Security Basics mailing list archives

Re: Removing Perl.Santy


From: Joachim Schipper <j.schipper () math uu nl>
Date: Mon, 31 Jan 2005 23:53:10 +0100

On Sat, Jan 29, 2005 at 12:19:33AM +0000, Hamish Stanaway wrote:
> Hi friends,
> 
> I have a box that has perl.santy (unknown if it is the a, b or c variant) 
> on my Red Hat linux server. The server is located on the other side of the 
> world for me so physically going through the machine isn't an option for me.
> I have root ssh access.
> I cannot seem to find details anywhere on the internet on how to remove 
> this virus, and the virus' activities are now starting to irritate some of 
> my web hosting clients.
> Can someone help me please, or at least point me in the right direction? 
> G00gle etc reveals nothing...
> 
> Kindest of regards,
> 
> Hamish Stanaway, CEO

Dear Hamish,

The Santy worm was described on Bugtraq and k-otik; Bugtraq is available
via securityfocus.net among others, and k-otik is available on www.k-otik.com
(warning: being able to read French is not required, but quite useful).

Based on the information in the sources above, you should be able to
remove it. If this doesn't work, get the excellent ClamAV package,
download the newest definitions (freshclam -v) and scan your web
directories (clamscan /www | grep -v 'OK$'). Move anything marked as
Worm.Perl.Santy to a quarantine directory out of the web tree and,
heaven forbid, any PATHs. You can then have a quick look at these files
manually, if you so desire, and/or remove them. (NOTE: ClamAV claims to
detect Santy, and I believe them, based on my experience with their
software and databases - but I haven't actually tested it.)

Your clients will probably be happy if you make your backups available
to them, too. Be careful with just placing stuff back, though - you
don't want to overwrite files they painstakingly created!

Oh, and do remove the worms *before* they start irritating clients -
they are likely to irritate the rest of the 'net long before that. ;-)

                        Joachim
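The quarantine step described in the reply above (scan with ClamAV, then move every Worm.Perl.Santy hit out of the web tree), as an added shell example that is not part of the original thread. It assumes a saved clamscan report and a Linux box with POSIX sh and awk; the sample web tree and report are constructed here, not the output of a real scan.

```shell
#!/bin/sh
# Added example, not from the original thread: quarantine every file that a
# saved clamscan report flags as Worm.Perl.Santy. Assumes the report is the
# output of "clamscan -r /www > santy.report", i.e. one "<path>: <sig> FOUND"
# line per hit and "<path>: OK" per clean file (what grep -v 'OK$' filters).
set -eu

# quarantine_from_report REPORT QDIR [SIGNATURE]
# Moves each flagged file under QDIR (outside the web tree and any PATH),
# keeping the original path layout so it can be inspected or restored later.
# Prints the number of files moved.
quarantine_from_report() {
    report=$1; qdir=$2; sig=${3:-Worm.Perl.Santy}
    list=$(mktemp); moved=0
    mkdir -p "$qdir"
    # Keep only FOUND lines for this exact signature and strip the trailing
    # ": <sig> FOUND"; done in awk so paths containing spaces survive intact.
    awk -v sig="$sig" '$NF == "FOUND" && $(NF-1) == sig {
        sub(/: [^:]* FOUND$/, ""); print }' "$report" > "$list"
    while IFS= read -r path; do
        [ -f "$path" ] || continue          # already gone: nothing to move
        dest="$qdir$path"                   # /www/x.pl -> $qdir/www/x.pl
        mkdir -p "$(dirname "$dest")"
        mv -- "$path" "$dest"
        chmod 0600 "$dest"                  # no longer executable or served
        moved=$((moved + 1))
    done < "$list"
    rm -f "$list"
    echo "$moved"
}

# make_sample_tree: a constructed web tree plus a hand-written report in the
# clamscan format above (no scanner is run here). Prints the sandbox root.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/www/forum/cache"
    printf 'clean page\n'      > "$root/www/forum/index.html"
    printf '#!/usr/bin/perl\n' > "$root/www/forum/cache/santy.pl"
    printf '#!/usr/bin/perl\n' > "$root/www/forum/m1 ho.pl"
    {
        printf '%s: OK\n'                    "$root/www/forum/index.html"
        printf '%s: Worm.Perl.Santy FOUND\n' "$root/www/forum/cache/santy.pl"
        printf '%s: Worm.Perl.Santy FOUND\n' "$root/www/forum/m1 ho.pl"
    } > "$root/santy.report"
    echo "$root"
}

sandbox=$(make_sample_tree)
echo "moved $(quarantine_from_report "$sandbox/santy.report" "$sandbox/quarantine") file(s) into $sandbox/quarantine"
```

Run the real scan first (freshclam, then clamscan -r /www > santy.report) and point the function at that report and a quarantine directory outside both the web tree and your PATH.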
