[aclug-L] Re: Repeat of virus warning

To: "'discussion@xxxxxxxxx'" <discussion@xxxxxxxxx>
Subject: [aclug-L] Re: Repeat of virus warning
From: "Michael A. Holmes" <maholmes@xxxxxxxxxx>
Date: Thu, 6 Apr 2000 23:18:07 -0500
Reply-to: discussion@xxxxxxxxx


-----Original Message-----
From:   David Duffey [SMTP:dduffey@xxxxxxx]
Sent:   Thursday, April 06, 2000 10:36 AM
To:     discussion@xxxxxxxxx
Subject:        [aclug-L] Re: Repeat of virus warning


Hey, I have some curiosity questions.

"Michael A. Holmes" wrote:
>
> Since my first email is not showing up, I will repeat it.
>
> Now my linux box is totally down.
>
> last month, I downloaded varicad and put it in the root directory
> Tonight I get an email from them.  When I opened it, a terminal window came
> up and the following was in it:

What e-mail client are you using? Was there an attachment that you clicked
on? What was the filename, did it end in .sh?

I was using Kmail, as I enjoy the quickness and power, and no, I did not
click on anything other than the next email to read.  I come home and read
email before bed.

I suppose if your MUA was using mime types, and .sh had sh associated
as a viewer and your MUA automatically viewed attachments then this
makes sense.

> >su
> >my secret password was typed in and then accepted
> root@/home/mike> fdisk /mbr
> root@/home/mike>

Were you logged in as root, or as a normal user? I'm confused
at how this trojan knew your root password; unless they have an
extremely fast passwd crack, or have cracked su (unlikely), then this
attack has been specifically designed for you.

I was logged in as /home/mike.  I only use root to install programs and set
configurations.  And where else do you install programs to let all users
run?

fdisk /mbr doesn't make sense to me under UN*X: first off the '/',
and second, all UN*X fdisks I have seen leave the MBR out because
it isn't the responsibility of fdisk to create data, just tables.

No clue here, but I had to put the master boot back up in here before I
could access the linux partitions.  I just got a kernel panic.


> at this point, my hard drive went nuts.  I pressed the power button.
> when I rebooted, it went into linux, but could not find /hda9 or 10 my
> /home and /stchuff drives.  Pine was the only email client I could pull up.
> I tried to send this email.  But I see it never made it.  Now windows is
> the only thing left on the computer.  I cannot even get linux to come up.
>
> How the (&&*%^ can this happen. I thought linux was bullet proof.  When I
> put it in the root directory, did I give it root authority for some
> hidden script??

Well, to put it in the root directory you have to be root user. If the
file was owned by a normal user then a 'mv' will move the permissions
with that (the user); if you use 'cp' then the file will be owned by root
(but still shouldn't have "root authority", i.e. sticky bit).

> I am so pissed it is unreal.  I finally had sound and everything running.

Is there any way that I can follow the same steps to get this
email/virus/trojan?

I still have the directory this was in, but I do not know how to save my
mail from the devastated directory.  In /home/mike, the Netscape still
runs, but it takes about three tries to get usernet to start up.  I gave
all users authority to start ppp0, but for some reason, it takes two or
three tries for /mike to get the ppp0 up and running.  Other users can pop
it right up on the first try.

Michael
Sorry,

--
David Duffey <dduffey@xxxxxxxxxxxxxxx>
http://DavidDuffey.com
1605 Hillcrest Dr X30
Manhattan, KS 66502
(785)395-2630

-- This is the discussion@xxxxxxxxx list.  To unsubscribe,
visit http://tmp2.complete.org/cgi-bin/listargate-aclug.cgi
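The thread above turns on one distinction: a file being owned by root (which is all `cp` into the root directory gives you) versus a file that actually runs with root's privileges (which takes the setuid bit on an executable). The following audit script is an added example, not code from either poster; it builds a constructed sample tree under a temporary directory, so it needs no root and touches nothing real, and the file names `installer.sh` and `helper` are made up for the demonstration. It reports, for any path, whether the file is root-owned and separately whether it is setuid/setgid, and walks a directory tree listing every setuid or setgid regular file, which is the check a user in Michael's position would want to run over a freshly unpacked download.

```python
import os
import pwd
import stat
import tempfile


def describe_privilege(path):
    """Separate 'owned by root' from 'runs as its owner'.

    Ownership by uid 0 grants nothing to whoever executes the file; only
    the setuid bit on an executable makes the kernel run it as the owner.
    """
    st = os.lstat(path)
    mode = st.st_mode
    try:
        owner = pwd.getpwuid(st.st_uid).pw_name
    except KeyError:
        owner = str(st.st_uid)
    executable = bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))
    setuid = bool(mode & stat.S_ISUID)
    return {
        "path": path,
        "owner": owner,
        "owned_by_root": st.st_uid == 0,
        "setuid": setuid,
        "setgid": bool(mode & stat.S_ISGID),
        "executable": executable,
        # Only this combination lets a normal user gain the owner's uid.
        "runs_as_owner": setuid and executable,
    }


def find_setuid_files(root_dir):
    """Return sorted paths of regular files under root_dir with setuid or setgid set."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root_dir):
        for name in filenames:
            p = os.path.join(dirpath, name)
            try:
                st = os.lstat(p)
            except OSError:
                continue  # unreadable or vanished entry; skip rather than abort the audit
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                hits.append(p)
    return sorted(hits)


def build_sample_tree():
    """Constructed sample: one plain script and one setuid script (no root needed).

    A user may set the setuid bit on a file they own; whether the kernel
    honours it at exec time depends on the mount (nosuid), but the mode
    bit itself is what an audit looks for.
    """
    tmp = tempfile.mkdtemp(prefix="suid_audit_")
    plain = os.path.join(tmp, "installer.sh")   # hypothetical name
    suid = os.path.join(tmp, "helper")          # hypothetical name
    for p in (plain, suid):
        with open(p, "w") as fh:
            fh.write("#!/bin/sh\necho sample\n")
    os.chmod(plain, 0o755)
    os.chmod(suid, 0o4755)  # rwsr-xr-x: setuid bit set
    return tmp, plain, suid


if __name__ == "__main__":
    tree, plain_file, suid_file = build_sample_tree()
    for f in (plain_file, suid_file):
        print(describe_privilege(f))
    print("setuid/setgid files under", tree, "->", find_setuid_files(tree))
```

Run it as the normal user that unpacked the download and pass the unpack directory to `find_setuid_files`; an empty result means nothing in that tree can escalate by itself, whatever `ls -l` says about the owner.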

