[linux-elitists] BIND does it again
Fri Mar 23 11:46:57 PST 2001
On Fri, Mar 23, 2001 at 09:51:54AM -0800, Dan Wilder wrote:
> Well not really again. New exploit, old bug. But BIND does it.
> There's a major worm on the loose:
> >Date: Fri, 23 Mar 2001 9:18:30 -0700 (MST)
> >From: The SANS Institute <firstname.lastname@example.org>
> >Subject: ALERT - A DANGEROUS NEW WORM IS SPREADING ON THE INTERNET
> [ ... ]
> > Once Lion has compromised a system, it:
> > - Sends the contents of /etc/passwd, /etc/shadow, as well as some
> > network settings to an address in the china.com domain.
> > - Deletes /etc/hosts.deny, eliminating the host-based perimeter
> > protection afforded by tcp wrappers.
Nice try, but you can deny things in /etc/hosts.allow :-)
> > - Installs backdoor root shells on ports 60008/tcp and 33567/tcp (via
> > inetd, see /etc/inetd.conf)
> > - Installs a trojaned version of ssh that listens on 33568/tcp
> > - Kills Syslogd, so the logging on the system can't be trusted
> > - Installs a trojaned version of login
> > - Looks for a hashed password in /etc/ttyhash
> > - /usr/sbin/nscd (the optional Name Service Caching daemon) is
> > overwritten with a trojaned version of ssh.
Anyway, this sucks, but that will hopefully teach people to keep on top of
Microsoft is to operating systems & security ....
.... what McDonalds is to gourmet cooking
Home page: http://marc.merlins.org/ | Finger email@example.com for PGP key
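
An added example (not part of the original post or of the SANS alert): a POSIX shell function that checks a filesystem tree for the file and port indicators listed in the quoted alert. The function names `lion_check` and `lion_sample_tree` are this example's own, and the sample inetd.conf and /proc/net/tcp lines are constructed, not captured from an infected host.

```shell
#!/bin/sh
# Added example: check a filesystem tree for the Lion indicators listed in
# the quoted alert. Function names and the sample data are this example's own.

# lion_check [ROOT]: print one finding per line; ROOT defaults to the live /.
lion_check() {
    root="${1:-}"
    # The worm deletes /etc/hosts.deny.
    if [ ! -e "$root/etc/hosts.deny" ]; then echo "MISSING /etc/hosts.deny"; fi
    # It looks for a hashed password in /etc/ttyhash.
    if [ -e "$root/etc/ttyhash" ]; then echo "PRESENT /etc/ttyhash"; fi
    # Root shells via inetd: first field of inetd.conf is the service or port.
    if [ -r "$root/etc/inetd.conf" ]; then
        awk '$1 == "60008" || $1 == "33567" { print "INETD " $0 }' \
            "$root/etc/inetd.conf"
    fi
    # Listening sockets (state 0A) in /proc/net/tcp; ports are hex there:
    # 60008 = EA68, 33567 = 831F, 33568 = 8320.
    if [ -r "$root/proc/net/tcp" ]; then
        awk 'NR > 1 && $4 == "0A" {
                 n = split($2, a, ":"); p = a[n]
                 if (p == "EA68") print "LISTEN 60008/tcp"
                 if (p == "831F") print "LISTEN 33567/tcp"
                 if (p == "8320") print "LISTEN 33568/tcp"
             }' "$root/proc/net/tcp"
    fi
    return 0
}

# lion_sample_tree: build a constructed (not captured) tree showing four hits.
lion_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/etc" "$d/proc/net"
    : > "$d/etc/ttyhash"
    printf '%s\n' '# constructed sample' \
        'ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd' \
        '60008 stream tcp nowait root /bin/sh sh' > "$d/etc/inetd.conf"
    printf '%s\n' '  sl  local_address rem_address   st' \
        '   0: 00000000:0016 00000000:0000 0A' \
        '   1: 00000000:8320 00000000:0000 0A' > "$d/proc/net/tcp"
    echo "$d"
}
```

Where possible, run it as `lion_check /mnt/image` against a disk mounted on a known-good system, since the alert says login and ssh are trojaned and syslogd is killed on a compromised host.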