Re: Systems compromised with ShellBOT perl script - part 2
From: Martin Mačok (martin.macok_at_underground.cz)
Date: 10/20/04
- Previous message: KEM Hosting: "RE: Systems compromised with ShellBOT perl script - part 2"
- In reply to: security_at_kemhosting.com: "re: Systems compromised with ShellBOT perl script - part 2"
- Next in thread: Harry de Grote: "Re: Systems compromised with ShellBOT perl script - part 2"
Date: Wed, 20 Oct 2004 23:26:32 +0200
To: incidents@securityfocus.com
On Wed, Oct 20, 2004 at 12:04:36AM -0500, security@kemhosting.com wrote:
> They (somehow) copied it into /tmp and executed it. This confuses
> me because I have my /tmp directory mounted rw,noexec,nosuid. Does
> Perl somehow bypass this?

"noexec" is a protection against accidental execution or script
kiddies. It could be circumvented by running

    $ /lib/ld-linux.so.2 /tmp/binary

or in case of perl (or any other interpreter)

    $ perl /tmp/script.pl

There is probably some patch (by Ulrich Drepper?) in linux-2.6 which
makes it harder to circumvent the "noexec" flag this way but my opinion
is that flagging the file as not executable in no way guarantees that
no one will read it and execute instructions written in it (in
traditional DAC/unix environment) ...

Martin Mačok
IT Security Consultant
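
Added example, not part of the original message: a detection check for the two invocations shown above, flagging processes where an interpreter or the dynamic loader was handed a file that lives on a noexec mount. The mount table, process list, interpreter set and function names are constructed for illustration; on a live Linux host the same inputs come from /proc/mounts and /proc/<pid>/cmdline.

```python
import os

# Constructed sample input (not from the original post), in /proc/mounts format.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext3 rw 0 0
/dev/sda3 /tmp ext3 rw,noexec,nosuid 0 0
tmpfs /dev/shm tmpfs rw,noexec,nosuid,nodev 0 0
/dev/sda4 /home ext3 rw 0 0
"""
# Constructed pid -> argv map, as read from /proc/<pid>/cmdline split on NUL.
SAMPLE_PROCS = {
    101: ["perl", "/tmp/script.pl"],
    102: ["/lib/ld-linux.so.2", "/tmp/binary"],
    103: ["/usr/bin/perl", "-w", "/home/user/report.pl"],
    104: ["vi", "/tmp/notes.txt"],
    105: ["/bin/sh", "/dev/shm/.x/run.sh"],
}
INTERPRETERS = {"perl", "python", "php", "ruby", "sh", "bash"}  # assumed list

def noexec_mounts(mounts_text):
    # Field 2 is the mount point, field 4 the comma-separated options.
    points = []
    for line in mounts_text.splitlines():
        f = line.split()
        if len(f) >= 4 and "noexec" in f[3].split(","):
            points.append(f[1].replace("\\040", " "))  # /proc/mounts escapes spaces
    return points

def launches_code(argv0):
    # Drop version suffixes: perl5.8.0 -> perl, ld-linux.so.2 -> ld-linux.so
    base = os.path.basename(argv0).rstrip("0123456789.")
    return base in INTERPRETERS or base.startswith("ld-linux")

def under(path, mount):
    path = os.path.normpath(path)
    return path == mount or path.startswith(mount.rstrip("/") + "/")

def find_bypasses(mounts_text, procs):
    mounts = noexec_mounts(mounts_text)
    hits = []
    for pid, argv in sorted(procs.items()):
        if not argv or not launches_code(argv[0]):
            continue
        for arg in argv[1:]:
            if arg.startswith("/") and any(under(arg, m) for m in mounts):
                hits.append((pid, argv[0], arg))
                break
    return hits

if __name__ == "__main__":
    for hit in find_bypasses(SAMPLE_MOUNTS, SAMPLE_PROCS):
        print(hit)
```

The check only sees absolute paths in argv, so a script started by relative name from inside /tmp, or fed to the interpreter on stdin, needs /proc/<pid>/cwd and open-file inspection as well.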