Re: Systems compromised with ShellBOT perl script - part 2

From: Martin Mačok (martin.macok_at_underground.cz)
Date: 10/20/04

  • Next message: Harry de Grote: "Re: Systems compromised with ShellBOT perl script - part 2"
    Date: Wed, 20 Oct 2004 23:26:32 +0200
    To: incidents@securityfocus.com
    
    

    On Wed, Oct 20, 2004 at 12:04:36AM -0500, security@kemhosting.com wrote:

    > They (somehow) copied it into /tmp and executed it. This confuses
    > me because I have my /tmp directory mounted rw,noexec,nosuid. Does
    > Perl somehow bypass this?

    "noexec" is a protection against accidental execution or script
    kiddies. It could be circumvented by running

    $ /lib/ld-linux.so.2 /tmp/binary

    or in case of perl (or any other interpretter)

    $ perl /tmp/script.pl

    There is probably some patch (by Ulrich Drepper?) in linux-2.6 which
    makes it harder to circumvent "noexec" flag this way but my opinion
    is that flagging the file as not executable in no way guarantees that
    no one will read it and execute instructions written in it (in
    traditional DAC/unix environment) ...

    Martin Mačok
    IT Security Consultant


  • Next message: Harry de Grote: "Re: Systems compromised with ShellBOT perl script - part 2"