Path: utzoo!attcan!uunet!yale!cmcl2!phri!roy
From: roy@phri.UUCP (Roy Smith)
Newsgroups: comp.unix.wizards
Subject: Re: Internet Virus: SunOS patches
Summary: Chuq's patch instructions are not quite correct.
Message-ID: <3596@phri.UUCP>
Date: 9 Nov 88 22:58:03 GMT
References: <76493@sun.uucp>
Reply-To: roy@phri.UUCP (Roy Smith)
Organization: Public Health Research Inst. (NY, NY)
Lines: 53

chuq@plaid.Sun.COM (Chuq Von Rospach) writes:

> Patching sendmail:
>
> 2) make a copy of sendmail
>       # cd /usr/lib
>       # cp sendmail sendmail.debug

At this point, you still have a suid-root debug-enabled sendmail binary laying around. True, it's not the actively running daemon, but logic would suggest doing a "chmod 400" (or something similar) on it just to make sure.

> 4) start adb:
>       # adb -w sendmail

At this point, you get some complaint about sendmail being read-only. One possible reason is that /usr/lib/sendmail is probably -r-sr-x--x. You need to do a "chmod +w" on it. Also, since the binary is currently executing, the file is locked. You need to kill off the running sendmail daemon *before* you patch the executable. This will mean mail won't work for a few minutes; BFD :-). Remember to do a "chmod -w" when you're done.

Alternatively, you can just copy /usr/lib/sendmail to /tmp, patch the copy there, and then copy it back (which is the method Chuq suggested to me on the phone a few minutes ago).

Chuq also didn't mention that the proper procedure is to do this patch on your file server(s) and then either reboot all the diskless clients or kill and restart their sendmail daemons. Just patching the servers and leaving the clients running old buggy (debuggy?) sendmails won't do much good.

Since it's a real pain to rlogin to all those diskless clients, you might just want to write an anti-virus which connects to the sendmail daemon on each machine on your network and tries to put it in debug mode. If it can, it sends over the following mail:

----------------
From: /dev/null
To: "|sed -e 1,/^$/d | sh; exit 0"

kill -9 `ps ax | grep 'sendmail -bd -q1h' | grep -v grep | awk '{print $1}'`
/usr/lib/sendmail -bd -q1h
----------------

Sort of a viral self-destruct gene implant. Probably wouldn't work because you're killing the sendmail daemon that's in the process of delivering the mail, but I'm sure you could think of some elaboration of this involving "at" to set a time-bomb for 1 minute in the future.

BTW, before people jump all over me, I'm not really serious about this, even if it is a neat idea.
--
Roy Smith, System Administrator
Public Health Research Institute
{allegra,philabs,cmcl2,rutgers}!phri!roy -or- phri!roy@uunet.uu.net
"The connector is the network"