********************************************************************** DDN MGT Bulletin 43 DCA DDN Defense Communications System 3 Nov 88 Published by: DDN Network Info Center (NIC@SRI-NIC.ARPA) (800) 235-3155 DEFENSE DATA NETWORK MANAGEMENT BULLETIN The DDN MANAGEMENT BULLETIN is distributed online by the DDN Network Information Center under DCA contract as a means of communicating official policy, procedures and other information of concern to management personnel at DDN facilities. Back issues may be read through the TACNEWS server ("@n" command at the TAC) or may be obtained by FTP (or Kermit) from the SRI-NIC host [26.0.0.73 or 10.0.0.51] using login="anonymous" and password="guest". The pathname for bulletins is DDN-NEWS:DDN-MGT-BULLETIN-nn.TXT (where "nn" is the bulletin number). ********************************************************************** BSD 4.2 AND 4.3 SOFTWARE PROBLEM RESOLUTION A virus is currently affecting a number of network hosts and may affect yours. It is spread via the electronic mail system (SMTP and Sendmail) and attacks machines running 4.3 and 4.2 UNIX BSD and possibly SUN 3.X machines. The following are three messages which provide some background information about the virus, and supply a fix. The fix will prevent reinfection by the virus, but it will not fix any damage the virus has done. If you have any further questions about this bulletin, please contact the Network Information Center at (800) 235-3155 or (415) 859-3695. This fix is also available for FTP from SRI-NIC.ARPA as NETINFO:VIRUS-PATCH.TXT. BACKGROUND: 2-Nov-88 23:45:39-PST,1520;000000000000 Received: from ames.arc.nasa.gov by SRI-NIC.ARPA with TCP; Wed, 2 Nov 88 23:26:54 PST Received: Wed, 2 Nov 88 23:28:00 PST by ames.arc.nasa.gov (5.59/1.2) Date: Wed, 2 Nov 88 23:28:00 PST From: Peter E. Yee Message-Id: <8811030728.AA18199@ames.arc.nasa.gov> To: mkl@sri-nic.arpa Subject: Internet VIRUS alert Cc: postmaster@sri-nic.arpa, tcp-ip@sri-nic.arpa X-Lines: 19 We are currently under attack from an Internet VIRUS. It has hit UC Berkeley, UC San Diego, Lawrence Livermore, Stanford, and NASA Ames. The virus comes in via SMTP, and then is able to attack all 4.3BSD and SUN (3.X?) machines. It sends a RCPT TO that requests that its data be piped through a shell. It copies in a program, compiles and executes it. This program copies in VAX and SUN binaries that try to replicate the virus via connections to TELNETD, FTPD, FINGERD, RSHD, and SMTP. The programs also appear to have DES tables in them. They appear in /usr/tmp as files that start with the letter x. Removing them is not enough as they will come back in the next wave of attacks. For now turning off the above services seems to be the only help. The virus is able to take advantage of .rhosts files and hosts.equiv. We are not certain what the final result of the binaries is, hence the warning. I can be contacted at (415) 642-7447. Phil Lapsley and Kurt Pires at this number are also conversant with the virus. -Peter Yee yee@ames.arc.nasa.gov ames!yee SOFTWARE PATCH: 3-Nov-88 04:06:58-PST,4162;000000000001 Received: from okeeffe.Berkeley.EDU by SRI-NIC.ARPA with TCP; Thu, 3 Nov 88 03:37:45 PST Received: by okeeffe.Berkeley.EDU (5.61/1.29) id AA22168; Thu, 3 Nov 88 02:56:25 PST Date: Thu, 3 Nov 88 02:56:25 PST From: bostic%okeeffe.Berkeley.EDU@ucbvax.Berkeley.EDU (Keith Bostic) Message-Id: <8811031056.AA22168@okeeffe.Berkeley.EDU> To: tcp-ip@sri-nic.arpa Subject: Virus fixes Subject: Fixes for the virus Index: usr.lib/sendmail/src/srvrsmtp.c 4BSD Description: There's a virus running around; the salient facts. A bug in sendmail has been used to introduce a virus into a lot of Internet UNIX systems. It has not been observed to damage the host system, however, it's incredibly virulent, attempting to introduce itself to every system it can find. It appears to use rsh, broken passwords, and sendmail to introduce