The 'Security Digest' Archives (TM)

ARCHIVE: 'Phage List' - Archives (1988 - 1989)
DOCUMENT: phage #347 [Re: Worm Talk..] (1 message, 1550 bytes)
SOURCE: http://securitydigest.org/exec/display?f=phage/archive/347.txt&t=text/plain
NOTICE: securitydigest.org recognises the rights of all third-party works.

START OF DOCUMENT

From: angelo@jvncf.csc.org (Michael F. Angelo)
To: [not phage]
Date: Wed 07:31:42 07/12/1988 EST
Subject: Re: Worm Talk..
References: [Thread Prev: 345] [Thread Next: 352] [Message Prev: 346] [Message Next: 348]

Did you hear about the 'new' worm on the network?

> Return-path: <APRIL@SRI-NIC.ARPA>
> Received: from umix.cc.umich.edu by um.cc.umich.edu via UMnet; Mon, 5 Dec 88 20:47:33 EST
> Received: by umix.cc.umich.edu       id AA01388; Mon, 5 Dec 88 19:34:11 EST
> Received: Mon, 5 Dec 88 19:35:14 EST from SRI-NIC.ARPA by merit.edu
> Date: Mon, 5 Dec 88 16:34:14 PST
> From: April Marine <APRIL@SRI-NIC.ARPA>
> To: trouble@merit.edu
> Message-Id: <12452108375.41.APRIL@SRI-NIC.ARPA>
> 
> Here is the message I referred to on the phone with Debra.  Again, this
> is only what we know right now and we send it to you in the interest of
> passing on potentially useful information, not because we recommend any
> official action.
> 
> thanks,
> April Marine
> Supervisor, NIC Reference Services
>                 ---------------
> 
> Mail-From: NIC created at  5-Dec-88 15:44:22
> Date: Mon, 5 Dec 88 15:44:22 PST
> From: DDN Reference <NIC@SRI-NIC.ARPA>
> Subject: possible new FTP vulnerability
> To: afddn.ops@gunter-adam.arpa, navtasc@nems.arpa,
>     as-ops-oi@HUACHUCA-EMH1.ARMY.MIL, navtelcom@ddn2.arpa, ddn-hqmc@ddn3.arpa
> cc: nic@SRI-NIC.ARPA
> Message-ID: <12452099298.33.NIC@SRI-NIC.ARPA>
> 
> 
> The DDN Network Information Center has received word of a possible new
> attempt to gain unauthorized access to host systems.  This attempt is
> again aimed at UNIX 4.2 and 4.3 systems, but may affect VMS systems as
> well.  Access is gained through the FTP program.  Having accessed the
> machine, the unauthorized program becomes root, creates a new login
> binary, changes passwords, and resets the system time to disguise when
> files it changed were written.
> 
> At this point, it seems that systems which implemented the patch
> distributed in DDN Management Bulletin #46 can be vulnerable to this
> new problem as well.  Completely disabling FTP on your host will
> prevent access by this program and/or its spread to other machines.
> It is recommended that you monitor your host closely for unusual
> activity.
> 
> We have no other information at this time.  As information and
> solutions become known, they will be made available.  The Monitoring
> Center at (800) 451-7413, (202) 692-5746, or AV 455-1472 should have
> the latest technical information.
> 
> The user assistance number at the DDN Network Information Center
> is (800) 235-3155.
> -------
> -------
>
Michael F. Angelo
-------------------------------------------------------------------------
John von Neumann National Super Computer Center	| ARPA:  angelo@jvnca.csc.org
665 College Rd. East,				| BITNET:angelo@jvncc.bitnet
Princeton, N.J. 08543				| UUCP:  rutgers!jvnca!angelo
Senior Systems Programmer, Unix Development ETA-10
UNISIG Symposium Coordinator
-------------------------------------------------------------------------

END OF DOCUMENT