Re: New Linux Trojan

From: Jason Robertson (jasonat_private)
Date: Wed Sep 05 2001 - 15:15:08 PDT


    You guys are forgetting the other problem: buffer overflows in SUID executables could, in theory,
    make this a source of infection as well, root or not.
    
    Jason
    
    On 6 Sep 2001 at 9:26, Russell Fulton wrote:
    
    From:           	Russell Fulton <r.fultonat_private>
    To:             	incidentsat_private
    Subject:        	Re: New Linux Trojan
    Date sent:      	Thu, 6 Sep 2001 09:26:01 +1200 (NZST)
    Priority:       	NORMAL
    Mailer:         	Simeon for Solaris Motif Version 4.1.5 Build (43)
    
    > 
    > On Wed, 05 Sep 2001 13:57:12 -0700 Ben Ford 
    > <bfordat_private> wrote:
    > 
    > > Qualys Inc wrote:
    > > 
    > > >
    > > >executable programs. On Linux systems, the Remote Shell Trojan 
    > > >typically begins its replication activities in the current working 
    > > >directory and in the /bin directory.
    > > >
    > > [ . . .]
    > > 
    > > >Mitigating Factors:
    > > >-------------------
    > > >The replication process of the Remote Shell Program can only affect 
    > > >binary files within the access privileges of the user who launched 
    > > >the originally infected program.
    > > >
    > > 
    > > I think that this point should be emphasized a bit more, unless you are 
    > > simply out for dramatization.  A properly configured machine won't have 
    > > the root user running untrusted binaries.
    > 
    > True, however, a local (non-root) user compromise is still a serious 
    > matter.   This is another good reason to write-protect *all* 
    > executables, and preferably have them owned by someone other than the 
    > user.
    > 
    > Again, Unix is protected because users can't write to most executable 
    > files.
    > 
    > Russell Fulton, Computer and Network Security Officer
    > The University of Auckland,  New Zealand
    > 
    > 
    > ----------------------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service. For more
    > information on this free incident handling, management and tracking system
    > please see: http://aris.securityfocus.com
    > 
    > 
    
    
    ---
    Jason Robertson                
    Network Analyst            
    jasonat_private    
    http://www.astroadvice.com      
    
    
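    The write-protection and ownership check Russell describes, as an added shell example that is not part of this thread or of any of its authors' work: it walks a directory and reports executables the named user (name or numeric uid) could overwrite, plus setuid executables, which Jason's point makes the ones worth hardening first. The function names and output labels are my own; the directory and user are arguments.

```shell
#!/bin/sh
# Added example: audit a directory tree for executables an unprivileged user
# could modify (the infection path the thread discusses) and for setuid
# executables (where an overflow runs with the owner's privileges).
# Output: one "<reason> <path>" line per finding. Uses only POSIX find.

# report LABEL FIND-ARGS...: run find with the given tests and prefix each hit
# with LABEL ($0 of the inner sh carries the label, $1.. carry the paths).
report() {
    label=$1
    shift
    find "$@" -exec sh -c 'for f; do printf "%s %s\n" "$0" "$f"; done' "$label" {} +
}

# audit_exec_dir DIR USER: list risky owner-executable files under DIR.
audit_exec_dir() {
    dir=$1
    user=$2
    # Executables USER owns and could overwrite directly.
    report owner-writable "$dir" -type f -perm -u+x -user "$user" -perm -u+w
    # Executables any member of the owning group could overwrite.
    report group-writable "$dir" -type f -perm -u+x -perm -g+w
    # Executables anyone on the system could overwrite.
    report world-writable "$dir" -type f -perm -u+x -perm -o+w
    # Setuid executables: worth reviewing regardless of who launched them.
    report setuid "$dir" -type f -perm -u+x -perm -u+s
}

# Stand-alone usage: audit.sh DIR USER
if [ $# -eq 2 ]; then
    audit_exec_dir "$1" "$2"
fi
```

Files that are owner-, group- and world-writable at once are reported once per reason, so the list is a worklist rather than a count.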
    



    This archive was generated by hypermail 2b30 : Wed Sep 05 2001 - 15:29:51 PDT