Re: suidperl in /var/log/secure
From: Luke Vogel (luke@bell-bird.com.au)
Date: 04/22/02
From: Luke Vogel <luke@bell-bird.com.au> Date: Mon, 22 Apr 2002 20:08:59 +1000
Tony wrote:
>
> Hi,
> I have searched the entire machine and cannot find the script. Any ideas?
I'm not surprised. Many exploit scripts delete themselves on successful
completion (and unsuccessful completion if it comes to that).
If you want to look at the script that was used, search on packetstorm
for "xperl.sh". You will notice that at the end of the script it _does_
remove itself :)
Perhaps you could try the script on yourself and see if you are
vulnerable. If you are, then you need to look much deeper into your
file system AND try and figure out if one of your users is wearing a
dark shade of hat, or whether someone has penetrated you from the net!
Even if you are not vulnerable, I would recommend that you either remove
the suidperl binary, or at the very least unset the suid bit.
--
Regards
Luke
------
Q: What does FAQ stand for?
A: We are Frequently Asked this Question, and we have no idea.
------
C.O.L.S FAQ - http://www.linuxsecurity.com/docs/colsfaq.html
Note: Remove NOSPAM from my return address if necessary
------
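The remediation recommended in the message above (remove suidperl or unset its suid bit), as an added example that is not part of the original post. The `sperl*` name pattern and the `/usr/bin` default are assumptions; adjust them to where your distribution installs perl.

```shell
#!/bin/sh
# Added example: audit and remediate setuid perl binaries.
# Assumption: the binary is installed as "suidperl" and/or "sperl<version>"
# (for example sperl5.6.1); adjust the name patterns for your system.

# Print every regular file under $1 that matches those names AND still has
# the setuid bit set (-perm -4000). Read-only.
find_suid_perl() {
    root=${1:-/usr/bin}
    find "$root" -xdev -type f \( -name 'suidperl' -o -name 'sperl*' \) \
        -perm -4000 2>/dev/null
}

# Record owner, mode and mtime of each match before changing anything,
# so the state can be compared against package metadata or backups later.
report_suid_perl() {
    find_suid_perl "${1:-/usr/bin}" | while IFS= read -r f; do
        ls -ld "$f"
    done
}

# Clear the setuid bit on each match and say what was changed.
# The file itself is left in place; deleting it is the stricter option.
strip_suid_perl() {
    find_suid_perl "${1:-/usr/bin}" | while IFS= read -r f; do
        chmod u-s "$f" && printf 'cleared setuid: %s\n' "$f"
    done
}

# Usage: script.sh report [dir]   or   script.sh strip [dir]
case "${1:-}" in
    report) report_suid_perl "${2:-/usr/bin}" ;;
    strip)  strip_suid_perl  "${2:-/usr/bin}" ;;
esac
```

Run `report` first and keep its output; a package upgrade can restore the suid bit, so the check is worth repeating after updates.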