Cheese the Friendly Worm On the Loose (patching lion-compromised machines as it goes)
May 17, 2001, 14:09
By Michael Hall, Editor
Cheese the Friendly Worm is loose, out to close back doors left open by the recent Lion worm, which exploited vulnerabilities in BIND.
According to the Computer Emergency Response Team at Carnegie Mellon, the Cheese worm exploits the same back door Lion used, applies a patch to eliminate the back doors left by Lion, then runs scans from the host it's just visited to find other infected machines with port 10008 open, and spreads to them, applying its patch as it goes.
This mail on the SecurityFocus.com incidents mailing list described the worm in action:
It scans port 10008, which was opened by the 1i0n worm, and removes rootshells from inetd.conf. It says:

    # removes rootshells running from /etc/inetd.conf
    # after a l10n infection... (to stop pesky haqz0rs
    # messing up your box even worse than it is already)
    # This code was not written with malicious intent.
    # Infact, it was written to try and do some good.

Funny? It was found in the directory "/tmp/.cheese/", and the following files are found in this directory:

    ADL
    cheese
    cheese.uue
    psm
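An administrator can run the same inetd.conf check without waiting for a worm to do it. The Python below is an added example, not part of the article, the quoted mail, or the worm's code. It assumes the standard inetd.conf field order (service, socket type, protocol, wait, user, server program, arguments); the function names, the shell list and the sample configuration are constructed for illustration.

```python
import os

SHELLS = {"sh", "bash", "ash", "csh", "tcsh", "ksh", "zsh"}  # assumed shell names
LION_PORT = "10008"  # back-door port named in the article


def parse_entry(line):
    """Return (service, user, program) for an active inetd.conf entry, else None."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None                      # blank or commented-out entry
    fields = stripped.split()
    if len(fields) < 6:
        return None                      # not a full service definition
    # service socket_type protocol wait user[.group] server_program [args...]
    user = fields[4].replace(":", ".").split(".")[0]
    return fields[0], user, os.path.basename(fields[5])


def find_rootshells(conf_text):
    """List (line_no, service, on_lion_port) for entries that run a shell as root."""
    hits = []
    for no, line in enumerate(conf_text.splitlines(), 1):
        entry = parse_entry(line)
        if entry and entry[1] == "root" and entry[2] in SHELLS:
            hits.append((no, entry[0], entry[0] == LION_PORT))
    return hits


def disable_rootshells(conf_text):
    """Return the config with flagged entries commented out for review."""
    flagged = {no for no, _, _ in find_rootshells(conf_text)}
    lines = conf_text.splitlines()
    return "\n".join(
        "#DISABLED " + l if i in flagged else l for i, l in enumerate(lines, 1)
    ) + "\n"


# Constructed sample, not taken from a real host.
SAMPLE = """\
# /etc/inetd.conf (constructed)
ftp    stream tcp nowait root    /usr/sbin/tcpd in.ftpd -l -a
10008  stream tcp nowait root    /bin/sh sh
#1008  stream tcp nowait root    /bin/sh sh
time   stream tcp nowait root    internal
2222   stream tcp nowait nobody  /bin/bash bash -i
"""

if __name__ == "__main__":
    for no, service, lion in find_rootshells(SAMPLE):
        print(f"line {no}: root shell on service {service}" + (" (Lion port)" if lion else ""))
```

A flagged entry means the host was already compromised, so commenting the line out closes the listener but does not make the machine trustworthy. inetd only rereads its configuration after a SIGHUP.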