VIRUS-L Digest Wednesday, 9 Nov 1988 Volume 1 : Issue 1 Today's Topics: digest format It's done, and some info. A couple of forwarded comments on VMS and Unix security RE: Re: MILNET/ARPANET Virus Today's NYT Re: VIRUS on ARPA net On viruses, viri and virii ... --------------------------------------------------------------------------- From: preedy@NSWC-WO.ARPA Subject: digest format To: VIRUS-L@LEHIIBM1.BITNET Keywords: edited Ken, It sounds like a good idea to me to start getting the "digests". I am tired of getting duplicates and ascii trash. Hope this isn't too much of a bother for you and you can continue to do it. Thanks for the effort. It is appreciated. You are saving a lot of people precious time. Pat Reedy preedy@NSWC-WO.ARPA [Ed. Thanks for the input! The effort involved is actually quite minimal thanks to a set of GNU EMACS digestifying routines by David Steiner. It takes me about as much time to create a digest as it would to read my own mail.] ------------------------------ Date: Wed, 9 Nov 1988 11:45:33 EST From: Ken van Wyk To: virus-l Subject: It's done, and some info. As announced, VIRUS-L is now a digest format list. To you, the readers, nothing different has to be done. To send mail to the list, just send mail to VIRUS-L@LEHIIBM1.BITNET exactly as before. Subscribing and un-subscribing is also identical to the way it was before. A couple of problems have been solved by the change. The list is now open to non-subscribers as well. That is, you needn't be on the list to send things to it. This should eliminate the "You are not authorized to send to VIRUS-L" messages that many of you have experienced. Digests will be numbered starting with this one, Volume 1, Issue 1. The Issues will continue to increase until 1989 at which time Volume 2, Issue 1 will come out. Backlogs are still kept in the same format - weekly files stored by the LISTSERV. Ken ------------------------------ Date: Wed, 9 Nov 1988 15:17:26 EST From: Ken van Wyk To: virus-l@lehiibm1.bitnet Subject: A couple of forwarded comments on VMS and Unix security Here's a couple of messages found floating around on the Usenet regarding VMS vulnerability to a potential worm such as the recent Internet worm, and a comment on Unix system security. The latter comment was made on the same newsgroup (comp.protocols.tcp-ip) as the first after some security concerns were discussed regarding the ease at which the Internet worm was able to propogate. Ken From: ajt@mace.cc.purdue.edu (Andrew J Thomas) Newsgroups: comp.os.vms,comp.protocols.tcp-ip Subject: Viruses and VMS Date: 9 Nov 88 05:21:39 GMT Organization: Purdue University Most of you are probably aware of the worm ("virus") that spread around the network last week. The worm spread by three methods: password guessing, a sendmail bug, and a fingerd bug. Any VMS systems running TCP/IP software may be vulnerable to future viruses/worms. There are two things to check for: the smtp server, and the finger server. We are running the Wollongong TCP/IP software (no eunice). The smtp server does not have the debug mode enabled, so it is not subject to attack. This can be checked by telneting to smtpd port and typing 'debug'. If it accepts the debug command, you have a potentianl security hole. The second bug is in the finger server. The finger server can read in an optional line of username(s). The bug is that it doesnt check to see if the line exceeds the buffer size. If it does, it overwrites memory. You can check this by telneting to the fingerd port and entering a line longer than 512 chars. If you get no finger response, or get an error message, you have a potential problem. I am not sure how it could be exploited. The Wollongong fingerd program has this bug. I was unable to get the fixed BSD fingerd.c to work. However, I did come up with a solution that seems to work. I copied [netdist.user]finger.exe to [netdist.serv]fingerd.exe. This change takes effect as soon as the file is copied, no need to reboot. I've done this on our system and it works fine. Why does this work? The Wollongong fingerd has a "feature" that causes it to ignore usernames parameters (even though it can overrun the buffer reading them) and will just give a list logged on users, even if information about one user is requested. Since the finger program will not read input, it wont overrun the buffer. Its default ouput is the same