
Re: New Linux worm crawls the web



[This message has also been posted to linux.debian.user,comp.infosystems.www.servers.unix.]
In article <57iWN-3za-27@gated-at.bofh.it>, Hugo Vanwoerkom wrote:
> Paul Johnson wrote:
>> Hugo Vanwoerkom wrote:
>>>Mike McCarty wrote:
>>>
>>>>http://www.securityfocus.com/brief/38?ref=rss
>>>
>>>How to detect whether infection has occurred?
>> 
>> Don't go overboard yet.  Might want to read Steve Lamb's comment about this
>> just upthread.
>
> Like Joey says, Debian Sarge with security updates avoids the problem.
> Yet... it would still be nice to know how to tell that there was no 
> infection.

It's misleading to call these things "Linux worms."
The worm attacks PHP applications.  You can update Sarge
every day.  If one of your users is running PHP Nuke
or Mambo or phpBB or Squirrel Mail, you have directories
where the Web server can create executable files and run them.
If your users don't maintain their PHP apps, they can
have holes that let the worm create files in /tmp or /var/tmp.
If you install in the default places, the worm knows where
your Mambo modules directory is.

Sure, the worm wants to pull in a rootkit, and maybe Sarge
with security updates will prevent the root escalation.
That depends on the rootkit, and the worm.  But even if
it only gets UID 33 (www-data), it can pull in and run PHP
code.  Your box can become a spammer bot or an attack bot that way,
and you can help propagate the worm to other hosts where
the rootkit might succeed.

I think it's a major security bug for /tmp and /var/tmp
to be mounted with exec privileges.  It's a major security
problem for the Web server user to be able to create
and run executables anywhere.  I hope the Debian maintainers
are going to fix it, because the PHP application community
never will.


Cameron
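As an added example, not part of Cameron's post or anything else in this thread: a small POSIX shell check for the point made above, that /tmp and /var/tmp should be mounted without exec privileges. It parses a /proc/mounts-style table and reports which of noexec, nosuid and nodev are missing from each mount point. The mounts table embedded in the script is constructed for the example, and the fstab lines in the comment (tmpfs for /tmp, a bind mount for /var/tmp) are an assumption about how the box is laid out, not something the post specifies.

```shell
#!/bin/sh
# Added example (not from the original post): verify that /tmp and /var/tmp
# are mounted noexec,nosuid,nodev by parsing /proc/mounts-style text.
# SAMPLE_MOUNTS below is a constructed table, not captured from a real host;
# /var/tmp is deliberately left without the hardening options.
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda3 /var/tmp ext3 rw,relatime 0 0'

# mount_opts MOUNTS_TEXT MOUNTPOINT -> prints the comma-separated option field
# of the line whose mount point is MOUNTPOINT (empty if it is not a mount).
mount_opts() {
    printf '%s\n' "$1" | awk -v mp="$2" '$2 == mp { print $4; exit }'
}

# has_opt OPTS OPT -> exit 0 if OPT appears as a whole comma-separated token
# (so "noexec" does not match an unrelated option that merely contains it).
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)         return 1 ;;
    esac
}

# check_mount MOUNTS_TEXT MOUNTPOINT -> prints "<mp>: ok" and returns 0, or
# prints the missing options and returns 1. A directory that is not its own
# mount point inherits the root filesystem's options, which practically never
# include noexec, so an absent entry correctly reports all three as missing.
check_mount() {
    opts=$(mount_opts "$1" "$2")
    missing=""
    for want in noexec nosuid nodev; do
        has_opt "$opts" "$want" || missing="$missing $want"
    done
    if [ -n "$missing" ]; then
        printf '%s: missing%s\n' "$2" "$missing"
        return 1
    fi
    printf '%s: ok\n' "$2"
    return 0
}

# check_all MOUNTS_TEXT -> checks both scratch directories, returns 1 if
# either one fails.
check_all() {
    rc=0
    for mp in /tmp /var/tmp; do
        check_mount "$1" "$mp" || rc=1
    done
    return $rc
}

# /etc/fstab lines the check expects (assumption: a tmpfs /tmp is acceptable
# for the host; /var/tmp is bind-mounted onto it when it has no partition):
#   tmpfs  /tmp      tmpfs  rw,nosuid,nodev,noexec        0 0
#   /tmp   /var/tmp  none   rw,bind,nosuid,nodev,noexec   0 0

# On a live host replace "$SAMPLE_MOUNTS" with "$(cat /proc/mounts)".
if check_all "$SAMPLE_MOUNTS"; then
    echo "scratch directories are mounted noexec"
else
    echo "fix /etc/fstab and remount (mount -o remount /tmp)"
fi
```

One caveat a practitioner will want alongside this: noexec only stops the kernel from executing a file directly. A dropped script still runs when fed to an interpreter (`php /tmp/x.php`, `perl /tmp/x.pl`), which is exactly what a worm running as www-data can do once it holds a shell, so the mount option raises the bar but does not substitute for keeping the PHP applications patched.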
