Steven M. Schultz (sms@ETN-WLV.EATON.COM)
Thu, 10 Nov 88 09:20:09 PST
> From: nic.MR.NETfirstname.lastname@example.org (Naim Abdullah)
> Organization: Northwestern U, Evanston IL, USA
> Subject: And You Thought You Were Paranoid...
> Message-Id: <email@example.com>
Naim Abdullah writes...
> In PRINCIPLE "ls -l" is not enough. The worm had root privileges,
> it could have installed a modified /bin/ls so that if one of the
> files being listed was fsck, vmunix, ls, telnetd etc (the tampered
> binaries) /bin/ls would always show predetermined sizes. In that
> situation, "ls -l" wouldn't be enough.
This is not quite correct, 'sendmail' had changed uid to "daemon"
(1 on the system here) NOT "root" when executing the worm.
The worm had NO super user privileges - that would be a serious
flaw to have 'sendmail' running as "root" at that stage in the
delivery process. If the system directories and binaries aren't
writeable by a 'daemon' uid process there shouldn't be a lot
that could be damaged.
CONTEL Federal Systems IMSD
31717 La Tienda Westlake Village CA 91359-5027
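
Added example, not part of the original message: a check of the condition the reply relies on, that system binaries and the directories holding them are not writable by the 'daemon' uid. It applies classic Unix mode-bit rules only (no ACLs), and every path in `targets` other than /bin/ls is an assumed location for the binaries named in the quoted text.

```python
import os
import pwd
import stat

def effective_bits(st, uid, gids):
    """rwx triad (0-7) that applies to uid: owner, else group, else other."""
    if uid == 0:
        return 7  # root is not limited by mode bits
    if st.st_uid == uid:
        return (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7

def audit(paths, uid, gids):
    """Map each existing path that uid could modify or replace to the reason."""
    findings = {}
    for path in paths:
        real = os.path.realpath(path)  # judge the file a symlink points to
        if not os.path.exists(real):
            continue
        st = os.stat(real)
        parent = os.stat(os.path.dirname(real))
        if effective_bits(st, uid, gids) & 2:
            findings[path] = "file is writable"
        elif (effective_bits(parent, uid, gids) & 3) == 3:
            # w+x on the directory permits unlink and re-create, unless the
            # sticky bit limits deletion to the file's or directory's owner.
            sticky = parent.st_mode & stat.S_ISVTX
            if not sticky or uid in (st.st_uid, parent.st_uid):
                findings[path] = "parent directory is writable"
    return findings

if __name__ == "__main__":
    # Assumed locations (only /bin/ls appears in the message); adjust per system.
    targets = ["/bin/ls", "/vmunix", "/etc/fsck", "/etc/telnetd"]
    try:
        user = pwd.getpwnam("daemon")
    except KeyError:
        raise SystemExit("no 'daemon' account on this system")
    groups = set(os.getgrouplist(user.pw_name, user.pw_gid))
    for path, reason in audit(targets, user.pw_uid, groups).items():
        print(f"{path}: {reason}")
```

An empty result means none of the listed files can be altered or swapped out by that uid under mode-bit rules; the parent-directory case is the one a plain look at the file's own permissions misses.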