Security Incidents mailing list archives

Re: BIND worm.

From: "Carl A. Adams" <carlalex () RECOURSE COM>
Date: Fri, 23 Mar 2001 16:10:37 -0800

Andreas Östling wrote:


On Thursday 22 March 2001 12:19,  Scott A. McIntyre wrote:

I'm wondering how many others have seen sign of what appears to be a
BIND based worm attack that's been passing through here lately.


I've seen it.
After the actual BIND exploit, here is what it sends (to port 53/TCP):


[ . . . ]

You can grab the kit from the URL above if you want to analyse it further.
I have a local copy of it if it isn't available there anymore.

Regards,
Andreas Östling




It still seems to be up there despite this exploit now having gained /.
fame; Apparently it's being mated with t0rnkit, but that's not in the
crew.tgz, nor is it redially apparent from anything in the crew file
where it gets it from.   I have binary copies of both t0rn and 1i0n, but
was wondering if anyone has seen src code floating around for either of
these for analysis?

Sincerely,


   --- Carl




--
Carl A. Adams
Munitions Engineer, Recourse Technologies Inc.
carlalex () recourse com
650.381.8099

Current thread:

BIND worm. Scott A. McIntyre (Mar 22)
- Re: BIND worm. Neil Davey (Mar 23)
- Re: BIND worm. Andreas Östling (Mar 23)
  - Re: BIND worm. Carl A. Adams (Mar 23)
- <Possible follow-ups>
- Re: BIND worm. Booth, David CWT-MSP (Mar 23)