[LUAU] Millenium Worm
bbraun at sparcy.synack.net
Fri Apr 16 12:55:03 PDT 1999
You use RedHat or SuSE don't you?

All these have been known about for a year or more.
Check the bugtraq and rootshell advisories on the
things referenced in the script.

mountd was a major one that redhat screwed up on
big time. It was known a long time before the
distribution was shipped. In fact Olaf
(the maintainer) posted information about the
exploit to the linux nfs mailing lists, I believe.
Almost all other distributions were using a
relatively recent version of mountd, so they were
ok.

The pop and imap exploits were running around about
a year ago now, I think. If you're running an open
pop or imap server, you deserve what you get. I
don't know of a single pop or imap server that hasn't
had major problems in the past, and I at least mucked
with UW's imap and pop servers last summer, found
a potential exploit in the *kerberos* code, and the
maintainer's response was "I don't maintain that code.
If there is a potential security issue with it, the
code will be removed in the next release." Whatever.

And then the bind exploit... Well over a year old.

Not that I seriously expect people to keep up with
the latest software, you can spend a serious amount
of time doing that. The main point is that most of
you are running relatively recent distributions, and
still people like RedHat are shipping distributions
with known security holes. These things don't go
away if you ignore them.

Another thing is that a stock installation of any
OS is likely to have serious problems. Do I really
need to be running an anonymous ftp server on my
desktop? Do I really want to nfs export / to
everyone? (solaris) Do I really need 4 accounts without
a password and with a valid shell? (IRIX)

As Bill Cheswick of Bell Labs says, all services should
be turned off by default, until you run a script
called "screw-me".

These script kiddie attacks are bad and you can argue
that these people are bad and evil and should go away.
But you really get what you deserve, I think.

I just spent the last week cleaning up Boulder after
an automated attack on the CU campus here. The sysadmins
could have prevented it, but nooooo. They thought it was
more fun to play quake than to do their jobs.
Bitter about bad sysadmins? No, not me. Not at all.
Too bad they didn't lose any critical data.

Rob
On Thursday, Apr 1999 at 17:44:33 George Toft wrote:
| Anyone know anything about the Millenium Internet
| Worm? I got a nastygram from Oceanic about an
| all night hack attack against another user's
| computer, so I looked in my logs, and found my
| system hasn't logged anything for almost a
| week, and I found a new user "mw" with no
| password. So I used locate to find anything
| related to mw, and found a whole package
| installed in /var/named/, with a note:
--
LUAU - Linux Users AnonymoUs - Hawaii, http://luau.hi.net
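Editor's addition, not part of Rob's post or the LUAU archive: a small audit script for the three stock-install exposures he lists (accounts with no password and a valid shell, / NFS-exported to everyone, and inetd services left on by default). The passwd, exports and inetd.conf contents are constructed samples in Linux syntax; the client name "trusted" and the account names are made up for the example.

```shell
#!/bin/sh
# Added example (editor's illustration, not code from the original post).
# Audits three "stock install" exposures the message calls out: accounts
# with an empty password and a login shell, filesystems NFS-exported to
# everyone, and inetd services left enabled. Sample inputs below are
# constructed so the script runs offline; pass /etc/passwd, /etc/exports
# and /etc/inetd.conf to the same functions to audit a real host.

TMPD=$(mktemp -d)
trap 'rm -rf "$TMPD"' EXIT

# Constructed /etc/passwd: lp and guest have no password and a real shell,
# nobody has no password but /bin/false, root and demo use shadow ("x").
cat > "$TMPD/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
lp::4:7:lp:/var/spool/lpd:/bin/sh
guest::500:100:guest:/home/guest:/bin/csh
nobody::99:99:nobody:/:/bin/false
demo:x:501:100:demo:/home/demo:/bin/bash
EOF

# Constructed /etc/exports (Linux syntax): "/" and "/pub" are world-exported,
# /export/home is limited to one (made-up) client host.
cat > "$TMPD/exports" <<'EOF'
# path          client(options)
/               (rw)
/export/home    trusted(rw)
/pub            *(ro)
EOF

# Constructed /etc/inetd.conf: ftp, pop-3 and imap enabled, others commented.
cat > "$TMPD/inetd.conf" <<'EOF'
#<service> <socket> <proto> <flags> <user> <server> <args>
ftp     stream  tcp  nowait  root  /usr/sbin/tcpd  in.ftpd -l -a
#telnet stream  tcp  nowait  root  /usr/sbin/tcpd  in.telnetd
pop-3   stream  tcp  nowait  root  /usr/sbin/tcpd  ipop3d
imap    stream  tcp  nowait  root  /usr/sbin/tcpd  imapd
#finger stream  tcp  nowait  root  /usr/sbin/tcpd  in.fingerd
EOF

# Accounts whose password field is empty and whose shell is not a
# login-denying one. On shadowed systems the empty field lives in
# /etc/shadow instead, so check column 2 there as well.
open_accounts() {
    awk -F: '$2 == "" && $7 !~ /\/(false|nologin|true)$/ { print $1 }' "$1"
}

# Exports with no client restriction: a bare path, a bare "(options)"
# group, or a "*" wildcard client all mean "everyone".
world_exports() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }
        NF == 1 { print $1; next }
        {
            for (i = 2; i <= NF; i++) {
                h = $i; sub(/\(.*/, "", h)
                if (h == "" || h == "*") { print $1; break }
            }
        }
    ' "$1"
}

# Service names of every uncommented inetd.conf entry.
inetd_enabled() {
    awk '/^[[:space:]]*#/ || NF == 0 { next } { print $1 }' "$1"
}

# Human-readable summary; last line is "ok" only when all three lists are empty.
audit() {
    rc=ok
    for item in "passwordless login accounts:$(open_accounts "$1")" \
                "world NFS exports:$(world_exports "$2")" \
                "inetd services enabled:$(inetd_enabled "$3")"; do
        case $item in
            *:) ;;                                  # nothing after the colon
            *)  echo "$item" | tr '\n' ' '; echo; rc=bad ;;
        esac
    done
    echo "$rc"
}

audit "$TMPD/passwd" "$TMPD/exports" "$TMPD/inetd.conf"
```

Run as-is it reports lp and guest, the / and /pub exports, and ftp, pop-3 and imap, then prints "bad"; on a real host call the three functions with the live files instead of the samples (never point the sample-writing lines at /etc).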