You guys are forgetting the other problem: buffer overflows in SUID executables could in theory cause this to be a source of infection as well, root or not.

Jason

On 6 Sep 2001 at 9:26, Russell Fulton wrote:

From: Russell Fulton <r.fultonat_private>
To: incidentsat_private
Subject: Re: New Linux Trojan
Date sent: Thu, 6 Sep 2001 09:26:01 +1200 (NZST)
Priority: NORMAL
Mailer: Simeon for Solaris Motif Version 4.1.5 Build (43)

>
> On Wed, 05 Sep 2001 13:57:12 -0700 Ben Ford
> <bfordat_private> wrote:
>
> > Qualys Inc wrote:
> >
> > >executable programs. On Linux systems, the Remote Shell Trojan
> > >typically begins its replication activities in the current working
> > >directory and in the /bin directory.
> > >
> > [ . . .]
> >
> > >Mitigating Factors:
> > >-------------------
> > >The replication process of the Remote Shell Program can only affect
> > >binary files within the access privileges of the user who launched
> > >the originally infected program.
> > >
> >
> > I think that this point should be emphasized a bit more, unless you are
> > simply out for dramatization. A properly configured machine won't have
> > the root user running untrusted binaries.
>
> True, however a local (non root) user compromise is still a serious
> matter. This is another good reason to write protect *all*
> executables, and preferably have them owned by someone other than the
> user.
>
> Again Unix is protected because users can't write to most executable
> files.
>
> Russell Fulton, Computer and Network Security Officer
> The University of Auckland, New Zealand
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service. For more
> information on this free incident handling, management and tracking system
> please see: http://aris.securityfocus.com
>

---
Jason Robertson
Network Analyst
jasonat_private
http://www.astroadvice.com
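
Added example, not part of the original thread: a Python audit for the two conditions the messages above raise, executables that a given account can overwrite and SUID executables. The function names, the default directory list and the uid/gid arguments are assumptions of this example; ACLs and read-only mounts are not considered.

```python
import os
import stat
import sys


def writable_by(mode, owner_uid, owner_gid, uid, gids):
    """True if the mode bits let (uid, gids) write the file."""
    if uid == 0:  # root bypasses the mode bits
        return True
    if uid == owner_uid:  # owner class wins even if group/other allow more
        return bool(mode & stat.S_IWUSR)
    if owner_gid in gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def classify(mode, owner_uid, owner_gid, uid, gids):
    """Return the set of findings for one regular executable file."""
    findings = set()
    if not stat.S_ISREG(mode) or not mode & 0o111:
        return findings
    if writable_by(mode, owner_uid, owner_gid, uid, gids):
        findings.add("writable")
    if mode & stat.S_ISUID:
        findings.add("suid")
    return findings


def audit(directories, uid, gids):
    """Yield (path, findings) for every flagged file under directories."""
    for top in directories:
        for root, _dirs, files in os.walk(top):
            for name in files:
                path = os.path.join(root, name)
                try:
                    st = os.lstat(path)  # lstat: do not follow symlinks
                except OSError:
                    continue
                found = classify(st.st_mode, st.st_uid, st.st_gid, uid, gids)
                if found:
                    yield path, sorted(found)


if __name__ == "__main__":
    # Assumed defaults: the current directory and /bin, as in the advisory.
    dirs = sys.argv[1:] or [".", "/bin"]
    groups = set(os.getgroups()) | {os.getegid()}
    for path, found in audit(dirs, os.getuid(), groups):
        print(",".join(found), path)
```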
This archive was generated by hypermail 2b30 : Wed Sep 05 2001 - 15:29:51 PDT