Date: Tue, 4 Feb 1997 16:45:53 -0600
Reply-To: Scott VanRavenswaay <scottvr@DFW.NET>
From: Scott VanRavenswaay <scottvr@DFW.NET>
X-To: Flack Man <flackman@PHC.LIB.UMN.EDU>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <Pine.LNX.3.93.970204144206.2582D-100000@phc.lib.umn.edu>

It's 'uninfect-files-please' or 'disinfect-files-please'. BOTH of those
strings will work. Other command-line options include 'dont-run-original'
and 'just-run-bliss'.

Scott VanRavenswaay
System Administrator
DFW Internet Services, Inc.

On Tue, 4 Feb 1997, Flack Man wrote:

> Of course, having the binary for the virus makes things much
> easier. Try bliss --uninfect-files-please (or something very close to it,
> been many months since I've looked at it). You'll find all your binaries
> intact. Realize this isn't a real virus (yet).
>
>
> -FM
>
> On Tue, 4 Feb 1997, Aleph One wrote:
>
> > On Fri, 31 Jan 1997, Peter wrote:
> - [CHOP!!] -
> >
> > Disinfection of the test machine was pretty simple, because the log of
> > infected files is available. Simply a case of 'cat'ing new copies of the
> > binaries into the infected ones, and then adding back any set[ug]id bits that
> > have been lost.
> >
> > If you do get infected, remember
> > 0) do not log any more sessions in.
> > 1) disconnect the network card
> > 2) kill all non-essential processes (killall5 if it's still OK)
> > 3) replace all the binaries in /tmp/.bliss
> >
> > You could probably script the last one, but it's probably a bit dangerous to
> > do so.
>