[LUAU] Millennium Worm
George Toft
LinuxAdvocate at iname.com
Thu Apr 15 20:44:33 PDT 1999
Anyone know anything about the Millennium Internet
Worm? I got a nastygram from Oceanic about an
all night hack attack against another user's
computer, so I looked in my logs, and found my
system hasn't logged anything for almost a
week, and I found a new user "mw" with no
password. So I used locate to find anything
related to mw, and found a whole package
installed in /var/named/, with a note:

#!/bin/.mwsh
# Dear Admin, if you read this file you have been 0wned
# by the Millennium Internet Worm. This is a program
# that exploits some remote bugs to gain access, installs
# itself and goes on copying itself to other systems.
# This is a modular worm, which means that other exploits used
# to spawn itself can be added easily, like a frontend
# script to a sniffer. For now, this exploits
# * imap4 v10.X * qualcomm popper * bind with iquery * mountd
# This worm is linux specific. This could be changed by
# porting the exploits and shell code to other systems.
# This means, do not expect that non-linux boxes will
# be completely unaffected by variants.
# We will now try to patch the stuff you should have
# replaced a long time ago. - Anonymous =oP~

This thing is all over my gateway, but not in
any other Linux machine. Looking at the code,
it looks like it scans all Class A, B, and C
addresses, but I guess I caught it before it
got up to 192.168.x.x.
Anyone want a copy of the worm (for some interesting
dissection)?
I guess it was time to reinstall the OS anyway.
--
George Toft http://gtoft.dynip.com/LinuxAdvocate/
Don't fear the penguins...
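
The symptoms reported in the message above (an account with no password, a shell that is not a normal login shell, and a week with no log entries) can be checked for mechanically. The following is an added example, not part of the original post and not code from the worm; the passwd, shadow and syslog contents are constructed, and the uid, home directory and login shell shown for "mw" are assumptions.

```python
from datetime import datetime, timedelta
# Constructed sample data; the "mw" uid, home and shell fields are assumptions.
PASSWD = """root:x:0:0:root:/root:/bin/bash
named:x:25:25:Named:/var/named:/bin/false
george:x:500:500::/home/george:/bin/bash
mw:x:501:501::/var/named:/bin/.mwsh
"""
SHADOW = """root:$1$constructed$hash:10690:0:99999:7:::
named:*:10690:0:99999:7:::
george:$1$constructed$hash:10690:0:99999:7:::
mw::10690:0:99999:7:::
"""
SHELLS = "/bin/sh\n/bin/bash\n/bin/false\n"
SYSLOG = """Apr  8 03:12:01 gateway named[214]: constructed line
Apr  8 03:14:47 gateway syslogd: constructed line
Apr 15 20:40:10 gateway syslogd: constructed line
"""

def audit_accounts(passwd, shadow, shells):
    """Return (user, finding) pairs for empty passwords and unlisted shells."""
    hashes = {l.split(":")[0]: l.split(":")[1] for l in shadow.splitlines() if ":" in l}
    allowed = {s for s in shells.split() if s.startswith("/")}
    findings = []
    for line in passwd.splitlines():
        f = line.split(":")
        if len(f) != 7:
            continue
        user, pw, shell = f[0], f[1], f[6]
        if pw == "x":  # hash is kept in the shadow file
            pw = hashes.get(user, "x")
        if pw == "":
            findings.append((user, "empty password"))
        if shell and shell not in allowed:
            findings.append((user, "shell not in /etc/shells: " + shell))
    return findings

def find_log_gaps(log, year, max_gap=timedelta(hours=24)):
    """Return (last_seen, next_seen) pairs where logging went silent too long."""
    stamps = []
    for line in log.splitlines():
        try:  # classic syslog stamps carry no year, so the caller supplies it
            stamps.append(datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S"))
        except ValueError:
            continue
    return [(a, b) for a, b in zip(stamps, stamps[1:]) if b - a > max_gap]

if __name__ == "__main__":
    print(audit_accounts(PASSWD, SHADOW, SHELLS))
    print(find_log_gaps(SYSLOG, 1999))
```

On a live system the same functions can be fed the contents of /etc/passwd, /etc/shadow, /etc/shells and the syslog file; a silent log is only a hint, since a quiet host also produces gaps.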