Subject: Re: Code-red worm (snicker snicker...)
To: Brian Hechinger <wonko@arkham.ws>
From: Steven M. Bellovin <smb@research.att.com>
List: netbsd-users
Date: 08/02/2001 14:24:30
In message <20010802141326.H5407@wintermute.arkham.ws>, Brian Hechinger writes:
>On Thu, Aug 02, 2001 at 08:09:08PM +0200, Michael Kukat wrote:
>>
>>
>> But don't think you are safe, because your Alpha can't execute the i386-code
>> of the script kiddies. Interpreter scripts (like usual shell scripts) just r
>un,
>> if the buffer overflow allows execution of code. So just start with "#!/bin/
>sh"
>> and it will run on every platform, can modify /etc/inetd.conf, HUP it, and
>> voila, your shell on some port is open...
>
>you run your web server as root? then you get what you deserve. :)
>
It's worth noting that the effects of the current Code Red worm would
be identical if it were running as "www". It spread, which requires
network access; it defaced the site, which requires "www" access; and
it tried to flood www.whitehouse.gov, which again requires network
access.
--Steve Bellovin, http://www.research.att.com/~smb