
Re: slapper countermeasures



J.C. André wrote:
> >Maybe something like this (root mail, some wait, virus self-kill):
> >  /bin/ls -la /tmp | /bin/mail -s "You have been infected by the Slapper worm" root
> >  /bin/sleep 300	# to wait for the propagation, some networks are slow
> >  /bin/kill -9 $PPID	# *MUST* CHECK IF IT WILL REALLY KILL THE *RIGHT* ONE!!

Michael Renzmann wrote:
> The problem will be: every command that slapper executes runs with the 
> uid of the infiltrated ssl webserver.

So the kill will also run as the same uid...

> So I guess that in most cases there won't be a chance to issue a "kill"
> or "killall" command.

I don't mean to kill anything other than the virus itself! Managing the
webserver is too far away from what we can do without altering anything
valuable on the server!

> Hmm, is there a chance to cause the program to finish itself in a given
> condition?

Since it would use shell commands (I still have not got deeply into the
source), the best way is to use "/bin/kill" and the PPID which will tell
you who launched the shell (it should be the virus itself).

J.C.
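
The check that the quoted snippet's comment asks for before `kill -9 $PPID`, as an added example that is not part of the original message: the shell sets `$PPID` once at startup, so after a long `sleep` it can name a dead or reused PID. The sketch assumes Linux `/proc` and `stat -c`, uses the shell's builtin `kill`, and takes the expected process name as a hypothetical parameter because the thread does not name the worm's process.

```shell
#!/bin/sh
# Added example (not from the thread): verify a PID before killing it.
# The expected name is a caller-supplied placeholder; no real worm
# process name is assumed here.

# guarded_check PID EXPECTED_NAME
# Returns 0 only if PID is a live process, owned by our own uid, whose
# command name in /proc/PID/comm (truncated by the kernel to 15 chars)
# equals EXPECTED_NAME. Distinct non-zero codes say why it refused.
guarded_check() {
    gc_pid=$1
    gc_expected=$2
    case $gc_pid in
        ''|*[!0-9]*) return 2 ;;               # not a plain number
    esac
    # PID 1 is what an orphaned shell gets as its real parent; never touch it.
    [ "$gc_pid" -gt 1 ] || return 2
    [ -r "/proc/$gc_pid/comm" ] || return 3    # process no longer exists
    gc_owner=$(stat -c %u "/proc/$gc_pid") || return 3
    # The thread's point: everything runs as the web server's uid, so a
    # kill can only ever succeed against a process with that same uid.
    [ "$gc_owner" = "$(id -u)" ] || return 4
    gc_name=$(cat "/proc/$gc_pid/comm") || return 3
    [ "$gc_name" = "$gc_expected" ] || return 5  # PID reused by something else
    return 0
}

# guarded_kill PID EXPECTED_NAME
# Sends SIGKILL only when guarded_check accepts the target.
guarded_kill() {
    guarded_check "$1" "$2" || return $?
    kill -KILL "$1"
}

# Usage inside the spawned shell, in place of the bare kill:
#   guarded_kill "$PPID" "constructed-expected-name"
```

A small window remains between the check and the signal; the check narrows the risk of hitting a reused PID but does not remove it.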


