On Thu, 18 Jan 2001, -- neil -- wrote:

> 
> Within the last couple of days this worm has been rearing its ugly head.
> It seems to be infecting mainly Redhat 6.2 and 7.0 unpatched machines.
> Specifically it's using wuftp and nfsd. The link below is to a guy that
> reverse engineered it.

There's also code that seems to exploit an LPRng bug.  There *appears* to
be an IRC vector of some sort- I'm not sure if it's a comm. channel or
inoperable since I haven't had the time or resources to do the depth of
investigation that I'd like.

Turning off FTP is a generally good idea, and helps tremendously in this
case because the SYN scanner seems to look for FTP servers before
iterating through its attacks.

It seems to be confirmed as in the wild and legitimately viral.

Updating systems is still important, and I expect we'll see the usual home
user and default install cases being the predominance of vulnerability.
It'll probably also run on systems that have Linux emulation and run x86
code- which may cover *BSD and Linux/Alpha with em86 (or whatever it's
called, it's been a while since I had an Alpha desktop.)

BTW: I think the first reports of infection were almost two weeks ago.

Monitoring bandwidth utilization will help for boxes with Ethernet
adapters, as the thing SYN scans like hell once it's running if it doesn't
think it's on a ppp link.

Paul 
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
[EMAIL PROTECTED]      which may have no basis whatsoever in fact."
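
Added example, not part of the original message: one way to spot the behaviour described above, a host sending SYNs to port 21 on many different machines in a short time, from connection records. The record format, function name, thresholds and addresses are assumptions made for illustration.

```python
from collections import defaultdict, deque

FTP_PORT = 21

def find_ftp_sweepers(lines, window=60.0, min_hosts=5):
    """Return {src: peak count of distinct hosts sent a bare SYN on port 21
    within `window` seconds}, for sources whose peak reaches `min_hosts`."""
    recent = defaultdict(deque)  # src -> (ts, dst) of recent FTP SYNs
    peak = defaultdict(int)
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        ts, src, dst, dport, flags = line.split()
        ts = float(ts)
        # Only connection attempts to FTP count; "SA" replies are skipped.
        if int(dport) != FTP_PORT or flags != "S":
            continue
        q = recent[src]
        q.append((ts, dst))
        while ts - q[0][0] > window:  # drop probes older than the window
            q.popleft()
        # Distinct destinations, so one client retrying one server stays at 1.
        peak[src] = max(peak[src], len({d for _, d in q}))
    return {s: n for s, n in peak.items() if n >= min_hosts}

# Constructed sample records (assumed format): "epoch src dst dport flags".
SAMPLE = """\
# 10.0.0.5 sweeps six hosts in five seconds; 10.0.0.9 is an ordinary client;
# 10.0.0.8 touches five servers, but spread over more than an hour.
1000.0 10.0.0.5 192.0.2.1 21 S
1000.0 10.0.0.9 192.0.2.10 21 S
1000.0 10.0.0.8 192.0.2.1 21 S
1000.2 192.0.2.1 10.0.0.5 40000 SA
1001.0 10.0.0.5 192.0.2.2 21 S
1002.0 10.0.0.5 192.0.2.3 21 S
1003.0 10.0.0.5 192.0.2.4 21 S
1004.0 10.0.0.5 192.0.2.5 21 S
1005.0 10.0.0.5 192.0.2.6 21 S
1030.0 10.0.0.9 192.0.2.10 21 S
2000.0 10.0.0.8 192.0.2.2 21 S
3000.0 10.0.0.8 192.0.2.3 21 S
4000.0 10.0.0.8 192.0.2.4 21 S
5000.0 10.0.0.8 192.0.2.5 21 S
"""

if __name__ == "__main__":
    for src, n in find_ftp_sweepers(SAMPLE.splitlines()).items():
        print(f"{src} sent SYNs to {n} distinct FTP servers within 60s")
```
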
