
Re: Ramen Net Worm alert !



On Thu, Jan 17, 2001 at 10:07:32PM -0500, Jonathan D. Proulx wrote:
> :Apparently it targets RH-6.2 and RH-7 based servers but as
> :of now does not seem to be destructive.
> :
> :Does anybody have any further info on this worm ?
> 
> rpc.statd, wu-ftpd, lprng sploits. 'apt-get update' and you're safe.

From what I gather you don't even need to do that.  The worm seems to
have hardcoded offsets to specifically take advantage of the Redhat
builds.  So even if you're running a vulnerable version of the software
you're not likely to be bitten with this.  The reason is that the Redhat
binaries are just different enough from the Debian binaries (different
configure options, different versions of libraries, etc).  It wouldn't
be hard to reconfigure the worm to be effective against Debian, but it
probably wouldn't be worth it.  There are a lot more clueless Redhat
admins out there than clueless Debian admins.

Plus, as you point out, we've got apt-get and security.debian.org.

Incidentally, machines under my control have been probed several times
over the past few days.  The worm does appear pretty widespread.

noah
-- 
 _______________________________________________________
| Web: http://web.morgul.net/~frodo/
| PGP Public Key: http://web.morgul.net/~frodo/mail.html 
