[This message has also been posted to linux.debian.user,comp.infosystems.www.servers.unix.]

In article <[EMAIL PROTECTED]>, Hugo Vanwoerkom wrote:
> Paul Johnson wrote:
>> Hugo Vanwoerkom wrote:
>>> Mike McCarty wrote:
>>>
>>>> http://www.securityfocus.com/brief/38?ref=rss
>>>
>>> How to detect whether infection has occurred?
>>
>> Don't go overboard yet. Might want to read Steve Lamb's comment about this
>> just upthread.
>
> Like Joey says, Debian Sarge with security updates avoids the problem.
> Yet... it would still be nice to know how to tell that there was no
> infection.
It's misleading to call these things "Linux worms." The worm attacks PHP applications. You can update Sarge every day. If one of your users is running PHP Nuke or Mambo or phpBB or Squirrel Mail, you have directories where the Web server can create executable files and run them. If your users don't maintain their PHP apps, they can have holes that let the worm create files in /tmp or /var/tmp. If you install in the default places, the worm knows where your Mambo modules directory is.

Sure, the worm wants to pull in a rootkit, and maybe Sarge with security updates will prevent the root escalation. That depends on the rootkit, and the worm. But even if it only gets UID 33 (www-data), it can pull in and run PHP code. Your box can become a spammer bot or an attack bot that way, and you can help propagate the worm to other hosts where the rootkit might succeed.

I think it's a major security bug for /tmp and /var/tmp to be mounted with exec privileges. It's a major security problem for the Web server user to be able to create and run executables anywhere. I hope the Debian maintainers are going to fix it, because the PHP application community never will.

Cameron
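The two conditions Cameron names, /tmp and /var/tmp mounted without noexec and the web server user able to create files under the document root, can be checked from the shell. The script below is an added example and is not code from the original thread; it assumes POSIX sh with awk and find (the numeric `-user` argument is accepted by GNU and POSIX find), reads mount data from a /proc/mounts-style file so it can also be run against a saved copy, and treats the web root path and the www-data UID of 33 as parameters.

```sh
#!/bin/sh
# Added example (not from the original post): audit exec permission on
# temp mounts and find directories the web server user could write into.

# check_noexec MOUNTS_FILE DIR...
# MOUNTS_FILE is in /proc/mounts format: device mountpoint fstype options ...
# Prints one line per DIR that is either not a separate mount (so it inherits
# the parent's exec permission) or is mounted without noexec.
# Returns 0 if every DIR is a noexec mount, 1 otherwise.
check_noexec() {
    mounts_file="$1"; shift
    bad=0
    for dir in "$@"; do
        # last matching entry wins, which mirrors overmounting order
        opts=$(awk -v mp="$dir" '$2 == mp { print $4 }' "$mounts_file" | tail -n 1)
        if [ -z "$opts" ]; then
            echo "$dir: not a separate mount (inherits parent's exec permission)"
            bad=1
        elif ! echo ",$opts," | grep -q ',noexec,'; then
            echo "$dir: mounted with options '$opts' (exec allowed)"
            bad=1
        fi
    done
    return $bad
}

# find_writable_dirs ROOT [UID]
# Lists directories under ROOT that are world-writable, or, when UID is
# given, also those owned by UID with the owner write bit set. These are the
# places where a compromised PHP app running as that UID can drop files.
find_writable_dirs() {
    root="$1"; uid="${2:-}"
    if [ -n "$uid" ]; then
        find "$root" -type d \( -perm -0002 -o \( -user "$uid" -perm -0200 \) \) 2>/dev/null
    else
        find "$root" -type d -perm -0002 2>/dev/null
    fi
}

# Usage on a live host (paths and UID are assumptions for illustration):
#   check_noexec /proc/mounts /tmp /var/tmp
#   find_writable_dirs /var/www 33
```

A noexec mount only stops direct execution of a dropped binary; a writable directory under the web root is still a problem because the web server will happily interpret a PHP file placed there, which is the second condition the post describes. Both checks together show where an attacker limited to the www-data account could still gain a foothold.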