Security Incidents mailing list archives
Re: Suspicious files in /tmp
From: Robin Sheat <robin () kallisti net nz>
Date: Tue, 19 Jun 2007 13:33:21 +1200
On Tuesday 19 June 2007 04:47:13 Matt D. Harris wrote:
They're being executed despite filesystem mount options because the script isn't being executed, the perl interpretter is. The script is being read and interpretted by the perl interpretter.
I think it's also the case (I don't have a noexec partition handy to test on) that you can get around this by doing something like: /lib/ld-linux.so.2 /tmp/mybadbinary e.g.: /lib/ld-linux.so.2 /bin/ls noexec is at best an annoyance to an attacker rather than a real security measure. Of course, it would be nice to see a check in interpreters just to make things that much trickier. -- Robin <robin () kallisti net nz> JabberID: <eythian () jabber kallisti net nz> Hostes alienigeni me abduxerunt. Qui annus est? PGP Key 0xA99CEB6D = 5957 6D23 8B16 EFAB FEF8 7175 14D3 6485 A99C EB6D
Attachment:
_bin
Description:
Current thread:
- Suspicious files in /tmp kladizkov.thehome (Jun 18)
- Re: Suspicious files in /tmp Matt D. Harris (Jun 18)
- Re: Suspicious files in /tmp Michal Zalewski (Jun 19)
- Re: Suspicious files in /tmp Matt D. Harris (Jun 19)
- Re: Suspicious files in /tmp Michal Zalewski (Jun 19)
- Message not available
- Re: Suspicious files in /tmp Michal Zalewski (Jun 20)
- Re: Suspicious files in /tmp Michal Zalewski (Jun 19)
- Re: Suspicious files in /tmp Matt D. Harris (Jun 18)
- Re: Suspicious files in /tmp Rainer Duffner (Jun 19)
- Re: Suspicious files in /tmp Rainer Duffner (Jun 19)
- Re: Suspicious files in /tmp Robin Sheat (Jun 19)
- Re: Suspicious files in /tmp Valdis . Kletnieks (Jun 20)
- RE: Suspicious files in /tmp Thyago Braga da Silva (Jun 21)
- RE: Suspicious files in /tmp kaneda (Jun 21)
- Re: Suspicious files in /tmp Eduardo Tongson (Jun 22)
- Re: Suspicious files in /tmp Cy Schubert (Jun 21)
- <Possible follow-ups>
- Re: Suspicious files in /tmp Juha-Matti Laurio (Jun 19)