Security Incidents mailing list archives
Re: Systems compromised with ShellBOT perl script - part 2
From: Martin Mačok <martin.macok () underground cz>
Date: Wed, 20 Oct 2004 23:26:32 +0200
On Wed, Oct 20, 2004 at 12:04:36AM -0500, security () kemhosting com wrote:
They (somehow) copied it into /tmp and executed it. This confuses me because I have my /tmp directory mounted rw,noexec,nosuid. Does Perl somehow bypass this?
"noexec" is a protection against accidental execution or script kiddies. It could be circumvented by running $ /lib/ld-linux.so.2 /tmp/binary or in case of perl (or any other interpretter) $ perl /tmp/script.pl There is probably some patch (by Ulrich Drepper?) in linux-2.6 which makes it harder to circumvent "noexec" flag this way but my opinion is that flagging the file as not executable in no way guarantees that no one will read it and execute instructions written in it (in traditional DAC/unix environment) ... Martin Mačok IT Security Consultant
Current thread:
- re: Systems compromised with ShellBOT perl script - part 2 security (Oct 20)
- Re: Systems compromised with ShellBOT perl script - part 2 Meder Kydyraliev (Oct 20)
- re: Systems compromised with ShellBOT perl script - part 2 Jim Halfpenny (Oct 20)
- DoS worm David Gillett (Oct 20)
- Re: DoS worm Nick FitzGerald (Oct 21)
- DoS worm David Gillett (Oct 20)
- Re: Systems compromised with ShellBOT perl script - part 2 Jeffrey Denton (Oct 20)
- Re: Systems compromised with ShellBOT perl script - part 2 Martin Mačok (Oct 20)
- Re: Systems compromised with ShellBOT perl script - part 2 Harry de Grote (Oct 20)
- Re: Systems compromised with ShellBOT perl script - part 2 Stephen J. Smoogen (Oct 20)
- RE: Systems compromised with ShellBOT perl script - part 2 KEM Hosting (Oct 20)
- Re: Systems compromised with ShellBOT perl script - part 2 Thomas Hochstein (Oct 21)
- Re: Systems compromised with ShellBOT perl script - part 2 Paul Schmehl (Oct 22)
- <Possible follow-ups>
- RE: Systems compromised with ShellBOT perl script - part 2 KEM Hosting (Oct 20)
- Re: Systems compromised with ShellBOT perl script - part 2 Dave (Oct 20)
- Re: Systems compromised with ShellBOT perl script - part 2 Chris Norton (Oct 22)