Full Disclosure mailing list archives
Re: update on the linux worm
From: "Stephen J. Smoogen" <smooge () gmail com>
Date: Mon, 20 Feb 2006 13:17:29 -0700
On 2/18/06, Gadi Evron <ge () linuxbox org> wrote:
> A quick digest of some updates from the last few hours on this issue:
>
> 1. The worm is based on 'kaiten', which has been going around in different variants for a long time now.
> 2. This worm is new.
> 3. The first part exploits PHP applications, like these variants normally do.
> 4. The second part spreads to other systems.
> 5. The worm connects to a botnet C&C based on two Fast-flux DNS RR's which are not there anymore, and as they change, are taken down.
>
> As always, more updates if necessary on: http://blog.securiteam.com
Looking at items on blog.securiteam.com, the IP address the worm was being downloaded from in the beginning showed up around Feb 14, 2005 in all the logs I have. I am not sure if this was a precursor to the newer worm though.

--
Stephen J Smoogen.
CSIRT/Linux System Administrator

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
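The check Stephen describes (looking back through web server logs for the first appearance of the address the worm was being fetched from) is a routine incident-response step. The script below is an added example, not code from the thread or from either poster: it parses Apache/nginx combined-format access logs, records the earliest timestamp per client address, and reports first-seen date and request count for an indicator address. The log lines and the addresses in them (RFC 5737 documentation ranges) are constructed for the example; the address from the thread is not known to this page.

```python
import re
from datetime import datetime
from typing import Dict, Iterable, List, Optional, Tuple

# Apache/nginx "combined" log line: client IP, timestamp, request line,
# status, size (referer and user-agent follow but are not needed here).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log lines (hypothetical; documentation-range addresses).
# Entries are deliberately not sorted by address, and one line is malformed,
# so the parser has to skip it rather than crash.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Feb/2006:08:01:22 -0700] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [14/Feb/2006:02:17:05 -0700] "GET /index.php HTTP/1.1" 200 312 "-" "-"
this line is not in combined format and must be skipped
203.0.113.7 - - [15/Feb/2006:09:30:41 -0700] "GET /about.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.9 - - [17/Feb/2006:23:59:59 -0700] "GET /index.php HTTP/1.1" 200 312 "-" "-"
"""


def parse_line(line: str) -> Optional[dict]:
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {
        "ip": m.group("ip"),
        "ts": ts,
        "req": m.group("req"),
        "status": int(m.group("status")),
    }


def first_seen(lines: Iterable[str]) -> Dict[str, Tuple[datetime, str]]:
    """Earliest timestamp (and the request made then) for every client address.

    Uses a minimum rather than the first line encountered, so rotated or
    concatenated logs that are out of order still give the right answer."""
    seen: Dict[str, Tuple[datetime, str]] = {}
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        current = seen.get(entry["ip"])
        if current is None or entry["ts"] < current[0]:
            seen[entry["ip"]] = (entry["ts"], entry["req"])
    return seen


def hits_for(lines: Iterable[str], ip: str) -> List[dict]:
    """All parsed entries from the given client address."""
    return [e for e in map(parse_line, lines) if e is not None and e["ip"] == ip]


def report(lines: List[str], indicator_ip: str) -> str:
    """One-line summary for an indicator address: first-seen time and hit count."""
    earliest = first_seen(lines)
    if indicator_ip not in earliest:
        return f"{indicator_ip}: not present"
    ts, req = earliest[indicator_ip]
    count = len(hits_for(lines, indicator_ip))
    return f"{indicator_ip}: first seen {ts.isoformat()} ({req}); {count} requests total"


if __name__ == "__main__":
    # Replace SAMPLE_LOG with open("/var/log/apache2/access.log") and the
    # placeholder address with the indicator from your own investigation.
    print(report(SAMPLE_LOG.splitlines(), "198.51.100.9"))
```

Run it against the real log (or several rotated logs concatenated) with the indicator address under investigation; the first-seen timestamp is what tells you whether the address predates the worm's public appearance, which is the question the post raises.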