
RE: [cobalt-developers] Re: OpenSSL patch for Linux worm?



> Rick Garcia wrote:
> 
> > #chmod 0 `which gcc`
> >
> > Can anyone confirm that this is enough to stop the current SSL worm
> > threat?
> 
> This will stop the threat, but at the expense of letting anyone who has
> shell access use the GNU C compiler.
> 
> Jeff

Don't some PKG files use GCC when installing?  The one that comes to
mind is the pkgmaster neomail released a while back.  I wonder if others
need it as well.

Changing the mode to 700 should be OK: since the admin httpd process runs
as root, it will still have execute permission on gcc, but apache and other
users would not.
 
BTW, I had one computer hit by the worm.  Fortunately it's very easy to
clean.  There are three files in the /tmp folder: .bugtraq, .bugtraq.c and
.uubugtraq.  You can see them by running the ls -a command.  If you run
ls -la you can see when you were violated.

Remove the three files, do a ps -ax | grep bugtraq to find out the PID
of the worm and then kill it.

Temporarily prevent future exploits by finding the line in
/etc/httpd/conf/httpd.conf that begins with SSLCipherSuite, finding the
part that says +SSLv2, and changing the + to a !.
Save the file, restart apache by doing /etc/rc.d/init.d/httpd restart,
and then make sure your SSL sites still work.

You know, we should be thankful that the person released this particular
worm.  It's relatively benign, easy to catch and could have been much
worse.  Now, we'll all have an opportunity to patch our servers before
someone releases a seriously destructive version.

Additionally, the worm leaves its entire source code behind.  They even
left it completely commented and documented.  I haven't used C in 4 or 5
years, but I didn't have much trouble at all figuring out what's going
on in there.  It's almost like the person who released it was just
trying to say "Wake up knuckle headed sys-admins... there's an openssl
update that you need to get!"

I hope we all get the message.  One last BTW: I love my Cobalt RaQ
servers, however I'm starting to feel that they are a serious liability.
I can't manually update/patch them without the fear of breaking the
ability to get future updates from Cobalt, but if I wait for the
"official" updates to come around, my server will never get patched.
Not to mention the SHP fiasco...  Maybe I need to revisit that thread on
the developer list about installing 2.4 based Linux onto the Raq's.

--
Matthew Nuzum
www.bearfruit.org
cobalt@xxxxxxxxxxxxx
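
As an added example (not code from the thread, from Matthew, or from Cobalt), a small sh script that checks a box for the indicators described above and rewrites the SSLCipherSuite line the way the message suggests. It assumes the three file names and the "bugtraq" process name given above, and that the SSLCipherSuite directive sits on a single line.

```shell
#!/bin/sh
# Added example, not part of the original thread. Defender-side checks for
# the two things the message describes: the worm's files in /tmp and the
# "+SSLv2 -> !SSLv2" change to SSLCipherSuite in httpd.conf.
# Assumed: the files are .bugtraq, .bugtraq.c and .uubugtraq, the process
# name contains "bugtraq", and SSLCipherSuite is a one-line directive.

# List any of the three worm files under DIR (default /tmp) with ls -la so
# the timestamp shows when the box was hit. Returns 1 if any were found.
check_worm_files() {
    dir="${1:-/tmp}"
    found=0
    for f in .bugtraq .bugtraq.c .uubugtraq; do
        if [ -e "$dir/$f" ]; then
            ls -la "$dir/$f"
            found=1
        fi
    done
    return $found
}

# Number of running processes whose command line mentions bugtraq; the
# bracket trick keeps the grep itself out of the count.
count_worm_procs() {
    ps ax 2>/dev/null | grep '[b]ugtraq' | wc -l | tr -d ' '
}

# True (exit 0) if the SSLCipherSuite line in FILE still enables SSLv2.
sslv2_enabled() {
    grep -q '^[[:space:]]*SSLCipherSuite.*+SSLv2' "$1"
}

# Print FILE with +SSLv2 turned into !SSLv2 on SSLCipherSuite lines only,
# every other line untouched. Redirect to a new file and diff it against
# the original before swapping it in and restarting httpd.
disable_sslv2() {
    sed '/^[[:space:]]*SSLCipherSuite/ s/+SSLv2/!SSLv2/g' "$1"
}

# Stand-alone use: ./check.sh --report  (reports only, changes nothing)
if [ "${1:-}" = "--report" ]; then
    check_worm_files /tmp && echo "no worm files in /tmp"
    echo "bugtraq processes: $(count_worm_procs)"
    cfg=/etc/httpd/conf/httpd.conf
    if [ -r "$cfg" ] && sslv2_enabled "$cfg"; then
        echo "$cfg still has +SSLv2 on its SSLCipherSuite line"
    fi
fi
```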