Security Incidents mailing list archives
Re: Systems compromised with ShellBOT perl script - part 2
From: Jeffrey Denton <dentonj () gmail com>
Date: Wed, 20 Oct 2004 11:13:02 -0700
On Wed, 20 Oct 2004 00:04:36 -0500, security () kemhosting com <security () kemhosting com> wrote:
Today, hackers used the ShellBOT perl script to bring down Apache and start up their IRC listener. They (somehow) copied it into /tmp and executed it. This confuses me because I have my /tmp directory mounted rw,noexec,nosuid. Does Perl somehow bypass this?
If the command they are running is something similar to:

# perl /tmp/script.pl

Then script.pl isn't being directly executed, perl is. In this example, script.pl itself doesn't even need to be executable. The same thing can be done with shell scripts.

# sh /tmp/script.sh

The noexec flag can be bypassed by binaries that are dynamically linked by using /lib/ld-linux.so. You execute the linker and give the command you want to run as the option.

# cp /usr/bin/ls /tmp
# /tmp/ls
/tmp/ls: Permission denied
# /lib/ld-linux.so.2 /tmp/ls

The only way that I'm aware of to stop the above from happening is by using libsafe. You will then end up with the following error:

# /lib/ld-linux.so.2 /tmp/ls
/tmp/ls: error while loading shared libraries: /tmp/ls: failed to map segment from shared object: Operation not permitted

One interesting observation is that the output of ldd changes when run on commands located on noexec partitions and libsafe is being used.

# ldd /tmp/ls
not a dynamic executable
# ldd /usr/bin/ls
/lib/libsafe.so.2 => /lib/libsafe.so.2 (0x40017000)
librt.so.1 => /lib/librt.so.1 (0x4002e000)
libc.so.6 => /lib/libc.so.6 (0x40040000)
. . .

One warning, libsafe is not always the answer to securing a system since it has a habit of interfering with programs and servers. As with every security measure, test, test, test.....
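As an added example (not part of this thread or anyone's posted code), a POSIX shell hunt for the pattern described above: processes whose executable is an interpreter or the dynamic loader and whose arguments point into a noexec mount. The sample process lines and mount list are constructed; collect_procs and noexec_mounts_live are hypothetical helper names for gathering the same data from a live Linux /proc.

```shell
#!/bin/sh
# Added example, not from the original thread: hunt for interpreter or
# dynamic-loader processes running files out of a noexec mount, the case
# that the mount option alone does not stop.

# Constructed sample of "pid exe argv..." lines (what collect_procs below
# would emit on a live host).
SAMPLE_PROCS='101 /usr/bin/perl perl /tmp/script.pl
102 /bin/sh sh /tmp/script.sh
103 /lib/ld-linux.so.2 /lib/ld-linux.so.2 /tmp/ls
104 /usr/sbin/httpd /usr/sbin/httpd -k start
105 /usr/bin/perl perl /usr/local/bin/report.pl
106 /bin/cat cat /tmp/notes.txt'

# Constructed list of noexec mount points (see noexec_mounts_live).
NOEXEC_MOUNTS='/tmp /var/tmp /dev/shm'

# flag_noexec_exec: read "pid exe argv..." lines on stdin and print
# "pid exe path" for every interpreter or ld.so process whose arguments
# name a file under a noexec mount point. Other executables (cat, httpd)
# are skipped so the output stays focused on code being run from there.
flag_noexec_exec() {
    while read -r pid exe args; do
        case "${exe##*/}" in
            perl*|python*|ruby*|sh|bash|dash|ld-linux*|ld.so*) ;;
            *) continue ;;
        esac
        for arg in $args; do
            for mp in $NOEXEC_MOUNTS; do
                case "$arg" in
                    "$mp"/*) printf '%s %s %s\n' "$pid" "$exe" "$arg" ;;
                esac
            done
        done
    done
}

# Live helpers (hypothetical names, Linux /proc layout): emit the same line
# format from running processes, and list mounts carrying the noexec flag.
collect_procs() {
    for p in /proc/[0-9]*; do
        exe=$(readlink "$p/exe" 2>/dev/null) || continue
        printf '%s %s %s\n' "${p#/proc/}" "$exe" "$(tr '\0' ' ' < "$p/cmdline")"
    done
}
noexec_mounts_live() {
    awk '$4 ~ /(^|,)noexec(,|$)/ { print $2 }' /proc/mounts
}

# Live use:  NOEXEC_MOUNTS=$(noexec_mounts_live); collect_procs | flag_noexec_exec
printf '%s\n' "$SAMPLE_PROCS" | flag_noexec_exec
```

On the constructed sample this reports the perl, sh and ld-linux.so.2 processes and nothing else; hits are a starting point for triage, not proof of compromise, since legitimate software occasionally runs scripts from /tmp.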