Jan-Philip Velders
1999-Mar-26  10:35 UTC
Re: [Security - intern] [linux-security] *ALERT*: ADM Worm. Worm for Linux x86 found in wild.
On Fri, 26 Mar 1999, Thomas Biege wrote:

> Date: Fri, 26 Mar 1999 09:34:10 +0100 (MET)
> From: Thomas Biege <thomas@suse.de>
> To: Jan-Philip Velders <jpv@jvelders.tn.tudelft.nl>
> Cc: linux-security@redhat.com
> Subject: Re: [Security - intern] [linux-security] *ALERT*: ADM Worm. Worm for Linux x86 found in wild.

> The worm just exploits old security holes, so if you keep update with your
> daemons you haven't fear about that worm.

Eh, the guy who reported it on BugTraq said it was a RedHat 5.2 box.
AFAIK 5.2 is fairly recent, and could only contain 'newer' holes, like the
stuff with wu-ftpd...

> Thomas

Greetings,
Jan-Philip Velders
Sergio Ballestrero
1999-Mar-26  14:05 UTC
[linux-security] Re: [Security - intern] *ALERT*: ADM Worm. Worm for Linux x86 found in wild.
On Fri, 26 Mar 1999, Jan-Philip Velders wrote:

> On Fri, 26 Mar 1999, Thomas Biege wrote:
>
> > Date: Fri, 26 Mar 1999 09:34:10 +0100 (MET)
> > From: Thomas Biege <thomas@suse.de>
> > To: Jan-Philip Velders <jpv@jvelders.tn.tudelft.nl>
> > Cc: linux-security@redhat.com
> > Subject: Re: [Security - intern] [linux-security] *ALERT*: ADM Worm. Worm for Linux x86 found in wild.
>
> > The worm just exploits old security holes, so if you keep update with your
> > daemons you haven't fear about that worm.
>
> Eh, the guy who reported it on BugTraq said it was a RedHat 5.2 box.
> AFAIK 5.2 is fairly recent, and could only contain 'newer' holes, like the
> stuff with wu-ftpd...
>
> > Thomas
>
> Greetings,
> Jan-Philip Velders

I downloaded the worm, and I'm playing a bit with it, on two RH5.2 boxes.
As far as I understand from the logging by iplogd (www.linuxvalley.org/~lserni)
and from netstat, it only scans, and tries to attack, named.
And on my RH 5.2, with bind-8.1.2-5, it doesn't succeed.

The "network" part is made of:
  gimmeRAND    that generates random IPs (apparently from time, since it's the
               same if I call it consecutively)
  incremental  that generates a sequence of IPs starting from the random one
  scanco       that checks for the existence of a name service on the IP
  test         that tests some vulnerability in named - I haven't seen which
               one, possibly a buffer overflow.
  Hnamed       is the actual exploit of the named vulnerability, that does
               some kind of "remote shell"

All the damaging actions described (deleting logs, removing hosts.deny,
substituting all the index.html, creating a passwordless account) are done
in the script "w0rm".

The "outro" log file doesn't seem to be generated by ADMw0rm; I suppose it's
something made by some other tool, run by hand by the intruder.

Also, the tgz available via ftp doesn't contain the "remotecmd" executable
that seems necessary for the spreading of the worm:

    echo "lets hack"
    ./Hnamed $VICTIM /bin/sh -c "echo >> /etc/passwd; echo \"w0rm::2666:777:ADM Inet w0rm:/:/bin/sh\" >> /etc/passwd; /bin/cp /bin/sh /tmp/.w0rm; /bin/chmod 4777 /tmp/.w0rm; /bin/rm -f /etc/hosts.deny"
    nohup ./remotecmd $VICTIM cmd 3000000 &

A signature of the attack is

    Mar 26 13:56:59 pcsash named[5349]: stream_getlen([127.0.0.1].4256): Broken pipe

but it is not always seen (I haven't understood why).

Just to be clear, let me repeat: bind-8.1.2-5, distributed with RedHat 5.2,
is _NOT_ vulnerable - at least not to the version of ADMw0rm that was
available via ftp.

Regards,
Sergio

--------------------------------------------------------------------------
ballestr@fi.infn.it      <- Physics     Sergio Ballestrero
sergio@ctt.it            <- Business    V. Marini 18
S.Ballestrero@iname.com  <- Personal    59100 Prato ITALY

[mod: Ti Leggett agrees: -- REW]

If I'm not mistaken this is a really old (but very hazardous) exploit of
the bind utilities. Turn off bind services, or if you need them upgrade to
the newest packages.

Ti Leggett
legget@mcs.anl.gov
tlegget@mailhost.tcs.tulane.edu
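The indicators described in the message above (the w0rm passwd entry, /tmp/.w0rm, the removed /etc/hosts.deny and the named log line) turned into a host check. This is an added example, not part of the original thread or of the worm's code; it generalizes the account check to any entry with an empty password field, and the function names and the `root` parameter are assumptions made for this example.

```python
import os
import re
import stat

# Added example; indicators come from the thread, names below are assumptions.
WORM_ACCOUNT = "w0rm"
SUID_SHELL = "tmp/.w0rm"
NAMED_SIG = re.compile(r"named\[\d+\]: stream_getlen\(\[([\d.]+)\]\.\d+\): Broken pipe")


def check_passwd(text):
    """Flag the worm's account and any other entry with an empty password field."""
    hits = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 7:
            continue  # blank line (the worm appends one) or malformed entry
        if fields[0] == WORM_ACCOUNT or fields[1] == "":
            hits.append(fields[0])
    return hits


def check_named_log(lines):
    """Return source addresses of connections that match the logged signature."""
    return [m.group(1) for m in map(NAMED_SIG.search, lines) if m]


def check_host(root="/", log_lines=()):
    """Collect findings for a filesystem tree rooted at `root` (e.g. a mounted image)."""
    findings = []
    passwd = os.path.join(root, "etc/passwd")
    if os.path.exists(passwd):
        with open(passwd, encoding="latin-1") as fh:
            for user in check_passwd(fh.read()):
                findings.append(f"passwd: suspicious account '{user}'")
    shell = os.path.join(root, SUID_SHELL)
    if os.path.lexists(shell):
        suid = " (setuid)" if os.lstat(shell).st_mode & stat.S_ISUID else ""
        findings.append(f"file: /{SUID_SHELL} present{suid}")
    if not os.path.exists(os.path.join(root, "etc/hosts.deny")):
        findings.append("file: /etc/hosts.deny missing")
    for src in check_named_log(log_lines):
        findings.append(f"log: named stream_getlen broken pipe from {src}")
    return findings


if __name__ == "__main__":
    for finding in check_host("/"):
        print(finding)
```

Because the log line is not always produced and a missing hosts.deny can be legitimate, treat each finding as a lead to investigate rather than proof of compromise.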
Gerhard Franke
1999-Mar-26  14:18 UTC
Re: *ALERT*: ADM Worm. Worm for Linux x86 found in wild.
On Fri, Mar 26, 1999 at 11:35:19AM +0100, Jan-Philip Velders wrote:

> On Fri, 26 Mar 1999, Thomas Biege wrote:

> > The worm just exploits old security holes, so if you keep update with your
> > daemons you haven't fear about that worm.

> Eh, the guy who reported it on BugTraq said it was a RedHat 5.2 box.
> AFAIK 5.2 is fairly recent, and could only contain 'newer' holes, like the
> stuff with wu-ftpd...

The sourcecode can be found at
http://www.rewted.org/files/exploits/
or
ftp://ftp.hackzone.ru/pub/rewt/exploits/
as ADMw0rm-v1.tgz

Gerhard