[LUNI] Fwd: FW: Linux/BIND exploit...

From: Grant A. Prellwitz (gprellwitz@acm.org)
Date: Fri Mar 23 2001 - 10:08:45 CST


    >From: "Cruz, Phil (NYC)" <PCruz@ixl.com>
    >To: !WW-Security <ww-security@ixl.com>
    >Subject: FW: Linux/BIND exploit...
    >Date: Fri, 23 Mar 2001 09:55:44 -0600
    >
    >
    >-----Original Message-----
    >From: The SANS Institute [mailto:securityalert@sans.org]
    >Sent: Friday, March 23, 2001 10:05 AM
    >To: Security Professional
    >Subject: ALERT - A DANGEROUS NEW WORM IS SPREADING ON THE INTERNET
    >
    >
    >-----BEGIN PGP SIGNED MESSAGE-----
    >Hash: SHA1
    >
    >ALERT! A DANGEROUS NEW WORM IS SPREADING ON THE INTERNET
    >
    >March 23, 2001 7:00 AM
    >
    >Late last night, the SANS Institute (through its Global Incident
    >Analysis Center) uncovered a dangerous new worm that appears to be
    >spreading rapidly across the Internet. It scans the Internet looking
    >for Linux computers with a known vulnerability. It infects the
    >vulnerable machines, steals the password file (sending it to a
    >China.com site), installs other hacking tools, and forces the newly
    >infected machine to begin scanning the Internet looking for other
    >victims.
    >
    >Several experts from the security community worked through the night to
    >decompose the worm's code and engineer a utility to help you discover
    >if the Lion worm has affected your organization.
    >
    >Updates to this announcement will be posted at the SANS web site,
    >http://www.sans.org
    >
    >
    >DESCRIPTION
    >
    >The Lion worm is similar to the Ramen worm. However, this worm is
    >significantly more dangerous and should be taken very seriously. It
    >infects Linux machines running the BIND DNS server. It is known to
    >infect bind version(s) 8.2, 8.2-P1, 8.2.1, 8.2.2-Px, and all
    >8.2.3-betas. The specific vulnerability used by the worm to exploit
    >machines is the TSIG vulnerability that was reported on January 29,
    >2001.
    >
    >The Lion worm spreads via an application called "randb". Randb scans
    >random class B networks probing TCP port 53. Once it hits a system, it
    >checks to see if it is vulnerable. If so, Lion exploits the system using
    >an exploit called "name". It then installs the t0rn rootkit.
    >
    >Once Lion has compromised a system, it:
    >
    >- Sends the contents of /etc/passwd, /etc/shadow, as well as some
    >network settings to an address in the china.com domain.
    >- Deletes /etc/hosts.deny, eliminating the host-based perimeter
    >protection afforded by tcp wrappers.
    >- Installs backdoor root shells on ports 60008/tcp and 33567/tcp (via
    >inetd, see /etc/inetd.conf)
    >- Installs a trojaned version of ssh that listens on 33568/tcp
    >- Kills Syslogd, so the logging on the system can't be trusted
    >- Installs a trojaned version of login
    >- Looks for a hashed password in /etc/ttyhash
    >- /usr/sbin/nscd (the optional Name Service Caching daemon) is
    >overwritten with a trojaned version of ssh.
    >
    >The t0rn rootkit replaces several binaries on the system in order to
    >stealth itself. Here are the binaries that it replaces:
    >
    >du, find, ifconfig, in.telnetd, in.fingerd, login, ls, mjy, netstat,
    >ps, pstree, top
    >
    >- "Mjy" is a utility for cleaning out log entries, and is placed in
    >/bin and /usr/man/man1/man1/lib/.lib/.
    >- in.telnetd is also placed in these directories; its use is not known
    >at this time.
    >- A setuid shell is placed in /usr/man/man1/man1/lib/.lib/.x
    >
    >DETECTION AND REMOVAL
    >
    >We have developed a utility called Lionfind that will detect the Lion
    >files on an infected system. Simply download it, uncompress it, and
    >run lionfind. This utility will list which of the suspect files is on
    >the system.
    >
    >At this time, Lionfind is not able to remove the virus from the system.
    >If and when an updated version becomes available (and we expect to
    >provide one), an announcement will be made at this site.
    >
    >Download Lionfind at http://www.sans.org/y2k/lionfind-0.1.tar.gz
    >
    >
    >REFERENCES
    >
    >Further information can be found at:
    >
    >http://www.sans.org/current.htm
    >http://www.cert.org/advisories/CA-2001-02.html, CERT Advisory
    >CA-2001-02, Multiple Vulnerabilities in BIND
    >http://www.kb.cert.org/vuls/id/196945 ISC BIND 8 contains buffer
    >overflow in transaction signature (TSIG) handling code
    >http://www.sans.org/y2k/t0rn.htm Information about the t0rn rootkit.
    >
    >The following vendor update pages may help you in fixing the original
    >BIND vulnerability:
    >
    >Redhat Linux RHSA-2001:007-03 - Bind remote exploit
    >http://www.redhat.com/support/errata/RHSA-2001-007.html
    >Debian GNU/Linux DSA-026-1 BIND
    >http://www.debian.org/security/2001/dsa-026
    >SuSE Linux SuSE-SA:2001:03 - Bind 8 remote root compromise.
    >http://www.suse.com/de/support/security/2001_003_bind8_txt.txt
    >Caldera Linux CSSA-2001-008.0 Bind buffer overflow
    >http://www.caldera.com/support/security/advisories/CSSA-2001-008.0.txt
    >http://www.caldera.com/support/security/advisories/CSSA-2001-008.1.txt
    >
    >This security advisory was prepared by Matt Fearnow of the SANS
    >Institute and William Stearns of the Dartmouth Institute for Security
    >Technology Studies.
    >
    >The Lionfind utility was written by William Stearns. William is an
    >Open-Source developer, enthusiast, and advocate from Vermont, USA. His
    >day job at the Institute for Security Technology Studies at Dartmouth
    >College pays him to work on network security and Linux projects.
    >
    >Also contributing efforts go to Dave Dittrich from the University of
    >Washington, and Greg Shipley of Neohapsis.
    >
    >Matt Fearnow
    >SANS GIAC Incident Handler
    >
    >If you have additional data on this worm or a critical question please
    >email lionworm@sans.org
    >-----BEGIN PGP SIGNATURE-----
    >Version: GnuPG v1.0.4 (BSD/OS)
    >Comment: For info see http://www.gnupg.org
    >
    >iD8DBQE6u17n+LUG5KFpTkYRAgn9AJ0ffubakBA47teAe9lF92lrS2H+TwCgh3T/
    >ek+YCliAS832nnMIzP28ezM=
    >=E1SG
    >-----END PGP SIGNATURE-----

    -=-
    Linux Users Of Northern Illinois: General Discussion Mailing list.
    For unsubscription, archives, and announcements only see http://luni.org
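As an added example (not SANS' Lionfind and not part of the forwarded advisory), the host check below looks for the Lion/t0rn indicators the advisory lists: the inetd-started backdoors on 60008, 33567 and 33568/tcp, the t0rn hiding directory and its setuid shell, /etc/ttyhash, a deleted /etc/hosts.deny, and a missing syslogd. It assumes the port numbers appear literally in /etc/inetd.conf or /etc/services; pass a directory to inspect a mounted image instead of the live root.

```shell
#!/bin/sh
# Lion worm host check: an added example written from the indicators listed
# in the advisory above. It is not SANS' Lionfind and does not remove anything.
# Usage: lion_check [ROOT]  -- with no argument it inspects the live system;
# pass a directory to inspect a mounted image or a constructed test tree.
# Each indicator found is printed; the return value is the number of hits.
lion_check() {
    root="${1:-}"
    hits=0
    # 1. Backdoor shells on 60008/tcp and 33567/tcp and the trojaned ssh on
    #    33568/tcp are started via inetd. Assumption: the port numbers appear
    #    literally in /etc/inetd.conf or /etc/services on an infected host.
    for port in 60008 33567 33568; do
        if grep -qs "$port" "$root/etc/inetd.conf" "$root/etc/services"; then
            echo "port $port referenced in inetd.conf or services"
            hits=$((hits + 1))
        fi
    done
    # 2. t0rn rootkit hiding directory and the setuid shell placed in it.
    if [ -d "$root/usr/man/man1/man1/lib/.lib" ]; then
        echo "t0rn directory /usr/man/man1/man1/lib/.lib present"
        hits=$((hits + 1))
    fi
    if [ -u "$root/usr/man/man1/man1/lib/.lib/.x" ]; then
        echo "setuid shell /usr/man/man1/man1/lib/.lib/.x present"
        hits=$((hits + 1))
    fi
    # 3. The trojaned login looks for a hashed password in /etc/ttyhash.
    if [ -e "$root/etc/ttyhash" ]; then
        echo "/etc/ttyhash present"
        hits=$((hits + 1))
    fi
    # 4. Lion deletes /etc/hosts.deny. A weak indicator on its own: some
    #    installs never had the file, so treat it as corroborating evidence.
    if [ -d "$root/etc" ] && [ ! -e "$root/etc/hosts.deny" ]; then
        echo "/etc/hosts.deny missing (tcp wrappers deny list gone)"
        hits=$((hits + 1))
    fi
    # 5. syslogd killed (live system only). ps is among the replaced binaries,
    #    so read /proc directly instead of trusting it. Matches syslogd and
    #    rsyslogd; syslog-ng hosts will need a different pattern.
    if [ -z "$root" ] && [ -d /proc ]; then
        if ! grep -qs '^r\{0,1\}syslogd' /proc/[0-9]*/comm; then
            echo "no syslogd process found"
            hits=$((hits + 1))
        fi
    fi
    return "$hits"
}
```

Because the replaced ls, find and ps cannot be trusted on an infected host, run the check from a known-good rescue medium against the mounted disk rather than from the compromised system itself.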



    This archive was generated by hypermail 2b29 : Fri Mar 23 2001 - 10:12:19 CST
