[lug] More Redhat worm discussion
Gary Frerking
garyf at turbopower.com
Mon Apr 23 15:26:11 MDT 2001
At the risk of PETA coming after me for beating a four-legged animal, I
came across something interesting while reading an analysis of the Lion
worm (one of the recent worms that target Redhat servers).
The analysis is here:
http://www.whitehats.com/library/worms/lion/index.html
The paragraph that caught my interest is:
"My worm testing was greatly complicated by my choice of example target
platform: a default server install of Redhat 6.2. I thought that it was
probably the most popular distribution and version of Linux in use on
the Internet. Thus, it would be the best example of a typical worm
target. Indeed, the BIND exploit specifically listed Redhat 6.2 as the
target platform! However, Redhat does not enable the named service by
default. When it is activated (via linuxconf or ntsysv utilities), named
is run as user named, such as "named -u named". The only way Redhat 6.2
can be vulnerable to the BIND exploit is when the administrator manually
adds named to the startup scripts, then intentionally runs it as root by
deleting the "-u named" portion of the startup command. After extensive
testing, I determined that this was true for all published BIND exploits
that claim to affect Redhat 6.2. Then I was convinced that I must have
missed something. A very warm thanks goes to Andreas Östling, who
described seeing the very same results I had seen and gave me
encouragement to continue the analysis."
So...
The way I read it, according to this guy you actually have to jump
through hoops to make a default installation of Redhat 6.2 vulnerable.
This obviously doesn't mean the default Redhat 6.2 installation is
secure in all respects, but to me it sheds a little light on how this
kind of thing is being misrepresented by the press and by word-of-mouth.
-- Gary
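The precondition the quoted analysis describes is checkable: named is only exposed to the published BIND exploits when it keeps root, which on Red Hat 6.2 means the "-u named" part of the startup command was removed. The script below is an added example, not code from Gary's post or from the whitehats analysis; it extracts the user passed via -u from an init-script command line and scans a "ps -eo user,pid,args" style listing for a named process owned by root. The process listings are constructed samples so the script runs offline; on a real box you would feed it the output of ps and the "daemon named ..." line from /etc/rc.d/init.d/named.

```shell
#!/bin/sh
# Added example: audit whether BIND's named runs as root.
# Not part of the original post; sample inputs below are constructed.

# Print the user named drops to via "-u <user>" in an init-script command
# line. If no -u is present, named keeps root, so print "root".
named_drop_user() {
    printf '%s\n' "$1" | awk '
        {
            user = "root"
            for (i = 1; i < NF; i++) if ($i == "-u") user = $(i + 1)
            print user
        }'
}

# Scan a process listing in "user pid args" format (as from
# "ps -eo user,pid,args"). Prints each named process owned by root and
# returns 0 if at least one was found, 1 otherwise.
named_as_root_in_ps() {
    printf '%s\n' "$1" | awk '
        $3 ~ /(^|\/)named$/ && $1 == "root" { found = 1; print $0 }
        END { exit (found ? 0 : 1) }'
}

# Constructed listing: named started with "-u named" and running as named.
PS_DEFAULT='root 1 init
named 412 /usr/sbin/named -u named
root 520 /usr/sbin/sshd'

# Constructed listing: "-u named" removed from the startup script.
PS_ROOT='root 1 init
root 412 /usr/sbin/named
root 520 /usr/sbin/sshd'

# Stand-alone demo over the constructed samples.
echo "startup 'daemon named -u named' drops to: $(named_drop_user 'daemon named -u named')"
echo "startup 'daemon named' drops to:          $(named_drop_user 'daemon named')"
for listing in "$PS_DEFAULT" "$PS_ROOT"; do
    if named_as_root_in_ps "$listing" >/dev/null; then
        echo "named is running as root: exposed to the root-only BIND exploits"
    else
        echo "no root-owned named process found"
    fi
done
```

To run this against a live system, replace the constructed listings with `ps -eo user,pid,args` output and pass the `daemon named` line from the init script to `named_drop_user`; a result of "root" from either check is the configuration the analysis says an administrator has to create by hand.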