FYI to all:
"Worm for Linux x86 found in wild
Mar 25th, 23:35:59
"The worm is particularly amusing in that when run, along with
portscanning, wiping logs, and all the other usual things you'd expect
a worm to do, it also hunts for files with a .html suffix and inserts the
contents of the "SAY" variable (above) into them, over-writing whatever
is there.
Other infection symptoms include a ".w0rm0r/" subdir and suid root copy
of /bin/sh named ".w0rm" in /tmp, and possibly a
"w0rm::2666:777:ADM Inet w0rm:/:/bin/sh" entry in your passwd file.
As far as I can tell, the worm is capable of detecting several well-known
vulnerabilities. The logs the Russian company sent us, and the logs that the
worm itself kept, would seem to indicate it's scanning IMAP ports. It
also seems to be scanning POP, rsh/rlogin, telnet and FTP ports, finger,
gopher, etc...
Once it's into your system, the worm presumably begins to scan and look
for vulnerable machines again. How it picks the IP addresses to scan is not
presently known to me. Presumably, the "gimmieip" binary takes care
of that. Someone with more time can dissect it and post the results.
Here is a file I found on the infected machine called "/tmp/outro" - it
appears to be a log that the worm kept as it probed some system."
The entire article is here:
<http://linuxtoday.com/stories/4408.html>
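The symptoms quoted above can be turned into a quick read-only host check. This script is an added example, not part of the forwarded article or the worm itself; it takes a filesystem root as an argument (so it can be run against "/" or a mounted image of a suspect box), and as a generalisation of the "w0rm" passwd entry it also flags any account with an empty password field.

```sh
#!/bin/sh
# Added host check (not from the original message): looks for the infection
# symptoms listed above under a given filesystem root, so it can be pointed
# at "/" on a live host or at a mounted image / constructed test tree.
# It only reads; it removes nothing.

# check_w0rm_indicators ROOT
# Prints one "indicator: ..." line per finding; returns 0 if clean, 1 if not.
check_w0rm_indicators() {
    root="${1:-/}"
    found=0

    # Hidden working directory the worm leaves in /tmp.
    if [ -d "$root/tmp/.w0rm0r" ]; then
        echo "indicator: directory $root/tmp/.w0rm0r"
        found=1
    fi

    # Copy of /bin/sh dropped as /tmp/.w0rm; report whether it is setuid.
    if [ -e "$root/tmp/.w0rm" ]; then
        if [ -u "$root/tmp/.w0rm" ]; then
            echo "indicator: setuid file $root/tmp/.w0rm"
        else
            echo "indicator: file $root/tmp/.w0rm (no setuid bit)"
        fi
        found=1
    fi

    # Backdoor account: the exact "w0rm" login, and (a generalisation) any
    # other well-formed entry whose password field is empty.
    if [ -r "$root/etc/passwd" ]; then
        hits=$(awk -F: 'NF >= 7 && ($1 == "w0rm" || $2 == "") \
                        { print "indicator: passwd entry " $0 }' \
               "$root/etc/passwd")
        if [ -n "$hits" ]; then
            echo "$hits"
            found=1
        fi
    fi

    return "$found"
}

# Run against the root given on the command line, e.g. "sh check.sh /".
if [ "$#" -gt 0 ]; then
    check_w0rm_indicators "$1"
fi
```

The .html defacement is not checked because the "SAY" string is not reproduced in the message; a find for recently modified .html files is the natural companion check.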
Bill Parker, <[EMAIL PROTECTED]>
The HURD.
'Hurd' stands for `Hird of Unix-Replacing Daemons'.
And, then, `Hird' stands for `Hurd of Interfaces Representing Depth'.