Security Incidents mailing list archives
Re: BIND worm.
From: "Carl A. Adams" <carlalex () RECOURSE COM>
Date: Fri, 23 Mar 2001 16:10:37 -0800
Andreas Östling wrote:
On Thursday 22 March 2001 12:19, Scott A. McIntyre wrote:
I'm wondering how many others have seen sign of what appears to be a BIND based worm attack that's been passing through here lately.
I've seen it. After the actual BIND exploit, here is what it sends (to port 53/TCP):
[ . . . ]
You can grab the kit from the URL above if you want to analyse it further. I have a local copy of it if it isn't available there anymore.
Regards,
Andreas Östling
It still seems to be up there despite this exploit now having gained /. fame; apparently it's being mated with t0rnkit, but that's not in the crew.tgz, nor is it readily apparent from anything in the crew file where it gets it from.
I have binary copies of both t0rn and 1i0n, but was wondering if anyone has seen src code floating around for either of these for analysis?
Sincerely,
--- Carl
--
Carl A. Adams
Munitions Engineer, Recourse Technologies Inc.
carlalex () recourse com
650.381.8099