[comp.sys.apollo] Sendmail hole

chen@digital.sps.mot.com (Jinfu Chen) (10/05/89)

People at comp.virus are getting quite excited about the coming "Friday the 13th"
(Oct 13th). This reminds me of the infamous ARPANET worm last November, so I just
tried the following on our SMTP gateway node (running SR10.1.0.4), and to my
surprise:

[ first look for 'debug' string in sendmail ]
> $ strings /usr/lib/sendmail | grep -i debug
> debug
> Debug set

[ then, connected to digital.sps.mot.com on SMTP port ]
> 220 digital.sps.mot.com Sendmail 5.51.2/SMI-3.2 ready at Wed, 4 Oct 89 20:21:41 MDT
> DEBUG
> 200 Debug set
> quit
> 221 digital.sps.mot.com closing connection
> 
> ====finis: stat 0 e_flags 1
> dropenvelope 1cdb8 id="AA14672" flags=1
> Connection closed by foreign host.

Should I panic?! I don't know if the "DEBUG" command in this version of
SMTP from Apollo is immune to the ARPANET worm. Could someone from Apollo
verify this?

One of the recent Apollo patches is related to `fingerd' and the document says
it's been inoculated against the virus publicized on USENET. Does this apply
to sendmail?

-- 
Jinfu Chen                  (602)898-5338      |       Disclaimer:
Motorola, Inc.  Logic IC Div., Mesa, AZ        | 
...{somewhere}!uunet!dover!digital!chen        | My employer doesn't pay
chen@digital.sps.mot.com                       | me to express opinions.
----------

pcc@apollo.HP.COM (Peter Craine) (10/06/89)

In article <46098421.81da@digital.sps.mot.com> chen@digital.sps.mot.com (Jinfu Chen) writes:
>People at comp.virus are getting quite excited about the coming "Friday the 13th"
>(Oct 13th). This reminds me of the infamous ARPANET worm last November, so I just
>tried the following on our SMTP gateway node (running SR10.1.0.4), and to my
>surprise:
>
[sendmail DEBUG stuff deleted]
>
>Should I panic?! I don't know if the "DEBUG" command in this version of
>SMTP from Apollo is immune to the ARPANET worm. Could someone from Apollo
>verify this?
>
>One of the recent Apollo patches is related to `fingerd' and the document says
>it's been inoculated against the virus publicized on USENET. Does this apply
>to sendmail?
>
>-- 

You don't have to panic.  Sendmail is inoculated at SR10.2 so that THAT virus
attack won't work (unless you use the undocumented, unsupported option that I'm not going
to talk about).  Theoretically, if somebody did enough work, they could find a way to
get the old internet virus to work against SR10.0 and SR10.1 systems.  But the attack
would be very difficult to engineer (I'm reasonably sure).

I'm not going to go into a dissertation about how that virus (worm, actually) worked,
but it's a tad more difficult than it would be on a "real UNIX" system.

I'm not going to say anything stupid like "Gee, our system is impervious to attack"
(I'll wait while you finish laughing), but that particular attack isn't as easy as
some people believe.

BTW, the hole in fingerd that we fixed was that fingerd never checked how long the
data was that was being passed to it.  There is now an (enforced) limit.

[flame suit on]

                        Peter Craine, NACS

*I* don't want my own opinions.  Why would HPOLLO want them?
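The fingerd fix Peter describes (an enforced limit on the request length) as an added example, not Apollo's or HP's code: a request reader that rejects an over-long line instead of writing past its buffer. The names `read_request`, `REQ_MAX` and the status codes are my own, and the input stream is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not Apollo's fingerd source. Finger requests arrive as one
 * line over the network; this demo reads them from an in-memory byte stream
 * so it runs offline. REQ_MAX is a constructed limit for the demo. */
#define REQ_MAX 32

enum req_status { REQ_OK = 0, REQ_TOO_LONG = -1, REQ_EOF = -2 };

/* Copy one line from data[*pos..len) into buf (capacity bufsz), stopping at '\n'.
 * If the line cannot fit, skip the rest of it and report REQ_TOO_LONG rather than
 * writing past the buffer: this is the length check the original fingerd lacked. */
enum req_status read_request(const char *data, size_t len, size_t *pos,
                             char *buf, size_t bufsz)
{
    size_t n = 0;
    if (*pos >= len) return REQ_EOF;
    while (*pos < len && data[*pos] != '\n') {
        if (n + 1 >= bufsz) {               /* keep room for the terminator */
            while (*pos < len && data[*pos] != '\n') (*pos)++;
            if (*pos < len) (*pos)++;       /* consume the newline too */
            buf[0] = '\0';
            return REQ_TOO_LONG;
        }
        buf[n++] = data[(*pos)++];
    }
    if (*pos < len) (*pos)++;               /* consume '\n' */
    if (n > 0 && buf[n - 1] == '\r') n--;   /* tolerate CRLF line endings */
    buf[n] = '\0';
    return REQ_OK;
}

int main(void)
{
    /* constructed input: a normal request, a 200-byte line, another request */
    char stream[300], buf[REQ_MAX];
    size_t pos = 0, used = 0;
    enum req_status s;
    memcpy(stream, "chen\r\n", 6); used = 6;
    memset(stream + used, 'A', 200); used += 200;
    stream[used++] = '\n';
    memcpy(stream + used, "root\n", 5); used += 5;
    while ((s = read_request(stream, used, &pos, buf, sizeof buf)) != REQ_EOF)
        printf("%s: \"%s\"\n", s == REQ_OK ? "ok" : "rejected (too long)", buf);
    return 0;
}
```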