ARCHIVE: 'Phage List' - Archives (1988 - 1989)
DOCUMENT: phage #130 [Re: The virus some more stuff on this virus] (1 message, 920 bytes)
NOTICE: securitydigest.org recognises the rights of all third-party works.
START OF DOCUMENT
To: [not phage]
Date: Sat 05:13:26 05/11/1988 EST
Subject: Re: The virus some more stuff on this virus
References: [Thread Prev: 127] [Thread Next: 404] [Message Prev: 077] [Message Next: 048]
The patch from Keith Bostic in the last message is *not* sufficient to halt the spread of the virus. We have discovered from looking at the binaries that the virus also attempts to spread itself via "rsh" commands to other machines. It looks through a *lot* of files to find possible vectors to spread. If you have a bunch of machines with hosts.equiv set or .rhosts files, you should shut them *all* down at the same time after you have fixed sendmail to prevent a further infestation. If you don't clear out the versions in memory, you won't protect your other machines.

The virus runs itself with the name "sh" and then overwrites argv, so if a "ps ax" shows any processes named "(sh)" without a controlling tty, you have a problem. Due to the use of other uids from rsh, don't make any conclusions if the uid is one of your normal users. Also, check your mailq (do a mailq command). If you see any entries that pipe themselves through sed and sh, delete them from the queue before you restart your machines.

Non-internet sites do not need to worry about this virus (for now!), but be aware that mail and news may not be flowing everywhere for some time -- many sites are disconnecting from the Internet completely until the virus is contained.
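Added example, not part of the original message or its author's work: a small shell check for the two indicators described above (processes named "(sh)" with no controlling tty, and mail queue entries that pipe through sed and sh). The ps and mailq output below is constructed sample data so the script runs offline; the field layout assumes BSD-style "ps ax" columns (PID TT STAT TIME COMMAND) with "?" meaning no controlling tty.

```shell
#!/bin/sh
# Constructed sample "ps ax" output (BSD layout: PID TT STAT TIME COMMAND).
# Two "(sh)" processes have no tty ("?"); one "(sh)" on p2 is a normal shell.
SAMPLE_PS='  PID TT STAT      TIME COMMAND
  112 ?  S      0:03.11 sendmail: accepting connections
  240 p1 S      0:00.21 -csh (csh)
  731 ?  R      1:12.40 (sh)
  733 ?  R      0:58.02 (sh)
  812 p2 S      0:00.05 (sh)'

# Constructed sample "mailq" output: one ordinary entry and one whose
# recipient is a pipe through sed and sh, the pattern the message describes.
SAMPLE_MAILQ='        Mail Queue (2 requests)
--QID-- --Size-- -----Q-Time----- ------------Sender/Recipient------------
AA00512      142 Sat Nov  5 04:58 root
                                  user@remote.example
AA00519      361 Sat Nov  5 05:01 daemon
                                  "| sed -e 1,/^$/d | /bin/sh ; exit 0"'

# Read "ps ax" output on stdin; print the PID of every process whose
# command is exactly "(sh)" and whose TT column is "?" (no controlling tty).
suspect_sh_pids() {
    awk 'NR > 1 && NF == 5 && $2 == "?" && $5 == "(sh)" { print $1 }'
}

# Read "mailq" output on stdin; print the number of recipient lines that
# pipe through sed and then through sh (e.g. "| sed ... | /bin/sh").
count_sed_sh_queue_entries() {
    awk '/[|] *sed .*[|] *[^ ]*sh/ { n++ } END { print n + 0 }'
}

# Run both checks over the constructed samples and report.
# Replace the printf pipelines with "ps ax |" and "mailq |" on a live host.
main() {
    pids=$(printf '%s\n' "$SAMPLE_PS" | suspect_sh_pids)
    queued=$(printf '%s\n' "$SAMPLE_MAILQ" | count_sed_sh_queue_entries)
    [ -n "$pids" ] && echo "suspect (sh) processes without tty: $pids" | tr '\n' ' ' && echo
    [ "$queued" -gt 0 ] && echo "mail queue entries piping through sed and sh: $queued"
    return 0
}

main
```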
END OF DOCUMENT
|ISSN 1742-948X 01 (Online) | 2005/03/01 | Copyright 2002-2008 securitydigest.org. All rights reserved.|