Re: slapper countermeasures

To: Jean Christophe ANDRÃ0/00 <jean-christophe.andre@auf.org>
Cc: debian-security@lists.debian.org
Subject: Re: slapper countermeasures
From: Michael Renzmann <mrenzmann@dylanic.de>
Date: Tue, 17 Sep 2002 21:15:52 +0200
Message-id: <[🔎] 3D877F68.8010802@dylanic.de>
References: <[🔎] 3D8775CF.70200@dylanic.de> <[🔎] 20020917190711.GA13051@virus.home>

Hi.

Jean Christophe ANDRÃ0/00 wrote:

Same idea here this night! :)


Hehe :)

I was thinking about the *good* way to do it...
May be something like this (root mail, some wait, virus self-kill):
  /bin/ls -la /tmp | /bin/mail -s "You have been infected by the Slapper worm" root
  /bin/sleep 300	# to wait for the propagation, some network are slow
  /bin/kill -9 $PPID	# *MUST* CHECK IF IT WILL REALLY KILL THE *RIGHT* ONE!!

The problem will be: every command that slapper executes runs with theuid of the infiltrated ssl webserver. So I guess that in most casesthere won't be a chance to issue a "kill" or "killall" command. Hmm, isthere a chance to cause the program to finish itself in a given condition?


Bye, Mike

Reply to:

Follow-Ups:
- Re: slapper countermeasures
  - From: Jean Christophe ANDRÃ? <jean-christophe.andre@auf.org>

References:
- slapper countermeasures
  - From: Michael Renzmann <mrenzmann@dylanic.de>
- Re: slapper countermeasures
  - From: Jean Christophe ANDRÃ? <jean-christophe.andre@auf.org>

Prev by Date: Re: slapper countermeasures
Next by Date: Re: slapper countermeasures
Previous by thread: Re: slapper countermeasures
Next by thread: Re: slapper countermeasures
Index(es):
- Date
- Thread