Re: Lion Worm/crew.tgz

["Michael H. Warfield" <mhw () WITTSEND COM>]

On Sat, Mar 24, 2001 at 11:16:40AM +0100, Andreas Östling wrote:
> On Fri, 23 Mar 2001, Michael H. Warfield wrote:
> >     The "crew.tgz" egg that can be downloaded from coollion.51.net
> > does not have the t0rn root kit.  However, I have had one individual
> > provide me a copy of a "crew.tgz" egg which very definitely DID contain
> > the t0rn root kit in a directory lib/lib.  What's on the URL
> > http://coollion.51.net/crew.tgz seems to be roughly (some differences
> > in a couple of the scripts, I believe) the contents of the lib/scan
> > directory in the bigger egg (the one with t0rn included).

> >     I've now got copies of both.

> This is very confusing.
> Since you have two different versions, could you make them both available
> for download somewhere?

> Here is the content of the http://coollion.51.net/crew.tgz version I
> dowloaded Mar 22 09:09.

> $ tar tzvf crew.tgz
> drwxr-xr-x root/root         0 2001-02-26 00:31:51 lib/
> drwxr-xr-x root/root         0 2001-02-26 01:46:52 lib/scan/
> -rwxr-xr-x root/root       122 2001-02-26 01:46:39 lib/scan/1i0n.sh
> -rwxr-xr-x root/root        85 2001-02-21 04:22:10 lib/scan/hack.sh
> -rwxrwxr-x root/root     19033 2001-02-26 01:43:52 lib/scan/bind
> -rwxr-xr-x root/root     12331 2001-01-12 05:34:33 lib/scan/randb
> -rwxr-xr-x root/root        70 2001-02-21 04:22:44 lib/scan/scan.sh
> -rwxr-xr-x root/root     15715 2001-02-18 20:35:29 lib/scan/pscan
> -rwxr-xr-x root/root       114 2001-02-21 04:22:59 lib/scan/star.sh
> -rwxr-xr-x root/root        40 2001-02-21 04:21:50 lib/scan/bindx.sh
> -rw-rw-r-- root/root         0 2001-02-26 01:45:08 lib/scan/bindname.log
> -rwxr-xr-x root/root        53 2001-02-25 22:30:17 lib/1i0n.sh
> drwx------ root/root         0 2001-02-25 22:49:27 lib/lib/
> -rwxr-xr-x root/root     53364 2000-02-27 18:44:41 lib/lib/netstat
> drwxr-xr-x root/root         0 2001-02-20 19:43:41 lib/lib/dev/
> -rw-r--r-- xd_zhao/xd_zhao  75 2001-02-25 22:23:51 lib/lib/dev/.1addr
> -rw-r--r-- xd_zhao/xd_zhao  34 2001-02-21 02:21:10 lib/lib/dev/.1logz
> -rw-r--r-- xd_zhao/xd_zhao 158 2001-02-25 22:26:55 lib/lib/dev/.1proc
> -rw-r--r-- xd_zhao/xd_zhao 117 2001-02-25 22:25:08 lib/lib/dev/.1file
> -rwxr-xr-x root/root      6948 2000-02-27 18:44:41 lib/lib/t0rns
> -rwxr-xr-x root/root     22460 2000-02-27 18:44:41 lib/lib/du
> -rwxr-xr-x root/root     39484 2000-02-27 18:44:41 lib/lib/ls
> -rwxr-xr-x root/root      1345 2000-02-27 18:44:41 lib/lib/t0rnsb
> -rwxr-xr-x root/root     31336 2000-02-27 18:44:41 lib/lib/ps
> -rwxr-xr-x root/root      7578 2000-02-27 18:44:41 lib/lib/t0rnp
> -rwxr-xr-x root/root     57452 2000-02-27 18:44:41 lib/lib/find
> -rwxr-xr-x root/root     32728 2000-02-27 18:44:41 lib/lib/ifconfig
> -rwxr-xr-x root/root      4568 2000-02-27 18:44:41 lib/lib/pg
> -rw-r--r-- root/root    100424 2000-02-27 18:44:41 lib/lib/ssh.tgz
> -rwxr-xr-x root/root    266140 2000-02-27 18:44:41 lib/lib/top
> -rwxr-xr-x root/root      1382 2000-02-27 18:44:41 lib/lib/sz
> -rwxr-xr-x root/root      3964 2000-02-27 18:44:41 lib/lib/login
> -rwxr-xr-x root/root      6408 2000-02-27 18:44:41 lib/lib/in.fingerd
> -rwxr-xr-x root/root      8445 2001-02-25 23:12:08 lib/lib/1i0n.sh
> -rwxr-xr-x root/root     13184 2000-02-27 18:44:41 lib/lib/pstree
> -rwxr-xr-x root/root     35100 2000-02-27 18:44:41 lib/lib/in.telnetd
> -rwxr-xr-x root/root     16634 2000-02-27 18:44:41 lib/lib/mjy
> -rwsr-xr-x root/root     11934 2000-02-27 18:44:41 lib/lib/sush
> -rwxr-xr-x root/root     33820 2000-02-27 18:44:41 lib/lib/tfn
> -rwxr-xr-x root/root     19085 2000-02-27 18:44:41 lib/lib/name
> -rwxr-xr-x root/root       886 2001-02-25 22:48:32 lib/lib/getip.sh


        Ok...  I think this explains my mystery then.  The egg on
coollion.51.net has obviously been changed or delivered differently
and resulted in different people getting different eggs.  I learned of
the smaller egg from another researcher at ICSA.  We traded eggs and he
told me that HE got HIS from coollion.51.net.  I then downloaded the
same thing and got what he got.  I got the SMALL egg from coollion.51.net
which only comprised what's in the "/lib/scan/" directory in your listing
above and was identical to what he downloaded.  You've apparently downloaded
the big egg from coollion.51.net.  You downloaded yours on March 22 while
we each downloaded ours on March 23.  I received the big egg on the night
of March 22.  Looks like maybe someone jerked the egg with the t0rn rootkit
off line and replaced it with the smaller one.

        What's interesting is that if you examine the three "1i0n.sh"
scripts in the big one you realize it's a "piggy back".  You always
execute the 1i0n.sh script.  If it's the small egg, that's all it is.
If it's the big egg, it's the same name, just a different script and it
then executes the same name in each of the two subdirectories.  So the
"bind" exploit doesn't change but both eggs work and the small egg is
just a simple subset of the big egg.

        I wonder why the big one got pulled...

> Regards,
> Andreas Östling

        Mike
--
 Michael H. Warfield    |  (770) 985-6132   |  mhw () WittsEnd com
  (The Mad Wizard)      |  (678) 463-0932   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!