Re: Virus detection and prevention


Stuart Cracraft (orion.cf.uci.edu!paris.ics.uci.edu!venera.isi.edu!cracraft@ucsd.edu)
5 Nov 88 07:05:23 GMT


In article <8811040037.AA01678@rand.org> terry@RAND.ORG (Terry West) writes:
>If you have been hit by the current Internet virus (grep for "sed" in your
>syslog file), you will want to run the enclosed perl script to make sure
>it won't find its way back in as easily the next time.

Jim's PERL script is very handy. Below is a version with a fix for
an annoyance. When a password field is empty, the crypt matches
against every password in the sample word list, thus producing lots
of output. This version is a bit more terse:

#!/usr/local/perl
#
# vircheck: brute force password from Internet virus password list
#
# 4 Nov 88, Stuart Cracraft -- handle blank passwd field
# (was outputting entire wordlist)
# 3 Nov 88, Jim Gillogly

$pwfile = "/etc/passwd";        # The password file to check

$words = "virpasswords";        # Try all words out of the virus list

$| = 1;                         # Flush the output

open(PW, $pwfile) || die "Can't open $pwfile: $!\n";    # Get the password file
while (<PW>)                    # a line at a time
{
        ($user, $pass) = split(/:/);    # Get the username and password
        if ($pass eq "")
        {
            # An empty field would match every word, so report it once and skip
            print " *****$user: blank password field.\n";
        }
        else {
            print "Trying $user\n";
            $salt = substr($pass, 0, 2);        # 1st 2 chars are the salt
            open(W1, $words) || die "Can't open $words: $!\n";  # Reread the word list for each user
            while (<W1>)                        # For each word from the list
            {   chomp;                          # Strip the newline
                if (crypt($_, $salt) eq $pass)  # Check the word
                {   print " *****$user: $pass comes from password $_.\n";
                }
            }
            close(W1);

            if (crypt($user, $salt) eq $pass)   # Is this a "joe"?
            {   print " *****$user: $pass comes from password $user.\n";
            }
        }
}
close(PW);


