Complete.Org: Mailing Lists: Archives: discussion: April 2000:
[aclug-L] Re: Repeat of virus warning

To: discussion@xxxxxxxxx
Subject: [aclug-L] Re: Repeat of virus warning
From: David Duffey <dduffey@xxxxxxx>
Date: Thu, 06 Apr 2000 10:36:18 -0500
Reply-to: discussion@xxxxxxxxx

Hey, I have some curiosity questions.

"Michael A. Holmes" wrote:
> 
> Since my first email is not showing up, I will repeat it.
> 
> Now my linux box is totally down.
> 
> last month, I downloaded varicad and put it in the root directory
> Tonight I get an email from them.  When I opened it, a terminal window came
> up and the following was in it.:

What e-mail client are you using, was there an attachment that you
clicked on? What was the filename, did it end in .sh?

I suppose if your MUA was using mime types, and .sh had sh associated
as a viewer and your MUA automatically viewed attachments then this
makes sense.

> >su
> >my secret password was typed in and then accepted
> root@/home/mike> fdisk /mbr
> root@/home/mike>

Were you logged in as root, or as a normal user? I'm confused
at how this trojan knew your root password, unless they have an
extremely fast passwd crack, or have cracked su (unlikely) then this
attack has been specifically designed for you.

fdisk /mbr doesn't make sense to me under UN*X, first off the '/'
and second, all UN*X fdisk's I have seen leave the mbr out because
it isn't the responsibility of fdisk to create data, just tables.

> at this point, my hard drive went nuts.  I pressed the power button.
> When I rebooted, it went into linux, but could not find /hda9 or 10 my
> /home and /stchuff drives.  Pine was the only email client I could pull up.
>  I tried to send this email.  But I see it never made it.  Now windows is
> the only thing left on the computer.  I cannot even get linux to come up.
> 
> How the (&&*%^ can this happen. I thought linux was bullet proof.  When I
> put it in the root directory, did I give it root authority for some
> hidden script??

Well, to put it in the root directory you have to be root user, if the
file was owned by a normal user then a 'mv' will move the permissions
with that (the user), if you use 'cp' then the file will be owned by
root (but still shouldn't have "root authority" ie stick bit).

> I am so pissed it is unreal.  I finally had sound and everything running.

Is there any way that I can follow the same steps to get this
email/virus/trojan?

Sorry,

-- 
David Duffey <dduffey@xxxxxxxxxxxxxxx>      1605 Hillcrest Dr X30
http://DavidDuffey.com                      Manhattan, KS 66502
                                            (785)395-2630

-- This is the discussion@xxxxxxxxx list.  To unsubscribe,
visit http://tmp2.complete.org/cgi-bin/listargate-aclug.cgi
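
An added example (not part of the original message) for the mv/cp point in the reply above: it sets the set-user-ID bit on two constructed files, moves one and copies the other, then audits the destination for set-ID files. Function names and paths are hypothetical, `stat -c` assumes Linux, and because it runs unprivileged it compares mode bits rather than ownership.

```shell
#!/bin/sh
# Added example: names and paths are hypothetical, the sample files are constructed.

# Octal mode of a file (stat -c as found on Linux systems).
mode_of() { stat -c '%a' "$1"; }

# List regular files under a directory that carry the setuid or setgid bit.
# Running this over a directory after unpacking a download shows whether
# anything in it can run with its owner's privileges.
audit_setid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print
}

# Set the setuid bit on two constructed files, then mv one and cp the other.
# Prints "<moved-mode> <copied-mode> <number of set-ID files in destination>".
mv_vs_cp() (
    umask 022
    work=$(mktemp -d) || exit 1
    trap 'rm -rf "$work"' EXIT
    mkdir "$work/src" "$work/dst"
    for f in a b; do
        printf 'constructed sample\n' > "$work/src/$f"
        chmod 4755 "$work/src/$f"
    done
    # mv inside one filesystem is a rename: owner and mode travel with the file.
    mv "$work/src/a" "$work/dst/moved"
    # cp without -p creates a new file owned by the invoking user and
    # does not carry the set-ID bits over.
    cp "$work/src/b" "$work/dst/copied"
    hits=$(audit_setid "$work/dst" | wc -l)
    echo "$(mode_of "$work/dst/moved") $(mode_of "$work/dst/copied") $((hits))"
)

mv_vs_cp
```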

