Path: utzoo!attcan!uunet!husc6!bloom-beacon!apple!bionet!agate!ucbvax!ucsd!orion.cf.uci.edu!paris.ics.uci.edu!venera.isi.edu!cracraft
From: cracraft@venera.isi.edu (Stuart Cracraft)
Newsgroups: comp.protocols.tcp-ip
Subject: Re: Virus detection and prevention
Message-ID: <6702@venera.isi.edu>
Date: 5 Nov 88 07:05:23 GMT
References: <8811040037.AA01678@rand.org>
Reply-To: cracraft@venera.isi.edu.UUCP (Stuart Cracraft)
Organization: Information Sciences Institute, Univ. of So. California
Lines: 50

In article <8811040037.AA01678@rand.org> terry@RAND.ORG (Terry West) writes:
>If you have been hit by the current Internet virus (grep for "sed" in your
>syslog file), you will want to run the enclosed perl script to make sure
>it won't find its way back in as easily the next time.

Jim's PERL script is very handy. Below is a version with a fix for
an annoyance. When a password field is empty, the crypt matches against
every password in the sample word list, thus producing lots of output.
This version is a bit more terse:

#!/usr/local/perl
#
# vircheck: brute force password from Internet virus password list
#
# 4 Nov 88, Stuart Cracraft -- handle blank passwd field
#                              (was outputting entire wordlist)
# 3 Nov 88, Jim Gillogly

$pwfile = "/etc/passwd";                # The password file to check
$words = "virpasswords";                # Try all words out of the virus list
$| = 1;                                 # Flush the output

open(pw, $pwfile);                      # Get the password file
while (<pw>)                            # a line at a time
{
    ($user, $pass) = split(/:/);        # Get the username and password
    if ($pass eq "") {
        print " *****$user: blank password field.\n";
    }
    else {
        $usalt = substr($pass, 0, 2);   # 1st 2 chars are the salt
        print "Trying $user\n";
        $salt = substr($pass, 0, 2);    # Get the salt
        open(w1, $words);               # Get the dictionary once
        while (<w1>)                    # For each word from the dictionary
        {
            chop;                       # Ignore the newline
            if (crypt($_, $salt) eq $pass)      # Check the word
            {
                print " *****$user: $pass comes from password $_.\n";
            }
        }
        if (crypt($user, $salt) eq $pass)       # Is this a "joe"?
        {
            print " *****$user: $pass comes from password $user.\n";
        }
        close(w1);
    }
}