In response to Paul Schmehl <>:

> --On Tuesday, August 25, 2009 07:26:04 -0500 Bill Moran 
> <> wrote:
> >>
> >> I am currently killing the process with the following bash command while I
> >> decide what to do next:
> >>
> >> $ while x=1 ; do sudo killall -9 perl5.8.9  && echo "killed..." ; sleep 15;
> >> done
> >
> > You can add an ipfw rule to prevent the script from calling home, which
> > will effectively render it neutered until you can track down and actually
> > _fix_ the problem.
> >
> > In reality, good security practice says that you should have IPFW (or some
> > other firewall) running and only allowing known good traffic right from
> > the start, which might have protected you from this in the first place.
> >
> I disagree.  I used to believe this, but experience has taught me otherwise. 
> When you run a firewall on a host, you open the ports for the services you 
> want 
> to offer.  The firewall provides you no protection at all against hackers 
> attacking the services that are listening on ports opened through the 
> firewall. 
> All a host firewall does is consume CPU and memory and give you a warm fuzzy 
> that doesn't really add to security at all and may well make you less 
> vigilant. 
> (And yes, I know I'm a security heretic in some quarters.)

Well, you're entitled to your opinion, but I think it's misguided.

Security isn't always about preventing a compromise.  Sometimes it's about
reducing the damage.

If he had a packet filter installed that allowed only known-good traffic,
he still might have gotten compromised through a web server, you got that
part right.

The part you missed is that the installed script needs to connect out to
talk to it's bot master.  The packet filter would have prevented this
communication, thus the rogue script would have been useless.  While the
compromise of the machine would succeed, control of the machine would not
fall into other hands, and the script would be incapable of compromising
_information_ on the machine (as it stands, you have no idea what files
that script has been sending up to the bot master ... password files, for

A side note to that.  Make sure to change each and every password, key file,
etc on that system, as they're all suspect at this point.

Bill Moran
_______________________________________________ mailing list
To unsubscribe, send any mail to ""

Reply via email to