Mailing List Archive



Re: [tlug] possible trojan..not sure...help please





*********** REPLY SEPARATOR  ***********

On 16/04/2003 at 01:02 Gavin wrote:

>I need some help fast! ran chkrootkit on my MDK server last night and I found
>that port 1008 is INFECTED (binshell). I have no idea what binshell is.
>            
>Next running nmap I got this message
>Port     State       Service
>1008    open        ufsd
>
>found more info and it seems that this is the starting point for the lion worm
>(china.com) I did a trojan and stealth scan via sygate and grc and nothing
>showed up! did some research found this
>
> http://info.ccone.at/INFO/Mail-Archives/redhat/Jan-2002/msg02703.html
>

Greetings from Tokyo!

Quote from http://www.sophos.com/virusinfo/analyses/linuxlion.html

Linux/Lion

Aliases: Troj/t0rn-kit

Type: Linux worm

Detection: Detected by Sophos Anti-Virus since March 2001.

Description
Linux/Lion is an internet worm written for the Linux operating system. It is similar to Linux/Ramen (i.e. one of the worm files is already detected as Linux/Ramen).

It spreads by scanning random class B IP networks for hosts that are vulnerable to a remote exploit in the Bind name service daemon. Once it has found a candidate for infection it attacks the remote machine and, if successful, downloads and installs a package from coollion.51.net. This package contains a copy of the worm and also the t0rn rootkit. The rootkit is designed to hide the presence of the worm by replacing many of the system binaries with trojaned versions and cleaning the log files. In particular, the following files may be created or changed:

/usr/sbin/nscd
/bin/in.telnetd
/bin/mjy
/usr/sbin/in.fingerd
/bin/ps
/sbin/ifconfig
/usr/bin/du
/bin/netstat
/usr/bin/top
/bin/ls
/usr/bin/find

The following directories may also be created:

/usr/man/man1/man1/lib/.lib
/usr/src/.puta
/usr/info/.t0rn
/dev/.lib

The worm keeps itself active during reboots by appending some lines to /etc/rc.d/rc.sysinit disguised with the comment 'Name Server Cache Daemon..'. It also deletes /etc/hosts.deny and appends lines to /etc/inetd.conf to leave a root shell on port 1008. Finally, it emails the contents of /etc/passwd, /etc/shadow and the output from ifconfig -a, to an address in the china.com domain.

This IDE detects the worm as Linux/Lion and also the rootkit as Troj/t0rn-kit.

Sophos recommends Red Hat Linux users update their systems with the latest security patches. For more information, please consult the Red Hat Linux website.
------ 
 
Hope that helps.

Best regards
Thomas Kruemmer
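The Sophos write-up quoted above gives a concrete list of host indicators: the rootkit directories, the extra /bin/mjy binary, the 'Name Server Cache Daemon..' comment in rc.sysinit, the inetd.conf backdoor on port 1008 and the deleted /etc/hosts.deny. The script below is an added example, not something posted in this thread and not part of chkrootkit or Sophos' tooling: it checks a filesystem root for those indicators so an admin can run it against the live box or a mounted image of a suspect disk. The directory and file paths are taken from the write-up; the inetd.conf pattern (a service that execs a shell directly) and the /etc/services check for 1008/tcp are my own heuristics, since the write-up does not quote the worm's exact lines. The lion_make_sample function builds a constructed test tree; it is not a real infection.

```shell
#!/bin/sh
# Added example (not from the thread): look for the Linux/Lion / t0rn-kit indicators
# quoted from the Sophos write-up under a given filesystem root.
#   sh lion_check.sh            # scan the running system
#   sh lion_check.sh /mnt/disk  # scan a mounted image of a suspect disk

# Directories the rootkit is reported to create (paths from the write-up).
LION_DIRS="/usr/man/man1/man1/lib/.lib /usr/src/.puta /usr/info/.t0rn /dev/.lib"

# lion_scan ROOT: print one "FOUND: ..." line per indicator present under ROOT (default /).
lion_scan() {
  root="${1:-/}"
  root="${root%/}"            # "/" becomes "", so "$root$d" is a clean absolute path
  for d in $LION_DIRS; do
    [ -d "$root$d" ] && echo "FOUND: rootkit directory $d"
  done
  # The other replaced binaries (ps, ls, netstat, ...) exist on every box and need a
  # package-database check (rpm -V) to judge; /bin/mjy is not a normal binary at all.
  [ -e "$root/bin/mjy" ] && echo "FOUND: unexpected binary /bin/mjy"
  # Persistence: the worm hides its rc.sysinit lines behind this comment.
  if [ -f "$root/etc/rc.d/rc.sysinit" ] && grep -q 'Name Server Cache Daemon' "$root/etc/rc.d/rc.sysinit"; then
    echo "FOUND: 'Name Server Cache Daemon' comment in /etc/rc.d/rc.sysinit"
  fi
  # Backdoor heuristic (my own, not the worm's exact line): an uncommented inetd.conf
  # entry that execs a shell directly, and a service defined on 1008/tcp.
  if [ -f "$root/etc/inetd.conf" ]; then
    grep -E '^[^#].*(/bin/(ba)?sh|/bin/csh)' "$root/etc/inetd.conf" | while IFS= read -r line; do
      echo "FOUND: inetd.conf spawns a shell: $line"
    done
  fi
  if [ -f "$root/etc/services" ] && grep -Eq '[[:space:]]1008/tcp' "$root/etc/services"; then
    echo "FOUND: /etc/services defines a service on 1008/tcp"
  fi
  # The write-up says the worm deletes /etc/hosts.deny; a missing file is a weak signal on its own.
  if [ -d "$root/etc" ] && [ ! -e "$root/etc/hosts.deny" ]; then
    echo "FOUND: /etc/hosts.deny is missing"
  fi
  return 0
}

# lion_count ROOT: number of indicators found (0 means none of these signs are present).
lion_count() {
  lion_scan "$1" | grep -c '^FOUND:' || true
}

# lion_make_sample ROOT infected|clean: build a constructed test tree (no real rootkit files,
# just empty placeholders and a few config lines) to exercise lion_scan offline.
lion_make_sample() {
  root="$1"; kind="$2"
  mkdir -p "$root/etc/rc.d" "$root/bin"
  printf 'ftp\tstream\ttcp\tnowait\troot\t/usr/sbin/tcpd\tin.ftpd\n' > "$root/etc/inetd.conf"
  printf 'ftp\t\t21/tcp\n' > "$root/etc/services"
  printf '#!/bin/sh\n# system init\n' > "$root/etc/rc.d/rc.sysinit"
  if [ "$kind" = infected ]; then
    mkdir -p "$root/usr/src/.puta" "$root/dev/.lib"
    : > "$root/bin/mjy"
    printf '# Name Server Cache Daemon..\n/usr/sbin/nscd\n' >> "$root/etc/rc.d/rc.sysinit"
    printf 'lion-sample\tstream\ttcp\tnowait\troot\t/bin/sh\tsh -i\n' >> "$root/etc/inetd.conf"
    printf 'lion-sample\t1008/tcp\n' >> "$root/etc/services"
    # no /etc/hosts.deny: the write-up says the worm removes it
  else
    : > "$root/etc/hosts.deny"
  fi
}

lion_scan "${1:-/}"
```

A clean result from this script only means these particular signs are absent; because the rootkit replaces ps, ls, netstat and ifconfig, anything those commands report on a live infected box is untrustworthy, so the checks are most meaningful run from a boot CD or against a mounted image, alongside rpm -V on the listed binaries.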


