Sun-Spots-Request@Rice.edu (William LeFebvre) (11/05/88)
SUN-SPOTS DIGEST Thursday, 3 November 1988 Volume 7 : Issue 4 Today's Topics: This issue is about the Internet virus Internet VIRUS alert Fixes for the virus Fixes for the virus, #2 Virus report More on the virus and the fixes Send contributions to: sun-spots@rice.edu Send subscription add/delete requests to: sun-spots-request@rice.edu Bitnet readers can subscribe directly with the CMS command: TELL LISTSERV AT RICE SUBSCRIBE SUNSPOTS My Full Name Recent backissues are available via anonymous FTP from "titan.rice.edu". For volume X, issue Y, "get sun-spots/vXnY". They are also accessible through the archive server: mail the request "send sun-spots vXnY" to "archive-server@rice.edu" or mail the word "help" to the same address for more information. ---------------------------------------------------------------------- Date: Thu, 3 Nov 88 23:52:46 CST From: William LeFebvre <phil@Rice.edu> Subject: This issue is about the Internet virus It seems that starting sometime Wednesday evening, a virus started spreading itself around many, many different Internet machines. It tried to attack Rice's main mail gateway, but, in an ironic twist of fate, was not able to penetrate because the partition it was trying to use was full! I have tried to accumulate as much information as I can about this. Some of it was posted to sun-spots, some was obtained from other sources. Some of the articles were copied from other newsgroups, so the originating posters may not be familiar names to sun-spots readers. My thanks to all who contributed: those who just sent copies of messages seen elsewhere may not be explicitly mentioned, but I am thankful just the same. I would also like to express my thanks to the people who found the virus and took the time to find a way of stopping it. This thing is so amazing and widespread that it made CNN news tonight. It has caused some serious problems at many research sites across the country. The reporter even said that the FBI was getting involved in the investigation! In an attempt to get this news out as quickly as possible, this is a short digest and is devoted entirely to messages about the virus. William LeFebvre ------------------------------ Date: Thu, 3 Nov 88 10:30:59 CST From: Peter E. Yee <yee@ames.arc.nasa.gov> Subject: Internet VIRUS alert We are currently under attack from an Internet VIRUS. It has hit UC Berkeley, UC San Diego, Lawrence Livermore, Stanford, and NASA Ames. The virus comes in via SMTP, and then is able to attack all 4.3BSD and SUN (3.X?) machines. It sends a RCPT TO that requests that its data be piped through a shell. It copies in a program, compiles and executes it. This program copies in VAX and SUN binaries that try to replicate the virus via connections to TELNETD, FTPD, FINGERD, RSHD, and SMTP. The programs also appear to have DES tables in them. They appear in /usr/tmp as files that start with the letter x. Removing them is not enough as they will come back in the next wave of attacks. For now turning off the above services seems to be the only help. The virus is able to take advantage of .rhosts files and hosts.equiv. We are not certain what the final result of the binaries is, hence the warning. -Peter Yee yee@ames.arc.nasa.gov ames!yee ------------------------------ Date: 3 Nov 88 10:54:57 GMT From: bostic@OKEEFFE.BERKELEY.EDU (Keith Bostic) Subject: Fixes for the virus Approved: ucb-fixes@okeeffe.berkeley.edu Original-newsgroup: comp.bugs.4bsd.ucb-fixes Index: usr.lib/sendmail/src/srvrsmtp.c 4BSD Description: There's a virus running around; the salient facts. A bug in sendmail has been used to introduce a virus into a lot of Internet UNIX systems. It has not been observed to damage the host system, however, it's incredibly virulent, attempting to introduce itself to every system it can find. It appears to use rsh, broken passwords, and sendmail to introduce itself into the target systems. It affects only VAXen and Suns, as far as we know. There are three changes that we believe will immunize your system. They are attached. Thanks to the Experimental Computing Facility, Center for Disease Control for their assistance. (It's pretty late, and they certainly deserved some thanks, somewhere!) Fix: First, either recompile or patch sendmail to disallow the `debug' option. If you have source, recompile sendmail after first applying the following patch to the module svrsmtp.c: *** /tmp/d22039 Thu Nov 3 02:26:20 1988 --- srvrsmtp.c Thu Nov 3 01:21:04 1988 *************** *** 85,92 **** "onex", CMDONEX, # ifdef DEBUG "showq", CMDDBGQSHOW, - "debug", CMDDBGDEBUG, # endif DEBUG # ifdef WIZ "kill", CMDDBGKILL, # endif WIZ --- 85,94 ---- "onex", CMDONEX, # ifdef DEBUG "showq", CMDDBGQSHOW, # endif DEBUG + # ifdef notdef + "debug", CMDDBGDEBUG, + # endif notdef # ifdef WIZ "kill", CMDDBGKILL, # endif WIZ Then, reinstall sendmail, refreeze the configuration file, using the command "/usr/lib/sendmail -bz", kill any running sendmail's, using the ps(1) command and the kill(1) command, and restart your sendmail. To find out how sendmail is execed on your system, use grep(1) to find the sendmail start line in either the files /etc/rc or /etc/rc.local If you don't have source, apply the following patch to your sendmail binary. SAVE A COPY OF IT FIRST, IN CASE YOU MESS UP! This is mildly tricky -- note, some versions of