
Re: a weird script worm uploaded via php with debian 3.0 ?



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wed, 11 Jun 2003 at 10:47:49AM +0200, Giacomo Mulas wrote:
> On Wed, 11 Jun 2003, Celso González wrote:
> 
> > I don't have any information about your trojan, but I can give you a
> > solution (also a good security practice)
> >
> > Mount /tmp in a separate partition with the noexec flag in fstab
> >
> > This will disable most of the trojans
> 
> Sorry to delude you, but browse the archives: you will find that even with
> a noexec partition you can run any executable by just invoking
> 
> /lib/ld.so /tmp/yourexecutable

While I agree with your observation I feel compelled to defend his
point.

He said mounting /tmp will stop MOST Trojans.  While it might not stop a
trojan planted by a person, it will stop a trojan planted by a worm
(which is what this thread is about) since the author of the worm might
not have had the insight to use ld.so.

Take care,

- -- 
Phillip Hofmeister

PGP/GPG Key:
http://www.zionlth.org/~plhofmei/
wget -O - http://www.zionlth.org/~plhofmei/key.txt | gpg --import
- --
Excuse #66: Unoptimized hard drive 

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)

iD8DBQE+5yG/S3Jybf3L5MQRAtz3AJ4oU0nYQytble771jtm9XdoTateOACdFSGD
qcSmvXIQBxHUQlgrf5o/ui0=
=BVu8
-----END PGP SIGNATURE-----
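
Added example (not part of the original message): a Python check that /tmp is a separate mount carrying noexec, as the quoted advice suggests. It goes beyond the thread by also checking nosuid and nodev and by covering /var/tmp and /dev/shm; the TARGETS list, the REQUIRED flags and the sample fstab are assumptions made for illustration.

```python
"""Audit mount options of world-writable directories (added example)."""
import sys

REQUIRED = ("noexec", "nosuid", "nodev")    # assumed hardening baseline
TARGETS = ("/tmp", "/var/tmp", "/dev/shm")  # assumed directories to check


def parse_mounts(text):
    """Return {mount_point: set(options)} from fstab- or /proc/mounts-style text."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 4:
            continue
        # Fields: device, mount point, fs type, comma-separated options.
        # A later entry for the same mount point overrides an earlier one.
        table[fields[1]] = set(fields[3].split(","))
    return table


def audit(text, targets=TARGETS, required=REQUIRED):
    """Return {target: [problems]}; targets with no problems are omitted."""
    table = parse_mounts(text)
    findings = {}
    for target in targets:
        if target not in table:
            # Without its own mount the directory inherits the parent's options.
            findings[target] = ["not a separate mount"]
            continue
        missing = [flag for flag in required if flag not in table[target]]
        if missing:
            findings[target] = missing
    return findings


# Constructed sample in /etc/fstab format (not taken from the thread).
SAMPLE_FSTAB = """\
# <device>  <mount>   <type> <options>                  <dump> <pass>
/dev/hda1   /         ext3   defaults,errors=remount-ro 0 1
/dev/hda5   /tmp      ext3   defaults,noexec,nosuid     0 2
/dev/hda6   /var/tmp  ext3   defaults                   0 2
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_FSTAB
    for path, problems in audit(text).items():
        print(f"{path}: {', '.join(problems)}")
```

Run it with `/proc/mounts` as the argument to check the live system, or with `/etc/fstab` to check what will be applied at the next boot.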


