Sun-Spots Digest, v7n4
William LeFebvre
Sun-Spots-Request at Rice.edu
Sat Nov 5 03:40:22 AEST 1988
SUN-SPOTS DIGEST Thursday, 3 November 1988 Volume 7 : Issue 4
Today's Topics:
This issue is about the Internet virus
Internet VIRUS alert
Fixes for the virus
Fixes for the virus, #2
Virus report
More on the virus and the fixes
Send contributions to: sun-spots at rice.edu
Send subscription add/delete requests to: sun-spots-request at rice.edu
Bitnet readers can subscribe directly with the CMS command:
TELL LISTSERV AT RICE SUBSCRIBE SUNSPOTS My Full Name
Recent backissues are available via anonymous FTP from "titan.rice.edu".
For volume X, issue Y, "get sun-spots/vXnY". They are also accessible
through the archive server: mail the request "send sun-spots vXnY" to
"archive-server at rice.edu" or mail the word "help" to the same address
for more information.
----------------------------------------------------------------------
Date: Thu, 3 Nov 88 23:52:46 CST
From: William LeFebvre <phil at Rice.edu>
Subject: This issue is about the Internet virus
It seems that starting sometime Wednesday evening, a virus started
spreading itself around many, many different Internet machines. It tried
to attack Rice's main mail gateway, but, in an ironic twist of fate, was
not able to penetrate because the partition it was trying to use was full!
I have tried to accumulate as much information as I can about this. Some
of it was posted to sun-spots, some was obtained from other sources. Some
of the articles were copied from other newsgroups, so the originating
posters may not be familiar names to sun-spots readers. My thanks to all
who contributed: those who just sent copies of messages seen elsewhere
may not be explicitly mentioned, but I am thankful just the same. I would
also like to express my thanks to the people who found the virus and
took the time to find a way of stopping it.
This thing is so amazing and widespread that it made CNN news tonight. It
has caused some serious problems at many research sites across the
country. The reporter even said that the FBI was getting involved in the
investigation!
In an attempt to get this news out as quickly as possible, this is a short
digest and is devoted entirely to messages about the virus.
William LeFebvre
------------------------------
Date: Thu, 3 Nov 88 10:30:59 CST
From: Peter E. Yee <yee at ames.arc.nasa.gov>
Subject: Internet VIRUS alert
We are currently under attack from an Internet VIRUS. It has hit UC
Berkeley, UC San Diego, Lawrence Livermore, Stanford, and NASA Ames. The
virus comes in via SMTP, and then is able to attack all 4.3BSD and SUN
(3.X?) machines. It sends a RCPT TO that requests that its data be piped
through a shell. It copies in a program, compiles and executes it. This
program copies in VAX and SUN binaries that try to replicate the virus via
connections to TELNETD, FTPD, FINGERD, RSHD, and SMTP. The programs also
appear to have DES tables in them. They appear in /usr/tmp as files that
start with the letter x. Removing them is not enough as they will come
back in the next wave of attacks. For now turning off the above services
seems to be the only help. The virus is able to take advantage of .rhosts
files and hosts.equiv. We are not certain what the final result of the
binaries is, hence the warning.
-Peter Yee
yee at ames.arc.nasa.gov
ames!yee
------------------------------
Date: 3 Nov 88 10:54:57 GMT
From: bostic at OKEEFFE.BERKELEY.EDU (Keith Bostic)
Subject: Fixes for the virus
Approved: ucb-fixes at okeeffe.berkeley.edu
Original-newsgroup: comp.bugs.4bsd.ucb-fixes
Index: usr.lib/sendmail/src/srvrsmtp.c 4BSD
Description:
There's a virus running around; the salient facts. A bug in
sendmail has been used to introduce a virus into a lot of
Internet UNIX systems. It has not been observed to damage the
host system, however, it's incredibly virulent, attempting to
introduce itself to every system it can find. It appears to
use rsh, broken passwords, and sendmail to introduce itself
into the target systems. It affects only VAXen and Suns, as
far as we know.
There are three changes that we believe will immunize your
system. They are attached.
Thanks to the Experimental Computing Facility, Center for
Disease Control for their assistance. (It's pretty late,
and they certainly deserved some thanks, somewhere!)
Fix:
First, either recompile or patch sendmail to disallow the `debug'
option. If you have source, recompile sendmail after first
applying the following patch to the module svrsmtp.c:
*** /tmp/d22039 Thu Nov 3 02:26:20 1988
--- srvrsmtp.c Thu Nov 3 01:21:04 1988
***************
*** 85,92 ****
"onex", CMDONEX,
# ifdef DEBUG
"showq", CMDDBGQSHOW,
- "debug", CMDDBGDEBUG,
# endif DEBUG
# ifdef WIZ
"kill", CMDDBGKILL,
# endif WIZ
--- 85,94 ----
"onex", CMDONEX,
# ifdef DEBUG
"showq", CMDDBGQSHOW,
# endif DEBUG
+ # ifdef notdef
+ "debug", CMDDBGDEBUG,
+ # endif notdef
# ifdef WIZ
"kill", CMDDBGKILL,
# endif WIZ
Then, reinstall sendmail, refreeze the configuration file,
using the command "/usr/lib/sendmail -bz", kill any running
sendmail's, using the ps(1) command and the kill(1) command,
and restart your sendmail. To find out how sendmail is
execed on your system, use grep(1) to find the sendmail start
line in either the files /etc/rc or /etc/rc.local
If you don't have source, apply the following patch to your
sendmail binary. SAVE A COPY OF IT FIRST, IN CASE YOU MESS
UP! This is mildly tricky -- note, some versions of strings(1),
which we're going to use to find the offset of the string
"debug" in the binary print out the offsets in octal, not
decimal. Run the following shell line to decide how your
version of strings(1) works:
/bin/echo 'abcd' | /usr/ucb/strings -o
Note, make sure the eight control 'G's are preserved in this
line. If this command results in something like:
0000008 abcd
your strings(1) command prints out locations in decimal, else
it's octal.
