The 'Security Digest' Archives (TM)

ARCHIVE: 'Phage List' - Archives (1988 - 1989)
DOCUMENT: phage #329 [more of the same ...] (1 message, 1537 bytes)
SOURCE: http://securitydigest.org/exec/display?f=phage/archive/329.txt&t=text/plain
NOTICE: securitydigest.org recognises the rights of all third-party works.

START OF DOCUMENT

From: henry@GARP.MIT.EDU (Henry Mensch)
To: [not phage]
Date: Mon 16:45:52 05/12/1988 EST
Subject: more of the same ...

Article <677@eiger.iis.UUCP> Nov 16 18:32
Subject: Re: Internet worm in Sweden?
Keywords: worms and other slimy things
From: prl@iis.UUCP (Peter Lamb @ Integrated Systems Lab., ETH Zuerich)
(43 lines)

In article <675@eiger.iis.UUCP> prl@iis.UUCP (Peter Lamb) writes:
>There was a newspaper report (Tages Anzeiger, Zurich 14 Nov) today
>of a `virus' attacking a number of machines in Sweden. The report was
>very low in details (and very short).
>The attack was said to have been unsuccessful because of typing mistakes.
>Has this report turned up elsewhere?
>For anyone who really knows:
>Was it an attempt to emulate the Internet worm, and did it use
>the decompiled code of the Internet worm?

I have had a response from this message; it appears that it wasn't *the*
worm, but an attempt to use the wormhole manually.

>(The decompiled code _is_ floating around. I was sent a version...
>you can be sure that your local friendly hackers group also has a copy by now)

Much more interest was shown in this... I have had a number of requests
for a copy of this source.

1)      I am willing to forward it to interested persons BUT,
        only via postmaster or root at a well-known net site
        (well-known to me, that is). Your national gateway, the main
        mail gate for a major university or well-known company, for
        example.

2)      Remember that postmaster and root at these sites are in general
        *VERY* busy people (me, too!). Do not request this simply out
        of idle curiosity.

3)      Only contact me for a copy if you have a reasonable address for me
        to forward the source to (see (1) and (2)).

>In any case, if you haven't fixed your sendmail/fingerd, do it *now*!

Still holds true...

--
Peter Lamb
uucp:  uunet!mcvax!ethz!prl     eunet: prl@ethz.uucp    Tel:   +411 256 5241
Integrated Systems Laboratory
ETH-Zentrum, 8092 Zurich

Article <1045@mina.liu.se> Nov 16 11:02
Subject: Re: Internet worm in Sweden?
Keywords: worms and other slimy things
From: ola@mina.liu.se (Ola Stromfors @ CIS Dept, Univ of Linkoping, Sweden)
(20 lines)

In article <675@eiger.iis.UUCP> prl@iis.UUCP (Peter Lamb) writes:
>There was a newspaper report (Tages Anzeiger, Zurich 14 Nov) today
>of a `virus' attacking a number of machines in Sweden. The report was
 ...
>Was it an attempt to emulate the Internet worm, and did it use
>the decompiled code of the Internet worm?

The thing attempted was to use the same method (sendmail in debug mode)
as the worm to get access to two machines here, but it was NOT the worm.

>The attack was said to have been unsuccessful because of typing mistakes.

There was a typo in the command (the sed pattern was not quoted correctly).
What they tried was to append a line to /etc/passwd, which would not
have succeeded even without the typo, because sendmail runs shell as daemon,
not root.

Our sendmail was patched the same day (Monday 7th) as the "attack", but
sendmail was not restarted on all machines until Tuesday morning.

        Ola Stromfors   sos@ida.liu.se

END OF DOCUMENT
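
The last message above notes that sendmail was patched on the day of the attempt but not restarted everywhere until the next morning, so the old code kept running in the meantime. The following is an added example, not part of the archived messages: a check for a daemon still running a binary that has since been replaced on disk. It assumes a modern Linux /proc layout; the function names and the sample path and timestamps are constructed for illustration.

```python
import os

DELETED = " (deleted)"  # suffix Linux adds to /proc/PID/exe once the file is replaced

def is_stale(exe_target, binary_mtime, start_time):
    """True if a process still runs code that was replaced on disk.
    exe_target: readlink of /proc/PID/exe; binary_mtime: mtime of the file now at
    that path (None if missing); start_time: process start in epoch seconds."""
    if exe_target.endswith(DELETED):
        return True  # old binary was renamed or unlinked by the patch
    return binary_mtime is not None and binary_mtime > start_time

def boot_time():
    """System boot time in epoch seconds, from the btime line of /proc/stat."""
    with open("/proc/stat") as f:
        for line in f:
            if line.startswith("btime "):
                return int(line.split()[1])
    raise RuntimeError("btime not found in /proc/stat")

def scan_proc(name="sendmail"):
    """Live check: return (pid, exe) for stale processes whose binary matches name."""
    ticks, boot, hits = os.sysconf("SC_CLK_TCK"), boot_time(), []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            exe = os.readlink(f"/proc/{pid}/exe")
            with open(f"/proc/{pid}/stat") as f:
                # comm may contain spaces or ')', so split after the last ')'
                fields = f.read().rsplit(")", 1)[1].split()
            start = boot + int(fields[19]) / ticks  # field 22 is starttime
            path = exe[:-len(DELETED)] if exe.endswith(DELETED) else exe
            mtime = os.stat(path).st_mtime if os.path.exists(path) else None
        except (OSError, IndexError, ValueError):
            continue  # process exited, or not readable without privileges
        if name in os.path.basename(path) and is_stale(exe, mtime, start):
            hits.append((pid, exe))
    return hits

# Constructed timeline: daemon started at t=100, binary patched at t=200,
# daemon restarted at t=300 on only one of two hosts.
SAMPLE = [("hostA", "/usr/lib/sendmail", 200, 100),
          ("hostB", "/usr/lib/sendmail", 200, 300)]

def stale_hosts(sample=SAMPLE):
    return [h for h, exe, mtime, start in sample if is_stale(exe, mtime, start)]

if __name__ == "__main__":
    print("constructed sample:", stale_hosts())
    print("live scan:", scan_proc())
```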