Attention: a worm based on the latest vulnerability in Samba 2.0 and 2.2 is already travelling around and infecting hosts. I recommend informing your administrators and users of the need to update immediately. In case of infection, the worm can be deactivated with the utility described at the bottom of this message.

2ldv: This ought to be sent to security-announce...

----- Forwarded message from Jelmer Vernooij -----

Date: Thu, 10 Apr 2003 18:36:31 +0200
From: Jelmer Vernooij
To: Michael H. Warfield
Subject: Re: Heads up... Possible worm on the loose...

On Thursday 10 April 2003 18:27, Michael H. Warfield wrote:
> This is just a heads up in case any of you start fielding
> questions about a Samba worm.
>
> We've got some reports from some universities of a "Samba worm"
> running loose and infecting systems with the SuckIT rootkit. Primary
> target is Linux x86. BSD systems in the same environment are not being
> compromised.
>
> The presumption is that this is based on the recent trans2
> vulnerability and I have some reports indicating a spike in port 139
> scanning just after the 4th that may be related.
>
> This, right here, is my worst fear with a 0day being posted,
> even when there is an exploit in circulation. Someone can immediately
> take the 0day and load it into the warhead of a worm and turn it loose.
> With indeterminate exploits in the wild or with "proof of concept" code,
> they still have to WORK at it to find it or make it work. This makes
> it too damn easy and cuts the deployment latency window to zilch. /:-|=|
>
> At this time, we have copies of the rootkit and know what it is.
> We also have indications that the payload (the worm egg w/ rootkit)
> was being downloaded from a specific central site which is under
> investigation right now. We don't have copies of the "dropper" (the
> worm head) nor have I received any logs yet to confirm what exploit
> was used.
>
> I'll post more information as I learn it. I just figured some
> of you might hear something from other sources and could use the
> information.

Quite some hosts at the University of Twente here in Holland have been infected (they use SMB and a web-based index program to share files over the campus).

Here is some more info: http://hysteria.sk/sd/f/suckit/readme

The worm can be disabled using:

/usr/share/locale/sk/.sx12/sk u

More (Dutch) info on http://www.snt.utwente.nl/actueel/news.php?id=69

Jelmer

- --
Jelmer Vernooij - http://nl.linux.org/~jelmer/
18:31:15 up 22:06, 7 users, load average: 0.19, 0.31, 0.80

----- End forwarded message -----

--
/ Alexander Bokovoy
--- egrep -n '^[a-z].*\(' $ | sort -t':' +2.0