2 Nov
2017
2 Nov
'17
6:56 p.m.
One of the temporary condoms with a hole in it that was going around immediately after the
worm hit was to emacs /usr/ucb/sendmail (or whatever directory you keep all your stinky
hippie software in), ^S DEBUG ESC M-b ^D ^Q ^@ ^X ^S (that is, null out the first
character of the “DEBUG” command).
Apparently some bright Sun sysadmin immediately applied that patch to the sendmail server
running on sun.com <http://sun.com/>...
I needed to verify a sun.com email address on a mailing list I ran, so I went “telnet
sun.com <http://sun.com/> 25” and hit return a couple times to flush out the telnet
negotiation characters (the telnet client sends a few characters of telnet protocol like
an “interpret as command” escape sequence like “IAC DON’T RANDOMLY-LOSE", so hitting
return causes a syntax error and reads a fresh new line).
The second return I hit entered an empty line that matched the DEBUG command whose name
was now the null string.
When I did “expn foo(a)sun.com <mailto:foo@sun.com>” it dumped out pages of debugging
information!!!
So I’d accidentally put sun.com’s sendmail into debug mode by pressing return, since
they'd effectively renamed the “DEBUG” command to “”, which stopped the worm, but not
me!
-Don
On 1 Nov 2017, at 23:17, Dave Horsfall
<dave(a)horsfall.org> wrote:
The infamous Morris Worm was released in 1988; making use of known vulnerabilities in
Sendmail/finger/RSH (and weak passwords), it took out a metric shitload of SUN-3s and 4BSD
Vaxen (the author claimed that it was accidental, but the idiot hadn't tested it on
an isolated network first). A temporary "condom" was discovered by Rich Kulawiec
with "mkdir /tmp/sh".
--
Dave Horsfall DTM (VK2KFU) "Those who don't understand security will
suffer."