Re: [cobalt-security] profile of a bind worm
- Subject: Re: [cobalt-security] profile of a bind worm
- From: "Kevin D" <kdlists@xxxxxxxxxxxxxxx>
- Date: Mon, 11 Jun 2001 13:15:45 -0400
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
From: "Dan Keller" <dan@xxxxxxxxxx>
> At 10:38 AM 6/11/01 -0400, you wrote:
> >I had a very interesting encounter with a bind worm this weekend...
>
> Brr, scary!
Actually, since the worm was trapped as user named, it was a quite
interesting study. Now if the worm had gained root access, it would have
been scary...
> >...I should have frozen the processes and killed them
> >off from their frozen state.
>
> How would you have done that? How do you freeze a process?
kill -s SIGSTOP <pid>
The program doesn't know that this signal was sent from the tty, and thus
the thinking goes that you wouldn't trigger a logical bomb set to go off when
the program catches a SIGTERM signal.
HOWEVER I don't know of a way to kill the process while it's frozen. The idea
would be to freeze it, and then evaluate the program to see if there was a
logical bomb attached to the SIGTERM signal (I'd probably just run it on a
Red Hat box that's not one of my servers). Then you can just send the
program a SIGCONT followed by SIGTERM (standard kill).
For more info:
http://www.ddj.com/articles/2000/0011/0011g/0011g.htm ("Don't Panic"
section)
Kevin
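The freeze / inspect / resume / terminate cycle described in the message above, as an added example that is not part of the original post or thread. It uses a stand-in process of my own (a small shell loop that records when its SIGTERM handler runs) so you can see which signals actually reach a process; the helper names (start_stand_in, proc_state, freeze_pid, thaw_pid, reap and the two demo functions) are mine, and it assumes a POSIX sh with ps available. The second function goes one step beyond the post: SIGKILL is delivered even to a stopped process, so a frozen process can be ended without a SIGCONT and without its own SIGTERM handler ever running.

```shell
#!/bin/sh
# Added example, not code from the original post. Walks through the cycle the
# message describes: freeze a suspect process with SIGSTOP, check that it is
# stopped, then SIGCONT + SIGTERM to end it. A second function shows that
# SIGKILL ends a process while it is still frozen. The stand-in process and
# helper names below are mine (constructed for this demo).

LOG="${TMPDIR:-/tmp}/sigstop-demo.$$.log"

# Stand-in for the suspect process: loops forever and appends a line to $LOG
# when its SIGTERM handler runs. No handler for SIGSTOP can exist: it cannot
# be caught, blocked or ignored.
start_stand_in() {
  : > "$LOG"
  LOGFILE="$LOG" sh -c '
    trap "echo TERM-handler-ran >> \"$LOGFILE\"; exit 0" TERM
    while :; do sleep 1; done' &
  STAND_IN_PID=$!
}

# First letter of the ps STAT column: R/S running or sleeping, T stopped,
# Z zombie; empty once the process is gone.
proc_state() {
  ps -o stat= -p "$1" 2>/dev/null | awk 'NR == 1 { print substr($1, 1, 1) }'
}

# Number of times the stand-in's SIGTERM handler has run so far.
handler_runs() { wc -l < "$LOG" | tr -d ' '; }

freeze_pid() { kill -s STOP "$1"; }   # the "kill -s SIGSTOP <pid>" from the post
thaw_pid()   { kill -s CONT "$1"; }

# Reap a child without letting a non-zero status abort a `set -e` caller.
reap() { if wait "$1"; then REAP_STATUS=0; else REAP_STATUS=$?; fi; }

# Cycle from the post: freeze, inspect, then SIGCONT followed by SIGTERM.
# Sets FROZEN_STATE, RUNS_WHILE_FROZEN, RUNS_AFTER_TERM; returns 0 on success.
demo_thaw_then_term() {
  start_stand_in
  sleep 1
  freeze_pid "$STAND_IN_PID"
  sleep 1
  FROZEN_STATE=$(proc_state "$STAND_IN_PID")    # T: stopped, not dead
  RUNS_WHILE_FROZEN=$(handler_runs)             # 0: nothing of its own ran
  thaw_pid "$STAND_IN_PID"
  kill -s TERM "$STAND_IN_PID"
  reap "$STAND_IN_PID"
  RUNS_AFTER_TERM=$(handler_runs)               # 1: handler ran once resumed
  GONE_STATE=$(proc_state "$STAND_IN_PID")      # empty: process is gone
  echo "frozen=$FROZEN_STATE handler_runs=$RUNS_WHILE_FROZEN/$RUNS_AFTER_TERM exit=$REAP_STATUS"
  [ "$FROZEN_STATE" = "T" ] && [ "$RUNS_WHILE_FROZEN" = "0" ] \
    && [ "$RUNS_AFTER_TERM" = "1" ] && [ -z "$GONE_STATE" ]
}

# Variant: SIGKILL reaches a stopped process, so no thaw is needed and the
# process's SIGTERM handler never gets a chance to run.
# Sets KILL_FROZEN_STATE and KILL_HANDLER_RUNS; returns 0 on success.
demo_kill_while_frozen() {
  start_stand_in
  sleep 1
  freeze_pid "$STAND_IN_PID"
  sleep 1
  KILL_FROZEN_STATE=$(proc_state "$STAND_IN_PID")   # T
  kill -s KILL "$STAND_IN_PID"
  reap "$STAND_IN_PID"
  KILL_HANDLER_RUNS=$(handler_runs)                 # 0: handler never ran
  KILL_GONE_STATE=$(proc_state "$STAND_IN_PID")     # empty
  echo "frozen=$KILL_FROZEN_STATE handler_runs=$KILL_HANDLER_RUNS exit=$REAP_STATUS"
  [ "$KILL_FROZEN_STATE" = "T" ] && [ "$KILL_HANDLER_RUNS" = "0" ] && [ -z "$KILL_GONE_STATE" ]
}

# Run both demos when invoked as: sh sigstop-demo.sh run
if [ "${1:-}" = "run" ]; then
  demo_thaw_then_term
  demo_kill_while_frozen
  rm -f "$LOG"
fi
```

The stand-in shell is stopped by pid only, so the `sleep` it is waiting on keeps running for up to a second; that is why the demo pauses before reading the state and why the handler line appears only after the process has been continued and reaped. The same `ps -o stat=` check is what you would use on a real server to confirm a suspect pid shows `T` before deciding whether to copy its binary off for analysis.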