Date:      Sun, 5 Aug 2001 11:03:33 -0500
From:      Mike Meyer <mwm@mired.org>
To:        Jim Conner <jconner@enterit.com>
Cc:        questions@freebsd.org
Subject:   Re: just how many known viruses are there for FreeBSD?
Message-ID:  <15213.28245.595461.103253@guru.mired.org>
In-Reply-To: <20038027@toto.iv>

Jim Conner <jconner@enterit.com> types:
> At 12:47 PM 08.02.2001 -0400, Jerry Murdock wrote:
> >Actually Code Red is one of the more clever ones.  It is not a simple VBScript
> >hack.  If a new unchecked buffer/remote execution exploit was found in an
> >Apache module then something similar could be constructed without need for
> >root access, using many of the same concepts.
> This is not entirely true.  The apache server would have to be running as 
> root which if exploited then allows the malicious code to do things as 
> root.

That's not true at all. The code red worm doesn't do anything that
needs root access. Read the CERT's description of it at <URL:
http://www.cert.org/advisories/CA-2001-19.html >. An exploit in Apache
- or an Apache module - that lets an attacker download code and run it
in that process is sufficient for what it does.

> AFAIK, the Apache webserver by default runs as the user 'nobody' 
> which then the malicious code may only be run as that unprivileged user.  I 
> admit that some admins run the server as root (not wise...of course.  Even 
> the configs for the server state it's not wise) which in this case I could 
> see where said virus could cause harm.

That depends on your definition of "harm". It could be claimed that
the code red worm doesn't harm a system, as the only thing it does to
the disk is create a scratch file to note that it's there. However,
some versions caused the web server to start sending defaced pages,
and all versions can create a noticeable system load.

A properly administered web server won't be able to do much more than
that. I'm not sure how true that is on WNT or W2K, but the description
of some of the worm's activities - writing on C: and shared libraries -
is enough to cause me to recommend avoiding those platforms.

	<mike
--
Mike Meyer <mwm@mired.org>			http://www.mired.org/home/mwm/
Independent WWW/Perforce/FreeBSD/Unix consultant, email for more information.
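The message above turns on which user the web server actually runs as. The script below is an added example, not code from this message or the thread, that audits a process list for web server workers still running as root. It assumes the layout of `ps -axo user=,pid=,ppid=,comm=`, an assumed list of web server command names, and the usual privilege-drop model in which the listener parent started by init (ppid 1) may run as root to bind port 80 while every worker should already run as an unprivileged user such as nobody or www; the sample process list is constructed.

```shell
#!/bin/sh
# Added example, not code from the original message: audit whether any web
# server worker process is running as root on a FreeBSD/Unix host.
#
# Assumptions (adjust for your hosts): the listener parent is started by init
# (ppid 1) and may legitimately run as root so it can bind port 80, while every
# other web-server process should already have dropped to an unprivileged user
# such as nobody or www. Input lines follow `ps -axo user=,pid=,ppid=,comm=`.

# Command names treated as web servers (assumed list; extend as needed).
WEB_SERVER_PATTERN='^(httpd|apache|apache2|nginx|lighttpd)$'

# Constructed sample of ps output for an offline run: pid 817 is a worker
# that never dropped privileges, pid 812 is the normal root-owned parent.
SAMPLE_PS='root      812     1 httpd
nobody    815   812 httpd
nobody    816   812 httpd
root      817   812 httpd
www       901     1 nginx
root      117     1 sshd'

# Reads "user pid ppid command" lines on stdin, prints one line per web-server
# process that runs as root without being the init-started parent, and returns
# exit status 1 when any such process exists (0 when the tree looks healthy).
flag_root_web_workers() {
    awk -v pat="$WEB_SERVER_PATTERN" '
        {
            name = $4
            sub(/.*\//, "", name)            # strip any path, keep the basename
            if (name ~ pat && $1 == "root" && $3 != 1) {
                printf "root-privileged worker: pid %s ppid %s (%s)\n", $2, $3, name
                found = 1
            }
        }
        END { exit (found ? 1 : 0) }
    '
}

# Convenience wrapper that prints only the number of offending processes.
count_root_web_workers() {
    flag_root_web_workers | grep -c 'root-privileged worker'
}

# Offline self-check against the constructed sample. On a live host use:
#   ps -axo user=,pid=,ppid=,comm= | flag_root_web_workers
if printf '%s\n' "$SAMPLE_PS" | flag_root_web_workers; then
    echo "ok: no web server worker is running as root"
else
    echo "WARNING: web server workers running as root (see above)"
fi
```

The ppid-1 rule is a heuristic: a server started under a supervisor will have that supervisor as its parent, so whitelist its pid instead. As the thread notes, a worker confined to nobody still lets injected code consume CPU and bandwidth or serve altered content from within the process, so this check limits the blast radius rather than removing it.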
