[linux-elitists] BIND does it again

Marc MERLIN marc_news@valinux.com
Fri Mar 23 11:46:57 PST 2001


On Fri, Mar 23, 2001 at 09:51:54AM -0800, Dan Wilder wrote:
> Well not really again.  New exploit, old bug.  But BIND does it.  
> There's a major worm on the loose:
> 
> >Date: Fri, 23 Mar 2001  9:18:30 -0700 (MST) 
> >From: The SANS Institute <securityalert@sans.org>
> >Subject: ALERT -  A DANGEROUS NEW WORM IS SPREADING ON THE INTERNET
> 
> [ ... ]
> 
> > Once Lion has compromised a system, it:
> 
> > - - Sends the contents of /etc/passwd, /etc/shadow, as well as some
> > network settings to an address in the china.com domain.
> > - - Deletes /etc/hosts.deny, eliminating the host-based perimeter
> > protection afforded by tcp wrappers.

Nice try, but you can deny things in /etc/hosts.allow :-)

> > - - Installs backdoor root shells on ports 60008/tcp and 33567/tcp (via
> > inetd, see /etc/inetd.conf)
> > - - Installs a trojaned version of ssh that listens on 33568/tcp
> > - - Kills Syslogd, so the logging on the system can't be trusted
> > - - Installs a trojaned version of login
> > - - Looks for a hashed password in /etc/ttyhash
> > - - /usr/sbin/nscd (the optional Name Service Caching daemon) is
> > overwritten with a trojaned version of ssh.

Anyway, this sucks, but that will hopefully teach people to keep on top of
security patches.

Marc
-- 
Microsoft is to operating systems & security ....
                                      .... what McDonalds is to gourmet cooking
  
Home page: http://marc.merlins.org/   |   Finger marc_f@merlins.org for PGP key
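
The file-level indicators listed in the quoted alert, turned into a triage check that can be pointed at a mounted copy of a suspect disk. This is an added example, not part of the original message or the SANS alert; the function name `lion_check`, the output labels, and the SSH-banner heuristic for nscd are assumptions.

```shell
#!/bin/sh
# Added example: check a filesystem tree for the Lion indicators named in the alert.
# ROOT is the tree to inspect (default /). Inspecting a read-only mount of the
# suspect disk from a clean host avoids trusting trojaned binaries and dead syslog.
lion_check() {
    root=${1:-/}
    root=${root%/}

    # The worm deletes hosts.deny. Absence alone is weak evidence: some hosts
    # keep all tcp wrappers rules, including denies, in hosts.allow.
    [ -e "$root/etc/hosts.deny" ] || echo "MISSING /etc/hosts.deny"

    # Backdoor root shells are added to inetd.conf on 60008/tcp and 33567/tcp.
    # The first field of an inetd.conf entry is the service name or port number,
    # so commented-out lines (first field "#...") never match.
    if [ -f "$root/etc/inetd.conf" ]; then
        awk '$1 == "60008" || $1 == "33567" {
                 print "INETD_BACKDOOR port " $1 " (inetd.conf line " NR ")" }' \
            "$root/etc/inetd.conf"
    fi

    # The alert lists a hashed password stored in /etc/ttyhash.
    [ -e "$root/etc/ttyhash" ] && echo "PRESENT /etc/ttyhash"

    # nscd is overwritten with a trojaned ssh. Heuristic (assumption): an ssh
    # daemon embeds an "SSH-" protocol banner, a genuine nscd does not.
    if [ -f "$root/usr/sbin/nscd" ] && grep -aq 'SSH-' "$root/usr/sbin/nscd"; then
        echo "SUSPECT /usr/sbin/nscd contains an SSH banner string"
    fi
    return 0
}
```

The listening ports (60008, 33567 and 33568/tcp) and the killed syslogd are live-state indicators and are best confirmed from outside the host, since its own tools may be replaced.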


