J.C. André wrote:
> >Maybe something like this (root mail, some wait, virus self-kill):
> >    /bin/ls -la /tmp | /bin/mail -s "You have been infected by the Slapper worm" root
> >    /bin/sleep 300 # to wait for the propagation, some networks are slow
> >    /bin/kill -9 $PPID # *MUST* CHECK IF IT WILL REALLY KILL THE *RIGHT* ONE!!

Michael Renzmann wrote:
> The problem will be: every command that slapper executes runs with the
> uid of the infiltrated ssl webserver. So the kill will also run as the same uid...
> So I guess that in most cases there won't be a chance to issue a "kill"
> or "killall" command.

I don't mean to kill anything other than the virus itself! Managing the webserver is too far away from what we can do without altering anything valuable on the server!

> Hmm, is there a chance to cause the program to finish itself in a given
> condition?

Since it would use shell commands (I still have not got deeply into the source), the best way is to use "/bin/kill" and the PPID which will tell you who launched the shell (it should be the virus itself).

J.C.

