Re: Lion Worm
If you check the "bind worm" thread, you will see that an updated
version of bind is at security.debian.org. There are other important
security fixes there as well. IMHO, all potato users should add the
following to their /etc/apt/sources.list:
deb http://security.debian.org/ potato/updates main contrib non-free
If you check the pages at http://security.debian.org, you will find
more information about this and other security alerts.
Bob
On Fri, Mar 23, 2001 at 08:24:38PM -0600, Shawn Yarbrough wrote:
> I'm using Debian stable (Debian 2.2 upgraded with current upgrades using
> dselect over apt-get).
>
> This new "Lion Worm" is spreading rapidly over the internet and appears
> to successfully attack all Linux systems running certain versions of
> BIND, both old and relatively new. BIND 8.2.2, (the Debian stable
> version of BIND?), is listed as one of the affected versions in this
> security advisory:
> http://www.sans.org/y2k/lion.htm
>
> Can anybody tell me if Debian's BIND is in danger from the Lion Worm?
>
> The exact BIND version listed in dselect is 8.2.2p7-1. This package is
> described here:
> http://packages.debian.org/stable/net/bind.html
>
> What little BIND security info I found on the Debian website is here:
> http://lists.debian.org/debian-security-announce-01/msg00019.html
> http://lists.debian.org/debian-user-0101/msg05121.html
>
> I'm attaching a copy of the security advisory below.
>
> Shawn Yarbrough
> shawn@nailstorm.com
>
> http://www.sans.org/y2k/lion.htm
>
> Description
> Please note that this is a preliminary, and currently incomplete,
> characterization of the Lion worm. We are making this version available
> to provide at least some notice about the worm. Please check back over
> the next few days as the information is made more complete.
>
> Lion is a new worm that is very similar to the Ramen worm. However, this
> worm is much more dangerous and should be taken seriously. It infects
> Linux machines with the BIND DNS server running. It is known to infect
> bind version(s) 8.2, 8.2-P1, 8.2.1, 8.2.2-Px, and all 8.2.3-betas. The
> bind vulnerability is the TSIG vulnerability that was reported back on
> January 29, 2001.
>
> The Lion worm spreads via an application called randb. randb scans
> random class B networks probing TCP port 53. Once it hits a system, it
> then checks to see if that system is vulnerable. If so, it then exploits
> the system using the exploit called name. It then installs the t0rn
> rootkit.
>
> Once it has entered the system, it sends off the contents of
> /etc/passwd, /etc/shadow, and some network settings to an address in the
> china.com domain. It deletes /etc/hosts.deny, lowering some of the
> built-in protection afforded by tcp wrappers. Ports 60008/tcp and
> 33567/tcp get a backdoor root shell (via inetd, see /etc/inetd.conf),
> and a trojaned version of ssh gets placed on 33568/tcp. Syslogd is
> killed, so the logging on the system can't be trusted.
>
> A trojaned version of login is installed. It looks for a hashed password
> in /etc/ttyhash. /usr/sbin/nscd (the optional Name Service Caching
> daemon) is overwritten with a trojaned version of ssh.
>
> The t0rn rootkit replaces several binaries on the system in order to
> hide itself. Here are the binaries that it replaces:
> du
> find
> ifconfig
> in.telnetd
> in.fingerd
> login
> ls
> mjy
> netstat
> ps
> pstree
> top
>
> Mjy, a utility for cleaning out log entries, is placed in /bin and
> /usr/man/man1/man1/lib/.lib/. in.telnetd is also placed in these
> directories; its use is not known at this time. A setuid shell is placed
> in /usr/man/man1/man1/lib/.lib/.x
>
> Detection
> We have developed a utility called Lionfind that will detect the Lion
> files on an infected system. Simply download it, uncompress it, and run
> lionfind. It will list which of the suspect files is on the system.
>
> Snort rule to detect lion:
> activate udp any any -> any 53 (msg:"Bind Tsig Overflow Attempt"; content:"|80 00 07 00 00 00 00 00 01 3F 00 01 02|/bin/sh"; tag: host, 300, seconds, src;)
>
> Removal
> At this time, Lionfind is not able to remove the virus from the system.
> If and when an updated version becomes available (and we expect to
> provide one), an announcement will be made at this site.
>
> Download Lionfind Here!
>
> References
> Further information can be found at:
> http://www.sans.org/current.htm
> http://www.cert.org/advisories/CA-2001-02.html, CERT Advisory CA-2001-02,
> Multiple Vulnerabilities in BIND
> http://www.kb.cert.org/vuls/id/196945 ISC BIND 8 contains buffer overflow
> in transaction signature (TSIG) handling code
> http://www.sans.org/y2k/t0rn.htm Information about the t0rn rootkit.
> The following vendor update pages may help you in fixing the original
> BIND vulnerability:
--
Bob Nielsen, N7XY nielsen@oz.net
Bainbridge Island, WA http://www.oz.net/~nielsen
IOTA NA-065, USI WA-028S