[sisyphus] Fw: Re: Heads up... Possible worm on the loose...
Alexander Bokovoy
a.bokovoy at sam-solutions.net
Thu Apr 10 20:39:21 MSD 2003
Attention: a worm based on the latest vulnerability for Samba 2.0 and 2.2 is already
travelling and infecting hosts. I recommend informing your administrators
and users of the need to update immediately. In case of
infection, the worm can be deactivated using the utility described at the bottom
of the message.
2ldv: This should probably be sent to security-announce...
----- Forwarded message from Jelmer Vernooij -----
Date: Thu, 10 Apr 2003 18:36:31 +0200
From: Jelmer Vernooij
To: Michael H. Warfield
Subject: Re: Heads up... Possible worm on the loose...
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Thursday 10 April 2003 18:27, Michael H. Warfield wrote:
> This is just a heads up in case any of you start fielding
> questions about a Samba worm.
>
> We've got some reports from some universities of a "Samba worm"
> running loose and infecting systems with the SuckIT rootkit. Primary
> target is Linux x86. BSD systems in the same environment are not being
> compromised.
>
> The presumption is that this is based on the recent trans2
> vulnerability and I have some reports indicating a spike in port 139
> scanning just after the 4th that may be related.
>
> This, right here, is my worst fear with a 0day being posted,
> even when there is an exploit in circulation. Someone can immediately
> take the 0day and load it into the warhead of a worm and turn it loose.
> With indeterminate exploits in the wild or with "proof of concept" code,
> they still have to WORK at it to find it or make it work. This makes
> it too damn easy and cuts the deployment latency window to zilch. /:-|=|
>
> At this time, we have copies of the rootkit and know what it is.
> We also have indications that the payload (the worm egg w/ rootkit)
> was being downloaded from a specific central site which is under
> investigation right now. We don't have copies of the "dropper" (the
> worm head) nor have I received any logs yet to confirm what exploit
> was used.
>
> I'll post more information as I learn it. I just figured some
> of you might hear something from other sources and could use the
> information.
Quite some hosts at the University of Twente here in Holland have been
infected (they use SMB and a web-based index program to share files
over the campus). Here is some more info:
http://hysteria.sk/sd/f/suckit/readme
The worm can be disabled using:
/usr/share/locale/sk/.sx12/sk u
More (Dutch) info on http://www.snt.utwente.nl/actueel/news.php?id=69
Jelmer
- --
Jelmer Vernooij <jelmer at nl.linux.org> - http://nl.linux.org/~jelmer/
18:31:15 up 22:06, 7 users, load average: 0.19, 0.31, 0.80
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iD8DBQE+lZ2PPa9Uoh7vUnYRApS4AJ4hYCrhHXQKtsqlrH5G7vMs9Mj9TQCghQzS
HkfxreYTaI92p3MiL8Stf6w=
=6siE
-----END PGP SIGNATURE-----
----- End forwarded message -----
--
/ Alexander Bokovoy
---
egrep -n '^[a-z].*\(' $ | sort -t':' +2.0