Re: Virus

Isaac (
Fri, 04 Nov 88 19:13:13 PST

>So the first step might be to (quietly) grep unix filesystems for some
>appropriate (cleartext) substrings that would appear in his files (ie,
>pieces of the infecting shell script). Anyone who owned such files
>before the infection would be suspect.

Another thing that everyone should do is make sure you clean out
your /usr/tmp directories (though most of you have probably done
so allready), and also check if anyone on your net has snarfed up
copies of the stuff left in /usr/tmp. Anyone who's got that stuff
lying around has the potential for starting the whole thing up again!
Of course since everyone out there has plugged the holes it wouldn't
get anywhere, right? :-)

As far as I'm concerned, this virus or worm or whatever you want
to call it was actually a good thing! We can all be thankful that
the thing was benign and didn't cause any real damage. What it did
do (hopefully) is make everyone take a hard look at network security,
or a lack thereof. Everyone likes to think that their system is safe
from viruses and such attacks. This was a very humbling experience
for those who think their net's are invincable. And of course it
rid us of a very nasty security hole in sendmail. Rest assure
people will start to find holes in other network utilities and
get them patched up, and let the rest of us know about it! Ciao....

* Isaac	J. Salzman					      ----
* The RAND Corporation - Information Sciences Dept.	     /o	o/  /
* 1700 Main St., PO Box	2138, Santa Monica, CA 90406-2138    | v |  |
* AT&T:	+1 213-393-0411	x6421 or x7923 (ISL lab)	    _|	 |_/
* ARPA:	salzman@RAND.ORG or salzman@rand-unix.ARPA	   / |	 |
* UUCP:	...!{cbosgd,decvax,sdcrdcf}!randvax!salzman	   | |	 |

This archive was generated by hypermail 2.0b3 on Thu Mar 09 2000 - 14:43:58 GMT