Path: utzoo!attcan!uunet!husc6!mailrus!purdue!decwrl!ucbvax!RAND.ORG!salzman%aja
From: salzman%aja@RAND.ORG (Isaac)
Newsgroups: comp.protocols.tcp-ip
Subject: Re: Virus
Message-ID: <8811050313.AA10370@aja.rand.org>
Date: 5 Nov 88 03:13:13 GMT
References: <19881104194515.0.GLR@MOSCOW-CENTRE.AI.MIT.EDU>
Sender: daemon@ucbvax.BERKELEY.EDU
Organization: The Internet
Lines: 32

>So the first step might be to (quietly) grep unix filesystems for some
>appropriate (cleartext) substrings that would appear in his files (ie,
>pieces of the infecting shell script). Anyone who owned such files
>before the infection would be suspect.

Another thing that everyone should do is make sure you clean out your
/usr/tmp directories (though most of you have probably done so already),
and also check if anyone on your net has snarfed up copies of the stuff
left in /usr/tmp. Anyone who's got that stuff lying around has the
potential for starting the whole thing up again! Of course since everyone
out there has plugged the holes it wouldn't get anywhere, right? :-)

As far as I'm concerned, this virus or worm or whatever you want to call
it was actually a good thing! We can all be thankful that the thing was
benign and didn't cause any real damage. What it did do (hopefully) is
make everyone take a hard look at network security, or a lack thereof.
Everyone likes to think that their system is safe from viruses and such
attacks. This was a very humbling experience for those who think their
nets are invincible. And of course it rid us of a very nasty security
hole in sendmail. Rest assured, people will start to find holes in other
network utilities and get them patched up, and let the rest of us know
about it! Ciao....

--
* Isaac J. Salzman                                            ----
* The RAND Corporation - Information Sciences Dept.          /o o/ /
* 1700 Main St., PO Box 2138, Santa Monica, CA 90406-2138    | v | |
* AT&T: +1 213-393-0411 x6421 or x7923 (ISL lab)             _| |_/
* ARPA: salzman@RAND.ORG or salzman@rand-unix.ARPA           / | |
* UUCP: ...!{cbosgd,decvax,sdcrdcf}!randvax!salzman          | | |