The worm's source can be seen at
<http://lists.jammed.com/ISN/2001/04/0087.html>, and it's clear that the
worm only listens on 666, and not 666[0-9].
I tightened up the regex as suggested above and can report no false
positives with bitlbee 1.0.1-1 on this Etch box. Here's a patch
against chkrootkit version 0.46a-2:
*** chkrootkit 2005-11-26 02:33:38.000000000 -0500
--- /home/james/chkrootkit 2006-02-04 11:06:08.631741440 -0500
***************
*** 722,728 ****
printn "Searching for LPD Worm files and dirs... "; fi
if ${egrep} "^kork" ${ROOTDIR}etc/passwd > /dev/null 2>&1 || \
! ${egrep} "^666" ${ROOTDIR}etc/inetd.conf > /dev/null 2>&1 ;
then
echo "Possible LPD worm installed"
elif [ -d ${ROOTDIR}dev/.kork -o -f ${ROOTDIR}bin/.ps -o \
--- 722,728 ----
printn "Searching for LPD Worm files and dirs... "; fi
if ${egrep} "^kork" ${ROOTDIR}etc/passwd > /dev/null 2>&1 || \
! ${egrep} "^666\s" ${ROOTDIR}etc/inetd.conf > /dev/null 2>&1 ;
then
echo "Possible LPD worm installed"
elif [ -d ${ROOTDIR}dev/.kork -o -f ${ROOTDIR}bin/.ps -o \
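Review bot: the `\s` in the new pattern `"^666\s"` is a GNU regex extension, not POSIX ERE, and chkrootkit runs this line through whatever `${egrep}` resolves to on the host. Where egrep does not implement `\s`, the result is undefined (commonly a literal `s`), so a real `666 stream ...` entry in inetd.conf would no longer match, and because output goes to /dev/null the check would fail silently. Suggest the portable form `"^666[[:space:]]"`, which still rejects `6667` and covers both space- and tab-separated fields.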