as fingerd, but without the bug. The usual disclaimers apply to this solution. I don't know about the CMU TCP/IP code. Since it is written in bliss, and not just a straight port of BSD to VMS, it may not have any problems. If anybody knows for sure, I would like to know, and I am sure others would also. Andy Thomas ajt@bilbo.bio.purdue.edu ajt@j.cc.purdue.edu From: scott@attcan.UUCP (Scott MacQuarrie) Newsgroups: comp.protocols.tcp-ip,comp.unix.wizards Subject: Re: Crackers and Worms Date: 8 Nov 88 22:40:09 GMT Organization: AT&T Canada Inc., Toronto There is a product available from AT&T's Federal Systems group called MLS (Multi-Level Security) which provides B1-level security in a System V Release 3.1 environment. I have seen the product on a 3B2, it's availablity from other vendors would probably require work by those vendors. (Yes Henry, we might even help them do that :-) ). Scott MacQuarrie AT&T Canada Inc. uunet!attcan!scott p.s. Opinions are my own. ------------------------------ Date: Wed, 9 Nov 88 15:53 EDT From: Savoir faire is everywhere! Subject: RE: Re: MILNET/ARPANET Virus I have noticed how some people are applauding the intelligence of the Cornell student who created the virus. Just remember that his show of "greatness" required many system administrators to work overtime to fix the effects of the virus. If I was the judge at the trial, I would require the student to reimburse the universities the money required to fix the computer systems. -Santanu Sircar- ------------------------------ Date: Wed, 09 Nov 88 09:51 EST To: Virus Discussion List From: John B Harlan Subject: Today's NYT For anyone who hasn't already seen it, this morning's National Edition of the New York Times (Wednesday, Nov. 9) carries an article on the "worm," entitled, "The computer jam: how it came about," by John Markoff. It runs on page 38. John Harlan JBH693@IrishMVS.BITNET ------------------------------ Date: Wed, 9 Nov 88 08:31:37 PST From: cliff@Lbl.Bitnet (Cliff Stoll) Subject: Re: VIRUS on ARPA net To: VIRUS-L@LEHIIBM1.bitnet Thanks for your note about the virus survey. I'm buried under responses -- probably 1 or 200 hundred. So it will be a week or two before I collate them and bring some sense to it all. Of couse I will make all the information public. I hope I'll be able to write a paper, perhaps into the communications of the ACM or some other academic journal. Strange -- a sort of epidemiology of a virus infection. Phooey: I would rather do astronomy. Best of cheers, Clif Stoll oops cliff Stoll oops again, Cliff Stoll ------------------------------ Date: Wed, 09 Nov 88 14:17:24 +0200 From: Y. Radai To: VIRUS-L@LEHIIBM1 Subject: On viruses, viri and virii ... Ben Chi writes that it is an error to use "virii" as the plural of "virus". Right. I suspect that the source of this error is that someone, by analogy with the fact that the plural of "radius" is "radii", decided that the plural of "virus" should be "virii". His mistake was in not noticing that one of the "i"s in "radii" was already present in the singular. In any case, the hideous mis- spelling "virii" has propagated faster than a virus and has become quite common on our list. Ben says that to form the plural of "virus", try "viruses" or, if you must, "viri". But Greg (LYPOWY@UNCAMULT) says it can only be "viruses", not "viri". Greg is right ... but for the wrong reason. He claims that it is because "virus" is NOT a Latin word. But it most certainly IS. (It means "poison", "slime" or "stench".) However, the point is that not all words ending in "us", *even if they are of Latin origin*, form their English plurals by replacing the "us" by "i". (If you think otherwise, try using forms such as "circi", "chori", "minusi", "boni", "campi" and "cauci"!) In the present case, as you'll find if you consult a comprehensive enough dictionary (like Webster's Third New International), "viruses" is the only correct plural form. "Viri" is an understandable mistake; "virii" is a gross error. Y. Radai Hebrew Univ. of Jerusalem P.S. Since our terminology is based so much on analogy with microbiology, try any textbook on that subject. I've never seen any form there other than "viruses". If the microbiologists can get it right, why can't we? ------------------------------ End of VIRUS-L Digest ********************* Downloaded From P-80 International Information Systems 304-744-2253