[TUHS] Happy birthday, Morris Worm!
don at DonHopkins.com
Fri Nov 3 03:56:16 AEST 2017
One of the temporary condoms with a hole in it that was going around immediately after the worm hit was to emacs /usr/ucb/sendmail (or whatever directory you keep all your stinky hippie software in), ^S DEBUG ESC M-b ^D ^Q ^@ ^X ^S (that is, null out the first character of the “DEBUG” command).
Apparently some bright Sun sysadmin immediately applied that patch to the sendmail server running on sun.com <http://sun.com/>...
I needed to verify a sun.com email address on a mailing list I ran, so I went “telnet sun.com <http://sun.com/> 25” and hit return a couple times to flush out the telnet negotiation characters (the telnet client sends a few characters of telnet protocol like an “interpret as command” escape sequence like “IAC DON’T RANDOMLY-LOSE", so hitting return causes a syntax error and reads a fresh new line).
The second return I hit entered an empty line that matched the DEBUG command whose name was now the null string.
When I did “expn foo at sun.com <mailto:foo at sun.com>” it dumped out pages of debugging information!!!
So I’d accidentally put sun.com’s sendmail into debug mode by pressing return, since they'd effectively renamed the “DEBUG” command to “”, which stopped the worm, but not me!
> On 1 Nov 2017, at 23:17, Dave Horsfall <dave at horsfall.org> wrote:
> The infamous Morris Worm was released in 1988; making use of known vulnerabilities in Sendmail/finger/RSH (and weak passwords), it took out a metric shitload of SUN-3s and 4BSD Vaxen (the author claimed that it was accidental, but the idiot hadn't tested it on an isolated network first). A temporary "condom" was discovered by Rich Kulawiec with "mkdir /tmp/sh".
> Dave Horsfall DTM (VK2KFU) "Those who don't understand security will suffer."
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the TUHS