The 'Security Digest' Archives (TM)


ARCHIVE: 'Phage List' - Archives (1988 - 1989)
DOCUMENT: phage #130 [Re: The virus some more stuff on this virus] (1 message, 920 bytes)


From: ames!claris!portal!!
To: [not phage]
Date: Sat 05:13:26 05/11/1988 EST
Subject: Re: The virus some more stuff on this virus
References: [Thread Prev: 127] [Thread Next: 404] [Message Prev: 077] [Message Next: 048]

The patch from Keith Bostic in the last message is *not* sufficient to
halt the spread of the virus.  We have discovered from looking at the
binaries that the virus also attempts to spread itself via "rsh"
commands to other machines.  It looks through a *lot* of files to find
possible vectors to spread.

If you have a bunch of machines with hosts.equiv set or .rhosts files,
you should shut them *all* down at the same time after you have fixed
sendmail to prevent a further infestation.  If you don't clear out
the versions in memory, you won't protect your other machines.

The virus runs itself with the name "sh" and then overwrites argv,
so if a "ps ax" shows any processes named "(sh)" without a controlling
tty, you have a problem.  Due to the use of other uids from rsh,
don't make any conclusions if the uid is one of your normal users.

Also, check your mailq (do a mailq command).  If you see any entries
that pipe themselves through sed and sh, delete them from the queue
before you restart your machines.

Non-internet sites do not need to worry about this virus (for now!),
but be aware that mail and news may not be flowing everywhere for some
time -- many sites are disconnecting from the Internet completely
until the virus is contained.
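As an added example, not part of the original message above: a small POSIX shell script that applies the two checks the message describes (processes named "(sh)" with no controlling tty in "ps ax" output, and mailq entries whose recipient is a pipe through sed and sh) to constructed sample output. The column layout it assumes (BSD-style "PID TT STAT TIME COMMAND" for ps, and sendmail-style mailq output with the queue ID at the start of each entry's header line) and the sample text are my assumptions, not taken from the message.

```shell
#!/bin/sh
# Added example: detection checks for the two indicators named in the message.
# Both functions read text passed as their first argument, so they can be fed
# either the constructed samples below or real "ps ax" / "mailq" output.

# Count processes whose command is exactly "(sh)" and that have no controlling
# tty. Assumes BSD-style columns: PID TT STAT TIME COMMAND, with "?" in TT
# meaning "no controlling tty".
suspicious_sh_count() {
    printf '%s\n' "$1" | awk '$2 == "?" && $5 == "(sh)" { n++ } END { print n + 0 }'
}

# Print the queue IDs of mailq entries whose recipient is a pipe ("|...") that
# mentions both sed and sh. Assumes sendmail-style mailq output: a header line
# beginning with the queue ID and size, followed by indented recipient lines.
suspicious_mailq_ids() {
    printf '%s\n' "$1" | awk '
        /^[A-Za-z0-9]+[ \t]+[0-9]+/        { id = $1 }   # header line: remember queue ID
        /^[ \t]+[|]/ && /sed/ && /sh/       { print id }  # piped recipient through sed and sh
    '
}

# Constructed sample "ps ax" output (not captured from a real system).
SAMPLE_PS=$(cat <<'EOF'
  PID TT STAT  TIME COMMAND
  123 ?  S     0:01 (sh)
  456 p0 S     0:00 -csh (csh)
  789 ?  R     0:03 (sh)
  900 p1 S     0:00 sh
EOF
)

# Constructed sample "mailq" output (not captured from a real system).
SAMPLE_MAILQ=$(cat <<'EOF'
        Mail Queue (2 requests)
--QID-- --Size-- -----Q-Time----- ------------Sender/Recipient------------
AA01234     2440 Thu Nov  3 01:10 <root@host>
                                  |sed -e 1d | sh
AA05678      512 Thu Nov  3 01:12 <alice@host>
                                  bob@otherhost
EOF
)

# Report on the samples. With real output, pipe "ps ax" and "mailq" into the
# same functions instead; the message advises deleting matching queue entries
# before restarting and treating any "(sh)" without a tty as a compromise sign.
echo "(sh) processes without a tty: $(suspicious_sh_count "$SAMPLE_PS")"
echo "queue entries piping through sed and sh:"
suspicious_mailq_ids "$SAMPLE_MAILQ"
```

On the samples the first check reports 2 and the second lists AA01234. The uid column is deliberately not consulted, for the reason the message gives: rsh-driven copies may run under an ordinary user's uid.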