I'm annoyed when persons post virus alerts to unrelated lists but this
is a serious threat. If you're offended, flame away.
Bob
March 23, 2001 7:00 AM
Late last night, the SANS Institute (through its Global Incident
Analysis Center) uncovered a dangerous new worm that appears to be
spreading rapidly across the Internet. It scans the Internet looking
for Linux computers with a known vulnerability. It infects the
vulnerable machines, steals the password file (sending it to a
China.com site), installs other hacking tools, and forces the newly
infected machine to begin scanning the Internet looking for other
victims.
Several experts from the security community worked through the night to
decompose the worm's code and engineer a utility to help you discover
if the Lion worm has affected your organization.
Updates to this announcement will be posted at the SANS web site,
http://www.sans.org
DESCRIPTION
The Lion worm is similar to the Ramen worm. However, this worm is
significantly more dangerous and should be taken very seriously. It
infects Linux machines running the BIND DNS server. It is known to
infect bind version(s) 8.2, 8.2-P1, 8.2.1, 8.2.2-Px, and all
8.2.3-betas. The specific vulnerability used by the worm to exploit
machines is the TSIG vulnerability that was reported on January 29,
2001.
The Lion worm spreads via an application called "randb". Randb scans
random class B networks probing TCP port 53. Once it hits a system, it
checks to see if it is vulnerable. If so, Lion exploits the system using
an exploit called "name". It then installs the t0rn rootkit.
Once Lion has compromised a system, it:
- Sends the contents of /etc/passwd, /etc/shadow, as well as some
network settings to an address in the china.com domain.
- Deletes /etc/hosts.deny, eliminating the host-based perimeter
protection afforded by tcp wrappers.
- Installs backdoor root shells on ports 60008/tcp and 33567/tcp (via
inetd, see /etc/inetd.conf)
- Installs a trojaned version of ssh that listens on 33568/tcp
- Kills syslogd, so the logging on the system can't be trusted
- Installs a trojaned version of login
- Looks for a hashed password in /etc/ttyhash
- /usr/sbin/nscd (the optional Name Service Caching daemon) is
overwritten with a trojaned version of ssh.
The t0rn rootkit replaces several binaries on the system in order to
stealth itself. Here are the binaries that it replaces:
du, find, ifconfig, in.telnetd, in.fingerd, login, ls, mjy, netstat,
ps, pstree, top
- "Mjy" is a utility for cleaning out log entries, and is placed in /bin
and /usr/man/man1/man1/lib/.lib/.
- in.telnetd is also placed in these directories; its use is not known
at this time.
- A setuid shell is placed in /usr/man/man1/man1/lib/.lib/.x
DETECTION AND REMOVAL
We have developed a utility called Lionfind that will detect the Lion
files on an infected system. Simply download it, uncompress it, and
run lionfind. This utility will list which of the suspect files is on
the system.
At this time, Lionfind is not able to remove the virus from the system.
If and when an updated version becomes available (and we expect to
provide one), an announcement will be made at this site.
Download Lionfind at http://www.sans.org/y2k/lionfind-0.1.tar.gz
REFERENCES
Further information can be found at:
http://www.sans.org/current.htm
http://www.cert.org/advisories/CA-2001-02.html, CERT Advisory CA-2001-02,
Multiple Vulnerabilities in BIND
http://www.kb.cert.org/vuls/id/196945 ISC BIND 8 contains buffer overflow
in transaction signature (TSIG) handling code
http://www.sans.org/y2k/t0rn.htm Information about the t0rn rootkit.
The following vendor update pages may help you in fixing the original BIND
vulnerability:
Redhat Linux RHSA-2001:007-03 - Bind remote exploit
http://www.redhat.com/support/errata/RHSA-2001-007.html
Debian GNU/Linux DSA-026-1 BIND
http://www.debian.org/security/2001/dsa-026
SuSE Linux SuSE-SA:2001:03 - Bind 8 remote root compromise.
http://www.suse.com/de/support/security/2001_003_bind8_txt.txt
Caldera Linux CSSA-2001-008.0 Bind buffer overflow
http://www.caldera.com/support/security/advisories/CSSA-2001-008.0.txt
http://www.caldera.com/support/security/advisories/CSSA-2001-008.1.txt
This security advisory was prepared by Matt Fearnow of the SANS
Institute and William Stearns of the Dartmouth Institute for Security
Technology Studies.
The Lionfind utility was written by William Stearns. William is an
Open-Source developer, enthusiast, and advocate from Vermont, USA. His
day job at the Institute for Security Technology Studies at Dartmouth
College pays him to work on network security and Linux projects.
Also contributing efforts go to Dave Dittrich from the University of
Washington, and Greg Shipley of Neohapsis
Matt Fearnow
SANS GIAC Incident Handler
If you have additional data on this worm or a critical question please
email [email protected]
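The advisory above names concrete host indicators (the t0rn directory under /usr/man, /etc/ttyhash, the deleted /etc/hosts.deny, the backdoor ports, the killed syslogd) and says Lionfind looks for them. The script below is an added example for this thread, not the SANS Lionfind tool: it checks those indicators read-only, takes an optional ROOT prefix (my own addition) so a mounted disk image or a constructed test tree can be examined from a trusted host, and reads /proc directly because the advisory says ls, netstat and ps are replaced with trojaned copies.

```sh
#!/bin/sh
# Added example for this thread: a read-only host check for the Lion/t0rn
# indicators named in the SANS advisory. It is NOT the SANS "lionfind" tool.
# ROOT is an optional prefix (default "/") so a mounted disk image or a
# constructed test tree can be examined from a trusted host. Because t0rn
# replaces ls, netstat and ps, the check reads /proc directly instead.

# Indicators quoted from the advisory (paths relative to ROOT).
LION_HIDDEN_DIR="usr/man/man1/man1/lib/.lib"
LION_SUID_SHELL="usr/man/man1/man1/lib/.lib/.x"
LION_TTYHASH="etc/ttyhash"
LION_BACKDOOR_PORTS="60008 33567 33568"   # inetd root shells + trojaned ssh

# lion_check [ROOT]: print one "HIT ..." line per indicator found.
# Returns 0 when the tree looks clean, 1 when anything was found.
lion_check() {
    root="${1:-/}"
    root="${root%/}"              # "/" -> "" so "$root/etc" is always clean
    hits=0

    if [ -d "$root/$LION_HIDDEN_DIR" ]; then
        echo "HIT t0rn hidden directory present: /$LION_HIDDEN_DIR"
        hits=$((hits + 1))
    fi
    if [ -e "$root/$LION_SUID_SHELL" ]; then
        echo "HIT setuid shell path present: /$LION_SUID_SHELL"
        hits=$((hits + 1))
    fi
    if [ -e "$root/$LION_TTYHASH" ]; then
        echo "HIT t0rn password hash file present: /$LION_TTYHASH"
        hits=$((hits + 1))
    fi
    # Lion deletes hosts.deny; only meaningful where tcp wrappers were in use.
    if [ -d "$root/etc" ] && [ ! -e "$root/etc/hosts.deny" ]; then
        echo "HIT /etc/hosts.deny missing (was tcp wrappers configured here?)"
        hits=$((hits + 1))
    fi

    # Backdoor listeners: /proc/net/tcp lists local ports in hex and the
    # LISTEN state as 0A, so no trust in a trojaned netstat is required.
    if [ -r "$root/proc/net/tcp" ]; then
        for port in $LION_BACKDOOR_PORTS; do
            hexport=$(printf '%04X' "$port")
            if awk -v hp="$hexport" \
                'NR > 1 && substr($2, length($2) - 3) == hp && $4 == "0A" { f = 1 }
                 END { exit !f }' "$root/proc/net/tcp"; then
                echo "HIT listener on backdoor port $port/tcp"
                hits=$((hits + 1))
            fi
        done
    fi

    # Lion kills syslogd; look for it in /proc/*/comm rather than via ps.
    # (Hosts logging only through journald would trip this; treat as a lead.)
    if [ -d "$root/proc/1" ] &&
       ! cat "$root"/proc/[0-9]*/comm 2>/dev/null | grep -Eqx 'r?syslogd|syslog-ng'; then
        echo "HIT no syslogd process found (logging on this host is untrustworthy)"
        hits=$((hits + 1))
    fi

    [ "$hits" -eq 0 ]
}

# lion_hit_count [ROOT]: number of indicators found, as plain text.
lion_hit_count() {
    lion_check "$1" | grep -c '^HIT' || true
}
```

Source the file and run `lion_check /mnt/suspect` against a mounted image, or `lion_check` with no argument on the live host; a hit on the hosts.deny or syslogd checks is a lead to confirm, while a hit on the hidden directory, ttyhash or a backdoor port matches the advisory's indicators directly.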
On Fri, 23 Mar 2001, Bob Lorenzini wrote:
> I'm annoyed when persons post virus alerts to unrelated lists but this
> is a serious threat. If you're offended, flame away.
This should be a wake up call... distributions need to stop using products
with consistently bad security records.
Gerhard
--
Gerhard Mack
[email protected]
<>< As a computer I find your faith in technology amusing.
>I'm annoyed when persons post virus alerts to unrelated lists but this
>is a serious threat. If you're offended, flame away.
Since this worm exploits a BIND vulnerability, it would be better placed on
the BIND mailing list than the kernel one. If it exploited a kernel bug,
then it would be more welcome here.
--------------------------------------------------------------
from: Jonathan "Chromatix" Morton
mail: [email protected] (not for attachments)
big-mail: [email protected]
uni-mail: [email protected]
The key to knowledge is not to rely on people to teach you it.
Get VNC Server for Macintosh from http://www.chromatix.uklinux.net/vnc/
-----BEGIN GEEK CODE BLOCK-----
Version 3.12
GCS$/E/S dpu(!) s:- a20 C+++ UL++ P L+++ E W+ N- o? K? w--- O-- M++$ V? PS
PE- Y+ PGP++ t- 5- X- R !tv b++ DI+++ D G e+ h+ r++ y+(*)
-----END GEEK CODE BLOCK-----
Gerhard Mack <[email protected]> writes:
> On Fri, 23 Mar 2001, Bob Lorenzini wrote:
>
> > I'm annoyed when persons post virus alerts to unrelated lists but this
> > is a serious threat. If you're offended, flame away.
>
> This should be a wake up call... distributions need to stop using products
> with consistently bad security records.
Is there an alternative to BIND that's free software? Never seen
one.
-Doug (who doesn't think this is a Good Thing)
Gerhard Mack said once upon a time (Fri, 23 Mar 2001):
> On Fri, 23 Mar 2001, Bob Lorenzini wrote:
>
> > I'm annoyed when persons post virus alerts to unrelated lists but this
> > is a serious threat. If you're offended, flame away.
>
> This should be a wake up call... distributions need to stop using products
> with consistently bad security records.
This TSIG bug in BIND 8 that is being exploited was added to BIND 8 by the
same team who wrote BIND 9.
In fact the last two major remote root compromises (TSIG and NXT) for BIND
8 were in code added to BIND 8 by the BIND 9 developers.
Dax
Dax Kelson wrote:
> Gerhard Mack said once upon a time (Fri, 23 Mar 2001):
>
> > On Fri, 23 Mar 2001, Bob Lorenzini wrote:
> >
> > > I'm annoyed when persons post virus alerts to unrelated lists but this
> > > is a serious threat. If you're offended, flame away.
> >
> > This should be a wake up call... distributions need to stop using products
> > with consistently bad security records.
>
> This TSIG bug in BIND 8 that is being exploited was added to BIND 8 by the
> same team who wrote BIND 9.
>
> In fact the last two major remote root compromises (TSIG and NXT) for BIND
> 8 was in code added to BIND 8 by the BIND 9 developers.
You could say new code in general causes security holes... don't fix it
and you won't break it. There is the security principle of least privilege
though...
RH7 (and earlier, I think) runs bind so that it drops root and runs as user
named after opening a listening socket, so I don't think a bind compromise
could retrieve the /etc/shadow file and modify system binaries... and
RH7.1 (beta) will use capabilities to further restrict the privileges given
to bind (v9) (not root ever).
On Fri, Mar 23, 2001 at 01:51:11PM -0500, Doug McNaught wrote:
> > > I'm annoyed when persons post virus alerts to unrelated lists but this
> > > is a serious threat. If you're offended, flame away.
> >
> > This should be a wake up call... distributions need to stop using products
> > with consistently bad security records.
>
> Is there an alternative to BIND that's free software? Never seen
> one.
Have a look at djbdns.
http://cr.yp.to/djbdns.html
The author claims that he will dole out $500 for every
security hole discovered in djbdns.
I've been thrilled with it ever since I installed it a few months ago.
--
Michael Bacarella <[email protected]>
Technical Staff / System Development,
New York Connect.Net, Ltd.
On Fri, Mar 23, 2001 at 10:31:49AM -0800, Gerhard Mack wrote:
> On Fri, 23 Mar 2001, Bob Lorenzini wrote:
> > I'm annoyed when persons post virus alerts to unrelated lists but this
> > is a serious threat. If you're offended, flame away.
> This should be a wake up call... distributions need to stop using products
> with consistently bad security records.
Bullshit.
This is a wake up call that admins need to keep installations up
to date. When a security hole is found, I DON'T CARE if it's in a package
with a good security record or a poor security record. It has to be
fixed and you can't put it off. Certainly not in the current climate
with script driven worms like Ramen and 1i0n.
Having a poor security record is a warning to the developers that
it's time to clean up their act and do better. Sendmail used to be the
bug of the month club. Hell! It used to be the bug of the week club. Last
couple of years, it's been pretty solid. If you only went on security
track record, we would all be using MMDF, which is still arguably the most
secure mail transport around. MMDF has had what? One advisory in something
like 15 years of deployment? It was the default MTA in SCO Unix for
years and was mandated at military installations for a long time... Still,
when that one advisory comes out, you better update or you are toast.
You don't solely rely on packages that have "good security records"
never getting broken and then become complacent. Sites that do that are
what we call "Warez" sites. :-/
> Gerhard
> --
> Gerhard Mack
> [email protected]
> <>< As a computer I find your faith in technology amusing.
Mike
--
Michael H. Warfield | (770) 985-6132 | [email protected]
(The Mad Wizard) | (678) 463-0932 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!
Michael Bacarella <[email protected]> wrote:
> On Fri, Mar 23, 2001 at 01:51:11PM -0500, Doug McNaught wrote:
>>
>> Is there an alternative to BIND that's free software? Never seen
>> one.
> Have a look at djbdns.
> http://cr.yp.to/djbdns.html
It is NOT free software.
--
Debian GNU/Linux 2.2 is out! ( http://www.debian.org/ )
Email: Herbert Xu ~{PmV>HI~} <[email protected]>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
On Fri, Mar 23, 2001 at 02:39:07PM -0500, Michael Bacarella wrote:
> On Fri, Mar 23, 2001 at 01:51:11PM -0500, Doug McNaught wrote:
> > Is there an alternative to BIND that's free software? Never seen
> > one.
>
> Have a look at djbdns.
I use djbdns myself and am very happy with it, but the original poster was
asking for free software. djbdns doesn't even meet the DFSG/OSD, let alone
the FSF definition of "free software". Please refer to the archives of the
[email protected] mailing list if you're interested in seeing all the old
arguments.
If you're looking for a GPL'd DNS server, there's Mindspring's DENTS
project, although it hasn't seen much development lately:
http://sourceforge.net/projects/dents/
That being said, none of this is on-topic for linux-kernel.
-esm (picking nits for fun and profit)
--
Edward S. Marshall <[email protected]> http://www.nyx.net/~emarshal/
-------------------------------------------------------------------------------
[ Felix qui potuit rerum cognoscere causas. ]
On Fri, 23 Mar 2001, Doug McNaught wrote:
>Gerhard Mack <[email protected]> writes:
>
>> On Fri, 23 Mar 2001, Bob Lorenzini wrote:
>>
>> > I'm annoyed when persons post virus alerts to unrelated lists but this
>> > is a serious threat. If you're offended, flame away.
>>
>> This should be a wake up call... distributions need to stop using products
>> with consistently bad security records.
>
>Is there an alternative to BIND that's free software? Never seen
>one.
Not one that is Open Source....
Bind itself has been proven over many years. This is the first major
problem found. If you want a fix, get bind v9. Besides handling IP version
4, it also handles version 6.
The only current limitation is the inability to control sort order of
hosts with multiple interfaces. I think this is due to the new IP v 6
resource handling.
Bind 9 works well (see ISC web page http://www.isc.org/products/BIND/)
>
>-Doug (who doesn't think this is a Good Thing)
It really isn't, but the new bind may be. There is even an update
to bind 8 that contains a fix for the problem.
-------------------------------------------------------------------------
Jesse I Pollard, II
Email: [email protected]
Any opinions expressed are solely my own.
On Sat, Mar 24, 2001 at 11:11:50AM -0600, Jesse Pollard wrote:
> Bind itself has been proven over many years. This is the first major
> problem found.
This is so blatantly incorrect as to be laughable. BIND 4 and 8 had a
long and glorious history of serious security flaws; a quick search of
the http://www.securityfocus.com vulnerability archives for "BIND" returns a
ton of results, ranging from root compromises to denial of service
attacks to cache poisoning problems.
> If you want a fix, get bind v9. Besides handling IP version
> 4, it also handles version 6.
I'll believe in BIND 9's safety after it's been widely deployed; with few
OS vendors actually bundling BIND 9 at this point, it's received very
little real-world attention.
> It really isn't, but the new bind may be. There is even an update
> to bind 8 that contains a fix for the problem.
Until the next design flaw produces yet-another-vulnerability?
While other packages might not be free software, I don't have the luxury
of following principles in lieu of security.
Last post from me on the subject, because this has next to nothing to do
with the Linux kernel.
--
Edward S. Marshall <[email protected]> http://www.nyx.net/~emarshal/
-------------------------------------------------------------------------------
[ Felix qui potuit rerum cognoscere causas. ]
Jesse Pollard wrote:
> >Is there an alternative to BIND that's free software? Never seen
> >one.
>
> Not one that is Open Source....
Australia's RMIT and Ericsson have an Open Source load-balancing distributed
web server, including a DNS server to do the balancing.
The links I have, http://www.eddieware.org and http://www.rmit.edu.au, both
currently appear to be down.
On Fri, 23 Mar 2001, Gerhard Mack wrote:
> On Fri, 23 Mar 2001, Bob Lorenzini wrote:
>
> > I'm annoyed when persons post virus alerts to unrelated lists but this
> > is a serious threat. If you're offended, flame away.
>
> This should be a wake up call... distributions need to stop using products
> with consistently bad security records.
>
> Gerhard
>
The immediate effect of specifically targeting Linux is to cause
"security administrators" to deny network access to all Linux
machines.
I have just received notice that my machines will no longer be
provided access to "The Internet".
"Effective on or before 16:00:00 local time, the only personal
computers that will be allowed Internet access are those administered
by a Microsoft Certified Network Administrator. This means that
no Unix or Linux machines will be provided access beyond the local
area network. If you require Internet access, the company will
provide a PC which runs a secure operating system such as Microsoft
Windows, or Windows/NT. Insecure operating systems like Linux must
be removed from company owned computers before the end of this week....."
Cheers,
Dick Johnson
Penguin : Linux version 2.4.1 on an i686 machine (799.53 BogoMips).
"Memory is like gasoline. You use it up when you are running. Of
course you get it all back when you reboot..."; Actual explanation
obtained from the Micro$oft help desk.
On Mon, Mar 26, 2001 at 10:07:22AM -0500, Richard B. Johnson wrote:
[snip]
> I have just received notice that my machines will no longer be
> provided access to "The Internet".
>
> "Effective on or before 16:00:00 local time, the only personal
> computers that will be allowed Internet access are those administered
> by a Microsoft Certified Network Administrator. This means that
> no Unix or Linux machines will be provided access beyond the local
> area network. If you require Internet access, the company will
> provide a PC which runs a secure operating system such as Microsoft
> Windows, or Windows/NT. Insecure operating systems like Linux must
> be removed from company owned computers before the end of this week....."
You've demonstrated over and over again that you work for a constantly
stupid company.
Please find someplace else to work, your issues have become more depressing
than amusing. :)
It's sad that people like the one who sent out messages like that can stay
employed. In the last year there have been several Windows love-bug type
worms each causing damage estimated in the billions. One or two Linux worms
that go after a long-fixed problem with no published accounts of significant
damage and you get that sort of email..
On Mon, Mar 26, 2001 at 10:07:22AM -0500, Richard B. Johnson wrote:
> On Fri, 23 Mar 2001, Gerhard Mack wrote:
>
> > On Fri, 23 Mar 2001, Bob Lorenzini wrote:
> >
> > > I'm annoyed when persons post virus alerts to unrelated lists but this
> > > is a serious threat. If you're offended, flame away.
> >
> > This should be a wake up call... distributions need to stop using products
> > with consistently bad security records.
> >
> > Gerhard
> >
>
> The immediate effect of specifically targeting Linux is to cause
> "security administrators" to deny network access to all Linux
> machines.
>
> I have just received notice that my machines will no longer be
> provided access to "The Internet".
>
> "Effective on or before 16:00:00 local time, the only personal
> computers that will be allowed Internet access are those administered
> by a Microsoft Certified Network Administrator. This means that
> no Unix or Linux machines will be provided access beyond the local
> area network. If you require Internet access, the company will
> provide a PC which runs a secure operating system such as Microsoft
> Windows, or Windows/NT. Insecure operating systems like Linux must
> be removed from company owned computers before the end of this week....."
Ohhhh. I especially like the "secure operating systems such as Microsoft
Windows" part. I'm impressed with their clear perception.
/David
_ _
// David Weinehall <[email protected]> /> Northern lights wander \\
// Project MCA Linux hacker // Dance across the winter sky //
\> http://www.acc.umu.se/~tao/ </ Full colour fire </
Gregory Maxwell wrote:
> On Mon, Mar 26, 2001 at 10:07:22AM -0500, Richard B. Johnson wrote:
> [snip]
> > I have just received notice that my machines will no longer be
> > provided access to "The Internet".
>
> It's sad that people like the one who sent out messages like that can stay
> employed.
So let's quit covering for 'em. Let's have the name(s) behind that
idiotic policy letter, because I would not knowingly allow any company
I work for to hire such people.
Problem      Remedy
-------      ------
hangnail     amputate
headache     amputate
(etc.)
Sheesh...
--Bob Tracy
[email protected]
On Mon, 26 Mar 2001, Bob_Tracy wrote:
> So let's quit covering for 'em. Let's have the name(s) behind that
> idiotic policy letter, because I would not knowingly allow any company
> I work for to hire such people.
In this case, the person(s) making the policy seem to be short on clue,
and long on agenda.
However, I can understand and agree with, from a security perspective, a
company deciding to ditch OSes that they have little to no idea about how
to handle.
I've been in the position to suggest that very action to companies, as
their $VENDOR-OS box sits in the corner and decays quietly, because
everyone either ignores it while its working, or kicks it into
'submission' when something goes wrong ...
Yeah, the _solution_ is to have IT people with lots of clue, but, well ...
*cough* ...
--
-- John E. Jasen ([email protected])
-- In theory, theory and practise are the same. In practise, they aren't.
On Mon, 26 Mar 2001, Richard B. Johnson wrote:
>
> "Effective on or before 16:00:00 local time, the only personal
> computers that will be allowed Internet access are those administered
> by a Microsoft Certified Network Administrator. This means that
> no Unix or Linux machines will be provided access beyond the local
> area network. If you require Internet access, the company will
> provide a PC which runs a secure operating system such as Microsoft
> Windows, or Windows/NT. Insecure operating systems like Linux must
> be removed from company owned computers before the end of this week....."
You might point out that only linux machines running an older version of
bind are at risk. Over one million credit card numbers were stolen from
microsoft servers in the last year. I suspect none of your linux machines
are even running bind.
Bob
[email protected] (Richard B. Johnson) writes:
>I have just received notice that my machines will no longer be
>provided access to "The Internet".
>"Effective on or before 16:00:00 local time, the only personal
>computers that will be allowed Internet access are those administered
>by a Microsoft Certified Network Administrator. This means that
>no Unix or Linux machines will be provided access beyond the local
>area network. If you require Internet access, the company will
>provide a PC which runs a secure operating system such as Microsoft
>Windows, or Windows/NT. Insecure operating systems like Linux must
>be removed from company owned computers before the end of this week....."
This is a troll, right? I mean, you wouldn't work for a company that
publishes such internal memos (and allows its employees to post it
into a public mailing list), would you?
If you're working for a company that considers one OS "more secure"
than another, your "security administrator" should really get a clue.
I mean, they all suck. Really, all of them. That's why they're OSes. ;-)
Regards
Henning
--
Dipl.-Inf. (Univ.) Henning P. Schmiedehausen -- Geschaeftsfuehrer
INTERMETA - Gesellschaft fuer Mehrwertdienste mbH [email protected]
Am Schwabachgrund 22 Fon.: 09131 / 50654-0 [email protected]
D-91054 Buckenhof Fax.: 09131 / 50654-20
At 10:24 AM 3/26/01 -0500, you wrote:
>It's sad that people like the one who sent out messages like that can stay
>employed. In the last year there have been several Windows love-bug type
>worms each causing damage estimated in the billions. One or two Linux worms
>that go after a long-fixed problem with no published accounts of significant
>damage and you get that sort of email..
What is even sadder is that, for loser companies like the one cited, there
is a series of Linux certification programs (not distribution-dependent)
under development at CompTIA (the Computing Technology Industry Association).
Satch
What company was it that you worked for? I'm sure we could convince
them otherwise . . . .
-b
Gregory Maxwell wrote:
> On Mon, Mar 26, 2001 at 10:07:22AM -0500, Richard B. Johnson wrote:
> [snip]
>
>> I have just received notice that my machines will no longer be
>> provided access to "The Internet".
>>
>> "Effective on or before 16:00:00 local time, the only personal
>> computers that will be allowed Internet access are those administered
>> by a Microsoft Certified Network Administrator. This means that
>> no Unix or Linux machines will be provided access beyond the local
>> area network. If you require Internet access, the company will
>> provide a PC which runs a secure operating system such as Microsoft
>> Windows, or Windows/NT. Insecure operating systems like Linux must
>> be removed from company owned computers before the end of this week....."
>
>
> You've demonstrated over and over again that you work for a constantly
> stupid company.
>
> Please find someplace else to work, your issues have become more depressing
> than amusing. :)
>
> It's sad that people like the one who sent out messages like that can stay
> employed. In the last year there have been several Windows love-bug type
> worms each causing damage estimated in the billions. One or two Linux worms
> that go after a long-fixed problem with no published accounts of significant
> damage and you get that sort of email..
>
Bob_Tracy writes:
> So let's quit covering for 'em. Let's have the name(s) behind that
> idiotic policy letter, because I would not knowingly allow any company
> I work for to hire such people.
>
> Problem      Remedy
> -------      ------
> hangnail     amputate
> headache     amputate
> (etc.)
you can add:
cancer       withdraw into complete denial
--
Drew Bertola | Send a text message to my pager or cell ...
| http://jpager.com/Drew