On Wed, Apr 27, 2005 at 03:50:57PM +0100, Nigel Wade wrote:
Number of infections 0-49, number of sites 0-2 - over 3 years.
Wow, it's speading like wildfire... help, help!
It has no escalation mechanism, so can only infect ELF files to which the user infected has write permission.
Threat ~0.
Looks like it spread to root from a user account in this case. Threat is obviously somewhat greater than 0. Caution and good practices are still required.
There's no evidence that the virus escalated its own privilege. More likely that a root process executed an infected binary.
Moral of the story - don't execute binaries installed during a break-in just to see what they do, especially when logged in as root - and don't have "." in root's path!
-- Nigel Wade, System Administrator, Space Plasma Physics Group, University of Leicester, Leicester, LE1 7RH, UK E-mail : nmw@xxxxxxxxxxxx Phone : +44 (0)116 2523548, Fax : +44 (0)116 2523555