XML-RPC worm

Alan Dayley alandd at consultpros.com
Tue Nov 8 17:55:17 MST 2005


Matt Mets said:
>> Affected systems will need to be wiped and have the OS
>> reinstalled, in most cases.
>
> um, this would be affected systems that didn't know how to set their
> web server permissions correctly, I assume?  You think that any decent
> install would do that... I'll check the gentoo tonight (which would
> probably have been patched a long time ago anyway), but it doesn't seem
> to make a whole lot of sense to me.
>
> I mean come on, you don't have to reinstall an OS to do this stuff...
> that's crazy talk.  This is unix, man, there isn't a registry to screw
> up...  just reinstall the frigging webserver if you have to.
>

The problem is that the worm installs a back door on the computer,
allowing full remote access to one who knows it is there.  Unless you then
have tripwire or some other way to prove that no one has been using that
back door, the only way to get to a known, secure state is to re-install
from scratch.

Personally, I think any box found with a back door installed needs to be
reformatted.  That's the only way I could be confident it is not
compromised.

Alan
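The reply above hinges on having tripwire-style evidence that nothing changed after the compromise. As an added example (not part of the original post or of tripwire itself), here is a minimal integrity baseline and verify routine; the directory layout and file names are constructed for the demo.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Added example, not from the original post: a tripwire-style baseline
# (content hash, mode, size per file) and a verify step that reports what
# was added, removed or modified since the baseline was taken.

def file_record(path: Path) -> dict:
    """Hash a file's contents and capture its mode and size."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    st = path.stat()
    return {"sha256": h.hexdigest(), "mode": oct(st.st_mode & 0o7777), "size": st.st_size}

def baseline(root: Path) -> dict:
    """Record every regular file under root, keyed by its relative POSIX path."""
    return {p.relative_to(root).as_posix(): file_record(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def verify(root: Path, saved: dict) -> dict:
    """Compare the current tree against a saved baseline (kept offline in
    practice, since a baseline on the compromised box cannot be trusted)."""
    current = baseline(root)
    return {
        "added": sorted(set(current) - set(saved)),
        "removed": sorted(set(saved) - set(current)),
        "modified": sorted(p for p in set(saved) & set(current) if saved[p] != current[p]),
    }

def demo() -> dict:
    """Constructed scenario: baseline a fake web root, then alter one file
    and drop a new one, the kind of change the post says you must detect."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "cgi-bin").mkdir()
        (root / "cgi-bin" / "app.cgi").write_text("#!/bin/sh\necho ok\n")
        (root / "index.html").write_text("<html>hello</html>\n")
        saved = json.loads(json.dumps(baseline(root)))  # round-trip as if stored offline
        (root / "cgi-bin" / "app.cgi").write_text("#!/bin/sh\necho changed\n")  # tampered
        (root / "cgi-bin" / "dropped.cgi").write_text("# constructed new file\n")  # added
        return verify(root, saved)

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Without a baseline taken before the incident, `verify` has nothing to compare against, which is exactly why the post falls back to reinstalling.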




More information about the PLUG-discuss mailing list