> Rick Garcia wrote:
> > > #chmod 0 `which gcc`
> >
> > Can anyone confirm that this is enough to stop the current SSL worm threat?
>
> This will stop the threat, but at the expense of letting anyone who has
> shell access use the gnu c compiler.
>
> Jeff

Don't some PKG files use GCC when installing? The one that comes to mind is the pkgmaster neomail released a while back. I wonder if others need it as well.

Changing mode 700 should be OK. Since the admin httpd process runs as root, it will still have execute permission on gcc, but apache and other users would not.

BTW, I had one computer hit by the worm. Fortunately it's very easy to clean. There are three files in the /tmp folder: .bugtraq, .bugtraq.c, .uubugtraq. You can see them by running the ls -a command. If you run ls -la you can see when you were violated. Remove the three files, do a ps -ax | grep bugtraq to find out the PID of the worm and then kill it.

Temporarily prevent future exploits by finding the line in /etc/httpd/conf/httpd.conf that begins with SSLCipherSuite and find the part that says: +SSLv2 and change the + to a ! Save the file, restart apache by doing /etc/rc.d/init.d/httpd restart and then make sure your SSL sites still work.

You know, we should be thankful that the person released this particular worm. It's relatively benign, easy to catch and could have been much worse. Now, we'll all have an opportunity to patch our servers before someone releases a seriously destructive version.

Additionally, the worm leaves its entire source code behind. They even left it completely commented and documented. I haven't used C in 4 or 5 years, but I didn't have much trouble at all figuring out what's going on in there. It's almost like the person who released it was just trying to say "Wake up knuckle-headed sys-admins... there's an openssl update that you need to get!" I hope we all get the message.

One last BTW: I love my cobalt raq servers, however I'm starting to feel that they are a serious liability. I can't manually update/patch them without the fear of breaking the ability to get future updates from Cobalt, but if I wait for the "official" updates to come around, my server will never get patched. Not to mention the SHP fiasco...

Maybe I need to revisit that thread on the developer list about installing 2.4 based Linux onto the Raqs.

--
Matthew Nuzum
www.bearfruit.org
[EMAIL PROTECTED]

_______________________________________________
cobalt-developers mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-developers
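
An added example, not part of the original post: a read-only shell check for the three things the message describes (the worm's files in /tmp, an SSLCipherSuite line that still has +SSLv2, and whether the compiler is executable by anyone but its owner). The function names and the "report" argument are assumptions of this example; the file names and paths are the ones given in the post.

```shell
#!/bin/sh
# Added example: read-only checks, nothing is modified or deleted.

# List each of the three worm files named in the post that exists in DIR.
# ls -ld shows the timestamp, i.e. when the files were dropped.
find_worm_files() {
    dir=${1:-/tmp}
    for name in .bugtraq .bugtraq.c .uubugtraq; do
        if [ -e "$dir/$name" ]; then
            ls -ld "$dir/$name"
        fi
    done
}

# Return 0 if an active (uncommented) SSLCipherSuite line still has +SSLv2.
sslv2_enabled() {
    conf=${1:-/etc/httpd/conf/httpd.conf}
    grep -E '^[[:space:]]*SSLCipherSuite[[:space:]].*\+SSLv2' "$conf" \
        >/dev/null 2>&1
}

# Return 0 if FILE exists and neither group nor other may execute it
# (true for mode 700 and mode 0, false for the usual 755).
restricted_to_owner() {
    [ -e "$1" ] &&
        [ -z "$(find "$1" -prune \( -perm -0010 -o -perm -0001 \))" ]
}

# Print a short summary for the local machine.
report() {
    found=$(find_worm_files /tmp)
    if [ -n "$found" ]; then
        printf 'worm files present:\n%s\n' "$found"
    else
        echo 'no worm files in /tmp'
    fi
    if sslv2_enabled; then echo 'SSLv2 still enabled in httpd.conf'; fi
    gcc_path=$(command -v gcc 2>/dev/null) || gcc_path=
    if [ -n "$gcc_path" ] && ! restricted_to_owner "$gcc_path"; then
        echo "$gcc_path is executable by non-owner users"
    fi
}

# Run the summary only when asked: sh check.sh report
if [ "${1:-}" = "report" ]; then report; fi
```

Run it as root, since with mode 0 or 700 on gcc an unprivileged user may not be able to resolve the compiler path at all.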
