Re: XML-RPC worm

Author: Matt Mets
Date:  
To: alandd, Main PLUG discussion list
Subject: Re: XML-RPC worm
Hi,

I'm really sorry, I thought this message was from a personal friend of
mine whose name is also Kevin. Those are still basically my thoughts,
but I would have written them much more formally had I realised that
(and I don't mean to be so snooty about Gentoo, that is just a standing
joke between the two of us because he switched to Debian for unrelated
reasons).

I guess what I was getting at was that it seems to be an exploit in
PHP, not in Linux itself, so it seems to be a much less severe problem
than it is being made out to be... you can't install a system-wide
backdoor if you don't have correct permissions. Granted, it is
probably a good idea to reinstall if you are unsure.

Also, I'd like to note Unix-based exploits are some of the oldest in
the book, because Unix is a pretty old operating system.

I am really sorry that I posted that message to the group...

On 11/8/05, Alan Dayley <> wrote:
> Matt Mets said:
> >> Affected systems will need to be wiped and have the OS
> >> reinstalled, in most cases.
> >
> > um, this would be affected systems that didn't know how to set their
> > web server permissions correctly I assume? you think that any decent
> > install would do that... I'll check the Gentoo tonight (which would
> > probably have been patched a long time ago anyway), but it doesn't seem
> > to make a whole lot of sense to me.
> >
> > I mean come on, you don't have to reinstall an OS to do this stuff...
> > that's crazy talk. This is Unix, man, there isn't a registry to screw
> > up... just reinstall the frigging webserver if you have to.
> >
>
> The problem is that the worm installs a back door on the computer,
> allowing full remote access to one who knows it is there. Unless you then
> have tripwire or some other way to prove that no one has been using that
> back door, the only way to get to a known, secure state is to re-install
> from scratch.
>
> Personally, I think any box found with a back door installed needs to be
> reformatted. That's the only way I could be confident it is not
> compromised.
>
> Alan

---------------------------------------------------
PLUG-discuss mailing list -
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
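Alan's argument turns on having something like tripwire: a trusted baseline of the filesystem that a later snapshot can be checked against. The script below is an added example for this thread, not tripwire's own code and not anything either poster wrote. It shows the minimal form of that check in Python: hash every regular file under a tree together with its permission bits, keep the result, and report what was added, removed or altered in a later snapshot. The web-root layout, file names and contents in the demo are constructed for illustration.

```python
"""Minimal file-integrity baseline and verify, in the spirit of tripwire.

Added example (not tripwire, not code from the PLUG thread): snapshot a
directory tree, keep the snapshot somewhere the host cannot rewrite it,
and later compare the live tree against it.
"""
import hashlib
import os
import shutil
import stat
import tempfile


def hash_file(path, chunk=65536):
    """SHA-256 of a file's contents, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Map each regular file under root (path relative to root) to hash + mode.

    Permission bits are recorded alongside content because a file whose
    bytes are unchanged but which became world-writable or setuid is still
    a finding worth reporting.
    """
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, sockets, etc. are out of scope here
            rel = os.path.relpath(full, root)
            baseline[rel] = {
                "sha256": hash_file(full),
                "mode": stat.S_IMODE(st.st_mode),
            }
    return baseline


def compare(baseline, current):
    """Return sorted lists of added, removed and modified paths."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(p for p in old & new if baseline[p] != current[p]),
    }


def demo():
    """Constructed scenario: baseline a fake web root, then alter it."""
    root = tempfile.mkdtemp(prefix="integrity-demo-")
    try:
        os.makedirs(os.path.join(root, "xmlrpc"))
        with open(os.path.join(root, "index.php"), "w") as f:
            f.write("<?php echo 'hello'; ?>\n")  # constructed content
        with open(os.path.join(root, "xmlrpc", "server.php"), "w") as f:
            f.write("<?php /* constructed placeholder */ ?>\n")
        os.chmod(os.path.join(root, "index.php"), 0o644)

        before = build_baseline(root)

        # Simulate drift after an incident: one file altered, one new
        # file dropped in, one file removed (all constructed).
        with open(os.path.join(root, "index.php"), "a") as f:
            f.write("// constructed change\n")
        with open(os.path.join(root, "new-file.txt"), "w") as f:
            f.write("constructed\n")
        os.remove(os.path.join(root, "xmlrpc", "server.php"))

        after = build_baseline(root)
        return compare(before, after)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

The baseline only proves anything if it was taken before the compromise and stored where the host cannot alter it (off-box or on read-only media); a snapshot taken after a back door is found merely describes the compromised state, which is why a box with a back door and no prior baseline ends up reinstalled, as Alan says.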