CERT® Incident Note IN-2001-05The CERT Coordination Center publishes incident notes to provide information about incidents to the Internet community.
The "cheese" WormDate: Thursday, May 17, 2001
OverviewThe CERT/CC has observed in public and private reports a recent pattern of activity surrounding probes to TCP port 10008. We have obtained an artifact called the 'cheese worm' which may contribute to the pattern.
The 'cheese worm' is a worm designed to remove all inetd services referencing '/bin/sh' from systems with root shells listening on TCP port 10008. In reality, the 'cheese worm' will attempt to execute a series of shell commands on any host which accepts TCP connections on TCP port 10008.
The 'cheese worm' perpetuates its attack cycle across multiple hosts by copying itself from attacking host to victim host and self-initiating another attack cycle. Thus, no human intervention is required to perpetuate the cycle once the worm has begun to propagate.
In examples we have seen, the contents of the 'cheese worm' are installed in '/tmp/.cheese' and that directory is the working directory as commands are executed.
The attack sequence is initiated with the execution of the shell script 'go' on the attacking host. 'go' simply executes the perl script 'cheese':
The 'cheese' script does the following:
On hosts responding to a probe on TCP port 10008, the worm
A host running an active instance of the 'cheese worm' will
A victim host being compromised by the 'cheese worm' will
The following files may be found on a system impacted by the 'cheese worm':
The following files may be modified:
The following services may be restarted:
The 'cheese worm' relies on an exposed, unauthenticated, privileged shell listening on TCP port 10008 to alter a system and perpetuate its attack cycle. As such, the presence of the 'cheese worm' on a system implies an insecure system configuration or a previous system compromise.
The CERT/CC encourages sites to review hosts infected with the 'cheese worm' for other signs of intrusion and take appropriate steps to insure the security of impacted systems.
In particular, certain versions of the BIND TSIG exploit discussed in
create a backdoor root shell on TCP port 10008. Such an exploit was bundled into at least one version of the '1i0n' worm. A detailed analysis of the '1i0n' worm was published by Max Vision and is available at
The Korea Computer Emergency Response Team Coordination Center (CERTCC-KR) has published CERTCC-KR-IN-01-007 discussing the 'cheese' worm in Korean.
If you believe a host under your control has been compromised, you may wish to refer to
AcknowledgementThe CERT/CC thanks CERTCC-KR for their contributions to this Incident Note.
Author: Kevin Houle
This document is available from: http://www.cert.org/incident_notes/IN-2001-05.html
CERT/CC Contact Information
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.
We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from
If you prefer to use DES, please call the CERT hotline for more information.
Getting security information
CERT publications and other security information are available from our web site
* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.
Conditions for use, disclaimers, and sponsorship information
Copyright 2001 Carnegie Mellon University.