[4004] in bugtraq
Re: [linux-security] Re: Linux virus
daemon@ATHENA.MIT.EDU (Flack Man)
Tue Feb 4 17:39:39 1997
Date: Tue, 4 Feb 1997 14:45:13 -0600
Reply-To: Flack Man <flackman@PHC.LIB.UMN.EDU>
From: Flack Man <flackman@PHC.LIB.UMN.EDU>
X-To: linux-security@redhat.com
To: BUGTRAQ@netspace.org
In-Reply-To: <Pine.SUN.3.94.970204120302.26570C@dfw.dfw.net>
Of course, having the binary for the virus makes things much
easier. Try bliss --uninfect-files-please (or something very close to it; it's
been many months since I've looked at it). You'll find all your binaries
intact. Realize this isn't a real virus (yet).
-FM
On Tue, 4 Feb 1997, Aleph One wrote:
> On Fri, 31 Jan 1997, Peter wrote:
- [CHOP!!] -
>
> Disinfection of the test machine was pretty simple, because the log of
> infected files is available. Simply a case of 'cat'ing new copies of the
> binaries into the infected ones, and then adding back any set[ug]id bits that
> have been lost.
>
> If you do get infected, remember
> 0) do not log any more sessions in.
> 1) disconnect the network card
> 2) kill all non-essential processes (killall5 if it's still OK)
> 3) replace all the binaries in /tmp/.bliss
>
> You could probably script the last one, but it's probably a bit dangerous to
> do so.
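The cleanup the quoted steps describe (write a clean copy into each infected binary, then put back any lost set[ug]id bits), as an added shell example that is not from this thread. The manifest format, the clean-copy directory and the checksum check are assumptions; the page itself only mentions a log of infected files and /tmp/.bliss.

```shell
#!/bin/sh
# Added example, not from the thread: restore infected binaries from
# known-good copies as the quoted steps describe: write the clean copy
# into the infected file with cat, then re-apply the recorded mode so
# lost set[ug]id bits come back.
# Assumed (not on the page): MANIFEST lines are "<path> <octal mode> <sha256>",
# and CLEAN_DIR holds clean copies named by basename.

digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

restore_binaries() {
    manifest=$1
    clean_dir=$2
    restored=0
    while read -r path mode sum; do
        [ -n "$path" ] || continue
        src="$clean_dir/$(basename "$path")"
        # Only overwrite a regular file in place; a symlink at the target
        # would redirect the write somewhere else.
        if [ -L "$path" ] || [ ! -f "$path" ]; then
            echo "refusing to write $path: not a regular file" >&2
            return 1
        fi
        # Verify the clean copy against the manifest before trusting it.
        if [ ! -f "$src" ] || [ "$(digest "$src")" != "$sum" ]; then
            echo "clean copy for $path missing or checksum mismatch" >&2
            return 1
        fi
        # cat into the existing file keeps its inode and owner; chmod restores
        # the mode, including setuid/setgid bits that may have been lost.
        cat "$src" > "$path" || return 1
        chmod "$mode" "$path" || return 1
        restored=$((restored + 1))
    done < "$manifest"
    echo "$restored"
}

# Usage (paths assumed): restore_binaries /tmp/.bliss/manifest /mnt/clean/bin
```

Run it with the network already disconnected and from a shell that was started before the infection log was written, as the quoted steps advise.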