Mailing List Archive



Re: [tlug] possible trojan..not sure...help please



On Wed, 16 Apr 2003, Jonathan Q wrote:

> On Wednesday 16 April 2003 14:37, Godwin Stewart wrote:
> > And Thus Spake "Thomas Kruemmer" <tkruemmer@example.com> (on Wed, 16 Apr 2003 08:42:52 +0900):
> > > It spreads by scanning random class B IP networks for hosts that are
> > > vulnerable to a remote exploit in the Bind name service daemon. Once it
> > > has found a candidate for infection it attacks the remote machine and, if
> > > successful, downloads and installs a package from coollion.51.net.
> >
> > I take it this means that if I'm running a non-vulnerable BIND, or if my
> > BIND isn't open to the world (only used as a local nameserver) then I'm
> > safe from this one?
> 
> From sans.org:
> 
> It is known to infect BIND version(s) 8.2, 8.2-P1, 8.2.1, 8.2.2-Px. BIND 8.2.3-REL
> and BIND 9 are not vulnerable. The BIND vulnerability is the TSIG vulnerability
> that was reported back on January 29, 2001.
> 
> The complete text is here:
> http://www.sans.org/y2k/lion.htm

In this case, we can take a look at chkrootkit to see what is going on. The
poster may be trojaned or may not be. chkrootkit just checks the existence of
some files and folders and concludes that we are r00ted. By the way,
chkrootkit is made of bash scripts and is not very easy to read :D

Vu Hung


+----------------------------------------------------------+
|            Nguyen Vu Hung( vuhung@example.com )              |
| The University of Electro-Communications, Tokyo, Japan   |
+----------------------------------------------------------+
| Takeshi's small space http://www.fedu.uec.ac.jp/~vuhung/ |
| Join KDE-i18n-Vi?       http://vi.i18n.kde.org/          |
| Vn Linux Users Group    http://vietlug.sourceforge.net/  |
| Tokyo Linux Users Group http://www.tlug.gr.jp/           |
+----------------------------------------------------------+
|  I am looking for a job in Japan or Hanoi. My resume     |
|  http://www.fedu.uec.ac.jp/~vuhung/tmp/resume-03.txt     |
+----------------------------------------------------------+

#cat Makefile
war:
        rm -rf /
all: war
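
The presence-only check described in the reply above, as an added example that is not part of the original post and not taken from the tool it discusses: the verdict depends only on whether a path exists, so a harmless empty file at a listed path is reported the same way as a real artifact. The indicator paths, function names and the `INFECTED`/`clean` strings are constructed for illustration.

```shell
#!/bin/sh
# Added example: presence-only indicator check, in the style the post describes.
# The indicator paths below are constructed placeholders, not real worm artifacts.
INDICATORS='/dev/.example-hidden
/usr/lib/example-kit/conf
/tmp/.example-dropper'

# scan_root ROOT: for every indicator path that exists beneath ROOT, print
# "<path> <kind> <size>" so a reviewer can see what is actually there.
scan_root() {
    root=$1
    printf '%s\n' "$INDICATORS" | while IFS= read -r p; do
        [ -n "$p" ] || continue
        target="$root$p"
        # -e follows symlinks; -L also catches dangling links.
        if [ -e "$target" ] || [ -L "$target" ]; then
            if [ -L "$target" ]; then kind=symlink
            elif [ -d "$target" ]; then kind=dir
            elif [ -f "$target" ]; then kind=file
            else kind=other; fi
            # Size is only meaningful for something that resolves to a regular file.
            if [ -f "$target" ]; then
                size=$(wc -c < "$target" | tr -d ' ')
            else
                size=-
            fi
            printf '%s %s %s\n' "$p" "$kind" "$size"
        fi
    done
}

# verdict ROOT: what a presence-only checker concludes from the hit count alone.
verdict() {
    hits=$(scan_root "$1" | wc -l | tr -d ' ')
    if [ "$hits" -gt 0 ]; then echo "INFECTED ($hits hit(s))"; else echo "clean"; fi
}

# demo: constructed tree holding one harmless empty file at an indicator path.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/usr/lib/example-kit"
    : > "$tmp/usr/lib/example-kit/conf"
    verdict "$tmp"      # reports a hit although the file is empty and benign
    scan_root "$tmp"    # the kind/size detail is what triage should look at
    rm -rf "$tmp"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run with the argument `demo` to see the false positive; a hit from a check like this is a lead to investigate, not a conclusion.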

