Security Incidents mailing list archives
BIND worm.
From: "Scott A. McIntyre" <scott () XS4ALL NL>
Date: Thu, 22 Mar 2001 12:19:40 +0100
Hi,

I'm wondering how many others have seen sign of what appears to be a BIND based worm attack that's been passing through here lately.

The kit includes a version of t0rnkit as well as pscan and randb (which generates semi-random pairs of octets for pscan /16 scanning), a few shell scripts, and some pre-built linux binaries for doing the BIND compromise.

It's targeted primarily at:

bind 8.2 8.2.1 8.2.2 8.2.2-PX

TribalFlood is also included, as are some generic footprint clearing utilities.

Once the pscan obtains a list of valid targets from a given address range, the BIND exploit is used to perform a series of tasks, including:

o Insertion of a root shell on port 1008
o Email the /etc/shadow, /etc/passwd and interface details to a specific email address
o Download a copy of the kit via lynx -dump
o Untar the kit and run an initialization script

That initialization script does the following:

o Removes /etc/hosts.deny
o Enters a line in rc.sysinit to ensure the scanning script starts automatically.
o Fires off the script that starts the scan (and thus the process all over again).

For lack of a better name, I've been referring to this as "Lion" as the name of the initialization script is 3l33tly spelled "1i0n.sh".

It appears that the exploit that is targeted is the Transaction Signature bug, so popular of late.

I know of a few countries who have been hit by this so far, just wondering how pervasive it is generally.

Regards,

Scott A. McIntyre
XS4ALL Internet B.V.
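Added example, not part of the original post or of the kit it describes: a shell function that checks a host (or a mounted disk image) for the indicators listed in the message above. The function name, the saved netstat listing, the two candidate rc.sysinit paths and the name-based matching are assumptions made for this example.

```shell
#!/bin/sh
# Added example: host triage for the indicators listed in the post above.
# Usage: lion_triage ROOT LISTENERS
#   ROOT      filesystem root to inspect ("/" live, or a mounted disk image)
#   LISTENERS file holding saved `netstat -ltn` output from the same host
# Prints one FINDING line per indicator; returns 0 if none, 1 otherwise.
lion_triage() {
    root=${1%/}
    listeners=$2
    hits=0

    # Root shell on port 1008 (port number from the post).
    if [ -r "$listeners" ] && grep -Eq ':1008[[:space:]]' "$listeners"; then
        echo "FINDING: listener on TCP port 1008"
        hits=$((hits + 1))
    fi

    # The initialization script removes /etc/hosts.deny.
    if [ ! -e "$root/etc/hosts.deny" ]; then
        echo "FINDING: /etc/hosts.deny is missing"
        hits=$((hits + 1))
    fi

    # Boot persistence via rc.sysinit. The post does not quote the inserted
    # line, so matching on kit component names is an assumption, as are the
    # two candidate paths for rc.sysinit.
    for f in "$root/etc/rc.d/rc.sysinit" "$root/etc/rc.sysinit"; do
        if [ -r "$f" ] && grep -Eq '1i0n|pscan|randb|t0rn' "$f"; then
            echo "FINDING: ${f#"$root"} references a kit component"
            hits=$((hits + 1))
        fi
    done

    # Kit files by name, staying on ROOT's own filesystem (-xdev).
    found=$(find "$root/" -xdev -type f \
        \( -name '1i0n.sh' -o -name pscan -o -name randb \) 2>/dev/null | head -n 5)
    if [ -n "$found" ]; then
        echo "FINDING: kit file(s): $(printf '%s' "$found" | tr '\n' ' ')"
        hits=$((hits + 1))
    fi

    [ "$hits" -eq 0 ]
}
```
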