Security Incidents mailing list archives
Re: Lion Worm/crew.tgz
From: Andreas Östling <andreaso () IT SU SE>
Date: Fri, 23 Mar 2001 22:23:01 +0100
On Fri, 23 Mar 2001, Alfred Huger wrote:
Neil Long <neil.long () computing-services oxford ac uk> mailed me and mentioned that it might be worth pointing out that the SANS GIAC analysis is not valid for the crew.tgz version that was sent to Incidents by Andreas Östling <andreaso () IT SU SE>. There is no t0rn rootkit involved and the root shell is on 1008, so their Lionfind may be misleading. Of course, there could be half a dozen variants on the loose by this stage.
The packet I posted where it opens up the root shell on 1008 is just one part of the worm. The rest of it is in crew.tgz (the t0rnkit is in there, among other things). So the SANS GIAC analysis is valid for crew.tgz (the http://coollion.51.net/crew.tgz version). FYI, I just installed this version on an offline machine, and Lionfind found it.

Regards,
Andreas Östling
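A quick host-side check for the indicator the thread gives (a root shell listening on TCP port 1008), as an added example that is not part of the original post or of Lionfind. It parses the Linux /proc/net/tcp table, whose rows carry hex "addr:port" pairs and a hex socket state; the sample table below is constructed for the example, and the port/uid are reported so a responder can confirm it is a uid-0 listener rather than an unrelated service.

```python
# Added example: flag a LISTEN socket on port 1008 by parsing /proc/net/tcp.
# Column layout: sl, local_address, rem_address, st, tx:rx queue, tr:when,
# retrnsmt, uid, timeout, inode, ...  Ports are hex, state 0A is TCP_LISTEN.
import os

LISTEN_STATE = "0A"      # TCP_LISTEN as shown in /proc/net/tcp
SUSPECT_PORT = 1008      # root-shell port mentioned in the thread

# Constructed sample: sshd on 22 (0016), a uid-0 listener on 1008 (03F0),
# and an established (01) connection on port 80 (0050) that must not match.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 0000000000000000 100 0 0 10 0
   1: 00000000:03F0 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 5678 1 0000000000000000 100 0 0 10 0
   2: 0A000002:0050 0A000003:C3A1 01 00000000:00000000 00:00000000 00000000     0        0 9012 1 0000000000000000 100 0 0 10 0
"""


def parse_proc_net_tcp(text):
    """Return (local_port, state, uid) tuples for every socket row, skipping the header."""
    rows = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 8:
            continue
        _addr_hex, port_hex = fields[1].split(":")
        rows.append((int(port_hex, 16), fields[3], int(fields[7])))
    return rows


def find_listeners(text, port):
    """Return the uids of sockets in LISTEN state on the given port."""
    return [uid for p, state, uid in parse_proc_net_tcp(text)
            if p == port and state == LISTEN_STATE]


def check_live_host(port=SUSPECT_PORT, path="/proc/net/tcp"):
    """Read the real table if present (Linux only); returns uids or None if unavailable."""
    if not os.path.exists(path):
        return None
    with open(path) as f:
        return find_listeners(f.read(), port)


if __name__ == "__main__":
    print("sample:", find_listeners(SAMPLE_PROC_NET_TCP, SUSPECT_PORT))
    print("this host:", check_live_host())
```

A listener on 1008 alone is not proof of compromise; the thread itself notes variants differ, so treat a hit as a lead to confirm with a rootkit check such as Lionfind or an offline inspection of the filesystem.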