On Tue, 22 Jan 2008, James Knott wrote:- <snip>
> Assuming you're running as a mere mortal and not root, how does it start a root shell?
It wouldn't as a mere mortal. However, the exploit was one affecting Apache and PHP, and allowed for the server to be compromised. Once it's able to gain a toehold, you don't know what it's going to do, and it's quite possible for the worm to have installed a rootkit using a local root exploit to elevate the permissions.

As I said, you don't know for certain just what has been done, and it would need some forensic work performed on the drive using outside tools to find out. Unless the server isn't critical, taking it off-line while the investigation is performed isn't a viable choice, leaving a wipe and reinstall, and rapid security patching, as the next best option.

Regards,
David Bolt

--
Team Acorn: http://www.distributed.net/ OGR-P2 @ ~100Mnodes RC5-72 @ ~15Mkeys
SUSE 10.1 32bit | openSUSE 10.2 32bit | openSUSE 10.3 32bit | openSUSE 11.0a0
SUSE 10.1 64bit | openSUSE 10.2 64bit | openSUSE 10.3 64bit
RISC OS 3.6 | TOS 4.02 | openSUSE 10.3 PPC | RISC OS 3.11
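The "forensic work on the drive using outside tools" David describes usually starts with verifying the installed packages of the suspect disk from a clean system, e.g. `rpm -Va --root /mnt/evidence` with the image mounted read-only. The script below is an added example, not part of the thread: it triages that `rpm -V` output, skipping config and documentation files and flagging missing files or digest/size/mode changes on binaries in system directories. The `rpm -V` line format is real; the sample lines and the `/mnt/evidence` mount point are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread).
# Triage the output of `rpm -Va --root /mnt/evidence` (assumed: suspect disk
# mounted read-only under /mnt/evidence on a clean analysis host).
#
# rpm -V line format:  "<flags>  [attr] <path>"  or  "missing   [attr] <path>"
# flag columns: S size, M mode, 5 digest, D device, L link, U user, G group,
# T mtime (and P capabilities on newer rpm); '.' means unchanged.
# attr: c = config file, d = documentation, g/l/r = ghost/license/readme.

# Constructed sample standing in for real `rpm -Va` output.
SAMPLE_RPMV='S.5....T.  c /etc/ssh/sshd_config
S.5....T.    /usr/sbin/sshd
.......T.    /usr/share/doc/packages/bash/README
.M.......    /bin/ls
missing      /sbin/ifconfig
S.5....T.  d /usr/share/man/man1/ls.1.gz'

# triage_rpmv: read rpm -V lines on stdin, print the suspicious ones,
# return the number of suspicious entries as the exit status.
triage_rpmv() {
    awk '
    /^missing/ { print "MISSING   " $NF; n++; next }
    # config/doc files change legitimately: skip lines carrying an attribute
    $2 ~ /^[cdglr]$/ { next }
    # digest, size or mode change on a binary/library in a system directory
    $1 ~ /[SM5]/ && $NF ~ /^\/(bin|sbin|lib|lib64|usr\/bin|usr\/sbin|usr\/lib|usr\/lib64)\// {
        print "MODIFIED  " $1 "  " $NF; n++
    }
    END { exit n }'
}

# count_suspicious: number of flagged entries in the constructed sample.
count_suspicious() {
    n=$(printf '%s\n' "$SAMPLE_RPMV" | triage_rpmv | wc -l)
    echo $((n))
}

# Demo run against the sample; the exit status doubles as the hit count.
printf '%s\n' "$SAMPLE_RPMV" | triage_rpmv || echo "$? suspicious entries"
```

The package database being verified lives on the suspect disk and could itself have been tampered with, so a clean result here does not clear the machine; a hit is a reason to dig further.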