Security Incidents mailing list archives

Re: Lion Worm/crew.tgz


From: Joshua Krage <jkrage () BUSER NET>
Date: Fri, 23 Mar 2001 17:40:51 -0500

On Fri, Mar 23, 2001 at 10:24:02AM -0700, Alfred Huger wrote:
> There is no t0rn rootkit involved and the root shell is on 1008 so their
> Lionfind may be misleading.

The initial exploit installs an inetd-based backdoor on 1008/tcp, as
posted earlier.

Once the rootkit is downloaded, however, additional backdoors are installed
on the system.  These are on 60008/tcp and 33567/tcp.

The SSH backdoor runs on 33568/tcp.

The SANS advisory just doesn't cover (yet) the initial attack sequence,
just the analysis of the downloaded crew.tgz (aka 1i0n.tgz).

What's also interesting about the exploit is that it uses a 53/udp DNS
query packet to seed a /bin/sh, then push through the attack payload
(Bash shell commands as previously posted) on an open 53/tcp session.
Pretty interesting.

I've been tracking the worm since late February when it attacked a client
(unsuccessfully).  So far, no variations have been noted among the 12+ unique
sources that have launched it against my client.  Activity has definitely
increased over the past week.

I'll see if I can get permission to post the sanitized TCPdump log, but
that will take a few business days.
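The indicators in the post above (listeners on the 1008, 60008, 33567 and 33568/tcp backdoor ports, and the 53/udp probe followed by a 53/tcp session against the same host) turned into a small detection pass over capture logs. This is an added example, not code from the original thread; it assumes `tcpdump -tt`-style lines with epoch timestamps, treats the presence of `Flags [` as the tcp/udp discriminator, uses an assumed 120-second pairing window, and the sample lines are constructed.

```python
import re

# Backdoor ports named in the thread: inetd shell, two rootkit backdoors, SSH backdoor.
BACKDOOR_PORTS = {1008, 60008, 33567, 33568}
PAIR_WINDOW = 120.0  # seconds allowed between udp/53 probe and tcp/53 session (assumption)

# "<epoch> IP <src>.<sport> > <dst>.<dport>: <rest>"  (tcpdump -tt -n style, assumed)
LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<rest>.*)$"
)

def parse(line):
    """Return (ts, src, dst, dport, proto) or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Heuristic: tcpdump prints "Flags [...]" for TCP segments only.
    proto = "tcp" if "Flags [" in m.group("rest") else "udp"
    return (float(m.group("ts")), m.group("src"), m.group("dst"), int(m.group("dport")), proto)

def find_backdoor_connects(lines):
    """(src, dst, port) for every TCP packet aimed at a known Lion backdoor port."""
    hits = []
    for rec in filter(None, map(parse, lines)):
        ts, src, dst, dport, proto = rec
        if proto == "tcp" and dport in BACKDOOR_PORTS:
            hits.append((src, dst, dport))
    return hits

def find_dns_attack_sequence(lines):
    """(src, dst) pairs where a 53/udp packet is followed by a 53/tcp session
    from the same source to the same host within PAIR_WINDOW seconds."""
    last_udp, found = {}, set()
    for rec in filter(None, map(parse, lines)):
        ts, src, dst, dport, proto = rec
        if dport != 53:
            continue
        if proto == "udp":
            last_udp[(src, dst)] = ts
        elif (src, dst) in last_udp and ts - last_udp[(src, dst)] <= PAIR_WINDOW:
            found.add((src, dst))
    return sorted(found)

# Constructed sample capture (documentation address ranges, not real traffic).
SAMPLE = """\
1000.10 IP 203.0.113.7.1025 > 192.0.2.10.53: 12345+ A? x.example. (26)
1001.50 IP 203.0.113.7.1026 > 192.0.2.10.53: Flags [S], seq 1, win 512, length 0
1002.00 IP 203.0.113.7.1027 > 192.0.2.10.1008: Flags [S], seq 2, win 512, length 0
1500.00 IP 198.51.100.3.2000 > 192.0.2.10.53: 44+ A? mail.example. (30)
2000.00 IP 198.51.100.3.2001 > 192.0.2.10.80: Flags [S], seq 3, win 512, length 0
""".splitlines()
```

Only the first source trips both checks; the second issues a normal DNS lookup and never opens 53/tcp, so it is not reported.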

