The ADM worm is not new. You can get the source code on any hacker
site. One of the responders to that article even posted the URL to the
ADM source code.
Bill Parker wrote:
>
> FYI to all:
>
> "Worm for Linux x86 found in wild
> Mar 25th, 23:35:59
>
> "The worm is particularly amusing in that when run, along with
> portscanning, wiping logs, and all the other usual things you'd expect
> a worm to do, it also hunts for files with a .html suffix and inserts the
> contents of the "SAY" variable (above) into them, over-writing whatever
> is there.
> Other infection symptoms include a ".w0rm0r/" subdir and suid root copy
> of /bin/sh named ".w0rm" in /tmp, and possibly a
> "w0rm::2666:777:ADM Inet w0rm:/:/bin/sh" entry in your passwd file.
> As far as I can tell, the worm is capable of detecting several well-known
> vulnerabilities. The logs the Russian company sent us, and the logs that the
> worm itself kept, would seem to indicate it's scanning IMAP ports. It
> also seems to be scanning POP, rsh/rlogin, telnet and FTP ports, finger,
> gopher, etc...
> Once it's into your system, the worm presumably begins to scan and look
> for vulnerable machines again. How it picks the IP addresses to scan is not
> presently known to me. Presumably, the "gimmieip" binary takes care
> of that. Someone with more time can dissect it and post the results.
> Here is a file I found on the infected machine called "/tmp/outro" - it
> appears to be a log that the worm kept as it probed some system."
>
> The entire article is here:
>
> <http://linuxtoday.com/stories/4408.html>
>
> Bill Parker, <[EMAIL PROTECTED]>
>
> The HURD.
> 'Hurd' stands for `Hird of Unix-Replacing Daemons'.
> And, then, `Hird' stands for `Hurd of Interfaces Representing Depth'.
>
> --
> To get out of this list, please send email to [EMAIL PROTECTED] with
> this text in its body: unsubscribe suse-linux-e
> Check out the SuSE-FAQ at http://www.suse.com/Support/Doku/FAQ/ and the
> archive at http://www.suse.com/Mailinglists/suse-linux-e/index.html
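
The infection symptoms listed in the quoted article can be checked with a short script. This is an added example, not part of the original messages; the function name `check_adm_worm`, its ROOT argument and the directories searched for `.w0rm0r` are assumptions of the example.

```shell
#!/bin/sh
# Added example: check a filesystem tree for the ADM worm symptoms quoted above.
# ROOT defaults to / ; pass a mounted image or a test directory instead.
check_adm_worm() {
    root=${1:-/}
    root=${root%/}          # "/" becomes "", so "$root/tmp" is "/tmp"

    # 1. Copy of /bin/sh named ".w0rm" in /tmp (the post says it is suid root).
    f="$root/tmp/.w0rm"
    if [ -e "$f" ]; then
        if [ -u "$f" ]; then mode="setuid bit set"; else mode="no setuid bit"; fi
        echo "FOUND file $f ($mode)"
    fi

    # 2. ".w0rm0r" directory. The post does not give its parent directory, so
    #    searching tmp, var/tmp and root is an assumption of this example.
    for d in tmp var/tmp root; do
        [ -d "$root/$d" ] || continue
        find "$root/$d" -xdev -type d -name '.w0rm0r' 2>/dev/null |
            while IFS= read -r hit; do echo "FOUND dir $hit"; done
    done

    # 3. Account "w0rm" in the passwd file; note an empty password field.
    p="$root/etc/passwd"
    if [ -r "$p" ]; then
        awk -F: '$1 == "w0rm" {
            note = ($2 == "") ? "empty password field" : "password field set"
            printf "FOUND passwd entry uid=%s shell=%s (%s)\n", $3, $7, note
        }' "$p"
    fi

    # 4. The worm's probe log mentioned in the post.
    [ -e "$root/tmp/outro" ] && echo "FOUND file $root/tmp/outro"
    return 0
}

# Run against a path given on the command line, e.g.: sh check.sh /mnt/image
if [ $# -gt 0 ]; then check_adm_worm "$1"; fi
```

Each indicator prints one `FOUND` line, so empty output means none of the listed symptoms are present under the given root.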