Security Incidents mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Systems compromised with ShellBOT perl script - part 2

From: Martin Mačok <martin.macok () underground cz>
Date: Wed, 20 Oct 2004 23:26:32 +0200
On Wed, Oct 20, 2004 at 12:04:36AM -0500, security () kemhosting com wrote:


They (somehow) copied it into /tmp and executed it.  This confuses
me because I have my /tmp directory mounted rw,noexec,nosuid. Does
Perl somehow bypass this?


"noexec" is a protection against accidental execution or script
kiddies. It could be circumvented by running 

$ /lib/ld-linux.so.2 /tmp/binary

or in case of perl (or any other interpretter)

$ perl /tmp/script.pl

There is probably some patch (by Ulrich Drepper?) in linux-2.6 which
makes it harder to circumvent "noexec" flag this way but my opinion
is that flagging the file as not executable in no way guarantees that
no one will read it and execute instructions written in it (in
traditional DAC/unix environment) ...

Martin Mačok
IT Security Consultant
Previous By Date Next
Previous By Thread Next

Current thread: