Path: utzoo!utgpu!watmath!clyde!att!osu-cis!tut.cis.ohio-state.edu!cwjcc!hal!nic.MR.NET!tank!nucsrl!gore
From: gore@eecs.nwu.edu (Jacob Gore)
Newsgroups: comp.unix.wizards
Subject: Re: How did the worm become nobody?
Message-ID: <11410012@eecs.nwu.edu>
Date: 26 Nov 88 22:15:26 GMT
References: <11410011@eecs.nwu.edu>
Organization: Northwestern U, Evanston IL, USA
Lines: 18

I asked:

>/ comp.unix.wizards / gore@eecs.nwu.edu (Jacob Gore) / Nov 25, 1988 /
>On my system, the /usr/tmp/ files it left behind were owned by user
>'nobody'.  Can anybody tell me how that happened?

The first two replies came from Doug Kingston <dpk@morgan.com> and from
<smb@ulysses.uucp> (thanks!), and I'm sure I'll get more before this
message gets out, so thanks, in advance, to all who have replied.

The answer is in the /etc/inetd.conf file:

>finger	stream	tcp	nowait	nobody	/etc/fingerd	fingerd

The worm got through the fingerd hole, and fingerd is run as user 'nobody'.

Jacob Gore				Gore@EECS.NWU.Edu
Northwestern Univ., EECS Dept.		{oddjob,gargoyle,att}!nucsrl!gore