strings(1), which we're going to use to find the offset of the string "debug" in the binary print out the offsets in octal, not decimal. Run the following shell line to decide how your version of strings(1) works: /bin/echo 'abcd' | /usr/ucb/strings -o Note, make sure the eight control 'G's are preserved in this line. If this command results in something like: 0000008 abcd your strings(1) command prints out locations in decimal, else it's octal. The patch script for sendmail. NOTE, YOUR OFFSETS MAY VARY!! This script assumes that your strings(1) command prints out the offsets in decimal. Script started on Thu Nov 3 02:08:14 1988 okeeffe:tmp {2} strings -o -a /usr/lib/sendmail | egrep debug 0096972 debug okeeffe:tmp {3} adb -w /usr/lib/sendmail ?m 0 0xffffffff 0 0t10$d radix=10 base ten 96972?s 96972: debug 96972?w 0 96972: 25701 = 0 okeeffe:tmp {4} ^D script done on Thu Nov 3 02:09:31 1988 If your strings(1) command prints out the offsets in octal, change the line "0t10$d" to "0t8$d". After you've fixed sendmail, move both /bin/cc and /bin/ld to something else. (The virus uses the cc and the ld commands to rebuild itself to run on your system.) Finally, kill any processes on your system that don't belong there. Suspicious ones have "(sh)" or "xNNNNNNN" where the N's are random digits, as the command name on the ps(1) output line. One more thing, if you find files in /tmp or /usr/tmp that have names like "xNNNNNN,l1.c", or "xNNNNNN,sun3.o", or "xNNNNNNN,vax.o" where the N's are random digits, you've been infected. ------------------------------ Date: 3 Nov 88 16:12:19 GMT From: bostic@OKEEFFE.BERKELEY.EDU (Keith Bostic) Subject: Fixes for the virus, #2 Approved: ucb-fixes@okeeffe.berkeley.edu Original-newsgroup: comp.bugs.4bsd.ucb-fixes Index: usr.lib/sendmail/src/srvrsmtp.c 4BSD Description: This is a followup message, to clear up two points. First off, a better value to use to PATCH your sendmail executable is 0xff; if you're using the patch script, change: 96972?w 0 to: 96972?w 65535 Secondly, note, if, when you run strings(1) on your sendmail executable, greping for ``debug'', you don't get any output, don't worry about the problem, your system is already (we think) safe. ------------------------------ Date: 4 Nov 88 04:37:03 GMT From: mkkam@csune.cs.uh.edu (Francis Kam) Subject: Virus report A virus-like intruder was found last night on sun1.cs.uh.edu, sun2.cs.uh.edu, and sun3.cs.uh.edu. The attack lasted for about 3 hours. No visible damage is found so far. The observed symptoms are: 1) doing a 'ps -aux' will find processes owned by 'daemon' and named (sh) are running and self-forking themselves; 2) some of them will do a 'rsh <otherhosts> exec /bin/sh'; 3) occasionally one of these processes will 'cc' some programs named as 'x<nnnnnnnn>' where nnnnnn are random numbers; then it will fork itself and run one of those compiled binary; 4) doing a 'trace -p' onto these processes show that they look at a) yellow pages b) user files (both randomly and sequential) c) run 'netstat -r -n' d) does select(2) on certain sockets; A suspected source of the infection is a bug in /usr/lib/sendmail. The followings are done on our systems: 1) remove ~/.rhosts 2) remove /etc/hosts.equiv (if possible) 3) remove anonymous ftp 4) patch /usr/lib/sendmail following bostic@okeeffe.berkeley.edu's advice [[ appears earlier in this digest. --wnl ]] 5) reboot all machines with the new sendmail 6) disable server user logon 7) remove all setuid script if possible 8) check all file modes in /, /bin, /etc/, /usr/bin, /usr/ucb to be less than 755 Thank you for those who work overnight to track the problem and post the patches. Francis Kam CSC-3475 Internet: mkkam@cs.uh.edu Computer Science Department mkkam@sun1.cs.uh.edu University of Houston CSNET: mkkam@houston.csnet 4800 Calhoun Phone: (713)749-1748 Houston, TX 77004. (713)749-4791 ------------------------------ Date: 3 Nov 88 19:58:27 GMT From: news@cs.purdue.EDU (News Knower) Subject: More on the virus and the fixes Approved: news@cs.purdue.EDU Original-newsgroup: news.sysadmin The patch from Keith Bostic in the last message is *not* sufficient to halt the spread of the virus. We have discovered from looking at the binaries that the virus also attempts to spread itself via "rsh" commands to other machines. It looks through a *lot* of files to find possible vectors to spread. If you have a bunch of machines with hosts.equiv set or .rhosts files, you should shut them *all* down at the same time after you have fixed sendmail to prevent a further infestation. If you don't clear out the versions in memory, you won't protect your other machines. The virus runs itself with the name "sh" and then overwrites argv, so if a "ps ax" shows any processes named "(sh)" without a controlling tty, you have a problem. Due to the use of other uids from rsh, don't make any conclusions if the uid is one of your normal users. Also, check your mailq (do a mailq command). If you see any entries that pipe themselves through sed and sh, delete them from the queue before you restart your machines. Non-internet sites do not need to worry about this virus (for now!), but be aware that mail and news may not be flowing everywhere for some time -- many sites are disconnecting from the Internet completely until the virus is contained. ------------------------------ End of SUN-Spots Digest ***********************