XML-RPC worm

Matt Mets matt.mets at gmail.com
Tue Nov 8 19:01:17 MST 2005


Hi,

I'm really sorry, I thought this message was from a personal friend of
mine whose name is also Kevin.  Those are still basically my thoughts,
but I would have written them much more formally had I realised that
(and I don't mean to be so snooty about Gentoo, that is just a standing
joke between the two of us because he switched to Debian for unrelated
reasons).

I guess what I was getting at was that it seems to be an exploit in
PHP, not in Linux itself, so it seems to be a much less severe problem
than it is being made out to be... you can't install a systemwide
backdoor if you don't have correct permissions.  Granted, it is
probably a good idea to reinstall if you are unsure.

Also, I'd like to note Unix-based exploits are some of the oldest in
the book, because Unix is a pretty old operating system.

I am really sorry that I posted that message to the group...

On 11/8/05, Alan Dayley <alandd at consultpros.com> wrote:
> Matt Mets said:
> >> Affected systems will need to be wiped and have the OS
> >> reinstalled, in most cases.
> >
> > um, this would be affected systems that didn't know how to set their
> > web server permissions correctly I assume?  you think that any decent
> > install would do that... I'll check the Gentoo tonight (which would
> > probably have been patched a long time ago anyway), but it doesn't seem
> > to make a whole lot of sense to me.
> >
> > I mean come on, you don't have to reinstall an OS to do this stuff...
> > that's crazy talk.  This is Unix, man, there isn't a registry to screw
> > up...  just reinstall the frigging webserver if you have to.
> >
>
> The problem is that the worm installs a back door on the computer,
> allowing full remote access to one who knows it is there.  Unless you then
> have tripwire or some other way to prove that no one has been using that
> back door, the only way to get to a known, secure state is to re-install
> from scratch.
>
> Personally, I think any box found with a back door installed needs to be
> reformatted.  That's the only way I could be confident it is not
> compromised.
>
> Alan
>
>
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss at lists.plug.phoenix.az.us
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>
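The reply above leans on "tripwire or some other way to prove that no one has been using that back door". The following is an added example, not code from the thread or from any of the projects mentioned, showing the shape of such a check in Python: hash every regular file under a root while the host is known-good, keep the manifest somewhere the host cannot write to, and diff against it later. The sample tree, file names and contents are constructed for the example; it assumes a POSIX filesystem and Python 3. The second half of demo() makes the thread's point concrete: a baseline taken after the box may already have been backdoored proves nothing, which is why the reply ends up recommending a reinstall.

```python
"""Minimal tripwire-style file-integrity check (added example, not from the thread)."""
import hashlib
import os
import tempfile


def hash_file(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large binaries do not fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def baseline(root):
    """Return {relative_path: sha256} for every regular file under root.

    Symlinks are skipped rather than followed; a real tool would record the
    link target too, since a redirected symlink is a classic backdoor trick.
    """
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic walk order
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = hash_file(full)
    return manifest


def verify(root, manifest):
    """Compare the tree under root against a manifest from baseline().

    Returns sorted lists under 'added', 'removed' and 'modified'.  An empty
    result means every baselined file is byte-identical and nothing new
    appeared; it does NOT mean the baseline itself was taken on a clean box.
    """
    current = baseline(root)
    old, new = set(manifest), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(p for p in old & new if manifest[p] != current[p]),
    }


def _write(root, rel, data):
    """Helper for the constructed sample tree."""
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def demo():
    """Build a constructed sample tree, baseline it, then simulate the kind of
    change a worm that drops a backdoor and replaces a binary leaves behind.
    Returns (report, looks_clean_after_rebaseline)."""
    with tempfile.TemporaryDirectory() as root:
        # Constructed sample files; names and contents are illustrative only.
        _write(root, "www/index.php", b"<?php echo 'hello'; ?>\n")
        _write(root, "bin/ls", b"placeholder binary, original\n")
        _write(root, "etc/config", b"option = 1\n")
        clean = baseline(root)  # in practice: store this off-host, read-only

        _write(root, "bin/ls", b"placeholder binary, replaced\n")  # trojaned binary
        _write(root, "tmp/.listener", b"#!/bin/sh\n")               # dropped backdoor
        os.remove(os.path.join(root, "etc/config"))                 # deleted file
        report = verify(root, clean)

        # The trap the reply warns about: re-baselining on the compromised
        # box makes everything look clean again, so the baseline must predate
        # the compromise or it proves nothing.
        tainted = baseline(root)
        looks_clean = verify(root, tainted) == {"added": [], "removed": [], "modified": []}
        return report, looks_clean


if __name__ == "__main__":
    report, looks_clean = demo()
    for kind in ("added", "removed", "modified"):
        for path in report[kind]:
            print(f"{kind.upper():9} {path}")
    print("re-baselined on the compromised box looks clean:", looks_clean)
```

The output of the diff is only as trustworthy as the manifest and the hashing tool that produced it: if the baseline lives on the same box, or the attacker has root and can replace the tool itself, a clean report tells you nothing, which is the reinstall argument made in the reply.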
