Re: slapper countermeasures
J.C. André écrivait :
> >May be something like this (root mail, some wait, virus self-kill):
> > /bin/ls -la /tmp | /bin/mail -s "You have been infected by the Slapper
> > worm" root
> > /bin/sleep 300 # to wait for the propagation, some network are slow
> > /bin/kill -9 $PPID # *MUST* CHECK IF IT WILL REALLY KILL THE *RIGHT*
> > ONE!!
Michael Renzmann écrivait :
> The problem will be: every command that slapper executes runs with the
> uid of the infiltrated ssl webserver.
So the kill will also run as the same uid...
> So I guess that in most cases there won't be a chance to issue a "kill"
> or "killall" command.
I don't mean to kill anything else than the virus itself! Managing the
webserver is to far away from what we can do without altering anything
valuable on the server!
> Hmm, is there a chance to cause the program to finish itself in a given
> condition?
Since it would use shell commands (I still not have got deeply in the
source), the best way is to use "/bin/kill" and the PPID which will tell
you who launched the shell (it should be the virus itself).
J.C.
Reply to: