On Tue, 22 Jan 2008, James Knott wrote:-

<snip>

>Assuming you're running as a mere mortal and not root, how does it
>start a root shell?

It wouldn't as a mere mortal. However, the exploit was one affecting
Apache and PHP, and allowed for the server to be compromised. Once it's
able to gain a toehold, you don't know what it's going to do, and it's
quite possible for the worm to have installed a rootkit using a local
root exploit to elevate the permissions.

As I said, you don't know for certain just what has been done, and it
would need some forensic work performed on the drive using outside
tools to find out. Unless the server isn't critical, taking it off-line
while the investigation is performed isn't a viable choice, leaving a
wipe and reinstall, and rapid security patching, as the next best
option.


Regards,
        David Bolt

-- 
Team Acorn: http://www.distributed.net/ OGR-P2 @ ~100Mnodes RC5-72 @ ~15Mkeys
SUSE 10.1 32bit  | openSUSE 10.2 32bit | openSUSE 10.3 32bit | openSUSE 11.0a0
SUSE 10.1 64bit  | openSUSE 10.2 64bit | openSUSE 10.3 64bit
RISC OS 3.6      | TOS 4.02            | openSUSE 10.3 PPC   |RISC OS 3.11
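The offline triage the message calls for (forensic work on the drive using outside tools, before deciding between investigation and wipe-and-reinstall), as an added example that is not part of the original message or the list. It assumes the suspect disk has been mounted read-only from a clean boot medium at the path passed as the first argument; the setuid allowlist is a constructed placeholder standing in for whatever a known-good install of the same distribution ships.

```shell
#!/bin/sh
# Added example (not from the original thread): offline triage of a suspected
# compromised server, run from a clean boot medium against its disk mounted
# read-only (e.g. mount -o ro,noexec,nosuid /dev/sdb1 /mnt/victim).
# Nothing below executes anything from the suspect filesystem.

# Setuid/setgid binaries a stock install is expected to ship. This list is a
# constructed placeholder; build the real one from a known-good install.
SUID_ALLOWLIST='/usr/bin/passwd /usr/bin/su /usr/bin/sudo /bin/mount /bin/umount /bin/ping'

# Setuid/setgid regular files under the mount that are not on the allowlist.
# A local root exploit followed by a rootkit often leaves one as a backdoor.
unexpected_suid() {
    root="$1"
    find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
    sort | while IFS= read -r f; do
        rel="${f#"$root"}"
        if ! printf '%s\n' $SUID_ALLOWLIST | grep -Fxq -- "$rel"; then
            printf 'SUID/SGID not on allowlist: %s\n' "$rel"
        fi
    done
}

# Dot-named entries in directories where little legitimate hides: /dev, /tmp,
# /var/tmp. Userland rootkits commonly stash configuration and binaries there.
hidden_entries() {
    root="$1"
    for d in dev tmp var/tmp; do
        [ -d "$root/$d" ] || continue
        find "$root/$d" -xdev \( -name '.*' ! -name '.' ! -name '..' \) 2>/dev/null
    done | sort | while IFS= read -r f; do
        printf 'HIDDEN: %s\n' "${f#"$root"}"
    done
}

# Regular files with an mtime newer than a reference file, e.g. one touched
# with the date of the last known-good patch run (touch -t YYYYMMDDhhmm ref).
# mtime is trivially forged (touch -r), so hits are leads and an empty result
# is weak evidence of nothing having changed.
changed_since() {
    root="$1"
    ref="$2"
    find "$root" -xdev -type f -newer "$ref" 2>/dev/null | sort |
    while IFS= read -r f; do
        printf 'MODIFIED: %s\n' "${f#"$root"}"
    done
}

# Usage: sh triage.sh /mnt/victim [reference-file]
if [ "$#" -gt 0 ]; then
    unexpected_suid "$1"
    hidden_entries "$1"
    if [ "$#" -gt 1 ]; then
        changed_since "$1" "$2"
    fi
fi
```

Expect noise on a real image: older udev kept state under /dev/.udev, and some distributions ship more setuid helpers than the placeholder list, so diff the output against the same script run on a known-good install rather than treating every line as a finding. Anything the script flags is a reason to preserve the drive (or an image of it) before the wipe, since the reinstall destroys the only evidence of how the box was entered.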