Re: Systems compromised with ShellBOT perl script - part 2

From: Jeffrey Denton (dentonj_at_gmail.com)
Date: 10/20/04

    Date: Wed, 20 Oct 2004 11:13:02 -0700
    To: incidents@securityfocus.com


    On Wed, 20 Oct 2004 00:04:36 -0500, security@kemhosting.com
    <security@kemhosting.com> wrote:

    > Today, hackers used the ShellBOT perl script to bring down Apache and start up
    > their IRC listener. They (somehow) copied it into /tmp and executed it. This
    > confuses me because I have my /tmp directory mounted rw,noexec,nosuid. Does
    > Perl somehow bypass this?

    If the command they are running is something similar to:

    # perl /tmp/script.pl

    Then script.pl isn't being directly executed, perl is. In this
    example, script.pl itself doesn't even need to be executable. The same
    thing can be done with shell scripts.

    # sh /tmp/script.sh

    The noexec flag can be bypassed by binaries that are dynamically
    linked by using /lib/ld-linux.so. You execute the linker and give the
    command you want to run as the option.

    # cp /usr/bin/ls /tmp
    # /tmp/ls
    /tmp/ls: Permission denied
    # /lib/ld-linux.so.2 /tmp/ls

    The only way that I'm aware of to stop the above from happening is by
    using libsafe. You will then end up with the following error:

    # /lib/ld-linux.so.2 /tmp/ls
    /tmp/ls: error while loading shared libraries: /tmp/ls: failed to map
    segment from shared object: Operation not permitted

    One interesting observation is that the output of ldd changes when run
    on commands located on noexec partitions and libsafe is being used.

    # ldd /tmp/ls
           not a dynamic executable
    # ldd /usr/bin/ls
           /lib/libsafe.so.2 => /lib/libsafe.so.2 (0x40017000)
           librt.so.1 => /lib/librt.so.1 (0x4002e000)
           libc.so.6 => /lib/libc.so.6 (0x40040000)
           . . .
           . . .

    One warning, libsafe is not always the answer to securing a system
    since it has a habit of interfering with programs and servers. As
    with every security measure, test, test, test.....

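    The two bypasses described in the message above (an interpreter
    reading a script from a noexec mount, and /lib/ld-linux.so.2 loading
    a binary from one) both leave the same trace in the process table:
    argv[0] is an interpreter or the loader, and the first non-option
    argument is a path on a noexec filesystem. The script below is an
    added example, not code from the original post or from any of the
    participants; it runs that check over a constructed /proc/mounts
    sample and a constructed `ps -eo args` sample, resolves each path to
    its longest-prefix mount (so a nested mount without noexec is not
    misreported), and prints a SUSPECT line per match. The interpreter
    list and the sample data are hypothetical; the script assumes mount
    points contain no whitespace.

```shell
#!/bin/sh
# Added example: flag processes that run a file from a noexec mount through
# an interpreter or the dynamic loader. Not from the original post.

# Constructed /proc/mounts sample (hypothetical layout; /tmp is noexec).
MOUNTS='/dev/sda1 / ext3 rw 0 0
tmpfs /tmp tmpfs rw,nosuid,noexec 0 0
/dev/sda3 /home ext3 rw,nodev 0 0'

# Constructed `ps -eo args` sample (hypothetical command lines).
PROCS='/usr/sbin/httpd -k start
perl /tmp/script.pl
/lib/ld-linux.so.2 /tmp/ls
sh /home/user/backup.sh
/usr/bin/perl /usr/local/bin/report.pl
bash -c /tmp/x.sh'

# mount_opts_for PATH: options of the mount whose mount point is the longest
# prefix of PATH (so an exec-allowed mount nested under /tmp wins over /tmp).
# Assumes mount points contain no whitespace.
mount_opts_for() {
  printf '%s\n' "$MOUNTS" | awk -v p="$1" '
    {
      m = $2
      if (m == "/" || p == m || index(p, m "/") == 1) {
        if (length(m) > best) { best = length(m); opts = $4 }
      }
    }
    END { print opts }'
}

# on_noexec PATH: succeed if PATH lives on a mount carrying the noexec option
on_noexec() {
  case ",$(mount_opts_for "$1")," in
    *,noexec,*) return 0 ;;
  esac
  return 1
}

# is_loader_or_interp ARGV0: succeed if argv[0] is a script interpreter or the
# dynamic loader. Hypothetical list; extend it to what your hosts ship.
is_loader_or_interp() {
  case "${1##*/}" in
    perl*|python*|ruby*|php*|sh|bash|dash|ksh|zsh|ld-linux*|ld.so*|ld-*.so*) return 0 ;;
  esac
  return 1
}

# flag_noexec_bypass: print one SUSPECT line per process whose argv[0] is an
# interpreter or the loader and whose first non-option argument is a path on
# a noexec mount.
flag_noexec_bypass() {
  printf '%s\n' "$PROCS" | while IFS= read -r line; do
    [ -n "$line" ] || continue
    set -- $line
    is_loader_or_interp "$1" || continue
    shift
    for arg in "$@"; do
      case "$arg" in -*) continue ;; esac
      if on_noexec "$arg"; then
        printf 'SUSPECT: %s  (target %s is on a noexec mount)\n' "$line" "$arg"
      fi
      break   # only the first non-option argument is the program or script
    done
  done
}

flag_noexec_bypass
```

    On a live host, replace the two constructed variables with
    `cat /proc/mounts` and `ps -eo args --no-headers`. The check is a
    heuristic: it does not see scripts fed on stdin or via `-e`, and a
    relocated interpreter copy with a different name will not match.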
