Security Incidents mailing list archives

Re: Lion Worm/crew.tgz


From: "Michael H. Warfield" <mhw () WITTSEND COM>
Date: Fri, 23 Mar 2001 16:07:31 -0500

On Fri, Mar 23, 2001 at 10:24:02AM -0700, Alfred Huger wrote:
> Neil Long <neil.long () computing-services oxford ac uk> mailed me and
> mentioned that it might be worth pointing out that the SANS GIAC analysis
> is not valid for the crew.tgz version that was sent to Incidents by
> Andreas Östling <andreaso () IT SU SE>
>
> There is no t0rn rootkit involved and the root shell is on 1008 so their
> Lionfind may be misleading.

        The "crew.tgz" egg that can be downloaded from coollion.51.net
does not have the t0rn root kit.  However, I have had one individual
provide me a copy of a "crew.tgz" egg which very definitely DID contain
the t0rn root kit in a directory lib/lib.  What's on the URL
http://coollion.51.net/crew.tgz seems to be roughly (some differences
in a couple of the scripts, I believe) the contents of the lib/scan
directory in the bigger egg (the one with t0rn included).

        I've now got copies of both.

> Of course, there could be half a dozen variants on the loose by this stage.

        The nasty one appears to be the bigger one.  What its exact
point of origin is and how it is propagating is open to analysis.
The worm doesn't appear to be erecting an egg server, unless it's buried
in that ssh trojan that it's firing up.

> VP Engineering
> SecurityFocus.com
> "Vae Victis"

        Mike
--
 Michael H. Warfield    |  (770) 985-6132   |  mhw () WittsEnd com
  (The Mad Wizard)      |  (678) 463-0932   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!
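The following triage helper is an added example written for this archive page; it is not code from the thread, from SANS GIAC, or from Lionfind. It encodes only the indicators the mail itself names: a `lib/lib` directory marks the bigger, t0rn-carrying egg, an archive that merely resembles the `lib/scan` contents is the smaller one, and a listener on port 1008 is the root shell that Lionfind may miss. The sample tarballs and netstat lines are constructed placeholders, and the Linux `netstat -an` column layout is an assumption.

```python
from __future__ import annotations

import io
import re
import tarfile

# Indicators taken from the thread. Nothing beyond these paths and this port
# is known from the mail; everything else in this file is constructed.
T0RN_DIR = "lib/lib/"        # bigger egg: t0rn root kit lives here
SCAN_DIR = "lib/scan/"       # smaller egg roughly equals this directory
ROOT_SHELL_PORT = 1008       # root shell port named in the thread


def build_tarball(files: dict[str, bytes]) -> bytes:
    """Build a gzip tarball in memory from {path: content} (constructed sample data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for path, content in files.items():
            info = tarfile.TarInfo(name=path)
            info.size = len(content)
            tf.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def archive_members(data: bytes) -> list[str]:
    """List member paths of a gzip tarball without extracting anything to disk."""
    names = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tf:
        for member in tf.getmembers():
            name = member.name
            if name.startswith("./"):
                name = name[2:]
            names.append(name)
    return names


def classify_egg(data: bytes) -> dict:
    """Report which of the two crew.tgz layouts from the thread an archive resembles."""
    members = archive_members(data)
    has_t0rn = any(m.startswith(T0RN_DIR) for m in members)
    has_scan = any(m.startswith(SCAN_DIR) for m in members)
    variant = "big egg (t0rn under lib/lib)" if has_t0rn else "scan-only egg (no lib/lib)"
    return {
        "members": len(members),
        "has_t0rn": has_t0rn,
        "has_scan_dir": has_scan,
        "variant": variant,
    }


# One listening TCP socket per line, in the column layout of Linux `netstat -an`.
_LISTEN_RE = re.compile(r"^tcp6?\s+\d+\s+\d+\s+\S+:(\d+)\s+\S+\s+LISTEN\s*$", re.M)


def listening_ports(netstat_output: str) -> set[int]:
    """Extract the local ports of every LISTEN line in netstat output."""
    return {int(p) for p in _LISTEN_RE.findall(netstat_output)}


def root_shell_port_open(netstat_output: str) -> bool:
    """True when the port the thread associates with the root shell is listening."""
    return ROOT_SHELL_PORT in listening_ports(netstat_output)


# Constructed samples: placeholder contents only, no real tool or rootkit files.
BIG_EGG = build_tarball({
    "lib/lib/README": b"constructed placeholder standing in for the t0rn files\n",
    "lib/scan/scan.sh": b"#!/bin/sh\n# constructed placeholder\n",
})
SMALL_EGG = build_tarball({
    "scan.sh": b"#!/bin/sh\n# constructed placeholder\n",
})
NETSTAT_SAMPLE = """\
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:1008            0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:22             10.0.0.9:40212          ESTABLISHED
"""

if __name__ == "__main__":
    print("big egg:  ", classify_egg(BIG_EGG))
    print("small egg:", classify_egg(SMALL_EGG))
    print("port 1008 listening:", root_shell_port_open(NETSTAT_SAMPLE))
```

The archive is inspected through member names only, so nothing from a suspect egg is ever extracted; pair the tarball check with the listener check, since the thread's point is that a host without the t0rn directory can still be carrying the root shell on 1008.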

