I've noticed two sun/solaris (2.6) machines in the last 24 hours running a unicode exploit similar in principle to the lion worms in that they generate random IP addresses, and then try to run the exploit. The exploit primarily consists of a perl script, however it also creates a .rhosts within root's directory, open to the world. The package is untarred to /dev/cuc, originating from /tmp/uni.tar. Of course, the processes do not appear in normal 'ps' output, however they do appear in the root shell listening on port 600. Both of these machines were wide open with no apparent regard for any security. If anyone is interested in the package, I have most of it, so let me know if you would like it. -brad
This archive was generated by hypermail 2b30 : Mon May 14 2001 - 08:48:54 PDT