
[cobalt-users] Lion info



This just popped into my mailbox; thought it might be of use to maybe someone
out there

----------

Linux/Adore is an internet worm for the Linux operating system. The
worm is very similar to the Linux/Ramen and Linux/Lion worms. It
uses four known vulnerabilities in wu-ftpd, bind, lpd and
RPC.statd, which allow the attacker to gain root access and run
malicious code.

When the worm runs, it attempts to send confidential information
such as IP configuration and information about running processes
together with the files /etc/hosts and /etc/shadow to four email
addresses which appear to be based in China.

The worm also copies a script "0anacron" into the
/etc/cron.daily directory so that it runs when the daily cron
jobs are scheduled (by default at 4:02 a.m.). This script
removes the worm from the infected host.

The worm spreads by scanning for randomly generated class B IP
addresses and probing them for machine vulnerabilities. If a
vulnerability is found, the worm exploits it so that the
attacked host runs code (with superuser privileges) to download
the worm archive file, unpack it, install it into the directory
/usr/lib/lib and run it.

The Linux system program /bin/ps is replaced with a trojanised
version, which prevents all worm processes from being displayed
in the list of running processes when the ps command is run.

The worm also runs a program called icmp, which listens and, if
the received packet length is equal to the one specified in the
source file, sets the root shell to accept connections on port
65535, acting as a backdoor.
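Added example, not part of the forwarded description or the poster's own: a POSIX shell script that checks a host for the indicators named above (the 0anacron cron script, the /usr/lib/lib directory, processes hidden from ps, and a listener on TCP port 65535). The ADORE_ROOT variable is an assumption of this example, used to point the file checks at a mounted image of a suspect disk instead of the live host.

```shell
#!/bin/sh
# Added example: host checks for the Linux/Adore indicators described above.
# ADORE_ROOT (assumed name) may point at a mounted image; empty = live host.

# File-system indicators: the 0anacron cleanup script and the /usr/lib/lib
# install directory. Prints each hit; the return code is the number of hits.
adore_fs_check() {
    root="${1:-}"
    hits=0
    for path in /etc/cron.daily/0anacron /usr/lib/lib; do
        if [ -e "$root$path" ]; then
            echo "INDICATOR: $root$path present"
            hits=$((hits + 1))
        fi
    done
    return "$hits"
}

# Process-hiding indicator: a trojanised ps omits the worm's processes, but
# they still have /proc entries. A PID counts as hidden only if it exists in
# /proc both before and after the ps listing yet is absent from the listing,
# which filters out processes that merely exited in between. Returns the count.
adore_ps_check() {
    before=$(ls /proc 2>/dev/null | grep -E '^[0-9]+$')
    listed=$(ps -e -o pid= | tr -d ' ')
    hidden=0
    for pid in $before; do
        [ -d "/proc/$pid" ] || continue
        echo "$listed" | grep -qx "$pid" && continue
        echo "INDICATOR: pid $pid has a /proc entry but is not shown by ps"
        hidden=$((hidden + 1))
    done
    return "$hidden"
}

# Backdoor indicator: a TCP listener on port 65535 (netstat, or ss if netstat
# is absent). Returns 1 if such a listener is found, else 0.
adore_port_check() {
    listeners=$(netstat -tln 2>/dev/null || ss -tln 2>/dev/null)
    echo "$listeners" | grep -q ':65535[[:space:]]' || return 0
    echo "INDICATOR: TCP listener on port 65535 (identify its owning process)"
    return 1
}

# Run all three checks; a non-zero return from any of them is a finding.
adore_fs_check "${ADORE_ROOT:-}" || true
adore_ps_check || true
adore_port_check || true
```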