Path: utzoo!utgpu!watmath!clyde!att!osu-cis!tut.cis.ohio-state.edu!mailrus!ames!amdcad!sun!pitstop!sundc!seismo!uunet!mcvax!ukc!strath-cs!glasgow!Jim
From: jac@doc.ic.ac.uk (Jim Crammond)
Newsgroups: comp.mail.sendmail,mail.uk-sendmail-workers
Subject: sendmail worm fix (1)
Message-ID: <16970.8811071716@sophocles.doc.ic.ac.uk>
Date: 7 Nov 88 17:16:53 GMT
Sender: daemon@cs.glasgow.ac.uk
Lines: 51
Phone: 01-589 5111 ext 5065
X-mailer: mail gatewayed to news (mail-news 1.5a)

The following patch has appeared in a few places like sun-spots digest;
I'm posting here for those who haven't yet seen it.

If you don't have source, apply the following patch to your sendmail
binary. SAVE A COPY OF IT FIRST, IN CASE YOU MESS UP! This is mildly
tricky -- note, some versions of strings(1), which we're going to use to
find the offset of the string "debug" in the binary print out the
offsets in octal, not decimal. Run the following shell line to decide
how your version of strings(1) works:

    /bin/echo 'abcd' | /usr/ucb/strings -o

Note, make sure the eight control 'G's are preserved in this line. If
this command results in something like:

    0000008 abcd

your strings(1) command prints out locations in decimal, else it's
octal.

[ NB I tried this on my sun but it didn't work. However doing a
  strings -o of sendmail soon told me that on Suns strings(1) prints
  in decimal -Jim. ]

The patch script for sendmail. NOTE, YOUR OFFSETS MAY VARY!!

[ Sendmail 3.2 had the offset 124362 -Jim. ]

This script assumes that your strings(1) command prints out the offsets
in decimal.

    Script started on Thu Nov 3 02:08:14 1988
    okeeffe:tmp {2} strings -o -a /usr/lib/sendmail | egrep debug
    0096972 debug
    okeeffe:tmp {3} adb -w /usr/lib/sendmail
    ?m 0 0xffffffff 0
    0t10$d
    radix=10 base ten
    96972?s
    96972:          debug
    96972?w 65536
    96972:          25701   =       65536
    okeeffe:tmp {4} ^D
    script done on Thu Nov 3 02:09:31 1988

If your strings(1) command prints out the offsets in octal, change the
line "0t10$d" to "0t8$d".

[ I use the debug option for testing, therefore rather than disable it I changed the "debug" command to a 3 letter command which does not show up with strings(1). The sendmail binary is not readable by ordinary users so I think this is reasonably safe. -Jim. ]
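
An added example, not part of the original post or of sendmail: the same verify-then-write sequence as the adb session above (`96972?s` before `96972?w`), done on a copy so that an offset read in the wrong radix is rejected instead of corrupting the binary. The function names and the sample byte string are constructed for illustration, and zeroing the first two bytes is assumed to match the effect of the session's write.

```python
import os
import shutil
import tempfile

def find_cstring(data: bytes, word: bytes) -> list:
    """Byte offsets where `word` is a whole NUL-terminated string, not the
    tail of a longer printable run (strings(1) reports the run's start)."""
    hits, pos, needle = [], 0, word + b"\x00"
    while (i := data.find(needle, pos)) != -1:
        if i == 0 or not 0x20 <= data[i - 1] < 0x7F:
            hits.append(i)
        pos = i + 1
    return hits

def patch_copy(src: str, dst: str, offset_text: str, radix: int,
               expect: bytes = b"debug\x00") -> int:
    """Write a patched copy of `src` to `dst`; `src` is never modified.
    `offset_text` is the number as strings -o printed it, `radix` is 10 or 8.
    Nothing is written unless the bytes at that offset are exactly `expect`."""
    offset = int(offset_text, radix)
    with open(src, "rb") as f:            # same check as "96972?s" in adb
        f.seek(offset)
        if f.read(len(expect)) != expect:
            raise ValueError(f"no {expect!r} at {offset}: wrong radix or binary?")
    shutil.copyfile(src, dst)
    with open(dst, "r+b") as f:
        f.seek(offset)
        # Assumption: adb's ?w stores 2 bytes, so 65536 writes 0 over "de"
        # (the old value 25701 shown in the session is 0x6465, i.e. "de").
        f.write(b"\x00\x00")
    return offset

def demo() -> dict:
    # Constructed stand-in for a binary's string table, not a real sendmail.
    blob = b"\x01\x02" * 50 + b"helo\x00nodebug\x00debug\x00showq\x00" + b"\x03" * 20
    tmp = tempfile.mkdtemp()
    src, dst = os.path.join(tmp, "sendmail.orig"), os.path.join(tmp, "sendmail.new")
    with open(src, "wb") as f:
        f.write(blob)
    (off,) = find_cstring(blob, b"debug")
    try:  # an octal printout misread as decimal must be refused
        patch_copy(src, dst, format(off, "o"), 10)
        misread_rejected = False
    except ValueError:
        misread_rejected = True
    patch_copy(src, dst, format(off, "o"), 8)
    with open(dst, "rb") as f:
        remaining = find_cstring(f.read(), b"debug")
    with open(src, "rb") as f:
        original_intact = f.read() == blob
    return {"offset": off, "misread_rejected": misread_rejected,
            "remaining": remaining, "original_intact": original_intact}
```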