itself into the target systems. It affects only VAXen and Suns, as far as we know. There are three changes that we believe will immunize your system. They are attached. Thanks to the Experimental Computing Facility, Center for Disease Control for their assistance. (It's pretty late, and they certainly deserved some thanks, somewhere!) Fix: First, either recompile or patch sendmail to disallow the `debug' option. If you have source, recompile sendmail after first applying the following patch to the module svrsmtp.c: *** /tmp/d22039 Thu Nov 3 02:26:20 1988 --- srvrsmtp.c Thu Nov 3 01:21:04 1988 *************** *** 85,92 **** "onex", CMDONEX, # ifdef DEBUG "showq", CMDDBGQSHOW, - "debug", CMDDBGDEBUG, # endif DEBUG # ifdef WIZ "kill", CMDDBGKILL, # endif WIZ --- 85,94 ---- "onex", CMDONEX, # ifdef DEBUG "showq", CMDDBGQSHOW, # endif DEBUG + # ifdef notdef + "debug", CMDDBGDEBUG, + # endif notdef # ifdef WIZ "kill", CMDDBGKILL, # endif WIZ Then, reinstall sendmail, refreeze the configuration file, using the command "/usr/lib/sendmail -bz", kill any running sendmail's, using the ps(1) command and the kill(1) command, and restart your sendmail. To find out how sendmail is execed on your system, use grep(1) to find the sendmail start line in either the files /etc/rc or /etc/rc.local If you don't have source, apply the following patch to your sendmail binary. SAVE A COPY OF IT FIRST, IN CASE YOU MESS UP! This is mildly tricky -- note, some versions of strings(1), which we're going to use to find the offset of the string "debug" in the binary print out the offsets in octal, not decimal. Run the following shell line to decide how your version of strings(1) works: /bin/echo 'abcd' | /usr/ucb/strings -o Note, make sure the eight control 'G's are preserved in this line. If this command results in something like: 0000008 abcd your strings(1) command prints out locations in decimal, else it's octal. The patch script for sendmail. NOTE, YOUR OFFSETS MAY VARY!! This script assumes that your strings(1) command prints out the offsets in decimal. Script started on Thu Nov 3 02:08:14 1988 okeeffe:tmp {2} strings -o -a /usr/lib/sendmail | egrep debug 0096972 debug okeeffe:tmp {3} adb -w /usr/lib/sendmail ?m 0 0xffffffff 0 0t10$d radix=10 base ten 96972?s 96972: debug 96972?w 0 96972: 25701 = 0 okeeffe:tmp {4} ^D script done on Thu Nov 3 02:09:31 1988 If your strings(1) command prints out the offsets in octal, change the line "0t10$d" to "0t8$d". After you've fixed sendmail, move both /bin/cc and /bin/ld to something else. (The virus uses the cc and the ld commands to rebuild itself to run on your system.) Finally, kill any processes on your system that don't belong there. Suspicious ones have "(sh)" or "xNNNNNNN" where the N's are random digits, as the command name on the ps(1) output line. One more thing, if you find files in /tmp or /usr/tmp that have names like "xNNNNNN,l1.c", or "xNNNNNN,sun3.o", or "xNNNNNNN,vax.o" where the N's are random digits, you've been infected. ------------------ 3-Nov-88 09:09:57-PST,898;000000000000 Received: from okeeffe.Berkeley.EDU by SRI-NIC.ARPA with TCP; Thu, 3 Nov 88 08:14:43 PST Received: by okeeffe.Berkeley.EDU (5.61/1.29) id AA22875; Thu, 3 Nov 88 08:13:50 PST Date: Thu, 3 Nov 88 08:13:50 PST From: bostic%okeeffe.Berkeley.EDU@ucbvax.Berkeley.EDU (Keith Bostic) Message-Id: <8811031613.AA22875@okeeffe.Berkeley.EDU> To: tcp-ip@sri-nic.arpa Subject: Virus posting #2 Subject: Virus posting #2 Index: usr.lib/sendmail/src/srvrsmtp.c 4BSD Description: This is a followup message, to clear up two points. First off, a better value to use to PATCH your sendmail executable is 0xff; if you're using the patch script, change: 96972?w 0 to: 96972?w 65535 Secondly, note, if, when you run strings(1) on your sendmail executable, greping for ``debug'', you don't get any output, don't worry about the problem, your system is already (we think) safe.