Security Incidents mailing list archives

possible bind worm?


From: roelof () SENSEPOST COM (Roelof Temmingh)
Date: Wed, 26 Apr 2000 00:21:34 +0200


I was getting a port 53 host scan from an IP today.

source: 209.31.226.26 (w026.z209031226.sjc-ca.dsl.cnc.net)
srcport: 53

dstport: 53
dst IP: all the hosts behind my firewall

I did some checking:

~> dig @209.31.226.26 version.bind chaos txt

; <<>> DiG 8.2 <<>> @209.31.226.26 version.bind chaos txt
--cut--
VERSION.BIND.           0S CHAOS TXT    "8.2.2-P3"
--cut---

and:

Trying 209.31.226.26...
Connected to w026.z209031226.sjc-ca.dsl.cnc.net.
Escape character is '^]'.

Red Hat Linux release 5.1 (Manhattan)
Kernel 2.0.35 on an i486

Now - with all the other incidents regarding an 8.2.2-P3 and P5 out there,
should we not start to think in terms of a worm? The 8.2 and 8.2.1
exploit was packaged in worm form by ADM:

~/hack/exploittools/bind/w0rm# more README
---cut--
the adm inet w0rm...
the w0rm is a linux/x86 spef he exploit the  bind/iquery vuln
--cut---

Maybe we have an 8.2.2-PX worm at work? Could those that receive this
message maybe have a quick look at those hosts doing host scans on port
53? Just check if they are running an 8.2.2-PX and Linux RH 5/6. It seems
that this is the right combination.

I could be totally wrong - but I think it's worthwhile checking...
Feedback anyone?

Regards,
Roelof.

------------------------------------------------------
Roelof W Temmingh               SensePost IT security
roelof () sensepost com         +27 83 448 6996
                http://www.sensepost.com                
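The check the post asks recipients to make, as an added example that is not part of the original message: spot sources doing a port-53 host scan in firewall logs (constructed lines here, in a simple "src sport dst dport" layout that is an assumption), pull the version string out of a dig version.bind transcript shaped like the one above, and flag the BIND 8.2 / 8.2.1 / 8.2.2-Px releases the post names.

```python
"""Added example (not from the original post): detection logic for the
port-53 scan pattern and the BIND version fingerprint described above."""
import re
from collections import defaultdict

# Constructed firewall log lines (not real logs): "src sport dst dport".
FIREWALL_LOG = """\
209.31.226.26 53 10.0.0.1 53
209.31.226.26 53 10.0.0.2 53
209.31.226.26 53 10.0.0.3 53
209.31.226.26 53 10.0.0.4 53
198.51.100.7 40123 10.0.0.1 53
"""

# Constructed dig transcript in the shape of the post's output (not real).
DIG_OUTPUT = """\
; <<>> DiG 8.2 <<>> @209.31.226.26 version.bind chaos txt
VERSION.BIND.           0S CHAOS TXT    "8.2.2-P3"
"""

LOG_RE = re.compile(r"^(\S+) (\d+) (\S+) (\d+)$")
VERSION_RE = re.compile(r'VERSION\.BIND\.\s+\S+\s+CHAOS\s+TXT\s+"([^"]*)"')
# 8.2, 8.2.1 and 8.2.2-Px: the releases the post asks recipients to look for.
SUSPECT_VERSION_RE = re.compile(r"^8\.2(\.1|\.2-P\d+)?$")


def find_port53_scanners(log_text, min_targets=3):
    """Return sources that hit port 53 on >= min_targets distinct hosts
    while also using source port 53, the pattern seen in the post."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the constructed layout
        src, sport, dst, dport = m.groups()
        if sport == "53" and dport == "53":
            targets[src].add(dst)
    return sorted(s for s, d in targets.items() if len(d) >= min_targets)


def bind_version(dig_text):
    """Extract the version.bind CHAOS TXT string from dig output, or None."""
    m = VERSION_RE.search(dig_text)
    return m.group(1) if m else None


def is_suspect_version(version):
    """True for the BIND 8.2 / 8.2.1 / 8.2.2-Px builds named in the post."""
    return version is not None and bool(SUSPECT_VERSION_RE.match(version))
```

A server that answers version.bind may also be configured to return a decoy string, so treat a match as a reason to look closer rather than as proof.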

