Security Incidents mailing list archives

Re: The x.c worm


From: Dave Dittrich <dittrich () cac washington edu>
Date: Tue, 4 Sep 2001 13:03:16 -0700 (PDT)

(Use Bill's "xcfind" tool for local host detection, but realize that
it may, in future, give false positive results if a rootkit or
                                ^^^^^^^^
loadable kernel module is used in conjunction with an exploit like
this.)

Oops, sorry.  I meant it might give false *negatives* in future.
(A problem with looking for specific file names, paths, and ports,
which are all pretty easy to change or hide.)

--
Dave Dittrich                           Computing & Communications
dittrich () cac washington edu             University Computing Services
http://staff.washington.edu/dittrich    University of Washington

PGP key      http://staff.washington.edu/dittrich/pgpkey.txt
Fingerprint  FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

