Security Basics mailing list archives
Re: Removing Perl.Santy
From: Michael Rice <michael () riceclan org>
Date: Mon, 31 Jan 2005 16:34:26 -0600
Not knowing anything about it except what's on the Symantec site, I would:

a) get rid of the phpBB that made you vulnerable in the first place (upgrade or replace)
b) look for any processes running perl (examine their /proc entry to see if the perl interpreter or libraries are open by the process), and kill them. If apache has mod_perl, examine the apache configs and restart apache.
c) examine all init scripts and cron/at entries
d) search for files and remove any that have been touched by the worm.

This is not a trivial task, but hopefully the steps above have gained you some time on it.

According to what I'm reading, it probably just runs as the user apache is running as. If this is not root you can leave it as above and hope that the worm didn't do anything more malicious or leave your system vulnerable to more malicious follow-ups. I recommend reinstalling unless you have some way to validate nearly every file on the system (tripwire, aide, etc. with a remote database). If apache is running as root I would upgrade that to "strongly recommend."

On Fri, 2005-01-28 at 18:19, Hamish Stanaway wrote:
> Hi friends,
>
> I have a box that has perl.santy (unknown if it is the a, b or c variant) on my Redhat Linux server. The server is located on the other side of the world from me, so physically going through the machine isn't an option for me. I have root ssh access. I cannot seem to find details anywhere on the internet on how to remove this virus, and the virus' activities are now starting to irritate some of my web hosting clients.
>
> Can someone help me please, or at least point me in the right direction? G00gle etc reveals nothing...
>
> Kindest of regards,
>
> Hamish Stanaway, CEO
> Absolute Web Hosting
> Auckland, New Zealand
> http://www.webhosting.net.nz
> http://www.buywebhosting.co.nz
-- Michael Rice <michael () riceclan org>
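Steps b) through d) of the reply above, as an added example that is not part of Michael's message or of any vendor write-up: a POSIX shell triage script for a Linux host that (1) lists processes whose exe link or mapped libraries are perl (which also catches mod_perl inside httpd), (2) lists cron/at/init files that mention perl, and (3) lists files under the web tree modified after a reference file known to predate the infection. It reports and does not kill or delete anything; step a) (fixing phpBB) is outside its scope. Every function takes its paths as arguments so the logic can be exercised on a constructed /proc-style tree; the default paths (/proc, /etc/cron.d, /var/spool/cron, /var/spool/at, /etc/rc.d, /etc/init.d, /var/www, and /etc/redhat-release as the reference file) are assumptions about a Red Hat layout, and the script name santy-triage.sh is hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post: triage for a suspected perl worm.
# Functions take their paths as arguments; the defaults below assume a Red Hat
# layout and are assumptions, not something the thread states.

# list_perl_pids PROC_ROOT
# Print one PID per line for processes that run perl or have perl mapped.
list_perl_pids() {
    root="${1:-/proc}"
    for d in "$root"/[0-9]*; do
        [ -d "$d" ] || continue
        pid="${d##*/}"
        exe=$(readlink "$d/exe" 2>/dev/null || true)
        case "$exe" in
            *perl*) echo "$pid"; continue ;;
        esac
        # httpd with mod_perl, or perl reached through a renamed binary:
        # look for libperl or a perl path among the mapped files.
        if [ -r "$d/maps" ] && grep -q -e libperl -e /perl "$d/maps" 2>/dev/null; then
            echo "$pid"
        fi
    done
}

# list_perl_persistence PATH...
# Print every regular file under the given files/directories that mentions perl
# (cron.d entries, user crontabs, at jobs, init scripts).
list_perl_persistence() {
    for p in "$@"; do
        [ -e "$p" ] || continue
        find "$p" -type f -exec grep -l perl {} + 2>/dev/null || true
    done
}

# list_files_newer ROOT REF_FILE
# Print files under ROOT with a modification time later than REF_FILE.
list_files_newer() {
    [ -d "$1" ] || return 0
    find "$1" -type f -newer "$2" 2>/dev/null || true
}

# triage_report [REF_FILE]
# Full report against the live system. REF_FILE must be a file that has not
# been touched since before the compromise (default is an assumption).
triage_report() {
    ref="${1:-/etc/redhat-release}"
    echo "== processes running perl or with perl mapped (pid uid cmdline) =="
    for pid in $(list_perl_pids /proc); do
        uid=$(awk '/^Uid:/ {print $2}' "/proc/$pid/status" 2>/dev/null || true)
        cmd=$(tr '\000' ' ' < "/proc/$pid/cmdline" 2>/dev/null || true)
        echo "$pid $uid $cmd"
    done
    echo "== cron/at/init entries mentioning perl =="
    list_perl_persistence /etc/crontab /etc/cron.d /etc/cron.hourly \
        /etc/cron.daily /var/spool/cron /var/spool/at /etc/rc.d /etc/init.d
    echo "== files under /var/www newer than $ref =="
    list_files_newer /var/www "$ref"
}

# Run the live report only when invoked as: sh santy-triage.sh run [REF_FILE]
if [ "${1:-}" = run ]; then
    triage_report "${2:-}"
fi
```

The uid column in the process listing is the fork in the advice above: if the worm's processes run as the apache user, the damage is bounded by that account; if any run as uid 0, reinstalling is the realistic option. The reference file for the "newer than" search must be one you are sure the worm did not touch, otherwise the third list is meaningless.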
Current thread:
- Re: Removing Perl.Santy Michael Rice (Feb 01)
- Re: Removing Perl.Santy Barrie Dempster (Feb 02)
- <Possible follow-ups>
- Re: Removing Perl.Santy Joachim Schipper (Feb 01)