Security Incidents mailing list archives
Re: Lion Worm/crew.tgz
From: Joshua Krage <jkrage () BUSER NET>
Date: Fri, 23 Mar 2001 17:40:51 -0500
On Fri, Mar 23, 2001 at 10:24:02AM -0700, Alfred Huger wrote:
> There is no t0rn rootkit involved and the root shell is on 1008 so their Lionfind may be misleading.
The initial exploit installs an inetd-based backdoor on 1008/tcp, as posted earlier. Once the rootkit is downloaded, however, additional backdoors are installed on the system. These are on 60008/tcp and 33567/tcp. The SSH backdoor runs on 33568/tcp. The SANS advisory just doesn't cover (yet) the initial attack sequence, just the analysis of the downloaded crew.tgz (aka 1i0n.tgz). What's also interesting about the exploit is that it uses a 53/udp DNS query packet to seed a /bin/sh, then push through the attack payload (Bash shell commands as previously posted) on an open 53/tcp session. Pretty interesting. I've been tracking the worm since late February when it attacked a client (unsuccessfully). So far, no variations have been noted among the 12+ unique sources that have launched it against my client. Activity has definitely increased over the past week. I'll see if I can get permission to post the sanitized TCPdump log, but that will take a few business days.
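As an added illustration (not part of this thread or any poster's code), a small Python check over constructed netstat and flow records for the two indicators the post describes: the backdoor listener ports, and a source that sends a 53/udp packet and then opens a 53/tcp session. The port numbers are taken from the post; the record formats and sample addresses are assumptions.

```python
# Defensive checks for the Lion worm indicators discussed in this thread.
# Constructed example; log formats and addresses are assumptions.
import re

# Backdoor listeners named in the post: inetd root shell on 1008/tcp,
# rootkit backdoors on 60008/tcp and 33567/tcp, SSH backdoor on 33568/tcp.
LION_BACKDOOR_PORTS = {1008, 60008, 33567, 33568}

# netstat -an style output, constructed for this example.
LISTENERS = """\
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:1008            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:33568           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
"""

# Flow summaries (timestamp, proto, source, dest port), constructed and
# already sorted by time, as a tcpdump digest might be.
FLOWS = [
    ("09:00:01", "udp", "192.0.2.10", 53),
    ("09:00:01", "tcp", "192.0.2.10", 53),
    ("09:05:00", "udp", "198.51.100.7", 53),   # ordinary DNS lookup only
    ("09:07:30", "tcp", "203.0.113.4", 53),    # tcp 53 with no prior udp 53
]

def suspicious_listeners(netstat_text):
    """Return listening TCP ports that match the Lion backdoor port set."""
    found = set()
    for line in netstat_text.splitlines():
        m = re.match(r"tcp\s+\d+\s+\d+\s+\S+:(\d+)\s+\S+\s+LISTEN", line)
        if m and int(m.group(1)) in LION_BACKDOOR_PORTS:
            found.add(int(m.group(1)))
    return found

def udp_then_tcp_53(flows):
    """Return sources that sent 53/udp and later opened 53/tcp, the initial
    attack sequence the post describes (flows assumed in time order)."""
    seen_udp = set()
    hits = []
    for _ts, proto, src, dport in flows:
        if dport != 53:
            continue
        if proto == "udp":
            seen_udp.add(src)
        elif proto == "tcp" and src in seen_udp and src not in hits:
            hits.append(src)
    return hits

if __name__ == "__main__":
    print("backdoor listeners:", sorted(suspicious_listeners(LISTENERS)))
    print("udp->tcp 53 sources:", udp_then_tcp_53(FLOWS))
```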