Thank you! I saw something about it, but didn't realize I needed to do something about it until now. 8.2.3-0 would be OK right? That's the latest one from http://security.debian.org On Fri, Mar 23, 2001 at 12:25:52PM -0700, Rusty Carruth wrote: > > In case nobody has posted this yet: > > If you've not updated your bind/dns - do so NOW. > > Also, if you run bsd there is a chance the problem is there also. > > >Date: Fri, 23 Mar 2001 9:40:03 -0700 (MST) > >From: The SANS Institute > >Subject: ALERT - A DANGEROUS NEW WORM IS SPREADING ON THE INTERNET > >Sender: sans@sans.org > >To: John Driggers (SD512389) > >X-LDAP-Alias: V 1.0rc5. Sent to driggers@slb.com resolving to > >driggers@austin.apc.slb.com > > > >-----BEGIN PGP SIGNED MESSAGE----- > >Hash: SHA1 > > > >ALERT! A DANGEROUS NEW WORM IS SPREADING ON THE INTERNET > > > >March 23, 2001 7:00 AM > > > >Late last night, the SANS Institute (through its Global Incident > >Analysis Center) uncovered a dangerous new worm that appears to be > >spreading rapidly across the Internet. It scans the Internet looking > >for Linux computers with a known vulnerability. It infects the > >vulnerable machines, steals the password file (sending it to a > >China.com site), installs other hacking tools, and forces the newly > >infected machine to begin scanning the Internet looking for other > >victims. > > > >Several experts from the security community worked through the night to > >decompose the worm's code and engineer a utility to help you discover > >if the Lion worm has affected your organization. > > > >Updates to this announcement will be posted at the SANS web site, > >http://www.sans.org > > > > > >DESCRIPTION > > > >The Lion worm is similar to the Ramen worm. However, this worm is > >significantly more dangerous and should be taken very seriously. It > >infects Linux machines running the BIND DNS server. It is known to > >infect bind version(s) 8.2, 8.2-P1, 8.2.1, 8.2.2-Px, and all > >8.2.3-betas. The specific vulnerability used by the worm to exploit > >machines is the TSIG vulnerability that was reported on January 29, > >2001. > > > >The Lion worm spreads via an application called "randb". Randb scans > >random class B networks probing TCP port 53. Once it hits a system, it > >checks to see if it is vulnerable. If so, Lion exploits the system using > >an exploit called "name". It then installs the t0rn rootkit. > > > >Once Lion has compromised a system, it: > > > >- - Sends the contents of /etc/passwd, /etc/shadow, as well as some > >network settings to an address in the china.com domain. > >- - Deletes /etc/hosts.deny, eliminating the host-based perimeter > >protection afforded by tcp wrappers. > >- - Installs backdoor root shells on ports 60008/tcp and 33567/tcp (via > >inetd, see /etc/inetd.conf) > >- - Installs a trojaned version of ssh that listens on 33568/tcp > >- - Kills Syslogd , so the logging on the system can't be trusted > >- - Installs a trojaned version of login > >- - Looks for a hashed password in /etc/ttyhash > >- - /usr/sbin/nscd (the optional Name Service Caching daemon) is > >overwritten with a trojaned version of ssh. > > > >The t0rn rootkit replaces several binaries on the system in order to > >stealth itself. Here are the binaries that it replaces: > > > >du, find, ifconfig, in.telnetd, in.fingerd, login, ls, mjy, netstat, > >ps, pstree, top > > > >- - "Mjy" is a utility for cleaning out log entries, and is placed in /bin > >and /usr/man/man1/man1/lib/.lib/. > >- - in.telnetd is also placed in these directories; its use is not known > >at this time. > >- - A setuid shell is placed in /usr/man/man1/man1/lib/.lib/.x > > > >DETECTION AND REMOVAL > > > >We have developed a utility called Lionfind that will detect the Lion > >files on an infected system. Simply download it, uncompress it, and > >run lionfind. This utility will list which of the suspect files is on > >the system. > > > >At this time, Lionfind is not able to remove the virus from the system. > >If and when an updated version becomes available (and we expect to > >provide one), an announcement will be made at this site. > > > >Download Lionfind at http://www.sans.org/y2k/lionfind-0.1.tar.gz > > > > > >REFERENCES > > > >Further information can be found at: > > > >http://www.sans.org/current.htm > >http://www.cert.org/advisories/CA-2001-02.html, CERT Advisory CA-2001-02, > >Multiple Vulnerabilities in BIND > >http://www.kb.cert.org/vuls/id/196945 ISC BIND 8 contains buffer overflow > >in transaction signature (TSIG) handling code > >http://www.sans.org/y2k/t0rn.htm Information about the t0rn rootkit. > >The following vendor update pages may help you in fixing the original BIND > >vulnerability: > > > >Redhat Linux RHSA-2001:007-03 - Bind remote exploit > >http://www.redhat.com/support/errata/RHSA-2001-007.html > >Debian GNU/Linux DSA-026-1 BIND > >http://www.debian.org/security/2001/dsa-026 > >SuSE Linux SuSE-SA:2001:03 - Bind 8 remote root compromise. > >http://www.suse.com/de/support/security/2001_003_bind8_ txt.txt > >Caldera Linux CSSA-2001-008.0 Bind buffer overflow > >http://www.caldera.com/support/security/advisories/CSSA-2001-008.0.txt > >http://www.caldera.com/support/security/advisories/CSSA-2001-008.1.txt > > > >This security advisory was prepared by Matt Fearnow of the SANS > >Institute and William Stearns of the Dartmouth Institute for Security > >Technology Studies. > > > >The Lionfind utility was written by William Stearns. William is an > >Open-Source developer, enthusiast, and advocate from Vermont, USA. His > >day job at the Institute for Security Technology Studies at Dartmouth > >College pays him to work on network security and Linux projects. > > > >Also contributing efforts go to Dave Dittrich from the University of > >Washington, and Greg Shipley of Neohapsis > > > >Matt Fearnow > >SANS GIAC Incident Handler > > > >If you have additional data on this worm or a critical quetsion please > >email lionworm@sans.org > >-----BEGIN PGP SIGNATURE----- > >Version: GnuPG v1.0.4 (BSD/OS) > >Comment: For info see http://www.gnupg.org > > > >iD8DBQE6u17n+LUG5KFpTkYRAgn9AJ0ffubakBA47teAe9lF92lrS2H+TwCgh3T/ > >ek+YCliAS832nnMIzP28ezM= > >=E1SG > >-----END PGP SIGNATURE----- > > > Rusty Carruth Email: rcarruth@Tempe.tt.slb.com or rcarruth@slb.com > Voice: (480) 345-3621 SnailMail: Schlumberger ATE > FAX: (480) 345-8793 7855 S. River Parkway, Suite 116 > Ham: N7IKQ @ 146.82+,pl 162.2 Tempe, AZ 85284-1825 > ICBM: 33 20' 44"N 111 53' 47"W > > > ________________________________________________ > See http://PLUG.phoenix.az.us/navigator-mail.shtml if your mail doesn't post to the list quickly and you use Netscape to write mail. > > Plug-discuss mailing list - Plug-discuss@lists.PLUG.phoenix.az.us > http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss -- _______ Shawn T. Rutledge / KB7PWD ecloud@bigfoot.com (_ | |_) http://www.bigfoot.com/~ecloud kb7pwd@kb7pwd.ampr.org __) | | \________________________________________________________________ Free long distance at http://www.bigredwire.com/me/RefTrack?id=USA063420