From: Mike Meyer
Date: Sun, 5 Aug 2001 11:03:33 -0500
To: Jim Conner
Cc: questions@freebsd.org
Subject: Re: just how many known viruses are there for FreeBSD?

Jim Conner types:
> At 12:47 PM 08.02.2001 -0400, Jerry Murdock wrote:
> >Actually Code Red is one of the more clever ones. It is not a simple VBScript
> >hack. If a new unchecked buffer/remote execution exploit was found in an
> >Apache module then something similar could be constructed without need for
> >root access, using many of the same concepts.
> This is not entirely true. The Apache server would have to be running as
> root which if exploited then allows the malicious code to do things as
> root.

That's not true at all. The Code Red worm doesn't do anything that needs root access. Read the CERT's description of it at . An exploit in Apache - or an Apache module - that lets an attacker download code and run it in that process is sufficient for what it does.

> AFAIK, the Apache webserver by default runs as the user 'nobody'
> which then the malicious code may only be run as that unprivileged user. I
> admit that some admins run the server as root (not wise...of course. Even
> the configs for the server state it's not wise) which in this case I could
> see where said virus could cause harm.

That depends on your definition of "harm". It could be claimed that the Code Red worm doesn't harm a system, as the only thing it does to the disk is create a scratch file to note that it's there. However, some versions caused the web server to start sending defaced pages, and all versions can create a noticeable system load. A properly administered web server won't be able to do much more than that.

I'm not sure how true that is on WNT or W2K, but the description of some of the worm's activities - writing on C: and shared libraries - is enough to cause me to recommend avoiding those platforms.

http://www.mired.org/home/mwm/
Independent WWW/Perforce/FreeBSD/Unix consultant, email for more information.
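The thread turns on two points an administrator can actually verify: the httpd worker processes must run as an unprivileged user, and that user must not be able to rewrite the document root (otherwise a compromised worker can serve defaced pages, as the post describes). The following sh script is an added example, not part of the original message; the `ps` listing it parses is a constructed sample so that it runs offline, and `/usr/local/sbin/httpd` and the `nobody` user are assumptions matching the post.

```sh
#!/bin/sh
# Added example (not from the original post). Two checks that bound what a
# compromised Apache worker could do, following the thread's argument.

# check_httpd_workers LISTING
#   LISTING is `ps -axo user,pid,ppid,command` output. The parent httpd
#   (PPID 1) is allowed to be root because it binds port 80, but every
#   child (the processes that parse requests) must run as another user.
#   Returns 0 when no child runs as root, 1 otherwise.
check_httpd_workers() {
    printf '%s\n' "$1" | awk '
        $4 ~ /httpd/ && $3 != 1 && $1 == "root" { bad++ }
        END { exit (bad > 0) ? 1 : 0 }'
}

# docroot_not_world_writable DIR
#   A worker running as nobody can only deface pages it can write to.
#   Returns 0 when nothing under DIR is world-writable, 1 otherwise.
docroot_not_world_writable() {
    [ -z "$(find "$1" -perm -002 -print 2>/dev/null | head -n 1)" ]
}

# Constructed sample listing: root parent plus two workers running as nobody.
SAMPLE_PS='USER PID PPID COMMAND
root 100 1 /usr/local/sbin/httpd
nobody 101 100 /usr/local/sbin/httpd
nobody 102 100 /usr/local/sbin/httpd'

if check_httpd_workers "$SAMPLE_PS"; then
    echo "ok: no httpd worker runs as root"
else
    echo "WARNING: an httpd worker runs as root"
fi
```

On a live host, feed it `"$(ps -axo user,pid,ppid,command)"` and the real DocumentRoot instead of the sample.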