The 'Security Digest' Archives (TM)


ARCHIVE: 'Phage List' - Archives (1988 - 1989)
DOCUMENT: phage #002 [Yet more on the virus] (1 message, 1036 bytes)


From: Gene Spafford <spaf>
To: [not phage]
Date: Thu 14:50:52 03/11/1988 EST
Subject: Yet more on the virus
References: [Thread Prev: 012] [Thread Next: 003] [Message Prev: 001] [Message Next: 003]

As some of you have already found, Keith's patch is not enough.
The damn virus also runs through all host names and user names trying
to do "rsh" commands.  If you have paths via .rhosts or hosts.equiv
files, the virus can continue to manifest itself.  It looks in
*lots* of places for ideas for userids and hostnames -- a core dump
run through strings provides very interesting reading.

It compiles itself into a file named "sh" and then runs it.  First thing
it does then is clobber the argv.  Look for processes running on your
machine with command name fields of "(sh)" that are eating up
lots of cpu time.

According to Brian Kantor, BBN is recommending to sites (especially Milnet
sites) that they disconnect until this virus is eradicated.

If any of you have sendmail logging that captures hostinfo, save it.
Also save logs that show users coming in with rsh.  We might be able
to get a vector on the source.
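The check Spafford describes (processes whose command field reads "(sh)" and that are eating CPU) can be scripted against `ps` output. The following is an added example for illustration, not part of the original message or of any 1988 tooling. It assumes a modern POSIX `ps -eo pid,pcpu,user,args` format; the `args` column is used rather than `comm` because `args` reflects the process's argv, which is the field the worm clobbered, while `comm` on current systems comes from the kernel's own record of the executable name. The sample `ps` output embedded below is constructed, not a real capture. On modern systems bracketed names are also how kernel threads appear, which is why the CPU threshold is part of the test and not just the name.

```python
import subprocess

# Constructed sample of `ps -eo pid,pcpu,user,args` output (not a real capture).
SAMPLE_PS_OUTPUT = """\
  PID %CPU USER     COMMAND
    1  0.0 root     init
  202 97.4 nobody   (sh)
  203 88.0 daemon   (sh)
  204  1.2 spaf     emacs
  205  0.0 spaf     (sh)
  206 95.0 spaf     cc1
"""


def parse_ps(text):
    """Parse `ps -eo pid,pcpu,user,args` output into a list of dicts.

    The header row is skipped; the args column may contain spaces, so the
    line is split into at most four fields.
    """
    rows = []
    for line in text.splitlines():
        parts = line.split(None, 3)
        if len(parts) < 4 or parts[0] == "PID":
            continue
        pid, pcpu, user, args = parts
        try:
            rows.append({"pid": int(pid), "pcpu": float(pcpu),
                         "user": user, "args": args})
        except ValueError:
            # Malformed line; skip rather than abort the whole scan.
            continue
    return rows


def find_suspect_processes(rows, cpu_threshold=50.0, name="(sh)"):
    """Return rows whose argv field is exactly `name` and whose CPU use
    is at or above `cpu_threshold` percent (the two signs Spafford lists)."""
    return [r for r in rows if r["args"] == name and r["pcpu"] >= cpu_threshold]


def scan_live(cpu_threshold=50.0):
    """Run ps on the local host and return suspect processes.

    Not used by the offline demo below; provided for running the check for real.
    """
    out = subprocess.run(["ps", "-eo", "pid,pcpu,user,args"],
                         capture_output=True, text=True, check=True).stdout
    return find_suspect_processes(parse_ps(out), cpu_threshold)


if __name__ == "__main__":
    for r in find_suspect_processes(parse_ps(SAMPLE_PS_OUTPUT)):
        print(f"suspect pid={r['pid']} user={r['user']} "
              f"cpu={r['pcpu']}% args={r['args']}")
```

Against the constructed sample this flags pids 202 and 203; pid 205 is also named "(sh)" but idle, and pid 206 is busy but is an ordinary compiler, so neither is reported at the default threshold.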