By Michael Hall, Editor
Cheese the Friendly Worm is loose, out to close back doors left
open by the recent Lion worm, which exploited vulnerabilities in
BIND.
According to the Computer Emergency Response Team at Carnegie
Mellon, the Cheese worm exploits the same back door Lion used,
applies a patch to eliminate the back doors left by Lion, then runs
scans from the host it’s just visited to find other infected
machines with port 10008 open, and spreads to them, applying its
patch as it goes.
This mail on the SecurityFocus.com incidents mailing list
described the worm in action:
It scans port 10008, which was opened by the 1i0n worm, and removes rootshells from inetd.conf.

It says:

# removes rootshells running from /etc/inetd.conf
# after a l10n infection... (to stop pesky haqz0rs
# messing up your box even worse than it is already)
# This code was not written with malicious intent.
# Infact, it was written to try and do some good.

Funny?

It was found in the directory "/tmp/.cheese/" and the following files are found in this directory:

ADL cheese cheese.uue psm
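
A host check built from the indicators above (port 10008, root shells in inetd.conf, and the files under /tmp/.cheese/), added here as an example; it is not part of the article, the quoted mail, or the worm. The shell list and the sample inetd.conf are constructed assumptions.

```python
import os

# Indicators taken from the article and the quoted mail.
LION_PORT = "10008"
CHEESE_DIR = "tmp/.cheese"
CHEESE_FILES = ("ADL", "cheese", "cheese.uue", "psm")
# Assumption: shells an inetd backdoor entry might launch (not listed on the page).
SHELLS = {"sh", "bash", "ash", "csh", "tcsh", "ksh", "zsh"}

# Constructed sample inetd.conf, not taken from a real host.
SAMPLE_INETD = """\
# constructed sample
ftp     stream  tcp  nowait  root  /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp  nowait  root  /usr/sbin/tcpd  in.telnetd
10008   stream  tcp  nowait  root  /bin/sh  sh
#2222   stream  tcp  nowait  root  /bin/sh  sh -i
"""


def find_rootshells(inetd_text):
    """Return (line number, entry) for entries on port 10008 or running a shell as root."""
    hits = []
    for lineno, raw in enumerate(inetd_text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 6:          # blank, comment, or malformed line
            continue
        service, user, server = fields[0], fields[4], fields[5]
        user = user.replace(":", ".").split(".")[0]   # accept user.group / user:group
        root_shell = user == "root" and os.path.basename(server) in SHELLS
        if service == LION_PORT or root_shell:
            hits.append((lineno, " ".join(fields)))
    return hits


def find_cheese_files(root="/"):
    """Return the file names from the mail that exist under <root>/tmp/.cheese."""
    base = os.path.join(root, CHEESE_DIR)
    return [f for f in CHEESE_FILES if os.path.lexists(os.path.join(base, f))]


if __name__ == "__main__":
    for lineno, entry in find_rootshells(SAMPLE_INETD):
        print(f"inetd.conf line {lineno}: {entry}")
    print("files in /tmp/.cheese:", find_cheese_files() or "none")
```

On a real host, pass the contents of /etc/inetd.conf to find_rootshells; a hit on either check means the machine was compromised and needs a rebuild or full investigation, whatever the worm has since removed.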