[CLUE-Tech] Is Linux Infected by the Klez Worm?

Mike Staver staver at fimble.com
Sat May 18 17:22:36 MDT 2002


One fine example of a root exploit would be that stupid ws_ftp hole in
Red Hat 7.1 and below, and any other distro for that matter that uses
that unsecure version of the ftp program.  I could be wrong, but in my
experience with this, if I leave 5 Linux boxes sitting outside our
firewall running a fresh copy of Red Hat 7.1 or lower without updating
packages of any kind, in about 24 hours the boxes are completely hacked
and people are telnetting into them from bizarre IP addresses residing
overseas and many of my binaries in /usr/sbin and /usr/bin have been
replaced with trojan executables.  All I can do at that point is break
out disk druid and format the drives out. So, since it would take a
person large amounts of time to find those IP addresses, I think it's a
worm type program that just scans a range of IPs much like the many IIS
exploits for Windows.  So, the moral of the story seems to be that you
should always check for updated packages and stay on top of that stuff.
Every time I find myself lapsing in that area, I end up paying for it.
About the Klez virus - I've seen it 20 times a day or so at work with our
Exchange 7.0 mail server running on winbloze.  So, I think it's simply
yet another MS Outlook/Exchange virus.  Thankfully, our net admin
responsible for that server has an antivirus program from McAfee
scanning all incoming mail and blocking all this garbage.  So, I don't
think it could affect your Linux boxes, only the Windows clients that
may be connecting to it via sendmail/imap/pop3, etc.  If you're not
running a mail server, then you wouldn't be responsible for the mail
hitting Windows clients, and even if you were, it's their own damn fault
for using Outlook :)

David Jackson wrote:
> 
> Joe --
> Do you mean is it affected by? Or do you mean is your system
> infected with? There are few Linux viruses out there (Mr. Gates would say Linux
> is a virus). Sorry I could resist :)
> 
> The answer generally given is that for your system to be infected with a virus,
> it has to be by the root account, in order to do any real damage. If it enters the system
> through a user account, it will affect files owned by that user and those
> with the same group permissions.
> 
> But I could be wrong.
> David
> 
> > Is the Linux OS infected by the Klez or Klez.e worm?
> >
> > _______________________________________________
> > CLUE-Tech mailing list
> > CLUE-Tech at clue.denver.co.us
> > http://clue.denver.co.us/mailman/listinfo/clue-tech

-- 

                                -Mike Staver
                                 staver at fimble.com
                                 mstaver at globaltaxnetwork.com
