Re: Systems compromised with ShellBOT perl script - part 2

From: Martin Mačok (martin.macok_at_underground.cz)
Date: 10/20/04

  • Next message: Harry de Grote: "Re: Systems compromised with ShellBOT perl script - part 2"
    Date: Wed, 20 Oct 2004 23:26:32 +0200
    To: incidents@securityfocus.com
    
    

    On Wed, Oct 20, 2004 at 12:04:36AM -0500, security@kemhosting.com wrote:

    > They (somehow) copied it into /tmp and executed it. This confuses
    > me because I have my /tmp directory mounted rw,noexec,nosuid. Does
    > Perl somehow bypass this?

    "noexec" is a protection against accidental execution or script
    kiddies. It could be circumvented by running

    $ /lib/ld-linux.so.2 /tmp/binary

    or in case of perl (or any other interpreter)

    $ perl /tmp/script.pl

    There is probably some patch (by Ulrich Drepper?) in linux-2.6 which
    makes it harder to circumvent "noexec" flag this way but my opinion
    is that flagging the file as not executable in no way guarantees that
    no one will read it and execute instructions written in it (in
    traditional DAC/unix environment) ...

    Martin Mačok
    IT Security Consultant
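
A detection-side view of the point made in this message, as an added example that is not part of the original post: it reads the noexec mount points and flags processes whose dynamic loader or interpreter was handed a file on one of them. The runner-name pattern, the function names and the sample mount table are assumptions constructed for illustration.

```python
import os
import re

# Constructed sample in /proc/mounts format (not taken from the original post).
SAMPLE_MOUNTS = """\
/dev/sda1 / ext3 rw 0 0
/dev/sda3 /tmp ext3 rw,noexec,nosuid 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec 0 0
"""

# Assumption: program names treated as "dynamic loader or interpreter".
RUNNERS = re.compile(r"^(ld-linux.*\.so\.\d+|ld\.so|perl[\d.]*|python[\d.]*|ruby|php|sh|bash|dash)$")

def noexec_mounts(mounts_text):
    """Return the mount points whose option list contains noexec."""
    points = []
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and "noexec" in fields[3].split(","):
            points.append(fields[1].replace("\\040", " "))  # /proc/mounts escapes spaces
    return points

def under(path, mount):
    """True if path is the mount point itself or lies below it."""
    return path == mount or path.startswith(mount.rstrip("/") + "/")

def flag_argv(argv, mounts):
    """Return the noexec-mounted path a loader/interpreter was given, else None."""
    if not argv or not RUNNERS.match(os.path.basename(argv[0])):
        return None
    for arg in map(os.path.normpath, argv[1:]):
        if arg.startswith("/") and any(under(arg, m) for m in mounts):
            return arg
    return None

def scan_proc():
    """Apply flag_argv to every running process (Linux /proc only)."""
    with open("/proc/mounts") as f:
        mounts = noexec_mounts(f.read())
    hits = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/cmdline", "rb") as f:
                argv = f.read().decode(errors="replace").rstrip("\0").split("\0")
        except OSError:
            continue  # process exited or is not readable
        hit = flag_argv(argv, mounts)
        if hit:
            hits.append((int(pid), hit, argv))
    return hits
```

Call `scan_proc()` as root on the host to cover all processes. A process can rewrite its own command line and relative script paths are not resolved here, so an empty result is weak evidence on its own.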

