing list archives
Re: Removing Perl.Santy
From: Joachim Schipper <j.schipper () math uu nl>
Date: Mon, 31 Jan 2005 23:53:10 +0100
On Sat, Jan 29, 2005 at 12:19:33AM +0000, Hamish Stanaway wrote:
> Hi friends,
>
> I have a box that has perl.santy (unknown if it is the a, b or c variant) on my Red Hat Linux server. The server is located on the other side of the world from me, so physically going through the machine isn't an option for me. I have root ssh access. I cannot seem to find details anywhere on the internet on how to remove this virus, and the virus' activities are now starting to irritate some of my web hosting clients.
>
> Can someone help me please, or at least point me in the right direction? G00gle etc reveals nothing...
>
> Kindest of regards,
> Hamish Stanaway, CEO
Dear Hamish,

The Santy worm was described on Bugtraq and k-otik; Bugtraq is available via securityfocus.net, among others, and k-otik is available on www.k-otik.com (warning: being able to read French is not required, but quite useful). Based on the information in the sources above, you should be able to remove it.

If this doesn't work, get the excellent ClamAV package, download the newest definitions (freshclam -v) and scan your web directories (clamscan /www | grep -v 'OK$'). Move anything marked as Worm.Perl.Santy to a quarantine directory out of the web tree and, heaven forbid, any PATHs. You can then have a quick look at these files manually, if you so desire, and/or remove them. (NOTE: ClamAV claims to detect Santy, and I believe them, based on my experience with their software and databases - but I haven't actually tested it.)

Your clients will probably be happy if you make your backups available to them, too. Be careful with just placing stuff back, though - you don't want to overwrite files they painstakingly created!

Oh, and do remove the worms *before* they start irritating clients - they are likely to irritate the rest of the 'net long before that. ;-)

Joachim
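The scan-then-quarantine step from the reply above, as an added example that is not part of the original thread. It assumes the ClamAV report was saved from a recursive run such as clamscan -r /www > clamscan.txt (the -r flag and the "path: Signature FOUND" line format are ClamAV's; /www and the quarantine directory are assumptions), and it moves every flagged file out of the web tree under its original path, strips its execute bit, and logs the signature so the files can be reviewed or restored from backup afterwards. The web tree and report used here are constructed inline so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the original thread: quarantine files that ClamAV
# flagged, driven by clamscan's "<path>: <Signature> FOUND" report lines.

# quarantine_found REPORT QUARANTINE_DIR
# Moves each file marked FOUND in REPORT into QUARANTINE_DIR, keeping the
# original path below it, and appends "signature<TAB>path" to quarantine.log.
# Prints the number of files moved.
quarantine_found() {
    report="$1"
    qdir="$2"
    count=0
    mkdir -p "$qdir"
    while IFS= read -r line; do
        # Only FOUND lines matter; "OK" lines and the scan summary are skipped.
        case "$line" in
            *" FOUND") ;;
            *) continue ;;
        esac
        path="${line%%: *}"
        sig="${line#*: }"
        sig="${sig% FOUND}"
        [ -f "$path" ] || continue
        dest="$qdir/${path#/}"              # preserve the original path
        mkdir -p "$(dirname "$dest")"
        mv "$path" "$dest"
        chmod 0600 "$dest"                  # no execute bit, owner-only access
        printf '%s\t%s\n' "$sig" "$path" >> "$qdir/quarantine.log"
        count=$((count + 1))
    done < "$report"
    echo "$count"
}

# demo_setup: build a constructed web tree (two placeholder files standing in
# for flagged ones, one clean page) plus a clamscan-style report for it.
# Prints the working directory. The assumed web root is <workdir>/www.
demo_setup() {
    work=$(mktemp -d)
    mkdir -p "$work/www/site1" "$work/www/site2"
    printf 'clean page\n' > "$work/www/site1/index.html"
    printf '#!/usr/bin/perl\n# placeholder for a flagged file\n' > "$work/www/site1/x.pl"
    printf '#!/usr/bin/perl\n# placeholder for a flagged file\n' > "$work/www/site2/y.pl"
    {
        printf '%s: OK\n' "$work/www/site1/index.html"
        printf '%s: Worm.Perl.Santy FOUND\n' "$work/www/site1/x.pl"
        printf '%s: Worm.Perl.Santy FOUND\n' "$work/www/site2/y.pl"
        printf '\n----------- SCAN SUMMARY -----------\nInfected files: 2\n'
    } > "$work/clamscan.txt"
    echo "$work"
}

# Stand-alone run on the constructed scenario.
work=$(demo_setup)
moved=$(quarantine_found "$work/clamscan.txt" "$work/quarantine")
echo "moved $moved file(s) into $work/quarantine"
cat "$work/quarantine/quarantine.log"
```

On a real host the report line would be clamscan -r /www > clamscan.txt followed by quarantine_found clamscan.txt /var/quarantine, with the quarantine directory outside both the web tree and any directory on PATH; the log then gives the clients a list of exactly which of their files were moved before anything is restored from backup.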
Current thread:
- Re: Removing Perl.Santy Michael Rice (Feb 01)
- Re: Removing Perl.Santy Barrie Dempster (Feb 02)
- <Possible follow-ups>
- Re: Removing Perl.Santy Joachim Schipper (Feb 01)