Found on the international SuSE list, FYI. It looks serious; what do you think?

Bill Parker wrote:
>
> FYI to all:
>
> "Worm for Linux x86 found in wild
> Mar 25th, 23:35:59
>
> "The worm is particularly amusing in that when run, along with
> portscanning, wiping logs, and all the other usual things you'd expect
> a worm to do, it also hunts for files with a .html suffix and inserts the
> contents of the "SAY" variable (above) into them, over-writing whatever
> is there.
> Other infection symptoms include a ".w0rm0r/" subdir and suid root copy
> of /bin/sh named ".w0rm" in /tmp, and possibly a
> "w0rm::2666:777:ADM Inet w0rm:/:/bin/sh" entry in your passwd file.
> As far as I can tell, the worm is capable of detecting several well-known
> vulnerabilities. The logs the Russian company sent us, and the logs that the
> worm itself kept, would seem to indicate it's scanning IMAP ports. It
> also seems to be scanning POP, rsh/rlogin, telnet and FTP ports, finger,
> gopher, etc...
> Once it's into your system, the worm presumably begins to scan and look
> for vulnerable machines again. How it picks the IP addresses to scan is not
> presently known to me. Presumably, the "gimmieip" binary takes care
> of that. Someone with more time can dissect it and post the results.
> Here is a file I found on the infected machine called "/tmp/outro" - it
> appears to be a log that the worm kept as it probed some system."
>
> The entire article is here:
>
> <http://linuxtoday.com/stories/4408.html>
>
> Bill Parker, <bparker@dc.net>
>
> The HURD.
> 'Hurd' stands for `Hird of Unix-Replacing Daemons'.
> And, then, `Hird' stands for `Hurd of Interfaces Representing Depth'.

--
Linux hp-41 APTEP SF
http://perso.club-internet.fr/jdanield
jdanield@club-internet.fr
jdanield@usa.net
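
The three infection symptoms listed in the quoted report, turned into a host check. This is an added example, not part of the original message or the linked article; the function names, the ROOT argument and the generalisations marked in the comments are assumptions.

```shell
#!/bin/sh
# Added example: look for the symptoms named in the quoted report under ROOT
# (a live "/", or a mounted disk image / chroot of the suspect machine).
# Usage after sourcing this file:  scan_worm_symptoms /mnt/suspect

# report TEXT: print non-empty findings and remember that something was found.
report() { if [ -n "$1" ]; then printf '%s\n' "$1"; found=1; fi; }

# scan_worm_symptoms ROOT: one finding per line; returns 1 if anything matched.
scan_worm_symptoms() {
    root=${1:-/}
    root=${root%/}      # "/" becomes "", so "$root/etc/passwd" stays well-formed
    found=0

    # Symptom: passwd entry "w0rm::2666:777:ADM Inet w0rm:/:/bin/sh".
    # Generalised (assumption): any account named w0rm, or any account whose
    # password field is empty, since either allows a login without a password.
    if [ -r "$root/etc/passwd" ]; then
        hits=$(awk -F: '$1 == "w0rm" || $2 == "" { print "passwd: " $0 }' \
               "$root/etc/passwd")
        report "$hits"
    fi

    # Symptom: suid root copy of /bin/sh named ".w0rm" in /tmp.
    # Generalised (assumption): any set-uid regular file directly under /tmp.
    if [ -d "$root/tmp" ]; then
        hits=$(find "$root/tmp" -maxdepth 1 -type f -perm -4000 2>/dev/null |
               sed 's/^/setuid: /')
        report "$hits"
    fi

    # Symptom: a ".w0rm0r/" subdirectory. The report does not say where it is
    # created, so search the whole tree, staying on one filesystem (-xdev).
    hits=$(find "${root:-/}" -xdev -type d -name '.w0rm0r' 2>/dev/null |
           sed 's/^/dir: /')
    report "$hits"

    return "$found"
}
```
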