Re: slapper countermeasures
Jean Christophe ANDRÃ0/00 wrote:
Same idea here this night! :)
I was thinking about the *good* way to do it...
May be something like this (root mail, some wait, virus self-kill):
/bin/ls -la /tmp | /bin/mail -s "You have been infected by the Slapper worm" root
/bin/sleep 300 # to wait for the propagation, some network are slow
/bin/kill -9 $PPID # *MUST* CHECK IF IT WILL REALLY KILL THE *RIGHT* ONE!!
The problem will be: every command that slapper executes runs with the
uid of the infiltrated ssl webserver. So I guess that in most cases
there won't be a chance to issue a "kill" or "killall" command. Hmm, is
there a chance to cause the program to finish itself in a given condition?