The patch script for sendmail. NOTE, YOUR OFFSETS MAY VARY!!
This script assumes that your strings(1) command prints out
the offsets in decimal.
Script started on Thu Nov 3 02:08:14 1988
okeeffe:tmp {2} strings -o -a /usr/lib/sendmail | egrep debug
0096972 debug
okeeffe:tmp {3} adb -w /usr/lib/sendmail
?m 0 0xffffffff 0
0t10$d
radix=10 base ten
96972?s
96972: debug
96972?w 0
96972: 25701 = 0
okeeffe:tmp {4} ^D
script done on Thu Nov 3 02:09:31 1988
If your strings(1) command prints out the offsets in octal,
change the line "0t10$d" to "0t8$d".
After you've fixed sendmail, move both /bin/cc and /bin/ld to
something else. (The virus uses the cc and the ld commands
to rebuild itself to run on your system.)
Finally, kill any processes on your system that don't belong there.
Suspicious ones have "(sh)" or "xNNNNNNN" where the N's are random
digits, as the command name on the ps(1) output line.
One more thing, if you find files in /tmp or /usr/tmp that
have names like "xNNNNNN,l1.c", or "xNNNNNN,sun3.o", or
"xNNNNNNN,vax.o" where the N's are random digits, you've been
infected.
------------------------------
Date: 3 Nov 88 16:12:19 GMT
From: bostic at OKEEFFE.BERKELEY.EDU (Keith Bostic)
Subject: Fixes for the virus, #2
Approved: ucb-fixes at okeeffe.berkeley.edu
Original-newsgroup: comp.bugs.4bsd.ucb-fixes
Index: usr.lib/sendmail/src/srvrsmtp.c 4BSD
Description:
This is a followup message, to clear up two points.
First off, a better value to use to PATCH your sendmail
executable is 0xff; if you're using the patch script,
change:
96972?w 0
to:
96972?w 65535
Secondly, note, if, when you run strings(1) on your sendmail
executable, greping for ``debug'', you don't get any output,
don't worry about the problem, your system is already (we
think) safe.
------------------------------
Date: 4 Nov 88 04:37:03 GMT
From: mkkam at csune.cs.uh.edu (Francis Kam)
Subject: Virus report
A virus-like intruder was found last night on sun1.cs.uh.edu,
sun2.cs.uh.edu, and sun3.cs.uh.edu. The attack lasted for about 3 hours.
No visible damage is found so far. The observed symptoms are:
1) doing a 'ps -aux' will find processes owned by 'daemon' and named
(sh) are running and self-forking themselves;
2) some of them will do a 'rsh <otherhosts> exec /bin/sh';
3) occasionally one of these processes will 'cc' some programs named
as 'x<nnnnnnnn>' where nnnnnn are random numbers; then it will fork
itself and run one of those compiled binary;
4) doing a 'trace -p' onto these processes show that they look at
a) yellow pages
b) user files (both randomly and sequential)
c) run 'netstat -r -n'
d) does select(2) on certain sockets;
A suspected source of the infection is a bug in /usr/lib/sendmail.
The followings are done on our systems:
1) remove ~/.rhosts
2) remove /etc/hosts.equiv (if possible)
3) remove anonymous ftp
4) patch /usr/lib/sendmail following bostic at okeeffe.berkeley.edu's
advice [[ appears earlier in this digest. --wnl ]]
5) reboot all machines with the new sendmail
6) disable server user logon
7) remove all setuid script if possible
8) check all file modes in /, /bin, /etc/, /usr/bin, /usr/ucb to be less than
755
Thank you for those who work overnight to track the problem and post the
patches.
Francis Kam CSC-3475
Internet: mkkam at cs.uh.edu Computer Science Department
mkkam at sun1.cs.uh.edu University of Houston
CSNET: mkkam at houston.csnet 4800 Calhoun
Phone: (713)749-1748 Houston, TX 77004.
(713)749-4791
------------------------------
Date: 3 Nov 88 19:58:27 GMT
From: news at cs.purdue.EDU (News Knower)
Subject: More on the virus and the fixes
Approved: news at cs.purdue.EDU
Original-newsgroup: news.sysadmin
The patch from Keith Bostic in the last message is *not* sufficient to
halt the spread of the virus. We have discovered from looking at the
binaries that the virus also attempts to spread itself via "rsh" commands
to other machines. It looks through a *lot* of files to find possible
vectors to spread.
If you have a bunch of machines with hosts.equiv set or .rhosts files, you
should shut them *all* down at the same time after you have fixed sendmail
to prevent a further infestation. If you don't clear out the versions in
memory, you won't protect your other machines.
The virus runs itself with the name "sh" and then overwrites argv, so if a
"ps ax" shows any processes named "(sh)" without a controlling tty, you
have a problem. Due to the use of other uids from rsh, don't make any
conclusions if the uid is one of your normal users.
Also, check your mailq (do a mailq command). If you see any entries that
pipe themselves through sed and sh, delete them from the queue before you
restart your machines.
Non-internet sites do not need to worry about this virus (for now!), but
be aware that mail and news may not be flowing everywhere for some time --
many sites are disconnecting from the Internet completely until the virus
is contained.
------------------------------
End of SUN-Spots Digest
***********************
More information about the Comp.sys.sun
mailing list