Re: And You Thought You Were Paranoid...


Steven M. Schultz (sms@ETN-WLV.EATON.COM)
Thu, 10 Nov 88 09:20:09 PST


> From: nic.MR.NET!tank!nucsrl!naim@ub.d.umn.edu (Naim Abdullah)
> Organization: Northwestern U, Evanston IL, USA
> Subject: And You Thought You Were Paranoid...
> Message-Id: <7080011@eecs.nwu.edu>

Naim Abdullah writes...

> In PRINCIPLE "ls -l" is not enough. The worm had root privileges,
> it could have
> installed a modified /bin/ls so that if one of the files being listed
> was fsck, vmunix, ls, telnetd etc (the tampered binaries) /bin/ls
> would always show predetermined sizes. In that situation, "ls -l" wouldn't
> be enough.
>

        This is not quite correct, 'sendmail' had changed uid to "daemon"
        (1 on the system here) NOT "root" when executing the worm.
        The worm had NO super user privileges - that would be a serious
        flaw to have 'sendmail' running as "root" at that stage in the
        delivery process. If the system directories and binaries aren't
        writeable by a 'daemon' uid process there shouldn't be a lot
        that could be damaged.

                      Steven Schultz
                      CONTEL Federal Systems IMSD
                      31717 La Tienda Westlake Village CA 91359-5027

                      Internet: sms@etn-wlv.eaton.com
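
The condition the reply above relies on (system directories and binaries not writable by the 'daemon' uid) can be checked from the mode bits. The following is an added example, not part of the original message; it assumes classic Unix permission bits only (no ACLs, capabilities or read-only mounts), and the function names and the sample tree are constructed for illustration.

```python
import os
import stat
import tempfile

def writable_by(st, uid, gids):
    """Apply classic Unix mode-bit rules to decide if uid/gids may write.

    Assumption: ACLs, capabilities and read-only mounts are not considered.
    """
    if uid == 0:
        return True  # root bypasses mode bits
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)  # owner class wins, even if weaker
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)

def audit(paths, uid, gids):
    """Return (path, reason) findings for files the uid could modify or replace."""
    findings = []
    for path in paths:
        st = os.stat(path)  # follow symlinks: judge the real binary
        if writable_by(st, uid, gids):
            findings.append((path, "file writable"))
        pst = os.stat(os.path.dirname(os.path.abspath(path)))
        if writable_by(pst, uid, gids):
            # A writable directory allows unlink/rename of its entries, unless
            # the sticky bit is set and the uid owns neither file nor directory.
            sticky = pst.st_mode & stat.S_ISVTX
            if not sticky or uid in (st.st_uid, pst.st_uid):
                findings.append((path, "parent directory writable"))
    return findings

def demo():
    """Constructed sample tree: one locked-down file, one group-writable file."""
    root = tempfile.mkdtemp()
    good, bad = os.path.join(root, "ls"), os.path.join(root, "fsck")
    for p, mode in ((good, 0o755), (bad, 0o775)):
        open(p, "w").close()
        os.chmod(p, mode)
    os.chmod(root, 0o755)
    owner, grp = os.stat(good).st_uid, os.stat(good).st_gid
    # Hypothetical unprivileged identity: another uid sharing the files' group.
    return audit([good, bad], uid=owner + 1, gids={grp}), good, bad

if __name__ == "__main__":
    print(demo()[0])
```

On a real system, pass the binaries of interest together with the numeric uid and group ids of the service account being assessed.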


