From owner-freebsd-stable@FreeBSD.ORG Thu Dec 10 10:28:06 2009
Return-Path:
Delivered-To: freebsd-stable@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 197B41065676 for ; Thu, 10 Dec 2009 10:28:06 +0000 (UTC) (envelope-from mkushnir@lohika.com)
Received: from sbox.lohika.com (sbox.lohika.com [217.9.0.182]) by mx1.freebsd.org (Postfix) with ESMTP id 8A5E98FC0A for ; Thu, 10 Dec 2009 10:28:05 +0000 (UTC)
X-IronPort-AV: E=Sophos;i="4.47,374,1257112800"; d="scan'208";a="3459847"
Received: from unknown (HELO dekker.lohika.com) ([172.20.100.30]) by sbox-local.lohika.com with ESMTP; 10 Dec 2009 12:18:01 +0200
Received: from emkushnir.lv.lohika.com ([172.22.60.77]) (authenticated bits=0) by dekker.lohika.com (8.14.2/8.14.2) with ESMTP id nBAALhTe017730 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 10 Dec 2009 12:21:47 +0200 (EET) (envelope-from mkushnir@lohika.com)
Message-ID: <4B20CAA0.5030409@lohika.com>
Date: Thu, 10 Dec 2009 12:17:04 +0200
From: Markiyan Kushnir
User-Agent: Thunderbird 2.0.0.9 (X11/20080311)
MIME-Version: 1.0
To: "squirrel@isot.com"
References: <70b530187d5c4ef4336260f6fdf72193@mail.isot.com> <4B20BCEE.5020704@datapipe.com>
In-Reply-To: <4B20BCEE.5020704@datapipe.com>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
X-Virus-Scanned: ClamAV 0.94.2/10143/Thu Dec 10 07:25:18 2009 on dekker.lohika.com
X-Virus-Status: Clean
Cc: FreeBSD-STABLE Mailing List
Subject: Re: Hacked - FreeBSD 7.1-Release
X-BeenThere: freebsd-stable@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Production branch of FreeBSD source code
X-List-Received-Date: Thu, 10 Dec 2009 10:28:06 -0000

As long as you have to re-install everything from scratch, you can consider installing 8.0 and having your services jailed. The new jail is announced to be much improved.

Markiyan.

Paul Procacci wrote:
>
>> But as far as the rtld vulnerability, doesn't it require at least a local
>> user account?
>
> No, it requires a script and a kiddie. ;) You'd expect your
> "index.php" (or similar) files would require an ftp/ssh/telnet
> connection, but useful "kids" have useful resources 'n which these
> things are not always required.
>
> Anyone can execute any code (apparently) on your machine via the
> exploit, having anything they want running on your machine (i.e. they
> can set their env to whatever they want and get access to your machine
> pre -p5).
>
> Your safest bet, especially since you weren't patched to the latest
> FreeBSD version which includes the rtld patch, is to simply not trust
> your machine at all, regardless of whether you are patching it now or
> not. I'd personally save your data, reformat the machine, and reinstall
> the items you need.
>
> ~Cheers
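Markiyan's suggestion above (rebuild on 8.0 and run the exposed services inside jails) can be expressed in the rc.conf(5) jail variables that 8.0 used before jail.conf(5) existed. The fragment below is an added example, not from this thread or the FreeBSD project; the jail name `www`, the root directory `/usr/jails/www`, the hostname and the 192.0.2.10 address are constructed placeholders, and it assumes a jail root has already been populated (for example with `make installworld DESTDIR=/usr/jails/www`). The point, from a containment standpoint, is that a compromised web stack inside the jail sees only the jail's own filesystem, devfs and address, so a repeat of the "index.php" scenario does not give the attacker the host.

```sh
# /etc/rc.conf fragment (added example, assumed layout): one jail named "www"
# holding the web service; rc(8) starts it via /etc/rc.d/jail at boot.

jail_enable="YES"                    # let /etc/rc.d/jail start jails at boot
jail_list="www"                      # space-separated list of jail names

# Per-jail settings, keyed on the name in jail_list (jail_<name>_*).
jail_www_rootdir="/usr/jails/www"    # constructed path; must hold a full base system
jail_www_hostname="www.example.org"  # constructed hostname for the jail
jail_www_ip="192.0.2.10"             # constructed address; the host must NOT bind
                                     # its own daemons to this IP
jail_www_devfs_enable="YES"          # mount devfs inside the jail (needed by most daemons)
jail_www_devfs_ruleset="devfsrules_jail"   # stock ruleset from /etc/defaults/devfs.rules:
                                     # hides disks, kmem and other host devices
jail_www_exec_start="/bin/sh /etc/rc"      # run the jail's own rc(8) on start
jail_www_exec_stop="/bin/sh /etc/rc.shutdown"
```

Keep the jail root on its own filesystem so `nosuid`/`noexec` mount options can be applied where the service does not need them, and rebuild the jail's userland whenever the host is patched: a jail inherits the host kernel, but rtld and the rest of the base system live in the jail's own root and must be updated there too.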