On Thu, December 28, 2006 4:25 pm, Erik de Castro Lopo wrote:

>> perhaps, but, it certainly would have prevented two infiltrations I had
>> in the last few months
>
> I *REALLY* honestly don't think so. Once somebody is in they will
> use a Perl script. If Perl isn't installed they will do something else,
> like uploading a precompiled binary.
>
> The idea is to prevent people getting in to begin with. Once they
> are in it's way too late.
Erik, thanks, you obviously have a great deal more experience than I do, and I agree the idea is to prevent in the 1st place.

However, going by a rather limited experience of two semi-successful infiltrations: they call a code from a remote server like 'sg-webDOTorg/cmd2DOTtxt' (change DOT to .), trying 5 downloaders until it executes. I'm guessing if the download/execution fails, the scripts will search/target other servers.

Sure, what I'm suggesting will not stop a serious attempt to exploit a hole, but it should deflect such a script as it was. When I realized the server was infiltrated, the 'solution' was: remove downloaders, remove perl, reboot server, problem removed; next day the problem was located, 'faulty' CMSs were deleted, and Perl re-instated. So, until the CMSs were removed, someone could've run different exploits, but it didn't happen.

I feel this is like moving ssh to a non-standard port, a small measure to reduce exposure.

Lastly, now that '/tmp' is mounted as

/tmp type ext3 (rw,noexec,nosuid,nodev,noatime,nodiratime)

that should hopefully prevent execution of such exploits.

Thanks for all the comments

-- 
Voytek

-- 
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
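A small audit script for the /tmp hardening mentioned at the end of the thread, added here as an example (not part of the original mail): it parses mount-table text in /proc/mounts format and reports which of noexec, nosuid and nodev are missing for a given mount point. The mount table below is constructed sample data; on a live host you would feed it "$(cat /proc/mounts)" instead.

```shell
#!/bin/sh
# Constructed sample in /proc/mounts format (device mountpoint fstype options dump pass).
# The /tmp line mirrors the options quoted in the mail; /var/tmp is left unhardened.
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw,relatime 0 0
/dev/sda3 /tmp ext3 rw,noexec,nosuid,nodev,noatime,nodiratime 0 0
/dev/sda4 /var/tmp ext3 rw,noatime 0 0'

# Print the options field for a mount point ($1) from mount-table text ($2).
mount_opts() {
    printf '%s\n' "$2" | awk -v mp="$1" '$2 == mp { print $4; exit }'
}

# Report which of noexec,nosuid,nodev are missing for mount point $1 in table $2.
# Prints "ok", "not-mounted", or a comma-separated list of missing options.
# Exit status: 0 when all three are present, 1 when some are missing, 2 if not mounted.
missing_hardening() {
    opts=$(mount_opts "$1" "$2")
    [ -n "$opts" ] || { echo "not-mounted"; return 2; }
    missing=""
    for want in noexec nosuid nodev; do
        # Wrap in commas so a substring such as "nodev" cannot match "nodevxyz".
        case ",$opts," in
            *",$want,"*) ;;
            *) missing="${missing:+$missing,}$want" ;;
        esac
    done
    if [ -z "$missing" ]; then echo ok; return 0; fi
    echo "$missing"
    return 1
}

# Usage: audit the world-writable scratch directories in the constructed table.
for mp in /tmp /var/tmp; do
    printf '%s: %s\n' "$mp" "$(missing_hardening "$mp" "$SAMPLE_MOUNTS")"
done
```

Note that noexec only blocks direct execution of files on that filesystem; an interpreter invoked as "perl /tmp/x" or "sh /tmp/x" still reads and runs the file, which is why the mount option is a layer rather than a fix.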
