[LUAU] Millennium Worm

George Toft LinuxAdvocate at iname.com
Fri Apr 16 08:55:05 PDT 1999


George Toft wrote:
> 
> Anyone know anything about the Millennium Internet
> Worm?  I got a nastygram from Oceanic about an
> all night hack attack against another user's
> computer, so I looked in my logs, and found my
> system hasn't logged anything for almost a
> week, and I found a new user "mw" with no
> password.  So I used locate to find anything
> related to mw, and found a whole package
> installed in /var/named/, with a note:
> 
> #!/bin/.mwsh
> # Dear Admin, if you read this file you have been 0wned
> # by the Millennium Internet Worm. This is a program
> # that exploits some remote bugs to gain access, installs
> # itself and goes on copying itself to other systems.
> # This is a modular worm, which means that other exploits used
> # to spawn itself can be added easily, like a frontend
> # script to a sniffer. For now, this exploits
> # * imap4 v10.X * qualcomm popper * bind with iquery * mountd
> # This worm is linux specific. This could be changed by
> # porting the exploits and shell code to other systems.
> # This means, do not expect that non-linux boxes will
> # be completely unaffected by variants.
> # We will now try to patch the stuff you should have
> # replaced a long time ago. - Anonymous =oP~
> 
> This thing is all over my gateway, but not in
> any other Linux machine.  Looking at the code,
> it looks like it scans all Class A, B, and C
> addresses, but I guess I caught it before it
> got up to 192.168.x.x.
> 
> Anyone want a copy of the worm (for some interesting
> dissection)?
> 
> I guess it was time to reinstall the OS anyway.

The people at Oceanic are awesome.  Without even
looking at the worm's code, they have been able
to determine there is no threat to any other
Oceanic customer.  I hope some day I can diagnose
problems that way.  NOT!!!

George
--
     __   __  __________  __
    / /  / / / / __  / / / /  Home Page: http://luau.hi.net
   / /__/ /_/ / /_/ / /_/ /
  /____/\____/_/ /_/\____/  LUAU - Linux Users AnonymoUs - Hawaii

   To unsubscribe: echo unsubscribe luau | mail majordomo at luau.hi.net
           LUAU meetings are the 3rd Tuesday of each month 6pm
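
The two symptoms described in the message above (an unfamiliar account with no password, and logs that stopped being written) can be checked mechanically. The script below is an added example, not part of the original post: the function names, the baseline account list and the sample passwd/shadow lines are all constructed for illustration.

```shell
#!/bin/sh
# Added example: triage checks for the two symptoms in the post
# (an unexpected passwordless account, and logs that went quiet).
# Function names and all sample data are constructed for illustration.

# Names in the passwd file ($2) that are absent from a known-good list ($1).
new_accounts() {
    awk -F: 'FILENAME == ARGV[1] { known[$1] = 1; next }
             !($1 in known)      { print $1 }' "$1" "$2"
}

# Accounts with an empty password field, in passwd ($1) or, for shadowed
# entries ("x"), in shadow ($2). Field layout per passwd(5)/shadow(5).
empty_password_accounts() {
    awk -F: 'FILENAME == ARGV[1] { hash[$1] = $2; next }
             $2 == ""                                    { print $1; next }
             $2 == "x" && ($1 in hash) && hash[$1] == "" { print $1 }' "$2" "$1"
}

# Succeeds if log file $1 has not been written for more than $2 days.
log_is_stale() {
    [ -n "$(find "$1" -mtime +"$2" 2>/dev/null)" ]
}

# Build constructed sample files in directory $1.
make_sample() {
    printf '%s\n' root named george > "$1/baseline"
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
named:x:25:25:Named:/var/named:/bin/false
george:x:500:500::/home/george:/bin/bash
mw:x:501:501::/tmp:/bin/sh
EOF
    cat > "$1/shadow" <<'EOF'
root:$1$constructed$notarealhash:10697:0:99999:7:::
named:*:10697:0:99999:7:::
george:$1$constructed$notarealhash:10697:0:99999:7:::
mw::10697:0:99999:7:::
EOF
    touch -t 199904090000 "$1/messages"   # constructed: last write in early April 1999
}

dir=$(mktemp -d)
make_sample "$dir"
echo "new accounts:   $(new_accounts "$dir/baseline" "$dir/passwd")"
echo "empty password: $(empty_password_accounts "$dir/passwd" "$dir/shadow")"
log_is_stale "$dir/messages" 6 && echo "log silent for over 6 days"
rm -rf "$dir"
```

On a live system the same functions take /etc/passwd, /etc/shadow (readable only by root) and the syslog file as arguments; the baseline list has to come from a backup or install record made before the suspected compromise.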
