
Re: slapper countermeasures


Jean Christophe ANDRÉ wrote:
The problem will be: every command that slapper executes runs with the uid of the infiltrated ssl webserver.
So the kill will also run as the same uid...

*bing* Ok, got the point. I forgot that the uid is allowed to kill processes with its own uid.

So I guess that in most cases there won't be a chance to issue a "kill"
or "killall" command.
I don't mean to kill anything else than the virus itself! Managing the
webserver is too far away from what we can do without altering anything
valuable on the server!

"killall .bugtraq" would be suitable as well, and it would "destroy" every other instance of the program that is running currently. Even if detecting the current PPID does not work for whatever reason.

Bye, Mike
