Path: utzoo!utgpu!watmath!clyde!att!osu-cis!tut.cis.ohio-state.edu!cwjcc!gatech!ncar!tank!nucsrl!gore
From: gore@eecs.nwu.edu (Jacob Gore)
Newsgroups: comp.unix.wizards
Subject: How did the worm become nobody?
Message-ID: <11410011@eecs.nwu.edu>
Date: 26 Nov 88 02:41:28 GMT
Organization: Northwestern U, Evanston IL, USA
Lines: 16

A question to people who know how the Internet Worm of 88 (yeah, I know, the year isn't over yet :-) worked:

On my system, the /usr/tmp/ files it left behind were owned by user 'nobody'. Can anybody tell me how that happened?

Some facts: The OS is Mt. Xinu's 4.3BSD+NFS (the machine is a VAX, if that matters). Ypserv and ypbind are running, but aren't doing much (we use bind's resolv library directly, and don't yp passwords). The mail system is MMDF, so it wasn't the sendmail attack that got to us (we did check if the same trick works with MMDF; it doesn't).

Jacob Gore                      Gore@EECS.NWU.Edu
Northwestern Univ., EECS Dept.  {oddjob,gargoyle,att}!nucsrl!gore