ARCHIVE: 'Phage List' - Archives (1988 - 1989)
DOCUMENT: phage #329 [more of the same ...] (1 message, 1537 bytes)
NOTICE: securitydigest.org recognises the rights of all third-party works.
START OF DOCUMENT
From: henry@GARP.MIT.EDU (Henry Mensch)
To: [not phage]
Date: Mon 16:45:52 05/12/1988 EST
Subject: more of the same ...

Article <email@example.com.UUCP> Nov 16 18:32
Subject: Re: Internet worm in Sweden?
Keywords: worms and other slimy things
From: prl@iis.UUCP (Peter Lamb @ Integrated Systems Lab., ETH Zuerich)
(43 lines)

In article <firstname.lastname@example.org.UUCP> prl@iis.UUCP (Peter Lamb) writes:
>There was a newspaper report (Tages Anzeiger, Zurich 14 Nov) today
>of a `virus' attacking a number of machines in Sweden. The report was
>very low in details (and very short).
>The attack was said to have been unsuccessful because of typing mistakes.
>Has this report turned up elsewhere?
>For anyone who really knows:
>Was it an attempt to emulate the Internet worm, and did it use
>the decompiled code of the Internet worm?

I have had a response from this message; it appears that it wasn't
*the* worm, but an attempt to use the wormhole manually.

>(The decompiled code _is_ floating around. I was sent a version...
>you can be sure that your local friendly hackers group also has a copy by now)

Much more interest was shown in this... I have had a number of requests
for a copy of this source.

1) I am willing to forward it to interested persons BUT, only via
   postmaster or root at a well-known net site (well-known to me, that is).
   Your national gateway, the main mail gate for a major university
   or well-known company, for example.

2) Remember that postmaster and root at these sites are in general
   *VERY* busy people (me, too!). Do not request this simply out of
   idle curiosity.

3) Only contact me for a copy if you have a reasonable address for me to
   forward the source to (see (1) and (2)).

>In any case, if you haven't fixed your sendmail/fingerd, do it *now*!

Still holds true...

--
Peter Lamb
uucp: uunet!mcvax!ethz!prl   eunet: email@example.com   Tel: +411 256 5241
Integrated Systems Laboratory
ETH-Zentrum, 8092 Zurich

Article <firstname.lastname@example.org> Nov 16 11:02
Subject: Re: Internet worm in Sweden?
Keywords: worms and other slimy things
From: email@example.com (Ola Stromfors @ CIS Dept, Univ of Linkoping, Sweden)
(20 lines)

In article <firstname.lastname@example.org.UUCP> prl@iis.UUCP (Peter Lamb) writes:
>There was a newspaper report (Tages Anzeiger, Zurich 14 Nov) today
>of a `virus' attacking a number of machines in Sweden. The report was
...
>Was it an attempt to emulate the Internet worm, and did it use
>the decompiled code of the Internet worm?

The thing attempted was to use the same method (sendmail in debug mode)
as the worm to get access to two machines here, but it was NOT the worm.

>The attack was said to have been unsuccessful because of typing mistakes.

There was a typo in the command (the sed pattern was not quoted correctly).
What they tried was to append a line to /etc/passwd, which would not have
succeeded even without the typo, because sendmail runs shell as daemon,
not root.

Our sendmail was patched the same day (Monday 7th) as the "attack", but
sendmail was not restarted on all machines until Tuesday morning.

Ola Stromfors
email@example.com

END OF DOCUMENT
|ISSN 1742-948X 01 (Online) | 2005/03/01 | Copyright 2002-2008 securitydigest.org. All rights reserved.|