[comp.unix.wizards] How did the worm become nobody?

gore@eecs.nwu.edu (Jacob Gore) (11/26/88)

A question to people who know how the Internet Worm of 88 (yeah, I know,
the year isn't over yet :-) worked:

On my system, the /usr/tmp/ files it left behind were owned by user
'nobody'.  Can anybody tell me how that happened?

Some facts:

The OS is Mt. Xinu's 4.3BSD+NFS (the machine is a VAX, if that matters).
Ypserv and ypbind are running, but aren't doing much (we use bind's resolv
library directly, and don't yp passwords).  The mail system is MMDF, so it
wasn't the sendmail attack that got to us (we did check if the same trick
works with MMDF; it doesn't).

Jacob Gore				Gore@EECS.NWU.Edu
Northwestern Univ., EECS Dept.		{oddjob,gargoyle,att}!nucsrl!gore

gore@eecs.nwu.edu (Jacob Gore) (11/27/88)

I asked:

>/ comp.unix.wizards / gore@eecs.nwu.edu (Jacob Gore) / Nov 25, 1988 /
>On my system, the /usr/tmp/ files it left behind were owned by user
>'nobody'.  Can anybody tell me how that happened?

The first two replies came from Doug Kingston <dpk@morgan.com> and from
<smb@ulysses.uucp> (thanks!), and I'm sure I'll get more before this
message gets out, so thanks, in advance, to all who have replied.

The answer is in the /etc/inetd.conf file:

>finger	stream	tcp	nowait	nobody	/etc/fingerd	fingerd

The worm got through the fingerd hole, and fingerd is run as user 'nobody'.

Jacob Gore				Gore@EECS.NWU.Edu
Northwestern Univ., EECS Dept.		{oddjob,gargoyle,att}!nucsrl!gore
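The inetd.conf line quoted above is the whole explanation: the fifth field of each entry is the user inetd switches to before exec'ing the server, so a compromised fingerd inherited only the privileges of 'nobody', and every file the worm dropped carried that owner. The same field is the first thing to audit on any inetd-managed host. The following Python is an added example, not code from the thread or from any BSD distribution; it parses a 4.3BSD-style inetd.conf (service, socket type, protocol, wait/nowait, user[.group], server, args) and reports which services still run as root. The configuration text embedded in it is constructed for the example, with the finger line matching the one quoted in the post.

```python
# Added example (not from the original thread): parse a 4.3BSD-style
# /etc/inetd.conf and report which user each service would run as.
# The sample configuration below is constructed for this example.
import re
from typing import Dict, List, NamedTuple, Optional


class InetdEntry(NamedTuple):
    service: str
    socket_type: str
    protocol: str
    wait: str
    user: str
    group: Optional[str]
    server: str
    args: List[str]


# Constructed sample: the finger line matches the one quoted in the thread;
# the other lines are typical of an inetd.conf of that era.
SAMPLE_INETD_CONF = """\
# Internet server configuration database (constructed sample)
ftp	stream	tcp	nowait	root	/etc/ftpd	ftpd
telnet	stream	tcp	nowait	root	/etc/telnetd	telnetd
finger	stream	tcp	nowait	nobody	/etc/fingerd	fingerd
tftp	dgram	udp	wait	nobody	/etc/tftpd	tftpd
daytime	stream	tcp	nowait	root	internal
"""


def parse_inetd_conf(text: str) -> List[InetdEntry]:
    """Parse lines of the form:
       service socket_type protocol wait user[.group] server [args...]
    Comments (#) and blank lines are ignored; short lines are an error."""
    entries: List[InetdEntry] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 6:
            raise ValueError(f"malformed inetd.conf line: {raw!r}")
        # 4.3BSD wrote the user field as user or user.group; later inetds
        # also accept user:group, so both separators are recognised here.
        m = re.fullmatch(r"([^.:]+)(?:[.:](.+))?", fields[4])
        if m is None:
            raise ValueError(f"bad user field in line: {raw!r}")
        user, group = m.group(1), m.group(2)
        entries.append(
            InetdEntry(fields[0], fields[1], fields[2], fields[3],
                       user, group, fields[5], fields[6:])
        )
    return entries


def services_by_user(entries: List[InetdEntry]) -> Dict[str, List[str]]:
    """Group service names by the uid they run under."""
    result: Dict[str, List[str]] = {}
    for e in entries:
        result.setdefault(e.user, []).append(e.service)
    return result


def privileged_services(entries: List[InetdEntry]) -> List[str]:
    """External servers that inetd would still exec as root. The 'internal'
    services (daytime, echo, ...) are handled inside inetd itself and have
    no separate server to drop privileges for, so they are skipped."""
    return [e.service for e in entries
            if e.user == "root" and e.server != "internal"]


if __name__ == "__main__":
    parsed = parse_inetd_conf(SAMPLE_INETD_CONF)
    for user, names in sorted(services_by_user(parsed).items()):
        print(f"{user:10s} {' '.join(names)}")
    print("external servers running as root:", privileged_services(parsed))
```

Run against a real /etc/inetd.conf the report makes the thread's point visible: a hole in a server listed with 'nobody' yields files owned by nobody, while a hole in one listed with 'root' yields a root shell, so the 'root' column is the one to shrink.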