LINUX SECURITY --- March 27, 2001
Published by ITworld.com -- changing the way you view IT
http://www.itworld.com/newsletters
________________________________________________________________________________
HIGHLIGHTS
* Lion, the latest worm prowling the Internet for BIND vulnerabilities.
________________________________________________________________________________
The Roar of the Lion
By Rick Johnson
The latest buzz in the computing world is the dreaded and dangerous new
worm called the Lion. Similar to the Ramen worm, the Lion worm scans
the Internet looking for Linux computers with BIND vulnerabilities --
more than 20% of servers on the Internet. The Lion worm infects the
vulnerable machines, steals the password file and sends it to a site in
China, installs a few more goodies, scans the Internet looking for
other victims, and then tries to replicate itself. Unfortunately, this
worm is far more dangerous than Ramen and should be taken very
seriously.
Lion infects Linux machines running BIND versions 8.2, 8.2-P1, 8.2.1,
8.2.2-Px, and all 8.2.3-betas through the TSIG vulnerability we all
know and love. The Lion worm spreads via an application called "randb",
which scans random class B networks probing TCP port 53. Once it hits a
system, Lion checks for vulnerabilities. Once found, Lion exploits the
system using an exploit called "name" and then installs the t0rn
rootkit.
Here is a fairly complete list of what is affected (according to the SANS
Institute):
* Sends the contents of /etc/passwd, /etc/shadow, and some network
settings to an address in the china.com domain;
* Deletes /etc/hosts.deny, eliminating the host-based perimeter
protection afforded by tcp wrappers;
* Installs backdoor root shells on ports 60008/tcp and 33567/tcp
(via inetd, see /etc/inetd.conf);
* Installs a Trojan version of ssh that listens on 33568/tcp;
* Kills Syslogd, so the logging on the system can't be trusted;
* Installs a Trojan version of login;
* Looks for a hashed password in /etc/ttyhash;
* /usr/sbin/nscd is overwritten with a Trojan version of ssh;
* The t0rn rootkit replaces several system binaries in order to
stealth itself including: du, find, ifconfig, in.telnetd,
in.fingerd, login, ls, mjy, netstat, ps, pstree and top;
* "Mjy", a utility for cleaning out log entries, is placed in /bin
and /usr/man/man1/man1/lib/.lib/;
* in.telnetd is also placed in these directories, but its use is
not known at this time;
* A setuid shell is placed in /usr/man/man1/man1/lib/.lib/.x.
Thankfully, SANS has developed a utility called Lionfind that will
detect an infected system. This utility lists the files on the system
that are suspect; however, it is not able to remove the worm at this
time.
Download Lionfind at: http://www.sans.org/y2k/lionfind-0.1.tar.gz
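To illustrate the kind of host check Lionfind performs, here is an added example script (not Lionfind and not from SANS) that tests a filesystem tree for the Lion indicators listed above: the hidden rootkit directory and setuid shell, /etc/ttyhash, the Mjy log cleaner, a deleted /etc/hosts.deny, and backdoor entries for 60008/tcp and 33567/tcp in inetd.conf. The exact format of the inetd.conf backdoor lines is an assumption, and the optional ROOT argument is there so the check can be run against a mounted image or a constructed test tree.

```shell
#!/bin/sh
# lion_check [ROOT]: scan the tree under ROOT (default: the live root "/")
# for Lion/t0rn indicators described in the newsletter. Returns 0 when no
# indicator is found, 1 otherwise. Because the rootkit replaces ls, ps,
# netstat and find, run this from trusted binaries (e.g. a clean boot
# medium with the victim's disk mounted under ROOT).
lion_check() {
    root="${1:-}"
    hits=0
    # Files and directories the worm drops (paths taken from the list above).
    for p in /usr/man/man1/man1/lib/.lib \
             /usr/man/man1/man1/lib/.lib/.x \
             /etc/ttyhash \
             /bin/mjy; do
        if [ -e "$root$p" ]; then
            echo "FOUND: $root$p"
            hits=$((hits + 1))
        fi
    done
    # The worm deletes /etc/hosts.deny to disable tcp wrappers.
    if [ ! -e "$root/etc/hosts.deny" ]; then
        echo "MISSING: $root/etc/hosts.deny"
        hits=$((hits + 1))
    fi
    # Backdoor root shells registered with inetd on 60008/tcp and 33567/tcp.
    # Assumption: the port number appears as a whitespace-delimited field.
    if [ -r "$root/etc/inetd.conf" ] &&
       grep -Eq '(^|[[:space:]])(60008|33567)([[:space:]]|$)' "$root/etc/inetd.conf"; then
        echo "SUSPECT: backdoor service lines in $root/etc/inetd.conf"
        hits=$((hits + 1))
    fi
    echo "lion indicators: $hits"
    [ "$hits" -eq 0 ]
}
```

Source the file and run `lion_check /` on the live system, or `lion_check /mnt/victim` against a disk mounted from clean media; a non-zero exit means at least one indicator was found.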
About the author(s)
-------------------
Rick Johnson is currently the Manager of Security Services for
FusionStorm, a remote managed services company. When not writing, he
heads the development team for PMFirewall, an Ipchains Firewall and
Masquerading Configuration Utility for Linux. Rick can be contacted via
email at rick@pointman.org or on the web at http://www.pointman.org.
________________________________________________________________________________
ADDITIONAL RESOURCES
Understanding stealth scans: Forewarned is forearmed
Learn the 'secret handshakes' of TCP/IP that crackers exploit
http://www.itworld.com/jlw/linsec_nl/lw-2001-03/lw-03-vcontrol_3.html
New 'Injustice' virus spreads political message
http://www.itworld.com/jump/linsec_nl/www.itworld.com/Sec/3832/itwnws_3-19-01_injustice/
SANS Institute warns against 'Lion' Linux worm
Computer worm mails system passwords to China.com
http://www.itworld.com/jump/linsec_nl/www.itworld.com/News/2001/3/itw01323worm/
Update: Behind the Lion worm
The "Lion" worm uses infected servers to randomly scan for TCP port-53
connections
http://www.itworld.com/jump/linsec_nl/www.itworld.com/News/2001/3/itwnews01323worm2/
________________________________________________________________________________