Re: slapper countermeasures
Jean Christophe ANDRÉ wrote:
The problem will be: every command that slapper executes runs with the
uid of the infiltrated ssl webserver.
So the kill will also run as the same uid...
*bing* Ok, got the point. I forgot that the uid is allowed to kill
processes with its own uid.
So I guess that in most cases there won't be a chance to issue a "kill"
or "killall" command.
I don't mean to kill anything other than the virus itself! Managing the
webserver is too far away from what we can do without altering anything
valuable on the server!
"killall .bugtraq" would be suitable as well, and it would "destroy"
every other instance of the program that is running currently. Even if
detecting the current PPID does not work for whatever reason.