Usually, a common tactical move is to securely design the system from the start. A /tmp placed on an independent partition and mounted noexec, nosuid, along with chattr +a on logs and +i on important directories like /sbin, /bin and the like, is a fair policy.

As for a quick fix, yes, this will keep away the worm, but not the hacker. One can easily tear apart the worm and create a 'remote shell' through Apache kind of thing.

It is advisable to keep the systems always in good shape (if possible... I have seen 'updates' that broke things trying to fix others, merely the RedHat 7.0 updates have fallen sometime in this category...) and keep always an open eye (if time/staff permits).

All my best,

Sandu Mihai - KPNQWest Romania
Network Engineer

-----Original Message-----
From: adamkuj@gatordog.com [mailto:adamkuj@gatordog.com]
Sent: 13 September 2002 21:51
To: bugtraq@securityfocus.com
Subject: Re: bugtraq.c httpd apache ssl attack

Wouldn't it be easier to create a blank /tmp/.bugtraq.c file, chmod 000, owned by root?

On Fri, 13 Sep 2002, The Little Prince wrote:

>
> too easy to chmod 700 gcc to lock it to root?
> obviously not as a TOTAL fix
>
> -Tony
> .-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-.
> Anthony J. Biacco Network Administrator/Engineer
> thelittleprince@asteroid-b612.org http://www.asteroid-b612.org
>
> "Every day should be a good day to die" -DJM
> .-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-.
>
> On 13 Sep 2002, Fernando Nunes wrote:
>
> >
> > I am using RedHat 7.3 with Apache 1.3.23. Someone used the
> > program "bugtraq.c" to explore a modSSL buffer overflow to get access to
> > a shell. The attack creates a file named "/tmp/.bugtraq.c" and compiles it
> > using gcc. The program is started with another computer ip address as
> > argument. All computer files that the user "apache" can read are exposed.
> > The program attacks the following Linux distributions:
> >
> > Red-Hat: Apache 1.3.6,1.3.9,1.3.12,1.3.19,1.3.20,1.3.22,1.3.23,1.3.26
> > SuSe: Apache 1.3.12,1.3.17,1.3.19,1.3.20,1.3.23
> > Mandrake: 1.3.14,1.3.19
> > Slackware: Apache 1.3.26
> >
> > Regards
> > Fernando Nunes
> > Portugal
> >
>
> --
> .-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-.
> Anthony J. Biacco Network Administrator/Engineer
> thelittleprince@asteroid-b612.org http://www.asteroid-b612.org
>
> "Every day should be a good day to die" -DJM
> .-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-._.-.
>
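
Added example, not part of the original thread and not code from any of its authors: a shell audit of the policy described in the first message (a separate /tmp mounted noexec, nosuid, and chattr +i on system directories). The function names and the sample inputs are constructed for illustration; on a live host, pass /proc/mounts and pipe in the output of `lsattr -d /sbin /bin`.

```shell
#!/bin/sh
# Added example: audit the hardening policy from the message above.
# Function names are hypothetical; sample inputs below are constructed.

# Print the mount options of the last filesystem mounted on $2, read from
# the /proc/mounts-format file $1 (the last entry is the one in effect).
mount_opts() {
    awk -v mp="$2" '$2 == mp { o = $4 } END { if (o != "") print o }' "$1"
}

# Print which of noexec/nosuid are missing for /tmp, or "not-separate"
# when /tmp has no mount entry of its own. Empty output means compliant.
missing_tmp_opts() {
    opts=$(mount_opts "$1" /tmp)
    [ -n "$opts" ] || { echo "not-separate"; return 0; }
    missing=""
    for want in noexec nosuid; do
        case ",$opts," in
            *",$want,"*) ;;
            *) missing="$missing${missing:+ }$want" ;;
        esac
    done
    echo "$missing"
}

# Read `lsattr -d` output on stdin; print every path whose attribute
# column lacks flag $1 ("i" = immutable, "a" = append-only).
paths_lacking_attr() {
    awk -v f="$1" 'NF >= 2 && index($1, f) == 0 { print $2 }'
}

# Constructed samples: /tmp is separate and nosuid, but still allows exec;
# /sbin is immutable, /bin is not.
SAMPLE_MOUNTS=$(mktemp)
trap 'rm -f "$SAMPLE_MOUNTS"' EXIT
cat > "$SAMPLE_MOUNTS" <<'EOF'
/dev/hda1 / ext3 rw 0 0
/dev/hda5 /tmp ext3 rw,nosuid 0 0
EOF
SAMPLE_LSATTR='----i-------- /sbin
------------- /bin'

echo "/tmp missing options: $(missing_tmp_opts "$SAMPLE_MOUNTS")"
echo "not immutable: $(printf '%s\n' "$SAMPLE_LSATTR" | paths_lacking_attr i)"
```
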