Path: utzoo!utgpu!attcan!uunet!ncrlnk!ncrcae!hubcap!gatech!udel!rochester!rutgers!mit-eddie!bu-cs!purdue!decwrl!sgi!vjs@rhyolite.SGI.COM
From: vjs@rhyolite.SGI.COM (Vernon Schryver)
Newsgroups: comp.sys.sgi
Subject: Re: virus, fix for 3000 part 05 of 05 (last)
Summary: Sorry about that.
Keywords: security binaries worm ftp
Message-ID: <21871@sgi.SGI.COM>
Date: 10 Nov 88 02:02:54 GMT
References: <21697@sgi.SGI.COM> <1795@sbcs.sunysb.edu> <21798@sgi.SGI.COM> <1799@sbcs.sunysb.edu>
Sender: daemon@sgi.SGI.COM
Organization: Silicon Graphics, Inc., Mountain View, CA
Lines: 51

There are a number of ways to subvert a binary as it wanders through the network. Another problem with posting binaries is that they are big. Finally, the Internet Police might come and break our fingers. Silicon Graphics has not in the past posted many (if any) binaries. I hope we won't have to in the future. The circumstances last week were exceptional, and there was little time.

It might have been better if there had been time to write a small program which could have been used to patch the 4D binaries. We could have posted the source for such a tool. If you don't trust the posted binaries, I think the official BSD patch works with adb on 3000's, although I have not tried it. Perhaps you could attack a 4D binary on a 3000 with adb.

However, the official BSD patch, which zeros the entry in the command table, does not close the security problem; it simply broke the worm. If you have played with the hole a little, you will have noticed that you can't become root with it. At least, the best I have done is UID=1 and UID=1147, though I have not spent much time at it.

The sendmail problem will be fixed in a forthcoming release for 4D's. If you have sendmail source, you might want to port it, closing the hole yourself. It is a straightforward port, if a bit of a mess since IRIS's are SV with BSD extensions extended with YP, rather than straight BSD.
Perhaps a way could be found to put useful binaries on a neutral archive, which could be reached via anonymous ftp. Where are the info-IRIS archives these days?

Please accept our apologies if the worm, which afflicted only Suns and VAX's, caused any anxiety. In defense of the one or two of us who typed -DDEBUG in the production makefile (only 2 people come to mind, but I will not say more :-), shipping exactly what we use on our personal machines helps reduce bugs in general. In particular, I have used the debugging stuff to resolve problems on our Internet gateway.

If you are at all concerned about security, stop worrying about sendmail and IMMEDIATELY install the fixes recently posted in comp.bugs.4bsd.ucb-fixes for ftpd. If you cannot do that, you should remove the user name 'ftp' from /etc/passwd. As others have said, this applies to all 4.3BSD ftp's. (The official fix for this will also be in a forthcoming 4D release.)

General prudence would also have you turn off IP forwarding, not allow outside users to log in as guest, and generally keep /etc/passwd small on your gateways.

Vernon Schryver
Silicon Graphics
vjs@sgi.com
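The post's closing advice (remove the 'ftp' user if the ftpd fix cannot be installed, disallow guest logins, keep /etc/passwd small on gateways) can be turned into a quick audit. The script below is an added example, not code from the original post or from Silicon Graphics; it reads a passwd-format file (a constructed sample is embedded so it runs offline), lists the accounts the post says to remove or restrict, and counts the accounts that still have a usable login shell. The helper names and the sample entries are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not part of the original post): audit a passwd-format file
# for the accounts the post recommends removing or disabling on a gateway.

# Constructed sample /etc/passwd; the users, UIDs and paths are made up.
SAMPLE_PASSWD=$(mktemp)
trap 'rm -f "$SAMPLE_PASSWD"' EXIT
cat > "$SAMPLE_PASSWD" <<'EOF'
root:*:0:0:Super-User:/:/bin/sh
daemon:*:1:1:Daemon:/:
ftp:*:30:30:Anonymous FTP:/usr/ftp:/bin/false
guest:*:50:50:Guest login:/usr/guest:/bin/sh
alice:*:200:20:Alice (staff):/usr/people/alice:/bin/csh
EOF

# Print the login names the post singles out: the anonymous 'ftp' account
# and any 'guest' login. An exact match on field 1 avoids false hits on
# names that merely contain "ftp".
risky_accounts() {
    awk -F: '$1 == "ftp" || $1 == "guest" { print $1 }' "$1"
}

# Count entries that can still log in interactively. An empty shell field
# historically means /bin/sh, so only an explicit /bin/false is excluded.
# This is the number the post says to keep small on a gateway.
login_account_count() {
    awk -F: '$7 != "/bin/false" { n++ } END { print n + 0 }' "$1"
}

# Stand-alone run: report what a gateway admin would act on.
echo "Accounts to remove or disable:"
risky_accounts "$SAMPLE_PASSWD"
echo "Accounts with a login shell: $(login_account_count "$SAMPLE_PASSWD")"
```

Point the functions at the real /etc/passwd to audit a gateway; on the constructed sample they report `ftp` and `guest` as the accounts to act on and four accounts with a login shell (root, daemon, guest, alice).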