Security Basics mailing list archives

Re: Removing Perl.Santy


From: Barrie Dempster <barrie () reboot-robot net>
Date: Wed, 02 Feb 2005 11:29:09 +0000

On Mon, 2005-01-31 at 16:34 -0600, Michael Rice wrote:
> Not knowing anything about it except what's on the Symantec site, I
> would.
>
> a) get rid of the phpBB that made you vulnerable in the first place
> (upgrade or replace)

I can understand your other steps but I am confused as to this one's
effectiveness.

The reason the OP was infected by the worm was because they didn't apply
a fix which was publicly available the same day as the vulnerability
was. Then over a month later a worm appeared and took advantage of this
lapse in security. Hardly the fault of the software in use. The OP
obviously has need for a web-based forum so getting rid of one for
another doesn't seem to offer any real security especially considering
his current vendor had a fix for the bug extremely quickly.

The only valid reason for replacing the product in this situation is if
there is a *proven* more secure alternative. phpBB2 is extremely common
and therefore well audited code, changing to other similar software will
only mean relearning different software and possibly having to
reconfigure IDS's and other monitoring/reporting systems in order to
acknowledge the change, doing so changes the behaviour of the server and
makes baseline analysis more difficult.

As I said the rest of your advice I agree with but dropping software
because a worm utilised a vulnerability that should have been and could
have been patched seems overkill and most likely would lead to a less
secure system. Can you elaborate on why you think this is an effective
measure?

-- 
With Regards..
Barrie Dempster (zeedo) - Fortiter et Strenue

blog: http://zeedo.blogspot.com
site: http://www.bsrf.org.uk

[ gpg --recv-keys --keyserver www.keyserver.net 0x96025FD0 ]

