This seems so similar to the Millennium Internet Worm that hit me
a couple years ago.  Strange thing is, there is so little about
it on the Internet (google search for "millennium internet worm"
shows 9 hits, all but two are from my e-mails or web site.  The
other two are in Korea which seems to describe how to launch a
similar worm.

I know this thing is still out there, and still works on Red Hat
as I have received e-mail about it as recently as November, 2000.
Red Hat closed the trouble ticket without explanation, just "It
is closed" so it is not fixed.  I guess there are not too many 
outbreaks of MIW to concern too many people.

George


Kevin Brown wrote:
> 
> Looks to be an automated self propagating script.  Uses lpr or wuftp
> vulnerabilities to get in, closes the holes, installs a root kit and then tries
> to find a new site to hit.  So unlike a windows worm that just needs an idiot
> user to propagate it, this one requires that the admin didn't close those two
> holes by either upgrading the daemons or, as I do, shutting them
> off/uninstalling the unnecessary rpms.
> 
> > > this bears reading folks....
> > > looks like the cyberpunks are at it again. :(
> > > http://www.theregister.co.uk/content/6/16168.html
> >
> > I always knew there was a connection between worms and ramen noodles.
> 
> ________________________________________________
> See http://PLUG.phoenix.az.us/navigator-mail.shtml if your mail doesn't post to the list quickly and you use Netscape to write mail.
> 
> Plug-discuss mailing list  -  Plug-discuss@lists.PLUG.phoenix.az.us
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss