Security Incidents mailing list archives

Re: Lion Worm/crew.tgz


From: Andreas Östling <andreaso () IT SU SE>
Date: Fri, 23 Mar 2001 22:23:01 +0100

On Fri, 23 Mar 2001, Alfred Huger wrote:

> Neil Long <neil.long () computing-services oxford ac uk> mailed me and
> mentioned that it might be worth pointing out that the SANS GIAC analysis
> is not valid for the crew.tgz version that was sent to Incidents by
> Andreas Östling <andreaso () IT SU SE>
>
> There is no t0rn rootkit involved and the root shell is on 1008 so their
> Lionfind may be misleading.
>
> Of course, there could be half a dozen variants on the loose by this stage.

The packet I posted where it opens up the root shell on 1008 is just one
part of the worm. The rest of it is in crew.tgz (the t0rnkit is in there
among other things). So the SANS GIAC analysis is valid for crew.tgz
(the http://coollion.51.net/crew.tgz version).
FYI I just installed this version on an offline machine, and Lionfind found it.

Regards,
Andreas Östling

