[ale] Lion worm and Linux

Armsby John-G16665 John.Armsby at motorola.com
Tue Mar 27 10:30:43 EST 2001


My group has an apache server running on Unix.  Our IT organization did not know if it was a Linux server or what and sent this note to me.  As it turns out my server is probably not affected (HP).  Is this data old news?  I thought I would throw it out...  I have read that "older" versions of BIND had problems but don't recall which latest version is "safe".....


BIND VULNERABILITY INFORMATION:
===============================

- http://www.cert.org/advisories/CA-2001-02.html


SANS BULLETIN on THE "LION" WORM
==============================

DESCRIPTION

The Lion worm is similar to the Ramen worm. However, this worm is
significantly more dangerous and should be taken very seriously.  It
infects Linux machines running the BIND DNS server.  It is known to
infect bind version(s) 8.2, 8.2-P1, 8.2.1, 8.2.2-Px, and all
8.2.3-betas. The specific vulnerability used by the worm to exploit
machines is the TSIG vulnerability that was reported on January 29,
2001.

The Lion worm spreads via an application called "randb".  Randb scans
random class B networks probing TCP port 53. Once it hits a system, it
checks to see if it is vulnerable. If so, Lion exploits the system using
an exploit called "name".  It then installs the t0rn rootkit.

Once Lion has compromised a system, it:

- Sends the contents of /etc/passwd, /etc/shadow, as well as some
network settings to an address in the china.com domain.
- Deletes /etc/hosts.deny, eliminating the host-based perimeter
protection afforded by tcp wrappers.
- Installs backdoor root shells on ports 60008/tcp and 33567/tcp (via
inetd, see /etc/inetd.conf)
- Installs a trojaned version of ssh that listens on 33568/tcp
- Kills syslogd, so the logging on the system can't be trusted
- Installs a trojaned version of login
- Looks for a hashed password in /etc/ttyhash
- /usr/sbin/nscd (the optional Name Service Caching daemon) is
overwritten with a trojaned version of ssh.

The t0rn rootkit replaces several binaries on the system in order to
stealth itself. Here are the binaries that it replaces:

du, find, ifconfig, in.telnetd, in.fingerd, login, ls, mjy, netstat,
ps, pstree, top

- "Mjy" is a utility for cleaning out log entries, and is placed in /bin
and /usr/man/man1/man1/lib/.lib/.
- in.telnetd is also placed in these directories; its use is not known
at this time.
- A setuid shell is placed in /usr/man/man1/man1/lib/.lib/.x

DETECTION AND REMOVAL

We have developed a utility called Lionfind that will detect the Lion
files on an infected system.  Simply download it, uncompress it, and
run lionfind.  This utility will list which of the suspect files is on
the system.

At this time, Lionfind is not able to remove the virus from the system.
If and when an updated version becomes available (and we expect to
provide one), an announcement will be made at this site.

Download Lionfind at http://www.sans.org/y2k/lionfind-0.1.tar.gz



John 
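As an added example (not the original post's code and not SANS's Lionfind), a small POSIX shell script that checks a host for the indicators the bulletin names: the dropped files, the deleted /etc/hosts.deny, and the backdoor ports in LISTEN state, read from /proc/net/tcp rather than through the netstat binary the bulletin says t0rn replaces. The paths and ports are taken from the bulletin; the /proc/net/tcp layout and the optional ROOT prefix for checking a mounted image are assumptions.

```shell
#!/bin/sh
# Added example (not SANS's Lionfind): check a host, or a mounted image
# under ROOT, for the Lion/t0rn indicators the bulletin lists. Assumes
# the Linux /proc/net/tcp layout.

# Paths the bulletin says Lion/t0rn drops or uses.
LION_PATHS="/usr/man/man1/man1/lib/.lib/.x
/usr/man/man1/man1/lib/.lib
/bin/mjy
/etc/ttyhash"

# Backdoor root shells (60008, 33567) and the trojaned ssh (33568).
LION_PORTS="60008 33567 33568"

# Print every Lion path that exists under ROOT ("" means "/").
lion_file_indicators() {
    root=${1:-}
    printf '%s\n' "$LION_PATHS" | while IFS= read -r p; do
        [ -e "$root$p" ] && printf '%s\n' "$root$p" || true
    done
}

# Lion deletes /etc/hosts.deny to disable tcp wrappers, so "missing"
# on a host that normally ships one is itself an indicator.
lion_hosts_deny() {
    if [ -e "${1:-}/etc/hosts.deny" ]; then echo present; else echo missing; fi
}

# Print Lion backdoor ports found in LISTEN state. Reads the /proc/net/tcp
# table directly instead of running netstat, which t0rn replaces.
lion_listen_ports() {
    tcpfile=${1:-/proc/net/tcp}
    # field 2 is local addr:port in hex, field 4 is the state (0A = LISTEN)
    awk 'NR > 1 && $4 == "0A" { split($2, a, ":"); print a[2] }' "$tcpfile" |
    while IFS= read -r hex; do
        port=$((0x$hex))
        for bad in $LION_PORTS; do
            [ "$port" -eq "$bad" ] && printf '%s\n' "$port" || true
        done
    done
}

# Run all three checks against the live system.
lion_report() {
    echo "suspect files:";      lion_file_indicators
    echo "hosts.deny:";         lion_hosts_deny
    echo "backdoor listeners:"; lion_listen_ports
}
```

Run `lion_report` as root on the suspect host; an empty file list, a present hosts.deny and no listeners is the clean result, but since t0rn replaces ls, find and ps too, run it from a known-good shell and binaries (for example from a rescue boot with the disk mounted and passed as ROOT).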