Date: Thursday, May 17, 2001
The CERT/CC has observed in public and private reports a recent pattern of activity surrounding probes to TCP port 10008. We have obtained an artifact called the 'cheese worm' which may contribute to the pattern.
The 'cheese worm' is a worm ostensibly designed to remove all inetd services referencing '/bin/sh' from systems with root shells listening on TCP port 10008. In reality, the 'cheese worm' will attempt to execute a series of shell commands on any host which accepts TCP connections on TCP port 10008, whatever is actually listening there.
The 'cheese worm' perpetuates its attack cycle across multiple hosts by copying itself from attacking host to victim host and self-initiating another attack cycle. Thus, no human intervention is required to perpetuate the cycle once the worm has begun.
The artifact we obtained consists of the following three files (MD5 checksum, size in bytes, filename):

MD5 Checksum                      Filesize  Filename
c6a0feb1b1723493fe504148df4fc0af  2381      cheese
a87a2a8c31cfe38af309e173c2257158  47        go
0093fdcb12b6fb836495b7cd53d19ddb  15471     psm
In examples we have seen, the contents of the 'cheese worm' are installed in '/tmp/.cheese' and that directory is the working directory as commands are executed.
The attack sequence is initiated with the execution of the shell script 'go' on the attacking host. 'go' simply starts the perl script 'cheese' in the background, detached from the controlling terminal with its output discarded, passing along the single argument it was given:

    nohup ./cheese $1 1>/dev/null 2>&1 &
The 'cheese' script does the following:
A host running an active instance of the 'cheese worm' will
- scan TCP port 10008 on remote /16 network blocks
- initiate TCP connections to TCP port 10008 on victim hosts
- receive a TCP connection on a TCP port number from 10000 to 15000 from the victim host when the worm replicates to that host
A victim host being compromised by the 'cheese worm' will
- receive a probe to TCP port 10008 from the attacking host
- receive a TCP connection to port 10008 from the attacking host
- initiate a TCP connection to a TCP port number from 10000 to 15000 on the attacking host
- begin the attack cycle of an active 'cheese worm' host
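The two sequences above describe a traffic pattern that can be recognised in connection logs without any knowledge of the worm's files: one source opening TCP connections to port 10008 on many hosts in a network block, followed by a previously probed host connecting back to that source on a port between 10000 and 15000. The following script is an added example written for this note, not part of the worm or of any CERT/CC tool. It assumes a simple one-connection-per-line log format (timestamp, protocol, source, destination) that is constructed here for illustration; adapt the regular expression to the format your firewall or flow collector actually produces. The threshold of eight distinct targets for calling a source a scanner is an arbitrary assumption.

```python
"""Detect the 'cheese worm' probe/replication traffic pattern in connection logs."""
import re
from collections import defaultdict

WORM_PORT = 10008
CALLBACK_PORTS = range(10000, 15001)  # 10000 to 15000, treated as inclusive here

# Constructed log format: "YYYY-MM-DD HH:MM:SS TCP src:sport -> dst:dport"
LINE_RE = re.compile(
    r"^(\S+ \S+) TCP (\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+)$"
)


def parse_line(line):
    """Return a record dict for one log line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, sport, dst, dport = m.groups()
    return {"ts": ts, "src": src, "sport": int(sport), "dst": dst, "dport": int(dport)}


def find_scanners(records, min_targets=8):
    """Sources that connected to TCP 10008 on at least `min_targets` distinct hosts.

    A single connection to 10008 proves nothing; a sweep across a block is the
    signature of an active worm host scanning a /16.
    """
    targets = defaultdict(set)
    for r in records:
        if r["dport"] == WORM_PORT:
            targets[r["src"]].add(r["dst"])
    return {src: len(t) for src, t in targets.items() if len(t) >= min_targets}


def find_replications(records):
    """(attacker, victim) pairs where the victim called back after being probed.

    Attacker -> victim:10008 followed, in time order, by victim -> attacker on a
    port in 10000..15000 is the worm copying itself to the victim.
    """
    probed = set()  # (attacker, victim) pairs seen on port 10008 so far
    hits = []
    for r in sorted(records, key=lambda rec: rec["ts"]):
        if r["dport"] == WORM_PORT:
            probed.add((r["src"], r["dst"]))
        elif r["dport"] in CALLBACK_PORTS and (r["dst"], r["src"]) in probed:
            hits.append((r["dst"], r["src"]))
    return hits


def analyze(lines):
    """Parse raw log lines and return both findings; unparsable lines are skipped."""
    records = [rec for rec in (parse_line(l) for l in lines) if rec]
    return {"scanners": find_scanners(records), "replications": find_replications(records)}


# Constructed sample log (not captured traffic): 10.0.0.7 sweeps 172.16.1.0/24 on
# port 10008, and 172.16.1.5 later connects back to it on port 12345.
SAMPLE_LOG = [
    *[f"2001-05-17 10:00:{i:02d} TCP 10.0.0.7:4{i:04d} -> 172.16.1.{i}:10008"
      for i in range(1, 11)],
    # one isolated connection to 10008 is not a sweep
    "2001-05-17 10:00:30 TCP 192.168.1.2:33001 -> 192.168.1.9:10008",
    # victim calls back into the 10000-15000 range: replication in progress
    "2001-05-17 10:01:15 TCP 172.16.1.5:1023 -> 10.0.0.7:12345",
    # callback-range port to a host that never probed it: not the worm pattern
    "2001-05-17 10:01:20 TCP 172.16.1.9:1024 -> 10.9.9.9:11000",
    # unrelated traffic and a line in some other format
    "2001-05-17 10:01:25 TCP 172.16.1.3:1025 -> 10.0.0.7:22",
    "May 17 10:01:26 fw kernel: unrelated syslog line",
]

if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for src, n in result["scanners"].items():
        print(f"scanner {src}: probed {n} hosts on TCP/{WORM_PORT}")
    for attacker, victim in result["replications"]:
        print(f"replication: {victim} called back to {attacker}; treat {victim} as infected")
```

Run against the constructed log, the script reports 10.0.0.7 as a scanner of ten hosts and 172.16.1.5 as a host that has called back to it. The callback match deliberately requires that the attacker probed the victim first; without that ordering, ordinary traffic to high ports would produce constant false positives.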
The following files may be found on a system impacted by the 'cheese worm':
The following files may be modified:
The following services may be restarted:
The 'cheese worm' relies on an exposed, unauthenticated, privileged shell listening on TCP port 10008 to alter a system and perpetuate its attack cycle. As such, the presence of the 'cheese worm' on a system implies either an insecure system configuration or a previous system compromise that installed such a shell.
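Because the worm needs a pre-existing root shell on TCP port 10008, checking for that shell (and for the worm's working directory) is the practical way to tell whether a host is exposed or already touched. The script below is an added example for this note, not a CERT/CC or vendor tool. It audits three things: inetd.conf entries whose server program or arguments run a shell (the entries the worm claims to remove), anything listening on port 10008 in `netstat -an` output, and the presence of the three worm files in '/tmp/.cheese', verified against the MD5 checksums given above. The inetd.conf and netstat samples are constructed, the service name 'backdoor' is invented for illustration, and the shell-name list is an assumption.

```python
"""Host audit for the conditions the 'cheese worm' depends on and the traces it leaves."""
import hashlib
import os
import re

# From the Incident Note: the worm's working directory and the MD5s of its three files.
WORM_DIR = "/tmp/.cheese"
WORM_FILE_MD5 = {
    "cheese": "c6a0feb1b1723493fe504148df4fc0af",
    "go": "a87a2a8c31cfe38af309e173c2257158",
    "psm": "0093fdcb12b6fb836495b7cd53d19ddb",
}
WORM_PORT = 10008
SHELLS = {"sh", "bash", "csh", "ksh"}  # assumption: programs we treat as a shell


def inetd_shell_entries(inetd_conf):
    """Active inetd.conf entries whose server program or arguments run a shell.

    Fields: service socktype proto wait/nowait[.max] user[.group] server-program [args]
    Returns (service, user, server_program) tuples; comments and blank lines are ignored.
    """
    hits = []
    for raw in inetd_conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        f = line.split()
        if len(f) < 6:
            continue
        if any(os.path.basename(x) in SHELLS for x in f[5:]):
            hits.append((f[0], f[4].split(".")[0], f[5]))
    return hits


def listeners_on_port(netstat_output, port=WORM_PORT):
    """Local addresses in `netstat -an` style output that are LISTENing on `port`.

    Accepts Linux ('0.0.0.0:10008') and BSD ('*.10008') local-address notation.
    """
    found = []
    for line in netstat_output.splitlines():
        f = line.split()
        if len(f) < 5 or not f[0].startswith("tcp") or f[-1] != "LISTEN":
            continue
        m = re.search(r"^(.*)[:.](\d+)$", f[3])
        if m and int(m.group(2)) == port:
            found.append(m.group(1))
    return found


def check_worm_dir(directory=WORM_DIR):
    """For each worm file: (name, md5 or None if absent, True if the md5 matches the note)."""
    results = []
    for name, known in WORM_FILE_MD5.items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results.append((name, None, False))
            continue
        with open(path, "rb") as fh:
            digest = hashlib.md5(fh.read()).hexdigest()
        results.append((name, digest, digest == known))
    return results


def audit(inetd_conf, netstat_output, directory=WORM_DIR):
    """Combine the checks; any non-empty list is a reason to treat the host as compromised."""
    files = check_worm_dir(directory)
    return {
        "inetd_shells": inetd_shell_entries(inetd_conf),
        "port_listeners": listeners_on_port(netstat_output),
        "worm_files_present": [n for n, d, _ in files if d is not None],
        "worm_files_verified": [n for n, _, ok in files if ok],
    }


# Constructed sample inputs; not taken from a real system.
SAMPLE_INETD_CONF = """\
# /etc/inetd.conf (constructed sample)
ftp      stream  tcp  nowait  root  /usr/sbin/tcpd  in.ftpd -l -a
telnet   stream  tcp  nowait  root  /usr/sbin/tcpd  in.telnetd
# a comment mentioning /bin/sh must not count
backdoor stream  tcp  nowait  root  /bin/sh  sh -i
"""

SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:10008           0.0.0.0:*               LISTEN
tcp        0      0 10.1.1.5:10008          10.0.0.7:40005          ESTABLISHED
"""

if __name__ == "__main__":
    # On a live host feed it the real files instead of the samples, e.g.
    # audit(open("/etc/inetd.conf").read(), subprocess.check_output(["netstat", "-an"]).decode())
    for key, value in audit(SAMPLE_INETD_CONF, SAMPLE_NETSTAT).items():
        print(f"{key}: {value}")
```

A hit in the inetd check or a listener on port 10008 is the vulnerable condition itself, whether or not the worm has arrived; the file check distinguishes a host that merely is exposed from one the worm has already used. Matching the MD5s confirms this particular artifact, but files that are present with different checksums still warrant the full root-compromise recovery steps, since the directory is not something a legitimate process creates.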
The CERT/CC encourages sites to review hosts infected with the 'cheese worm' for other signs of intrusion and take appropriate steps to ensure the security of impacted systems.
In particular, certain versions of the BIND TSIG exploit discussed in
- IN-2001-03, Exploitation of BIND Vulnerabilities
create a backdoor root shell on TCP port 10008. Such an exploit was bundled into at least one version of the '1i0n' worm. A detailed analysis of the '1i0n' worm was published by Max Vision and is available at
The Korea Computer Emergency Response Team Coordination Center (CERTCC-KR) has published CERTCC-KR-IN-01-007 discussing the 'cheese' worm.
If you believe a host under your control has been compromised, you may wish to refer to
- Steps for Recovering From a Root Compromise
The CERT/CC thanks CERTCC-KR for their contributions to this Incident Note.
Author: Kevin Houle
Copyright 2001 Carnegie Mellon University.