My apologies,
The daemon that I mentioned Ramen used for attack is NOT nfsd but
statd (thanks Jeff for the correction). I guess probably the kernel is
questionable as well since the source is public. The point is this message
was a friendly "heads up" for people. Take it with a grain of salt, a
shot of tequila, and be happy.
Enjoy,
On Thu, 18 Jan 2001, Paul D. Robertson wrote:
> On Thu, 18 Jan 2001, -- neil -- wrote:
>
> >
> > Within the last couple of days this worm has been rearing its ugly head.
> > It seems to be infecting mainly Redhat 6.2 and 7.0 unpatched machines.
> > Specifically it's using wuftp and nfsd. The link below is to a guy that
> > reverse engineered it.
>
> There's also code that seems to exploit an LPRng bug. There *appears* to
> be an IRC vector of some sort- I'm not sure if it's a comm. channel or
> inoperable since I haven't had the time or resources to do the depth of
> investigation that I'd like.
>
> Turning off FTP is a generally good idea, and helps tremendously in this
> case because the SYN scanner seems to look for FTP servers before
> iterating through its attacks.
>
> It seems to be confirmed as in the wild and legitimately viral.
>
> Updating systems is still important, and I expect we'll see the usual home
> user and default install cases being the predominance of vulnerability.
> It'll probably also run on systems that have Linux emulation and run x86
> code- which may cover *BSD and Linux/Alpha with em86 (or whatever it's
> called, it's been a while since I had an Alpha desktop.)
>
> BTW: I think the first reports of infection were almost two weeks ago.
>
> Monitoring bandwidth utilization will help for boxes with Ethernet
> adapters, as the thing SYN scans like hell once it's running if it doesn't
> think it's on a ppp link.
>
> Paul
> -----------------------------------------------------------------------------
> Paul D. Robertson "My statements in this message are personal opinions
> [EMAIL PROTECTED] which may have no basis whatsoever in fact."
>
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
>
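Paul's point that the worm SYN-scans for FTP servers before attacking suggests a simple flow-based check. The following is an added example, not code from this thread: it flags sources that send bare SYNs to tcp/21 at many distinct hosts within a short window. The flow record layout and the sample flows are constructed for the illustration, as are the thresholds.

```python
from collections import defaultdict, Counter

# Constructed sample flows: (seconds, src_ip, dst_ip, dst_port, tcp_flags).
# 10.0.0.5 probes 25 hosts on tcp/21 within 10 s (scanner-like behaviour);
# 10.0.0.9 talks to two FTP servers repeatedly (normal client traffic);
# 10.0.0.7 reaches 25 web servers on tcp/80 (not the port this rule watches);
# 10.0.0.8 touches 25 FTP hosts, but spread over two hours (below the rate).
SAMPLE_FLOWS = (
    [(i * 0.4, "10.0.0.5", f"192.0.2.{i}", 21, "S") for i in range(1, 26)]
    + [(i * 5.0, "10.0.0.9", "198.51.100.1" if i % 2 else "198.51.100.2", 21, "S")
       for i in range(40)]
    + [(i * 0.4, "10.0.0.7", f"203.0.113.{i}", 80, "S") for i in range(1, 26)]
    + [(i * 300.0, "10.0.0.8", f"192.0.2.{i}", 21, "S") for i in range(1, 26)]
)


def find_syn_scanners(flows, port=21, min_targets=20, window=60.0):
    """Return {src_ip: max distinct hosts} for sources that sent bare SYNs
    to `port` on at least `min_targets` distinct hosts within any `window`
    seconds. Thresholds are assumptions; tune them to the monitored network."""
    probes = defaultdict(list)
    for ts, src, dst, dport, flags in flows:
        if dport == port and flags == "S":      # SYN with no ACK: a probe
            probes[src].append((ts, dst))
    hits = {}
    for src, events in probes.items():
        events.sort()                           # order probes by time
        in_window = Counter()                   # distinct targets in the window
        left = 0
        best = 0
        for ts, dst in events:
            in_window[dst] += 1
            # slide the left edge forward until the window is `window` s wide
            while ts - events[left][0] > window:
                old = events[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            best = max(best, len(in_window))
        if best >= min_targets:
            hits[src] = best
    return hits


if __name__ == "__main__":
    for src, n in find_syn_scanners(SAMPLE_FLOWS).items():
        print(f"{src}: SYN probes to {n} distinct hosts on tcp/21 within 60 s")
```

The same check applied to other service ports (e.g. the LPRng and statd ports Paul mentions) catches the later stages of the sweep; bandwidth graphs, as Paul notes, give a coarser but zero-effort signal.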