[comp.protocols.tcp-ip] Virus detection and prevention

terry@RAND.ORG (Terry West) (11/04/88)

If you have been hit by the current Internet virus (grep for "sed" in your
syslog file), you will want to run the enclosed perl script to make sure
it won't find its way back in as easily the next time.

The enclosed shar file extracts two files: a perl script and a list of
proposed passwords.  The passwords were extracted from the object module
that the virus ships to each target site: they were lightly encrypted.
The perl script checks your /etc/passwd file to see whether any of your
users is using one of these passwords.

The virus is known to check (at least) whether the user is a "joe": i.e.
whether the user name is the same as the password; this perl script
checks that as well.

To use it, unpack the shar script (after reading it extremely carefully,
as you always do) and run "vircheck".

    Terry West
    <terry@rand.org>

p.s.
  Thanks to Jim Gillogly for *all* of this.


#! /bin/sh
# This is a shell archive.  Remove anything before this line, then unpack
# it by saving it into a file and typing "sh file".  To overwrite existing
# files, type "sh file -c".  You can also feed this as standard input via
# unshar, or by typing "sh <file", e.g..  If this archive is complete, you
# will see the following message at the end:
#		"End of shell archive."
# Contents:  vircheck virpasswords
# Wrapped by terry@ipsy on Thu Nov  3 16:10:32 1988
PATH=/bin:/usr/bin:/usr/ucb ; export PATH
if test -f 'vircheck' -a "${1}" != "-c" ; then 
  echo shar: Will not clobber existing file \"'vircheck'\"
else
echo shar: Extracting \"'vircheck'\" \(1021 characters\)
sed "s/^X//" >'vircheck' <<'END_OF_FILE'
X#!/usr/local/perl
X#
X# vircheck: brute force password from Internet virus password list
X#
X# 3 Nov 88, Jim Gillogly
X
X$pwfile = "/etc/passwd";
X
X$words = "virpasswords";        # Try all words out of the virus list
X
X$| = 1;                         # Flush the output
X
Xopen(pw, $pwfile);              # Get the password file
Xwhile (<pw>)                    # a line at a time
X{
X	($user, $pass) = split(/:/);    # Get the username and password
X	$usalt = substr($pass, 0, 2);   # 1st 2 chars are the salt
X	print "Trying $user\n";
X	$salt = substr($pass, 0, 2);    # Get the salt
X	open(w1, $words);               # Get the dictionary once
X	while (<w1>)                    # For each word from the dictionary
X	{       chop;                   # Ignore the newline
X		if (crypt($_, $salt) eq $pass)  # Check the word
X		{       print "  *****$user: $pass comes from password $_.\n";
X		}
X	}
X	if (crypt($user, $salt) eq $pass)       # Is this a "joe"?
X	{       print "  *****$user: $pass comes from password $user.\n";
X	}
X
X	close(w1);
X}
END_OF_FILE
if test 1021 -ne `wc -c <'vircheck'`; then
    echo shar: \"'vircheck'\" unpacked with wrong size!
fi
chmod +x 'vircheck'
# end of 'vircheck'
fi
if test -f 'virpasswords' -a "${1}" != "-c" ; then 
  echo shar: Will not clobber existing file \"'virpasswords'\"
else
echo shar: Extracting \"'virpasswords'\" \(3278 characters\)
sed "s/^X//" >'virpasswords' <<'END_OF_FILE'
Xaaa
Xacademia
Xaerobics
Xairplane
Xalbany
Xalbatross
Xalbert
Xalex
Xalexander
Xalgebra
Xaliases
Xalphabet
Xama
Xamorphous
Xanalog
Xanchor
Xandromache
Xanimals
Xanswer
Xanthropogenic
Xanvils
Xanything
Xaria
Xariadne
Xarrow
Xarthur
Xathena
Xatmosphere
Xaztecs
Xazure
Xbacchus
Xbailey
Xbanana
Xbananas
Xbandit
Xbanks
Xbarber
Xbaritone
Xbass
Xbassoon
Xbatman
Xbeater
Xbeauty
Xbeethoven
Xbeloved
Xbenz
Xbeowulf
Xberkeley
Xberliner
Xberyl
Xbeverly
Xbicameral
Xbob
Xbrenda
Xbrian
Xbridget
Xbroadway
Xbumbling
Xburgess
Xcampanile
Xcantor
Xcardinal
Xcarmen
Xcarolina
Xcaroline
Xcascades
Xcastle
Xcat
Xcayuga
Xceltics
Xcerulean
Xchange
Xcharles
Xcharming
Xcharon
Xchester
Xcigar
Xclassic
Xclusters
Xcoffee
Xcoke
Xcollins
Xcommrades
Xcomputer
Xcondo
Xcookie
Xcooper
Xcornelius
Xcouscous
Xcreation
Xcreosote
Xcretin
Xdaemon
Xdancer
Xdaniel
Xdanny
Xdave
Xdecember
Xdefoe
Xdeluge
Xdesperate
Xdevelop
Xdieter
Xdigital
Xdiscovery
Xdisney
Xdog
Xdrought
Xduncan
Xeager
Xeasier
Xedges
Xedinburgh
Xedwin
Xedwina
Xegghead
Xeiderdown
Xeileen
Xeinstein
Xelephant
Xelizabeth
Xellen
Xemerald
Xengine
Xengineer
Xenterprise
Xenzyme
Xersatz
Xestablish
Xestate
Xeuclid
Xevelyn
Xextension
Xfairway
Xfelicia
Xfender
Xfermat
Xfidelity
Xfinite
Xfishers
Xflakes
Xfloat
Xflower
Xflowers
Xfoolproof
Xfootball
Xforesight
Xformat
Xforsythe
Xfourier
Xfred
Xfriend
Xfrighten
Xfun
Xfungible
Xgabriel
Xgardner
Xgarfield
Xgauss
Xgeorge
Xgertrude
Xginger
Xglacier
Xgnu
Xgolfer
Xgorgeous
Xgorges
Xgosling
Xgouge
Xgraham
Xgryphon
Xguest
Xguitar
Xgumption
Xguntis
Xhacker
Xhamlet
Xhandily
Xhappening
Xharmony
Xharold
Xharvey
Xhebrides
Xheinlein
Xhello
Xhelp
Xherbert
Xhiawatha
Xhibernia
Xhoney
Xhorse
Xhorus
Xhutchins
Ximbroglio
Ximperial
Xinclude
Xingres
Xinna
Xinnocuous
Xirishman
Xisis
Xjapan
Xjessica
Xjester
Xjixian
Xjohnny
Xjoseph
Xjoshua
Xjudith
Xjuggle
Xjulia
Xkathleen
Xkermit
Xkernel
Xkirkland
Xknight
Xladle
Xlambda
Xlamination
Xlarkin
Xlarry
Xlazarus
Xlebesgue
Xlee
Xleland
Xleroy
Xlewis
Xlight
Xlisa
Xlouis
Xlynne
Xmacintosh
Xmack
Xmaggot
Xmagic
Xmalcolm
Xmark
Xmarkus
Xmarty
Xmarvin
Xmaster
Xmaurice
Xmellon
Xmerlin
Xmets
Xmichael
Xmichelle
Xmike
Xminimum
Xminsky
Xmoguls
Xmoose
Xmorley
Xmozart
Xnancy
Xnapoleon
Xnepenthe
Xness
Xnetwork
Xnewton
Xnext
Xnoxious
Xnutrition
Xnyquist
Xoceanography
Xocelot
Xolivetti
Xolivia
Xoracle
Xorca
Xorwell
Xosiris
Xoutlaw
Xoxford
Xpacific
Xpainless
Xpakistan
Xpam
Xpapers
Xpassword
Xpatricia
Xpenguin
Xpeoria
Xpercolate
Xpersimmon
Xpersona
Xpete
Xpeter
Xphilip
Xphoenix
Xpierre
Xpizza
Xplover
Xplymouth
Xpolynomial
Xpondering
Xpork
Xposter
Xpraise
Xprecious
Xprelude
Xprince
Xprinceton
Xprotect
Xprotozoa
Xpumpkin
Xpuneet
Xpuppet
Xrabbit
Xrachmaninoff
Xrainbow
Xraindrop
Xraleigh
Xrandom
Xrascal
Xreally
Xrebecca
Xremote
Xrick
Xripple
Xrobotics
Xrochester
Xrolex
Xromano
Xronald
Xrosebud
Xrosemary
Xroses
Xruben
Xrules
Xruth
Xsal
Xsaxon
Xscamper
Xscheme
Xscott
Xscotty
Xsecret
Xsensor
Xserenity
Xsharks
Xsharon
Xsheffield
Xsheldon
Xshiva
Xshivers
Xshuttle
Xsignature
Xsimon
Xsimple
Xsinger
Xsingle
Xsmile
Xsmiles
Xsmooch
Xsmother
Xsnatch
Xsnoopy
Xsoap
Xsocrates
Xsossina
Xsparrows
Xspit
Xspring
Xspringer
Xsquires
Xstrangle
Xstratford
Xstuttgart
Xsubway
Xsuccess
Xsummer
Xsuper
Xsuperstage
Xsupport
Xsupported
Xsurfer
Xsuzanne
Xswearer
Xsymmetry
Xtangerine
Xtape
Xtarget
Xtarragon
Xtaylor
Xtelephone
Xtemptation
Xthailand
Xtiger
Xtoggle
Xtomato
Xtopography
Xtortoise
Xtoyota
Xtrails
Xtrivial
Xtrombone
Xtubas
Xtuttle
Xumesh
Xunhappy
Xunicorn
Xunknown
Xurchin
Xutility
Xvasant
Xvertigo
Xvicky
Xvillage
Xvirginia
Xwarren
Xwater
Xweenie
Xwhatnot
Xwhiting
Xwhitney
Xwill
Xwilliam
Xwilliamsburg
Xwillie
Xwinston
Xwisconsin
Xwizard
Xwombat
Xwoodwind
Xwormwood
Xyacov
Xyang
Xyellowstone
Xyosemite
Xzap
Xzimmerman
END_OF_FILE
if test 3278 -ne `wc -c <'virpasswords'`; then
    echo shar: \"'virpasswords'\" unpacked with wrong size!
fi
chmod +x 'virpasswords'
# end of 'virpasswords'
fi
echo shar: End of shell archive.
exit 0

tep@helix.UUCP (Tom Perrine x397) (11/05/88)

Well, that was a nice perl script, but how do I get "perl"?

Tom Perrine
Logicon(Tactical and Training Systems Division)	San Diego CA (619) 455-1330
UUland:		uunet!nosc!hamachi!tots!tep
Internet:	hamachi!tots!tep@NOSC.MIL (last resort:Perrine@DOCKMASTER.ARPA)
"There is a special place in Hell reserved for people who park in File Lanes."

cracraft@venera.isi.edu (Stuart Cracraft) (11/05/88)

In article <8811040037.AA01678@rand.org> terry@RAND.ORG (Terry West) writes:
>If you have been hit by the current Internet virus (grep for "sed" in your
>syslog file), you will want to run the enclosed perl script to make sure
>it won't find its way back in as easily the next time.

Jim's PERL script is very handy. Below is a version with a fix for
an annoyance. When a password field is empty, the crypt matches
against every password in the sample word list, thus producing lots
of output. This version is a bit more terse:

#!/usr/local/perl
#
# vircheck: brute force password from Internet virus password list
#
# 4 Nov 88, Stuart Cracraft -- handle blank passwd field 
#			(was outputting entire wordlist)
# 3 Nov 88, Jim Gillogly

$pwfile = "/etc/passwd";        # Password file to check

$words = "virpasswords";        # Try all words out of the virus list

$| = 1;                         # Flush the output

open(pw, $pwfile) || die "vircheck: can't open $pwfile: $!\n";
while (<pw>)                    # a line at a time
{
	($user, $pass) = split(/:/);    # Get the username and password
	if ($pass eq "")
	{
	    print "  *****$user: blank password field.\n";
	}
	else {
	    $salt = substr($pass, 0, 2);    # 1st 2 chars are the salt
	    print "Trying $user\n";
	    open(w1, $words) || die "vircheck: can't open $words: $!\n";
	    while (<w1>)                    # For each word from the dictionary
	    {   chop;                       # Ignore the newline
		if (crypt($_, $salt) eq $pass)  # Check the word
		{   print "  *****$user: $pass comes from password $_.\n";
		}
	    }
	    if (crypt($user, $salt) eq $pass)       # Is this a "joe"?
	    {   print "  *****$user: $pass comes from password $user.\n";
	    }
	    close(w1);                      # Reopened for each user above
	}
}
close(pw);
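
The check both posts in this thread describe (Jim Gillogly's vircheck, plus Stuart Cracraft's handling of blank password fields), written out as an added Python example rather than any of the posted Perl. It is not code from the thread. It assumes a passwd file in the classic seven-field layout and a word list in the same one-word-per-line form as "virpasswords"; the demo data at the bottom is constructed, and its hashes use a labelled stand-in rather than real DES so the logic runs on a machine without the `crypt` module. Two things go beyond what the posts state: locked (`*`, `!`) and shadowed (`x`) fields are skipped instead of being "cracked" against a non-hash, and the account-derived guesses include the doubled login, the words of the GECOS name and the reversed surname, which later analyses of the worm list alongside the "joe" case the thread mentions.

```python
"""vircheck-style password audit (added example, not the posted script).
Usage: vircheck.py [passwd-file] [word-list]; with no arguments it runs
the constructed demo data at the bottom of this file."""
import hashlib
import sys

try:
    import crypt as _crypt      # crypt(3) binding; removed in Python 3.13
except ImportError:
    _crypt = None


def unix_crypt(word, salt):
    """Real crypt(3). 'salt' may be the classic 2-char DES salt or a full
    modular setting such as "$6$...": crypt(3) accepts either as its setting."""
    if _crypt is None:
        raise RuntimeError("crypt module unavailable; use a platform with crypt(3)")
    return _crypt.crypt(word, salt)


def stand_in_crypt(word, salt):
    """Deterministic stand-in (NOT DES) with crypt's 13-character shape; used
    only for the constructed demo data so the checker runs anywhere."""
    return salt + hashlib.sha256((salt + word).encode()).hexdigest()[:11]


def account_guesses(user, gecos):
    """Guesses built from the account itself. The thread describes only the
    "joe" case (password == login name); the doubled login, the GECOS name
    words and the reversed surname are this example's extension."""
    full_name = gecos.split(",")[0]            # "Ann Example,rm 1,x1234" -> name
    parts = [p.lower() for p in full_name.split()]
    guesses = [user, user + user] + parts + ([parts[-1][::-1]] if parts else [])
    unique = []
    for g in guesses:
        if g and g not in unique:
            unique.append(g)
    return unique


def check_passwd(passwd_lines, words, hasher=unix_crypt):
    """Return (user, kind, detail) findings; kind is 'blank', 'account' or
    'wordlist'. Shadowed ('x') and locked ('*', '!...') fields are skipped."""
    findings, cache = [], {}
    for raw in passwd_lines:
        line = raw.rstrip("\n")
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        user = fields[0]
        field = fields[1] if len(fields) > 1 else ""
        gecos = fields[4] if len(fields) > 4 else ""
        if field == "":
            findings.append((user, "blank", ""))   # blank field is itself a finding
            continue
        if field == "x" or field.startswith(("*", "!")):
            continue                               # shadowed or locked: nothing to test
        salt = field if field.startswith("$") else field[:2]

        def hashed(word):      # memoised so accounts sharing a salt share the work
            key = (salt, word)
            if key not in cache:
                cache[key] = hasher(word, salt)
            return cache[key]

        for guess in account_guesses(user, gecos):
            if hashed(guess) == field:
                findings.append((user, "account", guess))
                break
        for word in words:
            if hashed(word) == field:
                findings.append((user, "wordlist", word))
                break
    return findings


# Constructed demo data (not a real passwd file); hashes use the stand-in.
DEMO_WORDS = ["aaa", "academia", "wombat", "password"]
DEMO_PASSWD = [
    "root:" + stand_in_crypt("wombat", "Ab") + ":0:0:Charlie Root:/:/bin/sh",
    "joe:" + stand_in_crypt("joe", "xy") + ":100:10:Joe User:/u/joe:/bin/csh",
    "ann:" + stand_in_crypt("elpmaxe", "Qz") + ":101:10:Ann Example,rm 1:/u/ann:/bin/sh",
    "guest::102:10:Guest:/u/guest:/bin/sh",
    "bin:*:3:3:bin:/bin:/bin/sh",
    "sue:" + stand_in_crypt("Tr0ub4dor", "Mn") + ":103:10:Sue Strong:/u/sue:/bin/sh",
]


def demo():
    return check_passwd(DEMO_PASSWD, DEMO_WORDS, hasher=stand_in_crypt)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        wordlist = sys.argv[2] if len(sys.argv) > 2 else "virpasswords"
        with open(sys.argv[1]) as pw, open(wordlist) as wl:
            results = check_passwd(pw, [w.strip() for w in wl if w.strip()])
    else:
        results = demo()
    for user, kind, detail in results:
        print("*****%s: %s %s" % (user, kind, detail))
```

Against a real /etc/passwd the default `unix_crypt` hasher is used, so run it on a system whose `crypt(3)` still provides DES for 13-character fields; the `(salt, word)` cache matters more than it looks, since every word must be re-hashed per distinct salt and crypt(3) is deliberately slow.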