- To: Rick Welykochy <rick@xxxxxxxxxxxxx>
- Subject: Re: Compromised Linux box stories (Re: [SLUG] upgrading complicated installs)
- From: Adrian Chadd <adrian@xxxxxxxxxxxxxxx>
- Date: Mon, 2 Jun 2008 13:40:32 +0800
- Cc: slug@xxxxxxxxxxx
- User-agent: Mutt/1.5.9i
On Mon, Jun 02, 2008, Rick Welykochy wrote:
> Daniel Pittman wrote:
>
> >[2] formmail. I say no more.
>
> The perl language has been pretty bullet-proof. I do recall
> one string-based exploit in the many many years I have been using
> it.
Shit code can be written on all platforms.
> That said, yup, scripts like formmail are written by monkeys
> in the 11th level hell and sent to torment sys admins.
>
> I was running an ISP and in my early days I stupidly allowed
> some customers to upload their own perl CGI scripts to our
> (only) main web server. After watching the machine being brought
> down to its knees due to inexperienced coding (don't ask) I
> learnt my lesson very quickly.
>
> The only way to allow user-supplied scripts nowadays is via
> some sort of virtualisation scheme with solid sandboxing. Even
> then, poor coding can gobble up heaps of resources needlessly.
The trouble is that the entry barrier for coding is so low, you can
"code" without any "clue".
Adrian