From: aen
Date: Thu, 10 Apr 2003 21:18:21 +0400
To: community@altlinux.ru
Subject: [Comm] [Fwd: [sisyphus] Fw: Re: Heads up... Possible worm on the loose...]

A reminder that our updates have been available for quite a while now.

---------- Forwarded message ----------
From: Alexander Bokovoy
To: devel@altlinux.ru
Cc: sisyphus@altlinux.ru
Subject: [sisyphus] Fw: Re: Heads up... Possible worm on the loose...
Date: Thu, 10 Apr 2003 19:39:21 +0300

Attention: a worm based on the latest vulnerability in Samba 2.0 and 2.2 is already travelling and infecting systems. I recommend informing your administrators and users that they need to update immediately. In case of infection, the worm can be deactivated with the utility described at the bottom of this message.

2ldv: This ought to be sent to security-announce...

----- Forwarded message from Jelmer Vernooij -----

Date: Thu, 10 Apr 2003 18:36:31 +0200
From: Jelmer Vernooij
To: Michael H. Warfield
Subject: Re: Heads up... Possible worm on the loose...

On Thursday 10 April 2003 18:27, Michael H. Warfield wrote:
> This is just a heads up in case any of you start fielding
> questions about a Samba worm.
>
> We've got some reports from some universities of a "Samba worm"
> running loose and infecting systems with the SuckIT rootkit. Primary
> target is Linux x86. BSD systems in the same environment are not being
> compromised.
>
> The presumption is that this is based on the recent trans2
> vulnerability and I have some reports indicating a spike in port 139
> scanning just after the 4th that may be related.
>
> This, right here, is my worst fear with a 0day being posted,
> even when there is an exploit in circulation. Someone can immediately
> take the 0day and load it into the warhead of a worm and turn it loose.
> With indeterminate exploits in the wild or with "proof of concept" code,
> they still have to WORK at it to find it or make it work. This makes
> it too damn easy and cuts the deployment latency window to zilch.
> /:-|=|
>
> At this time, we have copies of the rootkit and know what it is.
> We also have indications that the payload (the worm egg w/ rootkit)
> was being downloaded from a specific central site which is under
> investigation right now. We don't have copies of the "dropper" (the
> worm head) nor have I received any logs yet to confirm what exploit
> was used.
>
> I'll post more information as I learn it. I just figured some
> of you might hear something from other sources and could use the
> information.

Quite a few hosts at the University of Twente here in Holland have been infected (they use SMB and a web-based index program to share files over the campus).

Here is some more info: http://hysteria.sk/sd/f/suckit/readme

The worm can be disabled using:

/usr/share/locale/sk/.sx12/sk u

More (Dutch) info on http://www.snt.utwente.nl/actueel/news.php?id=69

Jelmer
-- 
Jelmer Vernooij - http://nl.linux.org/~jelmer/
18:31:15 up 22:06, 7 users, load average: 0.19, 0.31, 0.80

----- End forwarded message -----

-- 
/ Alexander Bokovoy
--- egrep -n '^[a-z].*\(' $ | sort -t':' +2.0

_______________________________________________
Sisyphus mailing list
Sisyphus@altlinux.ru
http://altlinux.ru/mailman/listinfo/sisyphus
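As an added defender-side example (not code from the thread, from ALT Linux or from the Samba project), a small Python triage script that checks the two indicators the thread mentions: a burst of inbound connection attempts to TCP/139 from a single source, and files present under the rootkit directory quoted in Jelmer's message. The log format, addresses and timestamps are constructed, and `port139_scanners`, `suckit_indicators` and `SAMPLE_LOG` are names chosen for this example.

```python
"""Triage helpers for the Samba/SuckIT worm heads-up (constructed example).
Checks two indicators from the thread: a burst of inbound SYNs to TCP/139
from one source, and files under the rootkit directory /usr/share/locale/sk/.sx12/.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed iptables-style log lines; the format is hypothetical.
SAMPLE_LOG = """\
Apr 10 18:20:01 gw kernel: IN=eth0 SRC=10.0.5.7 DST=10.0.1.2 PROTO=TCP DPT=139 SYN
Apr 10 18:20:01 gw kernel: IN=eth0 SRC=10.0.5.7 DST=10.0.1.3 PROTO=TCP DPT=139 SYN
Apr 10 18:20:02 gw kernel: IN=eth0 SRC=10.0.5.7 DST=10.0.1.4 PROTO=TCP DPT=139 SYN
Apr 10 18:20:02 gw kernel: IN=eth0 SRC=10.0.9.1 DST=10.0.1.2 PROTO=TCP DPT=22 SYN
Apr 10 18:20:03 gw kernel: IN=eth0 SRC=10.0.5.7 DST=10.0.1.5 PROTO=TCP DPT=139 SYN
Apr 10 18:25:03 gw kernel: IN=eth0 SRC=10.0.9.1 DST=10.0.1.2 PROTO=TCP DPT=139 SYN
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) .*SRC=(?P<src>\S+) .*DPT=(?P<dpt>\d+) SYN")
# Rootkit drop directory quoted in the thread (the disable command lives there).
SUCKIT_DIR = "/usr/share/locale/sk/.sx12"

def port139_scanners(log, threshold=4, window_s=10, year=2003):
    """Return {src: peak} for sources whose SYNs to TCP/139 reach `threshold`
    within any sliding window of `window_s` seconds (syslog lines lack a year)."""
    times = defaultdict(list)
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("dpt") != "139":
            continue
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        times[m.group("src")].append(ts)
    flagged = {}
    for src, stamps in times.items():
        stamps.sort()
        peak, start = 0, 0
        for end, t in enumerate(stamps):
            while (t - stamps[start]).total_seconds() > window_s:
                start += 1  # slide the window forward
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[src] = peak
    return flagged

def suckit_indicators(paths):
    """Filter a host file inventory (e.g. `find / -type f` output) down to
    entries under the rootkit directory named in the thread."""
    return sorted(p for p in paths if p.startswith(SUCKIT_DIR + "/"))
```

A hit from `suckit_indicators` on a Linux x86 host, combined with a flagged source in `port139_scanners`, is the pattern the thread describes; treat such a host as compromised rather than merely unpatched.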