James Raftery posted about this earlier -- here's more info.
Lion is a new worm, that is very similar to the Ramen worm. However, this worm
is much more dangerous and should be taken seriously. It infects Linux machines
with the BIND DNS server running. It is known to infect BIND version(s) 8.2,
8.2-P1, 8.2.1, 8.2.2-Px. BIND 8.2.3-REL has been reported as not being
vulnerable. The BIND vulnerability is the TSIG vulnerability that was reported
back on January 29, 2001.
There have been reports, of another attack wave that started back in late
February. The log files we have recieve do indicate that there was indeed a
limited attack back then. Thanks to your help, this latest attack wave was
reported and we were able to act on your reports.
The Lion worm spread via an application called randb. randb scans random class
B networks probing TCP port 53. Once it hits a system, it then checks to see if
that system is vulnerable. If so it then exploits the system using the exploit
called name. It then installs the t0rn rootkit.
Once it has entered the system, it sends off the contents of /etc/passwd,
/etc/shadow, and some network settings to an address in the china.com domain.
It deleted /etc/hosts.deny, lowering some of the built-in protection afforded
by tcp wrappers. Ports 60008/tcp and 33567/tcp get a backdoor root shell (via
inetd, see /etc/inetd.conf), and a trojaned version of ssh gets placed on
33568/tcp. Syslogd is killed, so the logging on the system can't be trusted.
A trojaned version of login is installed. It looks for a hashed password in
/etc/ttyhash. /usr/sbin/nscd (the optional Name Service Caching daemon) is
overwritten with a trojaned version of ssh.
Maintained by the ILUG website team. The aim of Linux.ie is to
support and help commercial and private users of Linux in Ireland. You can
display ILUG news in your own webpages, read backend
information to find out how. Networking services kindly provided by HEAnet, server kindly donated by
Dell. Linux is a trademark of Linus Torvalds,
used with permission. No penguins were harmed in the production or maintenance
of this highly praised website. Looking for the
Indian Linux Users' Group? Try here. If you've read all this and aren't a lawyer: you should be!