Welcome to the Viruswarning forums.  All your original content has been ported to the new forums as  well as new content and additional opportunities to interact with the authors of Viruswarn.com.  You can always access old content at www.leedrake.com/forum .  You may find some formatting was lost in the conversion and the older versions of the posts to be more readable....

But at least it's all here.

Enjoy!

  Viruswarn Forums
Subject: LION Linux worm

Lee Drake
Posts:238

05/20/2002 1:35 PM  
Note - Due to my inexperience with Linux, much of the following notice is paraphrased or quoted from the SANS notice. Please refer to the SANS site at www.sans.org for complete information on this worm. This worm only affects Linux machines - users with Microsoft based operating systems may ignore this warning.

Late last night, the SANS Institute (through its Global Incident Analysis Center) uncovered a dangerous new worm that appears to be spreading rapidly across the Internet. It scans the Internet looking for Linux computers with a known vulnerability. It infects the vulnerable machines, steals the password file (sending it to a China.com site), installs other hacking tools, and forces the newly infected machine to begin scanning the Internet looking for other victims.

How It Works

Infects Linux machines attached to the internet. From the SANS alert:

The Lion worm is similar to the Ramen worm. However, this worm is significantly more dangerous and should be taken very seriously. It infects Linux machines running the BIND DNS server. It is known to infect bind version(s) 8.2, 8.2-P1, 8.2.1, 8.2.2-Px, and all 8.2.3-betas. The specific vulnerability used by the worm to exploit machines is the TSIG vulnerability that was reported on January 29, 2001.

The Lion worm spreads via an application called "randb". Randb scans random class B networks probing TCP port 53. Once it hits a system, it checks to see if it is vulnerable. If so, Lion exploits the system using an exploit called "name". It then installs the t0rn rootkit.

Once Lion has compromised a system, it:
- Sends the contents of /etc/passwd, /etc/shadow, as well as some network settings to an address in the china.com domain.
- Deletes /etc/hosts.deny, eliminating the host-based perimeter protection afforded by tcp wrappers.
- Installs backdoor root shells on ports 60008/tcp and 33567/tcp (via inetd, see /etc/inetd.conf).
- Installs a trojaned version of ssh that listens on 33568/tcp.
- Kills syslogd, so the logging on the system can't be trusted.
- Installs a trojaned version of login.
- Looks for a hashed password in /etc/ttyhash.
- /usr/sbin/nscd (the optional Name Service Caching daemon) is overwritten with a trojaned version of ssh.

The t0rn rootkit replaces several binaries on the system in order to stealth itself. Here are the binaries that it replaces:
- du
- find
- ifconfig
- in.telnetd (is also placed in these directories; its use is not known)
- in.fingerd
- login
- ls
- mjy (a utility for cleaning out log entries, placed in /bin and /usr/man/man1/man1/lib/.lib/)
- netstat
- ps
- pstree
- top

A setuid shell is placed in /usr/man/man1/man1/lib/.lib/.x

How to Protect Yourself

SANS has created a detector for this worm: SANS has developed a utility called Lionfind that will detect the Lion files on an infected system. Simply download it, uncompress it, and run lionfind. This utility will list which of the suspect files is on the system. At this time, Lionfind is not able to remove the virus from the system. If and when an updated version becomes available (and we expect to provide one), an announcement will be made at this site.

Download Lionfind at http://www.sans.org/y2k/lionfind-0.1.tar.gz

Further Details

For those who are interested, you can read further about this worm at any of the following locations:
- SANS: http://www.sans.org/current.htm
- CERT: http://www.cert.org/advisories/CA-2001-02.html - CERT Advisory CA-2001-02, Multiple Vulnerabilities in BIND
- http://www.kb.cert.org/vuls/id/196945 - ISC BIND 8 contains buffer overflow in transaction signature (TSIG) handling code
- SANS (t0rn Info): http://www.sans.org/y2k/t0rn.htm - Information about the t0rn rootkit.

BIND FIX INFO

The following vendor update pages may help you in fixing the original BIND vulnerability:
- Redhat Linux RHSA-2001:007-03 - Bind remote exploit: http://www.redhat.com/support/errata/RHSA-2001-007.html
- Debian GNU/Linux DSA-026-1 BIND: http://www.debian.org/security/2001/dsa-026
- SuSE Linux SuSE-SA:2001:03 - Bind 8 remote root compromise: http://www.suse.com/de/support/security/2001_003_bind8_txt.txt
- Caldera Linux CSSA-2001-008.0 Bind buffer overflow: http://www.caldera.com/support/security/advisories/CSSA-2001-008.0.txt and http://www.caldera.com/support/security/advisories/CSSA-2001-008.1.txt

Summary

Be sure your version of BIND on Linux is adequately patched to be immune to this exploit. Download and run the LION utility on some schedule to ensure you're not infected in the future.

This concludes this VirusWarn notice.

Lee Drake, Moderator
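The notice above lists concrete host indicators (dropped files, a deleted /etc/hosts.deny, inetd backdoors on 60008/tcp and 33567/tcp, a trojaned sshd on 33568/tcp) but only points at SANS's lionfind for checking them. The following POSIX sh script is an added example written for this page; it is not lionfind and not code from the post or from SANS. It checks a root filesystem (the live host, or a mounted image given as the first argument) for exactly the indicators the post names. Two things in it are the editor's assumptions rather than statements from the post: inetd.conf refers to services by name, so the script looks for the backdoor port numbers in /etc/services and flags any inetd entry that launches a shell; and because netstat is on the post's replaced-binary list, it reads /proc/net/tcp directly instead of calling netstat. The file names lion_check.sh, lion_check and lion_indicator_count are the editor's own.

```shell
#!/bin/sh
# lion_check.sh: an added example, not SANS's lionfind and not code from the post.
# Checks a Linux root filesystem for the Lion / t0rn indicators the notice lists.
# $1 is an optional root prefix (e.g. /mnt/victim for a mounted image); with no
# argument the live system is checked.

# Paths the post says the rootkit drops.
LION_PATHS="/usr/man/man1/man1/lib/.lib /usr/man/man1/man1/lib/.lib/.x /etc/ttyhash"
# Ports from the post: root shells on 60008 and 33567, trojaned ssh on 33568.
LION_PORTS="60008 33567 33568"

# Prints one line per indicator found; always returns 0 so it can run under set -e.
lion_check() {
    root="${1:-}"

    for p in $LION_PATHS; do
        if [ -e "$root$p" ]; then echo "FILE $p present"; fi
    done
    # The post calls .x a setuid shell; -u tests the setuid bit on the inode.
    if [ -u "$root/usr/man/man1/man1/lib/.lib/.x" ]; then
        echo "SETUID /usr/man/man1/man1/lib/.lib/.x"
    fi

    # Lion deletes /etc/hosts.deny to switch off tcp_wrappers.
    if [ ! -e "$root/etc/hosts.deny" ]; then echo "MISSING /etc/hosts.deny"; fi

    # inetd.conf names services rather than ports, so a numeric backdoor port would
    # normally be mapped in /etc/services (assumption: the post only says "via inetd").
    # Also flag any inetd entry whose program is a shell, whatever it is called.
    for port in $LION_PORTS; do
        if grep -Eqs "[[:space:]]$port/tcp" "$root/etc/services"; then
            echo "SERVICE $port/tcp mapped in /etc/services"
        fi
    done
    grep -Es '^[^#].*[[:space:]](/bin/sh|/bin/bash|/bin/csh)([[:space:]]|$)' "$root/etc/inetd.conf" |
        while IFS= read -r line; do echo "INETD shell entry: $line"; done

    # netstat is on the replaced-binary list, so read the kernel's own socket table.
    # /proc/net/tcp shows local_address as HEXIP:HEXPORT and st 0A for LISTEN.
    if [ -r "$root/proc/net/tcp" ]; then
        for port in $LION_PORTS; do
            hex=$(printf '%04X' "$port")
            if awk -v hex="$hex" \
                'NR > 1 && $4 == "0A" && $2 ~ (":" hex "$") { found = 1 } END { exit !found }' \
                "$root/proc/net/tcp"; then
                echo "LISTEN tcp/$port (from /proc/net/tcp)"
            fi
        done
    fi
    return 0
}

# Number of indicators found, for scripting (0 means none of the listed signs).
lion_indicator_count() {
    lion_check "$1" | wc -l | tr -d ' '
}

# Run the check when executed directly: `sh lion_check.sh [/mnt/victim]`.
case "${0##*/}" in
    lion_check.sh) lion_check "$1" ;;
esac
```

Run it with no argument on the suspect host, or point it at a disk image mounted read-only. The `[ -e ]` tests and the /proc read are answered by the kernel, so the replaced ls, find and netstat the post describes do not affect them (the t0rn in the post replaces userland binaries, not the kernel). The replaced binaries themselves are better checked against package metadata (for example `rpm -Va` on Red Hat-style systems) or against a known-good install medium than trusted on a host where ps and ls may lie; a hit from this script is a reason to take the machine off the network and rebuild, not to clean in place.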
Copyright 2006 by OS-Cubed, Inc.