LINUX.IE, website of the Irish Linux Users' Group

[ILUG] new, serious Linux worm infecting BIND

Justin Mason jm at jmason.org
Mon Mar 26 16:29:50 IST 2001


James Raftery posted about this earlier -- here's more info.

http://www.sans.org/y2k/lion.htm :

Lion is a new worm, that is very similar to the Ramen worm. However, this worm
is much more dangerous and should be taken seriously. It infects Linux machines
with the BIND DNS server running. It is known to infect BIND version(s) 8.2,
8.2-P1, 8.2.1, 8.2.2-Px. BIND 8.2.3-REL has been reported as not being
vulnerable. The BIND vulnerability is the TSIG vulnerability that was reported
back on January 29, 2001.

There have been reports of another attack wave that started back in late
February. The log files we have received do indicate that there was indeed a
limited attack back then. Thanks to your help, this latest attack wave was
reported and we were able to act on your reports.

The Lion worm spread via an application called randb. randb scans random class
B networks probing TCP port 53. Once it hits a system, it then checks to see if
that system is vulnerable. If so it then exploits the system using the exploit
called name. It then installs the t0rn rootkit.

Once it has entered the system, it sends off the contents of /etc/passwd,
/etc/shadow, and some network settings to an address in the china.com domain.
It deletes /etc/hosts.deny, lowering some of the built-in protection afforded
by tcp wrappers. Ports 60008/tcp and 33567/tcp get a backdoor root shell (via
inetd, see /etc/inetd.conf), and a trojaned version of ssh gets placed on
33568/tcp. Syslogd is killed, so the logging on the system can't be trusted.

A trojaned version of login is installed. It looks for a hashed password in
/etc/ttyhash. /usr/sbin/nscd (the optional Name Service Caching daemon) is
overwritten with a trojaned version of ssh.

[...]
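The host-level indicators quoted above (backdoor ports wired into inetd, the /etc/ttyhash file used by the trojaned login, a deleted /etc/hosts.deny, syslogd killed) lend themselves to a quick triage script. The following is an added example, not code from the post or from SANS; it assumes the backdoor entries appear in inetd.conf as lines mentioning ports 60008, 33567 or 33568, and it takes every path as a parameter so it can be run against constructed sample files.

```shell
#!/bin/sh
# Added example (not from the original post or the SANS advisory): triage a
# host for the Lion indicators described above. Paths are parameters so the
# checks can be exercised offline against constructed files.

LION_PORTS="60008 33567 33568"

# count_port_hits FILE: number of non-comment lines in FILE that mention one
# of the Lion backdoor ports as a whole word (inetd.conf or /etc/services).
count_port_hits() {
    f=$1; n=0
    for p in $LION_PORTS; do
        c=$(grep -v '^[[:space:]]*#' "$f" 2>/dev/null | grep -cw "$p" || true)
        n=$((n + c))
    done
    echo "$n"
}

# lion_triage INETD_CONF TTYHASH HOSTS_DENY: print one line per indicator;
# return 0 when nothing suspicious is found, 1 otherwise.
lion_triage() {
    inetd=$1 ttyhash=$2 hostsdeny=$3 bad=0
    hits=$(count_port_hits "$inetd")
    if [ "$hits" -gt 0 ]; then
        echo "SUSPECT: $hits backdoor-port entries in $inetd"; bad=1
    fi
    if [ -e "$ttyhash" ]; then
        echo "SUSPECT: $ttyhash exists (hash file of the trojaned login)"; bad=1
    fi
    if [ ! -e "$hostsdeny" ]; then
        echo "SUSPECT: $hostsdeny missing (tcp_wrappers deny list removed)"; bad=1
    fi
    # Lion kills syslogd, so a missing logger is a warning (not a verdict).
    if ! pgrep -x syslogd >/dev/null 2>&1 && ! pgrep -x rsyslogd >/dev/null 2>&1; then
        echo "WARN: no syslogd/rsyslogd process found; logs may be incomplete"
    fi
    return $bad
}

# demo: run the checks against a constructed inetd.conf (not a real capture)
# that carries two of the backdoor ports, plus an empty ttyhash file.
demo() {
    d=$(mktemp -d)
    printf 'ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd\n' > "$d/inetd.conf"
    printf '60008 stream tcp nowait root /bin/sh sh -i\n' >> "$d/inetd.conf"
    printf '33567 stream tcp nowait root /bin/sh sh -i\n' >> "$d/inetd.conf"
    : > "$d/ttyhash"
    lion_triage "$d/inetd.conf" "$d/ttyhash" "$d/hosts.deny"; echo "status=$?"
    rm -rf "$d"
}
```

On a live host the call is `lion_triage /etc/inetd.conf /etc/ttyhash /etc/hosts.deny`; a clean result only means these particular indicators are absent, since the t0rn rootkit also replaces binaries the script does not inspect.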
