<quote who="Tim White">
> Reports indicate that the Apache/mod_ssl worm's source code is placed
> in /tmp/.bugtraq.c on infected systems. It is compiled with gcc,
> resulting in the executable binary being stored at /tmp/.bugtraq;
> therefore, presence of any of the following files on Linux systems
> running Apache with OpenSSL is indicative of compromise.
I've taken a bit of stick every now and then for refusing to let co-admins
install gcc and other non-server-related software on machines that I admin.
Giving gcc to a worm or human attacker is like arming them with an anti-aircraft
missile in an inner city cafeteria.
"But what if I have to build a kernel?" -> you can do it on *any* other
machine, even cross-compiling it on a different architecture if you're
feeling lucky
"But what if I have to rebuild a patched package?" -> do it on your test
system which should be exactly like your production machine anyway
"But it's convenient!" -> go to the back of the class
If you can, it's even worth removing perl, bash (/dev/tcp!), and other tools
from machines that you're paranoid about. Don't give a worm or human
attacker *any* rope to hang you on. This worm can be extra sneaky given that
it can compile itself, but don't discount the damage that a perl or python
based worm could do before detection.
[ Unfortunately, I can't do that with my distribution, but I hope the day
will come when I can. It would be cool if other distributions greyed out
the 'development' tools option once you select 'server' too, though
perhaps that's a bit harsh. :-) ]
Numero Uno: Don't put any crap, compiler or not, on your server that you
don't need. It can and will be used against you.
- Jeff
--
The Unix Way: Everything is a file.
The Linux Way: Everything is a filesystem.
--
SLUG - Sydney Linux User's Group - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug
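As an added illustration of the advice in Jeff's post (this is not code from the post or from the SLUG list), the following POSIX sh script audits a host the way a cautious admin would: it reports whether the worm's indicator files named in the quoted report are present, and it lists which build and scripting tools (the post's examples gcc, perl, bash, plus the usual toolchain companions, an assumed list) are reachable on PATH. It is read-only and changes nothing. The directory arguments to the two check functions are parameters so the checks can be exercised against a constructed directory rather than only the live system.

```shell
#!/bin/sh
# Added example, not from the original post: read-only audit of a server for
# (1) the Apache/mod_ssl worm's indicator files named in the quoted report and
# (2) compilers and interpreters that a hardened production server should not
# carry. Nothing is deleted or modified; the script only prints findings.

# Indicator file names from the quoted report (found under /tmp on infected
# hosts). The directory is passed in so the check can run against any path.
IOC_NAMES=".bugtraq.c .bugtraq"

# check_ioc_files DIR
# Prints each indicator present under DIR. Returns 0 if none found, 1 if any.
check_ioc_files() {
    dir="$1"
    found=0
    for name in $IOC_NAMES; do
        if [ -e "$dir/$name" ]; then
            echo "INDICATOR: $dir/$name present"
            found=1
        fi
    done
    return $found
}

# Tools the post recommends keeping off production machines. gcc, perl and
# bash come from the post; the rest of the list is an assumption (the usual
# companions of a working build chain plus python, which the post mentions).
DEV_TOOLS="gcc cc g++ as ld make perl python bash"

# find_dev_tools DIR...
# Prints each listed tool that exists as an executable in any DIR given.
# Returns the number of tools found, so 0 means none are present.
find_dev_tools() {
    count=0
    for tool in $DEV_TOOLS; do
        for dir in "$@"; do
            if [ -x "$dir/$tool" ]; then
                echo "TOOL: $dir/$tool"
                count=$((count + 1))
                break
            fi
        done
    done
    return $count
}

# audit_host
# Runs both checks against the live system: /tmp for indicators, every PATH
# entry for tools. Returns 1 only if an indicator file was found.
audit_host() {
    rc=0
    check_ioc_files /tmp || rc=1
    # Split PATH on ':' into positional parameters (restored on return).
    old_ifs=$IFS
    IFS=:
    set -- $PATH
    IFS=$old_ifs
    find_dev_tools "$@" || echo "$? build/scripting tools found on PATH"
    return $rc
}

# Run the live audit when executed; set NO_LIVE_AUDIT=1 to only load functions.
if [ -z "${NO_LIVE_AUDIT:-}" ]; then
    audit_host
fi
```

Run it as root from cron or a config-management check and alert on any INDICATOR line; the TOOL lines are the inventory of things to uninstall (or to justify) on a machine that is meant to serve rather than build.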