Date: Mon, 1 Jul 2002 19:46:29 +0200 (CEST)
From: m p <sumirati@yahoo.de>
To: bjm1287@ritvax.isc.rit.edu
Cc: questions@FreeBSD.ORG
Subject: RE: Apache Worm Comments???
Message-ID: <20020701174629.56209.qmail@web13307.mail.yahoo.com>

> Does anyone know how you can tell if you have the worm or not? Also,
> will simply uninstalling and re-installing Apache clean the worm? I
> assume it would...but I'm curious what others think.
>
> --Brian

Hi Brian,

please take a look at the mailing list archives for bugtraq (at http://www.securityfocus.com) and the freebsd-security mailing list archives. There you will find a binary (Version 1 of the worm it seems) and the source (for Version 2.0 it seems). The source seems to be a bit more advanced. The discussion of the source and the binary lasted the whole weekend.

No, uninstalling and re-installing will _not_ clean the worm. From what the people looking at the binary and the source said, the worm will put itself in /tmp/.a - that is hard-coded in the source. So check there and delete

For all worms/trojans/root-kits/viruses there is the old sentence: IF someone had root access to your machine - DON'T trust ANY binary. Back up your data, install a fresh, new version of your OS, apply the security patches and restore your configuration and data. That is the only way (if you do not have something like tripwire running in an environment where YOU absolutely trust it - I don't).

Hope that clarifies the issue a little bit.

Marc