[ale] RED HAT WORM

Michael H. Warfield mhw at wittsend.com
Sun Jan 21 11:04:07 EST 2001


On Sun, Jan 21, 2001 at 04:46:47AM -0500, Frank Zamenski wrote:

> > On Sat, Jan 20, 2001 at 12:12:01AM -0500, Bob wrote:
> > > This worm can infect Red Hat 6.2 and Red Hat 7 running on Intel systems
> > > and deface web sites.

> > RedHat 6.2 systems which have not been kept up to date and
> > RedHat 7.0 First Edition.  RedHat 7.0 Second Edition (Respin) is not
> > vulnerable, nor is RedHat 6.2 if the updates have been applied.  You're
> > also safe from the worm (but not the exploits it uses) if you don't
> > have ftp enabled.  It uses ftp to decide if you are vulnerable or not.
> > It does not need anonymous ftp access to do so, either, it only needs
> > the ftp banner.

> > Mike

> "... it only needs the ftp banner."
> (I almost hate to ask. :) Ok, why not just remove the banner?

	You should hate to ask.

	Why not just fix the problems?  All three of the exploits have
been fixed for months.  Fixing the banner without updating those packages
is just ridiculous, you are still vulnerable to people who come along
manually and root your box!  Updating the packages (which, since ftp is
one of them, change the banner as well) fixes the problems and you don't
have to do any tinkering that still leaves you vulnerable.

	So why on God's green earth would you even want to consider taking
the lame approach of just changing the banner and leaving the system
vulnerable to attack?

> -fgz

> > --
> >  Michael H. Warfield    |  (770) 985-6132   |  mhw at WittsEnd.com
> >   (The Mad Wizard)      |  (678) 463-0932   |  http://www.wittsend.com/mhw/
> >   NIC whois:  MHW9      |  An optimist believes we live in the best of all
> >  PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!

	Mike
-- 
 Michael H. Warfield    |  (770) 985-6132   |  mhw at WittsEnd.com
  (The Mad Wizard)      |  (678) 463-0932   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!
