On Mon, 21 Jan 2008, Joe Sloan wrote:-
> David Bolt wrote:
> <Snip>
> It's not a matter of blind trust, but of close examination of the worm's behavior. Once the hole was closed and the remains of the worm removed, that was the end of it. No more mysterious traffic, no more odd spikes in system load, no more trouble, no anomalies on the system, full package check shows everything in order.
In that case, you're lucky that someone didn't use the worm to use some unknown, or freshly discovered, local root exploit to be able to install a root kit.
> If a Windows web server gets a worm, game over. Wipe the box and reinstall. At least that's what my MCSE friends tell me.
I'd apply the same logic to a Linux server as well.
> But these are 2 totally different beasts.
Yes they are.
The reason being that if a worm is able to install on the server using root privileges, there's no way to know just what else has been installed by it without performing some form of forensic work on the installation.
> Why would you assume that a worm got root privileges?
Hope for the best, plan for the worst.
> In the cases I've dealt with, there were no root privileges. A close examination of the trail left by the worm showed that it was limited to what it could do as the www user.
That doesn't mean to say that there wasn't the chance it could have gained root privileges.
> All its working files were in /tmp.
That was one of the things I noticed from the samples I retrieved. It's also one of the reasons I now have separate /tmp partitions mounted noexec.
> One of the strengths of the unix model is separation of privilege, and that provides a layered defense.
There are still the occasional breaches, although not as many as with another popular OS.

Regards,
David Bolt

--
Team Acorn: http://www.distributed.net/ OGR-P2 @ ~100Mnodes RC5-72 @ ~15Mkeys
SUSE 10.1 32bit | openSUSE 10.2 32bit | openSUSE 10.3 32bit | openSUSE 11.0a0
SUSE 10.1 64bit | openSUSE 10.2 64bit | openSUSE 10.3 64bit
RISC OS 3.6 | TOS 4.02 | openSUSE 10.3 PPC | RISC OS 3.11
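As an added example (not part of this thread or of anything David posted), a small POSIX sh check for the separate, noexec /tmp mount he describes. It reads /proc/mounts-format text, so the constructed samples below are not from a real host, and the function name and the extra nosuid/nodev expectations are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the thread: verify that /tmp is a separate mount
# carrying noexec (plus nosuid and nodev), the hardening David describes.
# Mount data is passed in as /proc/mounts-format text so the check can run
# on a constructed sample as well as on the live /proc/mounts.

# tmp_mount_check MOUNTS_TEXT MOUNTPOINT
# Prints "ok" and returns 0 when the last entry for MOUNTPOINT has all three
# options; otherwise prints what is wrong and returns 1.
tmp_mount_check() {
    # Field 2 is the mount point, field 4 the comma-separated options.
    # The last matching line wins, because later mounts shadow earlier ones.
    opts=$(printf '%s\n' "$1" | awk -v mp="$2" '$2 == mp { o = $4 } END { print o }')
    if [ -z "$opts" ]; then
        echo "no separate mount for $2"
        return 1
    fi
    missing=""
    for opt in noexec nosuid nodev; do
        case ",$opts," in
            *",$opt,"*) ;;                 # option present
            *) missing="$missing $opt" ;;  # option absent
        esac
    done
    if [ -n "$missing" ]; then
        echo "missing:$missing"
        return 1
    fi
    echo ok
}

# Constructed /proc/mounts samples (not from a real host).
SAMPLE_GOOD='/dev/sda1 / ext3 rw,relatime 0 0
/dev/sda3 /tmp ext3 rw,nosuid,nodev,noexec,relatime 0 0'
SAMPLE_BAD='/dev/sda1 / ext3 rw,relatime 0 0
/dev/sda3 /tmp ext3 rw,relatime 0 0'
SAMPLE_NONE='/dev/sda1 / ext3 rw,relatime 0 0'

tmp_mount_check "$SAMPLE_GOOD" /tmp || :
tmp_mount_check "$SAMPLE_BAD" /tmp || :
tmp_mount_check "$SAMPLE_NONE" /tmp || :

# Check the running system when /proc/mounts is readable.
if [ -r /proc/mounts ]; then
    tmp_mount_check "$(cat /proc/mounts)" /tmp || :
fi
```

Mount points containing spaces appear in /proc/mounts as octal escapes (for example \040), so pass the escaped form as the second argument in that case.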