Voytek Eymont wrote:

> sure, what I'm suggesting will not stop a serious attempt to exploit a
> hole, but, it should deflect such a script

This is probably correct, renaming Perl may deflect scripts which rely on perl being easily found. However, patching the hole and securing your system is likely to have a greater return on investment.

You mention that the script uses multiple paths to attempt to download the exploit. It may be possible that it also uses multiple execution paths: Perl, then Python, shell and maybe a few other things. Renaming all of these may not be feasible.

> as it was, when I realized the server was infiltrated, the 'solution' was:
> remove downloaders, remove perl, reboot server, problem removed;
> next day the problem was located, 'faulty' CMSs were deleted, and, Perl
> re-instated

I'm not certain about your confidence here about "problem removed". I understand that you haven't seen different exploits occurring, but without a full re-install it's difficult to be certain that root kits haven't been installed on your system and are now lying in wait. Most systems administrators will therefore encourage you to do a complete re-install, or restore from a known good state after any compromise.

> so, until the CMSs were removed, someone could've run different exploits,
> but it didn't happen.

Depending on how much access to your machines they got, I'm not sure you can say this with confidence. Logs can be faked, important entries removed, etc.

> lastly, now that '/tmp' is mounted as
> /tmp type ext3 (rw,noexec,nosuid,nodev,noatime,nodiratime)
> that should hopefully prevent execution of such exploits

It should reduce them, but it probably won't prevent all (or even possibly most) of them. If the CMS has a directory to which it can write, then the exploit can edit that instead of /tmp/. The best solution is to wall off the CMS, or get a better CMS to start with. You may find something like TripWire a useful tool as well.

All the best,

        Jacinta
--
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
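Jacinta's point about noexec on /tmp is that the mount option only protects the one filesystem; any other directory the CMS can write to (an uploads or cache directory under the web root, /dev/shm, and so on) is unaffected. The following script is an added example, not code from the thread or from any of the tools it mentions: it parses a /proc/mounts-style table, finds the mount that holds each directory of interest, and reports which of noexec/nosuid/nodev that mount lacks. The mount table and the directory list are constructed sample data; on a live host you would feed it the real /proc/mounts and the directories writable by the web server user.

```python
"""Audit which hardening mount options cover a set of writable directories.

Added example (not from the original thread). SAMPLE_MOUNTS is constructed
test data in /proc/mounts format; load_mounts() reads the real table.
"""
import os

# Constructed sample: the /tmp line mirrors the options quoted in the thread,
# the other lines are typical of a small web host.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext3 rw,relatime,errors=remount-ro 0 0
/dev/sda2 /tmp ext3 rw,noexec,nosuid,nodev,noatime,nodiratime 0 0
/dev/sda3 /var/www ext3 rw,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
"""

# Options we want on every filesystem a web application can write to.
HARDENING_OPTS = ("noexec", "nosuid", "nodev")

# Constructed list of directories the CMS in this scenario can write to.
SAMPLE_WRITABLE_DIRS = ["/tmp", "/var/www/uploads", "/var/www/cache", "/dev/shm"]


def parse_mounts(text):
    """Return {mount_point: set(options)} from /proc/mounts-formatted text."""
    mounts = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        # fields: device, mount point, fstype, options, dump, pass
        mounts[fields[1]] = set(fields[3].split(","))
    return mounts


def load_mounts(path="/proc/mounts"):
    """Read the live mount table (Linux)."""
    with open(path) as f:
        return parse_mounts(f.read())


def mount_for(path, mounts):
    """Longest-prefix match: the mount point whose filesystem holds `path`."""
    path = os.path.normpath(path)
    best = "/"
    for mp in mounts:
        if path == mp or path.startswith(mp.rstrip("/") + "/"):
            if len(mp) > len(best):
                best = mp
    return best


def missing_hardening(path, mounts):
    """Hardening options NOT set on the filesystem that holds `path`."""
    opts = mounts.get(mount_for(path, mounts), set())
    return [o for o in HARDENING_OPTS if o not in opts]


def audit(dirs, mounts):
    """Map each writable directory to the hardening options it lacks."""
    return {d: missing_hardening(d, mounts) for d in dirs}


if __name__ == "__main__":
    table = parse_mounts(SAMPLE_MOUNTS)
    for d, missing in audit(SAMPLE_WRITABLE_DIRS, table).items():
        status = "ok" if not missing else "missing " + ",".join(missing)
        print(f"{d:20s} on {mount_for(d, table):10s} {status}")
```

Run against the sample table, /tmp comes back clean while both directories under /var/www lack all three options and /dev/shm lacks noexec, which is exactly the gap the reply describes. To build the directory list for a real host, walk the web root as the web server user (e.g. with `find -writable`) rather than as root, since root's view of writability is not the CMS's.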
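The reply's other recommendation, a file-integrity tool such as Tripwire and a known-good baseline to compare against, addresses the "logs can be faked" problem: a hash baseline taken while the host was clean still shows a changed binary or a new file under a writable directory even if the logs were cleaned. The script below is an added example of that idea, not Tripwire's own code or anything from the thread. It records a SHA-256 digest, mode and size for every file below a root, and classifies the differences between two baselines. The demo() function builds a constructed scenario in a temporary directory (a file dropped in a tmp directory, a modified script, a removed file) so it runs offline.

```python
"""Minimal file-integrity baseline and comparison, Tripwire-style.

Added example (not from the thread, not Tripwire). Take the baseline while
the host is in a known-good state, keep it off-host or on read-only media,
and compare after an incident.
"""
import hashlib
import os
import stat
import tempfile


def file_record(path):
    """(digest, mode, size) for one path; symlinks are recorded by target."""
    st = os.lstat(path)
    mode = stat.S_IMODE(st.st_mode)
    if stat.S_ISLNK(st.st_mode):
        return ("symlink:" + os.readlink(path), mode, st.st_size)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return (h.hexdigest(), mode, st.st_size)


def baseline(root):
    """Map of path relative to root -> record, for every file below root."""
    records = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            records[os.path.relpath(full, root)] = file_record(full)
    return records


def compare(old, new):
    """Classify differences between two baselines taken from the same root."""
    old_paths, new_paths = set(old), set(new)
    return {
        "added": sorted(new_paths - old_paths),
        "removed": sorted(old_paths - new_paths),
        "modified": sorted(p for p in old_paths & new_paths if old[p] != new[p]),
    }


def demo():
    """Constructed scenario: baseline a small tree, change it, compare."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "tmp"))
        os.makedirs(os.path.join(root, "www"))
        with open(os.path.join(root, "www", "index.php"), "w") as f:
            f.write("<?php echo 'hello'; ?>")
        with open(os.path.join(root, "www", "old.php"), "w") as f:
            f.write("<?php ?>")
        before = baseline(root)

        # Simulated post-incident state: a new file in the writable tmp
        # directory, an edited script, and a file that was removed.
        with open(os.path.join(root, "tmp", "dropped"), "w") as f:
            f.write("constructed sample content")
        with open(os.path.join(root, "www", "index.php"), "a") as f:
            f.write("/* edited */")
        os.remove(os.path.join(root, "www", "old.php"))
        after = baseline(root)
        return compare(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9s} {paths}")
```

The comparison is only as trustworthy as the baseline's storage and the tool doing the hashing: if both live on the compromised host, an intruder with root can alter them too, which is why the reply still recommends a full re-install or restore from a known-good state rather than relying on the host's own word.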