Path: utzoo!attcan!uunet!ncrlnk!ncr-sd!hp-sdd!hplabs!ucbvax!ETN-WLV.EATON.COM!sms
From: sms@ETN-WLV.EATON.COM (Steven M. Schultz)
Newsgroups: comp.protocols.tcp-ip
Subject: Re: And You Thought You Were Paranoid...
Message-ID: <8811101720.AA23823@ETN-WLV.EATON.COM>
Date: 10 Nov 88 17:20:09 GMT
Sender: daemon@ucbvax.BERKELEY.EDU
Organization: The Internet
Lines: 28

> From: nic.MR.NET!tank!nucsrl!naim@ub.d.umn.edu (Naim Abdullah)
> Organization: Northwestern U, Evanston IL, USA
> Subject: And You Thought You Were Paranoid...
> Message-Id: <7080011@eecs.nwu.edu>

Naim Abdullah writes...

> In PRINCIPLE "ls -l" is not enough. The worm had root privileges,
> it could have installed a modified /bin/ls so that if one of the files
> being listed was fsck, vmunix, ls, telnetd etc (the tampered binaries)
> /bin/ls would always show predetermined sizes. In that situation,
> "ls -l" wouldn't be enough.

This is not quite correct, 'sendmail' had changed uid to "daemon" (1 on the
system here) NOT "root" when executing the worm. The worm had NO super user
privileges - that would be a serious flaw to have 'sendmail' running as
"root" at that stage in the delivery process.

If the system directories and binaries aren't writeable by a 'daemon' uid
process there shouldn't be a lot that could be damaged.

	Steven Schultz
	CONTEL Federal Systems IMSD
	31717 La Tienda
	Westlake Village CA 91359-5027
	Internet: sms@etn-wlv.eaton.com