Date: Sat, 12 Apr 2003 12:23:49 +0400
From: Евгений В. Хорохорин
To: Sarlug mailing list <sarlug@lug.ru>
Message-Id: <20030412122349.135bbfc6.horohorinev@mail.ru>
X-Mailer: Sylpheed version 0.8.11 (GTK+ 1.2.10; i586-alt-linux-gnu)
Subject: [Sarlug] Fw: [security-announce] Fw: Re: Heads up... Possible worm on the loose...
List-Id: Saratov Linux User Group Maillist

Begin forwarded message:

Date: Fri, 11 Apr 2003 11:53:47 +0300
From: Alexander Bokovoy
To: security-announce-submit@altlinux.ru
Subject: [security-announce] Fw: Re: Heads up... Possible worm on the loose...

Attention: a worm built on the latest vulnerability in Samba 2.0 and 2.2 is
already travelling and infecting hosts. I recommend informing your
administrators and users that they need to update immediately. If a host is
infected, the worm can be deactivated with the utility described at the
bottom of this message.

2ldv: This ought to go to security-announce...

----- Forwarded message from Jelmer Vernooij -----

Date: Thu, 10 Apr 2003 18:36:31 +0200
From: Jelmer Vernooij
To: Michael H. Warfield
Subject: Re: Heads up... Possible worm on the loose...

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Thursday 10 April 2003 18:27, Michael H. Warfield wrote:
> This is just a heads up in case any of you start fielding
> questions about a Samba worm.
>
> We've got some reports from some universities of a "Samba worm"
> running loose and infecting systems with the SuckIT rootkit. Primary
> target is Linux x86. BSD systems in the same environment are not being
> compromised.
>
> The presumption is that this is based on the recent trans2
> vulnerability and I have some reports indicating a spike in port 139
> scanning just after the 4th that may be related.
>
> This, right here, is my worst fear with a 0day being posted,
> even when there is an exploit in circulation. Someone can immediately
> take the 0day and load it into the warhead of a worm and turn it loose.
> With indeterminate exploits in the wild or with "proof of concept" code,
> they still have to WORK at it to find it or make it work. This makes
> it too damn easy and cuts the deployment latency window to zilch. /:-|=|
>
> At this time, we have copies of the rootkit and know what it is.
> We also have indications that the payload (the worm egg w/ rootkit)
> was being downloaded from a specific central site which is under
> investigation right now. We don't have copies of the "dropper" (the
> worm head) nor have I received any logs yet to confirm what exploit
> was used.
>
> I'll post more information as I learn it. I just figured some
> of you might hear something from other sources and could use the
> information.

Quite a few hosts at the University of Twente here in Holland have been
infected (they use SMB and a web-based index program to share files over
the campus).
Here is some more info: http://hysteria.sk/sd/f/suckit/readme

The worm can be disabled using:

    /usr/share/locale/sk/.sx12/sk u

More (Dutch) info on http://www.snt.utwente.nl/actueel/news.php?id=69

Jelmer

- --
Jelmer Vernooij - http://nl.linux.org/~jelmer/
18:31:15 up 22:06, 7 users, load average: 0.19, 0.31, 0.80
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE+lZ2PPa9Uoh7vUnYRApS4AJ4hYCrhHXQKtsqlrH5G7vMs9Mj9TQCghQzS
HkfxreYTaI92p3MiL8Stf6w=
=6siE
-----END PGP SIGNATURE-----

----- End forwarded message -----

--
/ Alexander Bokovoy
--- egrep -n '^[a-z].*\(' $ | sort -t':' +2.0

--
Best regards,
Genix                         mailto: genix@sendmail.ru
http://saratov.lug.ru
Registered Linux User #219993    JID: genix@jabber.org
-= Taken down correctly from my words and read by me =-
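The thread gives an administrator two concrete things to look for: the worm's on-disk home directory (/usr/share/locale/sk/.sx12/, the directory the disable command lives in) and the spike in TCP port 139 scanning Warfield mentions. The following triage script is an added example written for this page, not code from any of the posters or from the Samba project. It assumes netfilter LOG-style syslog lines (SRC=/DST=/PROTO=/DPT= fields) and a hypothetical sweep threshold of three distinct targets; the sample paths and log lines are constructed for the demonstration, not real captures.

```python
"""Triage helpers for the Samba/SuckIT worm reports in the thread above.

Two checks:
  1. find_suckit_indicators: flag file paths under the directory the
     thread names as the worm's home (/usr/share/locale/sk/.sx12/).
  2. port139_scanners: from netfilter-style log lines, find source hosts
     that hit TCP/139 on several distinct targets (a scan, not a client
     talking to its one file server).

Added example; sample data below is constructed, not captured.
"""
import os
import re
from collections import defaultdict

# Directory named in Jelmer Vernooij's message (the disable command is
# /usr/share/locale/sk/.sx12/sk u).
SUCKIT_DIR = "/usr/share/locale/sk/.sx12"

# Fields of the netfilter LOG target we need. Other fields (LEN=, TTL=, ...)
# sit between them, hence the lazy .*? gaps.
_NF_RE = re.compile(
    r"SRC=(?P<src>\S+)\s+DST=(?P<dst>\S+).*?PROTO=(?P<proto>\S+).*?DPT=(?P<dpt>\d+)"
)


def find_suckit_indicators(paths):
    """Return, sorted, every path that is SUCKIT_DIR or lies beneath it."""
    prefix = SUCKIT_DIR.rstrip("/") + "/"
    return sorted(p for p in paths if p == SUCKIT_DIR or p.startswith(prefix))


def walk_paths(root="/usr/share/locale/sk"):
    """Collect file and directory paths under root for find_suckit_indicators."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        found.extend(os.path.join(dirpath, d) for d in dirnames)
        found.extend(os.path.join(dirpath, f) for f in filenames)
    return found


def port139_scanners(log_lines, min_targets=3):
    """Map source IP -> sorted distinct destinations hit on TCP/139,
    keeping only sources that touched at least min_targets hosts.
    Non-TCP lines, other ports and unparseable lines are ignored."""
    targets = defaultdict(set)
    for line in log_lines:
        m = _NF_RE.search(line)
        if not m or m.group("proto") != "TCP" or m.group("dpt") != "139":
            continue
        targets[m.group("src")].add(m.group("dst"))
    return {src: sorted(dsts) for src, dsts in targets.items()
            if len(dsts) >= min_targets}


# --- constructed sample data (hypothetical hosts and addresses) ---
SAMPLE_PATHS = [
    "/usr/share/locale/sk/LC_MESSAGES/glibc.mo",
    "/usr/share/locale/sk/.sx12/sk",
    "/usr/share/locale/sk/.sx12/cfg",
    "/etc/samba/smb.conf",
]

SAMPLE_LOG = [
    # 192.0.2.44 sweeps three hosts on 139 (one of them twice) and one on 445
    "Apr  5 02:11:03 gw kernel: IN=eth0 OUT= SRC=192.0.2.44 DST=10.10.1.5 LEN=60 TTL=51 ID=0 DF PROTO=TCP SPT=3211 DPT=139 WINDOW=5840 SYN URGP=0",
    "Apr  5 02:11:03 gw kernel: IN=eth0 OUT= SRC=192.0.2.44 DST=10.10.1.6 LEN=60 TTL=51 ID=0 DF PROTO=TCP SPT=3212 DPT=139 WINDOW=5840 SYN URGP=0",
    "Apr  5 02:11:04 gw kernel: IN=eth0 OUT= SRC=192.0.2.44 DST=10.10.1.7 LEN=60 TTL=51 ID=0 DF PROTO=TCP SPT=3213 DPT=139 WINDOW=5840 SYN URGP=0",
    "Apr  5 02:11:09 gw kernel: IN=eth0 OUT= SRC=192.0.2.44 DST=10.10.1.5 LEN=60 TTL=51 ID=0 DF PROTO=TCP SPT=3214 DPT=139 WINDOW=5840 SYN URGP=0",
    "Apr  5 02:11:10 gw kernel: IN=eth0 OUT= SRC=192.0.2.44 DST=10.10.1.8 LEN=60 TTL=51 ID=0 DF PROTO=TCP SPT=3215 DPT=445 WINDOW=5840 SYN URGP=0",
    # an ordinary client talking to its single file server
    "Apr  5 02:12:00 gw kernel: IN=eth1 OUT= SRC=10.10.1.9 DST=10.10.1.5 LEN=60 TTL=64 ID=0 DF PROTO=TCP SPT=1041 DPT=139 WINDOW=5840 SYN URGP=0",
    # NetBIOS name-service broadcast, UDP, not a 139 sweep
    "Apr  5 02:12:01 gw kernel: IN=eth1 OUT= SRC=10.10.1.9 DST=10.10.1.255 LEN=78 TTL=64 ID=0 PROTO=UDP SPT=137 DPT=137 LEN=58",
    "Apr  5 02:12:02 gw sshd[412]: Accepted publickey for admin from 10.10.1.9",
]

if __name__ == "__main__":
    print("indicator paths:", find_suckit_indicators(SAMPLE_PATHS))
    print("port 139 sweepers:", port139_scanners(SAMPLE_LOG))
    # On a real host: find_suckit_indicators(walk_paths())
```

On a live system, feed `walk_paths()` to `find_suckit_indicators` and your firewall's kernel log to `port139_scanners`; note that a user-land path check cannot be trusted on a host where a kernel rootkit such as SuckIT is already resident, so treat an empty result as "not found by this check" rather than "clean", and keep the raw log lines for the investigation Warfield describes.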