[linux-elitists] BIND does it again

Dan Wilder dan@ssc.com
Fri Mar 23 09:51:54 PST 2001


Well not really again.  New exploit, old bug.  But BIND does it.  
There's a major worm on the loose:

>Date: Fri, 23 Mar 2001  9:18:30 -0700 (MST) 
>From: The SANS Institute <securityalert@sans.org>
>Subject: ALERT -  A DANGEROUS NEW WORM IS SPREADING ON THE INTERNET

[ ... ]

> Once Lion has compromised a system, it:

> - Sends the contents of /etc/passwd, /etc/shadow, as well as some
> network settings to an address in the china.com domain.
> - Deletes /etc/hosts.deny, eliminating the host-based perimeter
> protection afforded by tcp wrappers.
> - Installs backdoor root shells on ports 60008/tcp and 33567/tcp (via
> inetd, see /etc/inetd.conf)
> - Installs a trojaned version of ssh that listens on 33568/tcp
> - Kills Syslogd, so the logging on the system can't be trusted
> - Installs a trojaned version of login
> - Looks for a hashed password in /etc/ttyhash
> - /usr/sbin/nscd (the optional Name Service Caching daemon) is
> overwritten with a trojaned version of ssh.

http://www.sans.org/current.htm

-- 
-----------------------------------------------------------------
 Dan Wilder <dan@ssc.com>     Technical Manager & Correspondent
 SSC, Inc. P.O. Box 55549     Phone:  206-782-7733 x123
 Seattle, WA  98155-0549      URL    http://www.linuxjournal.com/
-----------------------------------------------------------------
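
A read-only check for the artifacts listed in the quoted alert, added here as an example (it is not part of the original post or of the SANS alert). The ports and paths are the alert's; the function names and output strings are invented for this example, and resolving inetd service names through /etc/services is an assumption about how the backdoor entries might be written.

```shell
#!/bin/sh
# Added example: look for the Lion artifacts listed in the alert.
# Ports and paths come from the alert; function names are made up here.
LION_PORTS="60008 33567 33568"

# lion_files ROOT: inspect a filesystem tree ("/" or a mounted disk image).
lion_files() {
    root="${1%/}"
    [ -e "$root/etc/hosts.deny" ] || echo "MISSING /etc/hosts.deny"
    [ ! -e "$root/etc/ttyhash" ] || echo "PRESENT /etc/ttyhash"
    [ -r "$root/etc/inetd.conf" ] || return 0
    for port in $LION_PORTS; do
        # inetd.conf names a service by number or by its /etc/services name
        # (assumption: either form may have been used for the backdoor lines)
        names=$(awk -v p="$port/tcp" '$1 !~ /^#/ && $2 == p { print $1 }' \
            "$root/etc/services" 2>/dev/null || true)
        for svc in $port $names; do
            if awk -v s="$svc" \
                '$1 == s && $3 == "tcp" { hit = 1 } END { exit !hit }' \
                "$root/etc/inetd.conf"; then
                echo "INETD $port/tcp as '$svc'"
            fi
        done
    done
}

# lion_listeners: read `netstat -ltn` or `ss -ltn` output on stdin and report
# listeners on the alert's ports (local address is field 4 in both formats).
lion_listeners() {
    awk -v ports="$LION_PORTS" '
        BEGIN { n = split(ports, p, " ")
                for (i = 1; i <= n; i++) want[p[i]] = 1 }
        { k = split($4, a, ":")
          if (a[k] in want) print "LISTEN " a[k] "/tcp" }'
}
```

Run `lion_files /` and `netstat -ltn | lion_listeners` on a live host, or point `lion_files` at a mounted image. Because the alert says syslogd is killed and login is trojaned, a clean result produced on the suspect host itself does not show the host is clean.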


