Re: Virus detection and prevention

Stuart Cracraft (!!!
5 Nov 88 07:05:23 GMT

In article <> terry@RAND.ORG (Terry West) writes:
>If you have been hit by the current Internet virus (grep for "sed" in your
>syslog file), you will want to run the enclosed perl script to make sure
>it won't find its way back in as easily the next time.

Jim's PERL script is very handy. Below is a version with a fix for
an annoyance. When a password field is empty, the crypt matches
against every password in the sample word list, thus producing lots
of output. This version is a bit more terse:

# vircheck: brute force password from Internet virus password list
# 4 Nov 88, Stuart Cracraft -- handle blank passwd field
# (was outputting entire wordlist)
# 3 Nov 88, Jim Gillogly

$pwfile = "/etc/passwd"; # The password file to check

$words = "virpasswords"; # Try all words out of the virus list

$| = 1; # Flush the output

open(pw, $pwfile) || die "Can't open $pwfile: $!\n"; # Get the password file
while (<pw>) # a line at a time
{
        ($user, $pass) = split(/:/); # Get the username and password
        if ($pass eq "") {
                # Report the blank field once instead of matching every word
                print " *****$user: blank password field.\n";
        }
        else {
                print "Trying $user\n";
                $salt = substr($pass, 0, 2); # 1st 2 chars are the salt
                open(w1, $words) || die "Can't open $words: $!\n"; # Reopen the dictionary for this user
                while (<w1>) # For each word from the dictionary
                {
                        chomp; # Ignore the newline
                        if (crypt($_, $salt) eq $pass) # Check the word
                        { print " *****$user: $pass comes from password $_.\n"; }
                }
                close(w1);
                if (crypt($user, $salt) eq $pass) # Is this a "joe"?
                { print " *****$user: $pass comes from password $user.\n"; }
        }
}
close(pw);

