FYI: Linux - vulnerability



> -----Original Message-----
> From: The SANS Institute []
> Sent: Friday, March 23, 2001 9:50 AM
> To: Parker, Joe
> Subject: ALERT - A DANGEROUS NEW WORM IS SPREADING ON THE INTERNET
>
> ALERT! A DANGEROUS NEW WORM IS SPREADING ON THE INTERNET
>
> March 23, 2001 7:00 AM
>
> Late last night, the SANS Institute (through its Global Incident
> Analysis Center) uncovered a dangerous new worm that appears to be
> spreading rapidly across the Internet. It scans the Internet looking
> for Linux computers with a known vulnerability. It infects the
> vulnerable machines, steals the password file (sending it to a
> site), installs other hacking tools, and forces the newly
> infected machine to begin scanning the Internet looking for other
> victims.
>
> Several experts from the security community worked through the night to
> decompose the worm's code and engineer a utility to help you discover
> if the Lion worm has affected your organization.
>
> Updates to this announcement will be posted at the SANS web site.
>
> DESCRIPTION
>
> The Lion worm is similar to the Ramen worm. However, this worm is
> significantly more dangerous and should be taken very seriously. It
> infects Linux machines running the BIND DNS server. It is known to
> infect bind version(s) 8.2, 8.2-P1, 8.2.1, 8.2.2-Px, and all
> 8.2.3-betas. The specific vulnerability used by the worm to exploit
> machines is the TSIG vulnerability that was reported on January 29,
> 2001.
>
> The Lion worm spreads via an application called "randb". Randb scans
> random class B networks probing TCP port 53. Once it hits a system, it
> checks to see if it is vulnerable. If so, Lion exploits the system using
> an exploit called "name". It then installs the t0rn rootkit.
>
> Once Lion has compromised a system, it:
>
> - Sends the contents of /etc/passwd, /etc/shadow, as well as some
>   network settings to an address in the domain.
> - Deletes /etc/hosts.deny, eliminating the host-based perimeter
>   protection afforded by tcp wrappers.
> - Installs backdoor root shells on ports 60008/tcp and 33567/tcp (via
>   inetd, see /etc/inetd.conf)
> - Installs a trojaned version of ssh that listens on 33568/tcp
> - Kills syslogd, so the logging on the system can't be trusted
> - Installs a trojaned version of login
> - Looks for a hashed password in /etc/ttyhash
> - /usr/sbin/nscd (the optional Name Service Caching daemon) is
>   overwritten with a trojaned version of ssh.
>
> The t0rn rootkit replaces several binaries on the system in order to
> stealth itself. Here are the binaries that it replaces:
>
> du, find, ifconfig, in.telnetd, in.fingerd, login, ls, mjy, netstat,
> ps, pstree, top
>
> - "Mjy" is a utility for cleaning out log entries, and is placed in /bin
>   and /usr/man/man1/man1/lib/.lib/.
> - in.telnetd is also placed in these directories; its use is not known
>   at this time.
> - A setuid shell is placed in /usr/man/man1/man1/lib/.lib/.x
>
> DETECTION AND REMOVAL
>
> We have developed a utility called Lionfind that will detect the Lion
> files on an infected system. Simply download it, uncompress it, and
> run lionfind. This utility will list which of the suspect files is on
> the system.
>
> At this time, Lionfind is not able to remove the virus from the system.
> If and when an updated version becomes available (and we expect to
> provide one), an announcement will be made at this site.
>
> Download Lionfind at
>
> REFERENCES
>
> Further information can be found at:
>
> - CERT Advisory CA-2001-02, Multiple Vulnerabilities in BIND
> - ISC BIND 8 contains buffer overflow in transaction signature (TSIG)
>   handling code
> - Information about the t0rn rootkit.
>
> The following vendor update pages may help you in fixing the original BIND
> vulnerability:
>
> - Redhat Linux RHSA-2001:007-03 - Bind remote exploit
> - Debian GNU/Linux DSA-026-1 BIND
> - SuSE Linux SuSE-SA:2001:03 - Bind 8 remote root compromise.
>   txt.txt
> - Caldera Linux CSSA-2001-008.0 Bind buffer overflow
>
> This security advisory was prepared by Matt Fearnow of the SANS
> Institute and William Stearns of the Dartmouth Institute for Security
> Technology Studies.
>
> The Lionfind utility was written by William Stearns. William is an
> Open-Source developer, enthusiast, and advocate from Vermont, USA. His
> day job at the Institute for Security Technology Studies at Dartmouth
> College pays him to work on network security and Linux projects.
>
> Also contributing efforts go to Dave Dittrich from the University of
> Washington, and Greg Shipley of Neohapsis.
>
> Matt Fearnow
> SANS GIAC Incident Handler
>
> If you have additional data on this worm or a critical question please
> email
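As an added example (not SANS's Lionfind, which is not reproduced here), a small POSIX sh check for the host indicators the advisory lists: the dropped files under /usr/man/man1/man1/lib/.lib, /etc/ttyhash, the mjy and in.telnetd copies in /bin, the deleted /etc/hosts.deny, and the backdoor ports wired into /etc/inetd.conf. The function name, the root-path argument and the form of the inetd.conf line it greps for are assumptions; it deliberately uses only shell builtins and grep because the advisory says ls, find, ps and netstat are among the binaries the rootkit replaces.

```shell
#!/bin/sh
# Added example: check a host (or a mounted image) for the Lion/t0rn indicators
# named in the SANS advisory. Not SANS's Lionfind; the paths and ports below are
# taken from the advisory, everything else is an assumption.
#
# Only shell builtins and grep are used: the advisory lists ls, find, ps and
# netstat among the binaries t0rn replaces, so their output cannot be trusted.

# lion_check [ROOT]
#   ROOT: filesystem root to inspect ("" = live system, or the mount point of
#         an offline image). Prints one "INDICATOR:" line per hit and returns
#         the number of hits (0 = nothing found).
lion_check() {
  root="${1:-}"
  found=0

  # Files and directories the advisory says the worm or rootkit drops.
  for p in /usr/man/man1/man1/lib/.lib \
           /usr/man/man1/man1/lib/.lib/.x \
           /etc/ttyhash \
           /bin/mjy \
           /bin/in.telnetd; do
    if [ -e "$root$p" ]; then
      echo "INDICATOR: $root$p exists"
      found=$((found + 1))
    fi
  done

  # Lion deletes /etc/hosts.deny; on a host that used tcp wrappers its
  # absence is itself an indicator.
  if [ ! -e "$root/etc/hosts.deny" ]; then
    echo "INDICATOR: $root/etc/hosts.deny is missing"
    found=$((found + 1))
  fi

  # Backdoor shells are added to inetd on 60008/tcp and 33567/tcp. Assumed
  # form: the numeric port appears as a whole field in /etc/inetd.conf.
  if [ -r "$root/etc/inetd.conf" ] &&
     grep -Eq '(^|[[:space:]])(60008|33567)([[:space:]]|$)' "$root/etc/inetd.conf"; then
    echo "INDICATOR: backdoor port (60008 or 33567) in $root/etc/inetd.conf"
    found=$((found + 1))
  fi

  return "$found"
}
```

Run it against a mounted image of the suspect disk (`lion_check /mnt/evidence`) rather than the live host where possible; a clean result only means none of these specific indicators is present, not that the BIND TSIG hole is patched.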

