Internet Virus: SunOS patches

Roy Smith roy at phri.UUCP
Thu Nov 10 08:58:03 AEST 1988


chuq at plaid.Sun.COM (Chuq Von Rospach) writes:

> Patching sendmail:
> 	2) make a copy of sendmail
> 		# cd /usr/lib
> 		# cp sendmail sendmail.debug

At this point, you still have a suid-root debug-enabled sendmail binary
lying around.  True, it's not the actively running daemon, but logic would
suggest doing a "chmod 400" (or something similar) on it just to make sure.

> 	4) start adb:
> 		# adb -w sendmail

At this point, you get some complaint about sendmail being read-only.  One
possible reason is that /usr/lib/sendmail is probably -r-sr-x--x.  You need
to do a "chmod +w" on it.  Also, since the binary is currently executing,
the file is locked.  You need to kill off the running sendmail daemon
*before* you patch the executable.  This will mean mail won't work for a
few minutes; BFD :-).  Remember to do a "chmod -w" when you're done.
Alternatively, you can just copy /usr/lib/sendmail to /tmp, patch the copy
there, and then copy it back (which is the method Chuq suggested to me on
the phone a few minutes ago).

Chuq also didn't mention that the proper procedure is to do this patch on
your file server(s) and then either reboot all the diskless clients or kill
and restart their sendmail daemons.  Just patching the servers and leaving
the clients running old buggy (debuggy?) sendmails won't do much good.

Since it's a real pain to rlogin to all those diskless clients, you might
just want to write an anti-virus which connects to the sendmail daemon on
each machine on your network and tries to put it in debug mode.  If it can,
it sends over the following mail:

----------------
From: /dev/null
To: "|sed -e 1,/^$/d | sh; exit 0"

kill -9 `ps ax | grep 'sendmail -bd -q1h' | grep -v grep | awk '{print $1}'`
/usr/lib/sendmail -bd -q1h
----------------

Sort of a viral self-destruct gene implant.  Probably wouldn't work because
you're killing the sendmail daemon that's in the process of delivering the
mail, but I'm sure you could think of some elaboration of this involving
"at" to set a time-bomb for 1 minute in the future.  BTW, before people
jump all over me, I'm not really serious about this, even if it is a neat
idea.
-- 
Roy Smith, System Administrator
Public Health Research Institute
{allegra,philabs,cmcl2,rutgers}!phri!roy -or- phri!roy at uunet.uu.net
"The connector is the network"
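A shell version of the copy-patch-install procedure discussed in the post above, added here as an example; it is not part of the original post or of Sun's patch instructions. It assumes a PATCH_CMD stand-in for the adb session and constructed file paths, and it renames a patched copy into place rather than copying back over the live file, so the text-busy lock on the running binary is never hit (the daemon still has to be restarted afterwards, on the clients as well as the server).

```shell
#!/bin/sh
# Added example, not from the original post or from Sun's patch instructions.
# Installs a patched copy of a running setuid binary without writing the live
# file, keeping the unpatched copy at mode 400 as the post recommends.
# Assumptions: run as root on a real host; PATCH_CMD stands in for the adb
# session and must edit the file named in its first argument in place.

# install_patched LIVE PATCH_CMD
install_patched() {
    live=$1
    patch_cmd=$2
    backup="$live.debug"
    work="$live.new.$$"        # same directory, so the final step is a rename

    # 1. Keep the unpatched copy, but strip setuid and all execute bits so a
    #    debug-enabled setuid sendmail is not left lying around.
    cp "$live" "$backup" || return 1
    chmod 400 "$backup" || return 1

    # 2. Patch a private copy. The live file is locked while the daemon is
    #    executing it (text file busy), so it is never opened for writing.
    cp "$live" "$work" || return 1
    chmod u+w "$work" || return 1
    $patch_cmd "$work" || { rm -f "$work"; return 1; }

    # 3. Refuse to install if the patch changed nothing.
    if cmp -s "$live" "$work"; then
        rm -f "$work"
        return 1
    fi

    # 4. Restore the original mode (setuid bit included) and rename the
    #    patched copy over the old one. rename() replaces the directory
    #    entry without touching the running image, so it succeeds even
    #    while the daemon is up; the daemon still has to be restarted
    #    (on every diskless client too) to pick up the new binary.
    mode=$(stat -c %a "$live" 2>/dev/null || stat -f %Mp%Lp "$live")
    chmod "$mode" "$work" || return 1
    mv -f "$work" "$live" || return 1
    echo "$live replaced; restart the sendmail daemon to run the new binary" >&2
}
```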
