[comp.sys.apollo] Computer virus

dbfunk@ICAEN.UIOWA.EDU (David B. Funk) (11/05/88)

In case you've not been reading the news, there's a computer
virus running around the Internet. Here's an excerpt taken
from UUNET:

	Newsgroups: news.announce,news.sysadmin
	Date: Thu, 3 Nov 88 02:58:55 PST
	From: bostic@okeeffe.Berkeley.EDU (Keith Bostic)
	Subject: Virus (READ THIS IMMEDIATELY)
	Approved: spaf@cs.purdue.edu
	Distribution: world
	
	Description:
		There's a virus running around; the salient facts.  A bug in
		sendmail has been used to introduce a virus into a lot of
		Internet UNIX systems.  It has not been observed to damage the
		host system, however, it's incredibly virulent, attempting to
		introduce itself to every system it can find.  It appears to
		use rsh, broken passwords, and sendmail to introduce itself
		into the target systems.  It affects only VAXen and Suns, as
		far as we know.  

We Apollo-ites can sit this one out and smile though. The version of
sendmail that was distributed with SR9.5 Domain/IX does NOT have the
buggy "debug" code that this virus used to get around. I have not
checked out the SR10 version but I assume that it's OK also.
If you are connected to a network with VAXen or Suns you might want
to watch out, the virus can use the ".rhosts" and "hosts.equiv"
files on an infected host to try to get in to other systems.

    Dave Funk

casey@admin.cognet.ucla.edu (Casey Leedom) (11/07/88)

| From: dbfunk@ICAEN.UIOWA.EDU (David B. Funk)
| 
|  The version of sendmail that was distributed with SR9.5 Domain/IX does
| NOT have the buggy "debug" code that this virus used to get around.  I
| have not checked out the SR10 version but I assume that it's OK also.

  Unfortunately SR10's sendmail comes with debug mode compiled in.
But, much as I've been known to criticize Apollo, I can't blame them for
this one.  In their effort to implement 4.3BSD as closely as possible,
they simply picked up a problem that Berkeley left in (it should also be
noted that in general I'm a pro-Berkeley-ite).

  Anyone running SR10 should attempt to use the instructions mailed out
by Keith Bostic of CSRG at Berkeley to patch their SR10 sendmail binaries.
Unfortunately, it'll be a very short lived attempt since Apollo still
doesn't ship adb.

  I've appended a short program that will overwrite the keyword "debug"
with 0xff's as per the suggestion from Berkeley.  Note that the program
should work without arguments for virgin SR10.0 68000 sendmail binaries.
Anything else will probably have to have the proper offset of the debug
keyword passed in on the command line (use ``strings -o /usr/lib/sendmail
| egrep debug'' - the number printed out should work).

  Note also that I've tried to make the program as paranoid as possible.
It reads the binary first and if "debug\0" isn't found at the indicated
offset, it terminates without writing anything.  However, as you always
should, make a back up copy of your sendmail binary and check the program
over yourself CAREFULLY.  (Insert usual disclaimers of responsibility
should this program not work as advertised, etc.)

Casey

-----
/*
 * Overwrite the "debug" keyword in /usr/lib/sendmail with 0xff bytes so
 * the DEBUG SMTP command is no longer recognized.  Nothing is written
 * unless "debug" followed by a NUL is found at the chosen offset, so a
 * wrong offset cannot damage the binary.
 *
 * The original was written for Apollo SR10 and included <apollo_$std.h>,
 * which nothing here uses; 4.3BSD's L_SET is spelled SEEK_SET below.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>

#define SENDMAIL	"/usr/lib/sendmail"

#ifdef m68000
#  define	DEBUG_OFFSET	75762L	/* virgin SR10.0 68000 sendmail */
#else
#  define	DEBUG_OFFSET	-1L	/* no known offset: must be given as argument */
#endif

static char buf[sizeof("debug")];	/* five letters plus the terminating NUL */

int
main(int argc, char **argv)
{
	int fd, i;
	ssize_t n;
	long debug_offset = DEBUG_OFFSET;
	char *end;

	if (argc == 2) {
		/*
		 * The offset is read as decimal, which is what 4.3BSD's
		 * "strings -o" prints.  GNU strings prints octal for -o;
		 * use "strings -t d" there.
		 */
		debug_offset = strtol(argv[1], &end, 10);
		if (argv[1][0] == '\0' || *end != '\0')
			debug_offset = -1L;
	} else if (argc != 1)
		debug_offset = -1L;
	if (debug_offset < 0) {
		fprintf(stderr, "usage: %s [ sendmail-debug-keyword-offset ]\n",
			argv[0]);
		exit(1);
	}

	fd = open(SENDMAIL, O_RDWR);
	if (fd < 0) {
		perror("open: " SENDMAIL);
		exit(1);
	}
	if (lseek(fd, debug_offset, SEEK_SET) < 0) {
		perror("lseek: " SENDMAIL);
		exit(1);
	}
	n = read(fd, buf, sizeof(buf));
	if (n < 0) {
		perror("read: " SENDMAIL);
		exit(1);
	}
	if (n != (ssize_t)sizeof(buf)) {
		fprintf(stderr, "%s: unable to read %zu bytes, only got %zd.\n",
			argv[0], sizeof(buf), n);
		exit(1);
	}
	/* All six bytes must match, so the keyword has to end exactly here. */
	if (memcmp(buf, "debug", sizeof(buf)) != 0) {
		fprintf(stderr, "%s: offset %ld in %s does not contain\n",
			argv[0], debug_offset, SENDMAIL);
		fprintf(stderr, "the word \"debug\".  %s NOT changed.\n", SENDMAIL);
		exit(1);
	}
	if (lseek(fd, debug_offset, SEEK_SET) < 0) {
		perror("lseek");
		exit(1);
	}
	/* Blank the letters only; the NUL stays so the string table keeps its shape. */
	for (i = 0; i < (int)sizeof(buf) && buf[i]; i++)
		buf[i] = (char)0xff;
	n = write(fd, buf, sizeof(buf));
	if (n < 0) {
		perror("write");
		exit(1);
	}
	if (n != (ssize_t)sizeof(buf)) {
		fprintf(stderr, "%s: unable to write %zu bytes, only got %zd out!\n",
			argv[0], sizeof(buf), n);
		fprintf(stderr, "%s may be corrupted!!!\n", SENDMAIL);
		exit(1);
	}
	if (close(fd) < 0) {
		perror("close");
		fprintf(stderr, "%s: %s was written to successfully before close failed.\n",
			argv[0], SENDMAIL);
		fprintf(stderr, "%s may be corrupted!!!\n", SENDMAIL);
		exit(1);
	}
	return 0;
}
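The procedure Casey describes (find the offset with strings(1), confirm the bytes, then blank the keyword) can be folded into one program that locates the keyword itself instead of trusting a compiled-in or hand-copied offset. The following is an added example written for this page; it is not Casey's program and not code from Apollo or Berkeley. It goes beyond the post in that it covers binaries whose offset is unknown: it lists every place "debug" occurs as a standalone NUL-terminated string, refuses to act unless there is exactly one, and saves a copy as <path>.orig before writing. The default path /usr/lib/sendmail, the function names, and the bytes in make_sample() are assumptions constructed for illustration.

```c
/*
 * Added example for this page, not Casey's program and not Apollo's or
 * Berkeley's code.  It does the `strings -o | egrep debug' step itself:
 * scan for every place where the keyword is a standalone NUL-terminated
 * string, refuse to patch unless exactly one candidate exists, then blank
 * the letters with 0xff as the original program does.  The bytes in
 * make_sample() are constructed to resemble a command table.
 */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_HITS 16
enum { PATCH_OK = 0, PATCH_NOT_FOUND = -1, PATCH_AMBIGUOUS = -2, PATCH_IO = -3 };

/* Offsets of every whole-string occurrence of kw (NUL after it, no printable
 * byte before it, so "xdebug" is not counted).  Returns the total count even
 * beyond max; offsets may be NULL when max is 0. */
size_t find_keyword(const unsigned char *buf, size_t len, const char *kw,
                    long *offsets, size_t max)
{
    size_t kwlen = strlen(kw) + 1;        /* include the terminating NUL */
    size_t n = 0;
    for (size_t i = 0; i + kwlen <= len; i++) {
        if (memcmp(buf + i, kw, kwlen) != 0 || (i > 0 && isprint(buf[i - 1])))
            continue;
        if (n < max)
            offsets[n] = (long)i;
        n++;
    }
    return n;
}

/* Blank the letters with 0xff and keep the NUL.  Succeeds only with exactly
 * one candidate; with several, the operator must choose an offset by hand. */
int patch_buffer(unsigned char *buf, size_t len, const char *kw, long *where)
{
    long hits[MAX_HITS];
    size_t n = find_keyword(buf, len, kw, hits, MAX_HITS);
    if (n == 0)
        return PATCH_NOT_FOUND;
    if (n > 1)
        return PATCH_AMBIGUOUS;
    memset(buf + hits[0], 0xff, strlen(kw));
    if (where)
        *where = hits[0];
    return PATCH_OK;
}

/* Constructed sample: a decoy "xdebug", then the real keyword at offset 18. */
size_t make_sample(unsigned char *out, size_t cap)
{
    static const unsigned char sample[] = "\0helo\0mail\0xdebug\0debug\0rcpt\0";
    if (sizeof(sample) > cap)
        return 0;
    memcpy(out, sample, sizeof(sample));
    return sizeof(sample);
}

static int write_all(const char *path, const char *mode, const unsigned char *buf, size_t len)
{
    FILE *f = fopen(path, mode);
    if (f == NULL)
        return -1;
    int ok = fwrite(buf, 1, len, f) == len;
    return (fclose(f) == 0 && ok) ? 0 : -1;
}

/* Read the file, save a copy as path.orig, then rewrite it in place ("r+b",
 * so mode and owner are kept).  Returns a PATCH_* code. */
int patch_file(const char *path, const char *kw, long *where)
{
    char backup[4096];
    long len;
    int rc = PATCH_IO;
    FILE *f = fopen(path, "rb");
    if (f == NULL)
        return PATCH_IO;
    if (fseek(f, 0, SEEK_END) != 0 || (len = ftell(f)) < 0 || fseek(f, 0, SEEK_SET) != 0) {
        fclose(f);
        return PATCH_IO;
    }
    unsigned char *buf = malloc((size_t)len + 1);
    int got = buf != NULL && fread(buf, 1, (size_t)len, f) == (size_t)len;
    fclose(f);
    snprintf(backup, sizeof backup, "%s.orig", path);
    if (got && write_all(backup, "wb", buf, (size_t)len) == 0) {
        rc = patch_buffer(buf, (size_t)len, kw, where);
        if (rc == PATCH_OK && write_all(path, "r+b", buf, (size_t)len) != 0)
            rc = PATCH_IO;
    }
    free(buf);
    return rc;
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/usr/lib/sendmail";   /* assumed default */
    long off;
    int rc = patch_file(path, "debug", &off);
    if (rc == PATCH_OK)
        printf("%s: blanked \"debug\" at offset %ld, copy saved as %s.orig\n", path, off, path);
    else
        fprintf(stderr, "%s: not changed (%s)\n", path, rc == PATCH_NOT_FOUND ? "keyword not found"
                : rc == PATCH_AMBIGUOUS ? "several candidates, patch by explicit offset" : "I/O error");
    return rc == PATCH_OK ? 0 : 1;
}
```

Run it as root against a copy first (`./blankdebug /tmp/sendmail.copy`) and compare the copy with the original using cmp(1): exactly five bytes should differ. The "several candidates" refusal is deliberate; a string table can legitimately contain the word more than once, and choosing the wrong one silently breaks something else while leaving the DEBUG command alive.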