
[LUNI]/[DEB_SEC]lscan-worm sambal-worm



Connecting to one of my machines seemed slow, so I did a quick top.

Sitting at the top of the list was a process called lscan-worm.
That made me nervous, though it boggled my mind that anyone running a worm
would actually CALL it that...

A Google search produced no hits, but a Google Groups search found me this
thread:
http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&threadm=3EB0672F.7080702%40SPAMMERS.hotmail.com&rnum=1&prev=/groups%3Fq%3D%2522lscan-worm%2522%26hl%3Den%26lr%3D%26ie%3DUTF-8%26selm%3D3EB0672F.7080702%2540SPAMMERS.hotmail.com%26rnum%3D1
Dated Apr 30th.

Code for the program lscan here:
http://www.dsinet.org/tools/network-scanners/lscan.c


locate worm
found /usr/lib/lscan-worm and /usr/lib/samba1-worm.

I tried just killing lscan, and while it died, it respawned moments later.
I moved /usr/lib/lscan-worm and /usr/lib/samba1-worm to different names,
killed the process again and it seems to have stayed dead.

chkrootkit does not warn of anything except 2 processes hidden from ls in
/proc, but that is so often a false positive I don't know how much credit
to give it.

I was running samba, but it is now purged (probably should have waited - oh
well).

The system is running Sarge/Debian on an x86, with a couple of unofficial
sources - merillat mostly. I'm running someone's totally unofficial
MozillaFirebird.deb.


So, has anyone seen this before or have any suggestions besides nuke and
re-install? (Probably will, but would like to do a bit of post-mortem first
and see if it is necessary.)

Update: Looks like I was hacked by someone who used the username arpa;
he/she/it stashed their crap in /tmp and was downloading porn and some
other exploit software there. Not sure where they first got in yet,
though.

So I guess this is a warning that SOMETHING in sarge is insecure.

If I find out any more I will post more.

My apologies to those who get this message twice in the Chicago area :(

 --
David Ehle
Computing Systems Manager
CAPP CSRRI
rm 077
LS Bld. IIT Main Campus
Chicago IL 60614
ehle@iit.edu
312-567-3751




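The post mentions chkrootkit reporting processes "hidden from ls in /proc" and doubts whether to trust it. The check itself is simple enough to reproduce by hand, which helps when deciding whether a hit is real: list the numeric entries in /proc, list the PIDs ps reports, and look for anything present in the first set but missing from the second. The script below is an added example written for this page, not code from the original post or from chkrootkit; the function names (compare_pids, hidden_pids_live) and the sample PID lists are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post or chkrootkit): a minimal version
# of the "processes hidden from ps" check, split so the comparison logic can
# be run on constructed input as well as on the live system.

# compare_pids PROC_LIST PS_LIST
# Both arguments are whitespace-separated PID lists. Prints, one per line and
# sorted numerically, every PID that appears in PROC_LIST but not in PS_LIST,
# i.e. visible as a /proc entry but absent from ps output.
compare_pids() {
    proc_list=$1
    ps_list=$2
    for pid in $proc_list; do
        case " $ps_list " in
            *" $pid "*) ;;        # ps reported this PID: nothing to flag
            *) echo "$pid" ;;     # present in /proc, missing from ps
        esac
    done | sort -n
}

# Gather the two snapshots from the running system and compare them.
# Short-lived processes that exit between the ls and the ps are the usual
# benign explanation for a hit, so repeat the check several times before
# treating a PID as genuinely hidden; a PID that is reported consistently,
# and whose /proc/<pid>/exe or cmdline you cannot account for, is the one
# worth investigating further.
hidden_pids_live() {
    proc_pids=$(ls /proc 2>/dev/null | grep -E '^[0-9]+$' | tr '\n' ' ')
    ps_pids=$(ps -eo pid= | tr -s ' \n' ' ')
    compare_pids "$proc_pids" "$ps_pids"
}

# Constructed sample: /proc shows four PIDs, ps only reports three of them.
SAMPLE_PROC="1 200 4321 9999"
SAMPLE_PS="1 200 9999"

if [ "${1:-}" = "--live" ]; then
    echo "PIDs present in /proc but missing from ps:"
    hidden_pids_live
else
    echo "PIDs hidden in the constructed sample (expect 4321):"
    compare_pids "$SAMPLE_PROC" "$SAMPLE_PS"
fi
```

Run it with no arguments to see the comparison on the constructed sample, or with --live to compare the real /proc against ps on the machine. Note that this only catches the crude hiding technique of removing entries from ps output; a kernel-level rootkit that also filters /proc directory listings will not show up here, which is one reason a post-mortem from a clean boot medium is still the more reliable check.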