re: Systems compromised with ShellBOT perl script - part 2

From: Jim Halfpenny (jim_at_openanswers.co.uk)
Date: 10/20/04

Next message: Jeffrey Denton: "Re: Systems compromised with ShellBOT perl script - part 2"

Previous message: KEM Hosting: "RE: Systems compromised with ShellBOT perl script - part 2"
In reply to: security_at_kemhosting.com: "re: Systems compromised with ShellBOT perl script - part 2"
Next in thread: David Gillett: "DoS worm"
Reply: David Gillett: "DoS worm"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Wed, 20 Oct 2004 17:14:27 +0100 (BST)
To: security@kemhosting.com

On Wed, 20 Oct 2004 security@kemhosting.com wrote:

> Today, hackers used the ShellBOT perl script to bring down Apache and start up
> their IRC listener. They (somehow) copied it into /tmp and executed it. This
> confuses me because I have my /tmp directory mounted rw,noexec,nosuid. Does
> Perl somehow bypass this?

Instead of running...

$ /tmp/perlscript.pl

they just have to run...

$ perl /tmp/perlscript.pl

Perl will read the file in /tmp, so no attempt is made to execute it
directly.

Regards,
Jim Halfpenny

Next message: Jeffrey Denton: "Re: Systems compromised with ShellBOT perl script - part 2"

Previous message: KEM Hosting: "RE: Systems compromised with ShellBOT perl script - part 2"
In reply to: security_at_kemhosting.com: "re: Systems compromised with ShellBOT perl script - part 2"
Next in thread: David Gillett: "DoS worm"
Reply: David Gillett: "DoS worm"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]