David Bolt wrote:
> On Mon, 21 Jan 2008, Joe Sloan wrote:-
>
> <snip>
>
>> Yes, I remember dealing with some similar worms on linux servers - the
>> difference being, if a linux system gets a worm, you install the
>> security upgrade from the vendor, clean up the files left behind by the
>> worm (which will typically be found only in world writable areas), and
>> life goes on, without a reboot, and perhaps a momentary interruption in
>> service while the daemon is reloaded.
>
> You'd trust that method of cleaning a system? If only life were so
> simple.

It's not a matter of blind trust, but of close examination of the worm's behavior. Once the hole was closed and the remains of the worm removed, that was the end of it. No more mysterious traffic, no more odd spikes in system load, no more trouble, no anomalies on the system, and a full package check shows everything in order.

>> If a windows web server gets a worm, game over. Wipe the box and
>> reinstall. At least that's what my mcse friends tell me.
>
> I'd apply the same logic to a Linux server as well.

But these are 2 totally different beasts.

> The reason being
> that if a worm is able to install on the server using root privileges,
> there's no way to know just what else has been installed by it without
> performing some form of forensic work on the installation

Why would you assume that a worm got root privileges? In the cases I've dealt with, there were no root privileges. A close examination of the trail left by the worm showed that it was limited to what it could do as the www user. All its working files were in /tmp. One of the strengths of the unix model is separation of privilege, and that provides a layered defense.

Joe
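A post-cleanup check in the spirit of what Joe describes (patch, remove the leftovers in world-writable areas, verify the packages), added here as an example and not code from the thread. It assumes a POSIX shell with GNU/BSD find (for -maxdepth-free recursion and -perm -002) and an RPM-based system for the rpm -Va step; the script name is hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. After the vendor security upgrade is
# installed and the daemon reloaded, it (1) lists regular files that live
# under world-writable directories, where a worm running as the unprivileged
# web-server user has to keep its working files, and (2) asks the package
# manager which installed files no longer match what it recorded.
# Assumptions: POSIX sh, find that understands -perm -002 and -xdev, and an
# RPM-based system for the rpm -Va step.

# Print every regular file below a world-writable directory found under the
# given roots (deduplicated, since such directories may be nested).
# Arguments: one or more directories to scan, e.g. /tmp /var/tmp.
ww_files() {
    # -perm -002: the "other" write bit is set (/tmp, /var/tmp, stray 777 dirs)
    find "$@" -xdev -type d -perm -002 2>/dev/null | while IFS= read -r d; do
        find "$d" -type f 2>/dev/null
    done | sort -u
}

# Number of such files, handy for a before/after comparison of the cleanup.
ww_file_count() {
    ww_files "$@" | wc -l | tr -d ' '
}

# Installed files whose size (column 1 = S) or digest (column 3 = 5) differ
# from the package database. Config files (second field 'c') are skipped
# because they change legitimately; prelink can also cause digest mismatches.
changed_package_files() {
    rpm -Va 2>/dev/null | awk '
        $2 != "c" && (substr($1, 1, 1) == "S" || substr($1, 3, 1) == "5") { print $NF }'
}

# Usage: sh post_cleanup_check.sh /tmp /var/tmp
if [ $# -ge 1 ]; then
    echo "== regular files under world-writable directories in: $*"
    ww_files "$@" | while IFS= read -r f; do ls -ld "$f"; done
    echo "== installed package files with changed size or digest (rpm -Va)"
    changed_package_files
fi
```

Anything the first list shows should be explainable (session files, sockets, editor backups); the second list is where a privilege escalation beyond the www user would show up as a replaced system binary.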