Here's another virus for Linux.
Let's stay sharp. Viruses are getting smarter and smarter.
From what I've noticed, this one exploits a flaw in Bind, which has already been fixed and
even released as an update.

------- Forwarded message follows -------
From:                   Sophos Alert System <[EMAIL PROTECTED]>
To:                     Undisclosed recipients: ;
Send reply to:          [EMAIL PROTECTED]
Subject:                Sophos Anti-Virus IDE alert:  Linux/Lion
Date sent:              Tue, 27 Mar 2001 14:21:12 +0100 (BST)


Name: Linux/Lion
Type: Linux worm.
Date: 27 March 2001

Will be detected by Sophos Anti-Virus May 2001 (3.45) or later.
A virus identity (IDE) file is available for earlier versions.

At the time of writing Sophos has not seen any infections but
has issued this alert due to media interest.

Description:

Linux/Lion is an internet worm written for the Linux operating
system. It is similar to Linux/Ramen (i.e. one of the worm files
is already detected as Linux/Ramen).

It spreads by scanning random class B IP networks for hosts
that are vulnerable to a remote exploit in the Bind name service
daemon. Once it has found a candidate for infection it attacks
the remote machine and, if successful, downloads and installs a
package from coollion.51.net. This package contains a copy of
the worm and also the t0rn rootkit. The rootkit is designed to
hide the presence of the worm by replacing many of the system
binaries with trojaned versions and cleaning the log files. In
particular, the following files may be created or changed:

/usr/sbin/nscd
/bin/in.telnetd
/bin/mjy
/usr/sbin/in.fingerd
/bin/ps
/sbin/ifconfig
/usr/bin/du
/bin/netstat
/usr/bin/top
/bin/ls
/usr/bin/find

The following directories may also be created:

/usr/man/man1/man1/lib/.lib
/usr/src/.p_u_t_a (I had to add the underscores for it to be accepted by the list)
/usr/info/.t0rn
/dev/.lib

The worm keeps itself active during reboots by appending some
lines to /etc/rc.d/rc.sysinit disguised with the comment 'Name
Server Cache Daemon..'. It also deletes /etc/hosts.deny and
appends lines to /etc/inetd.conf to leave a root shell on port
1008. Finally, it emails the contents of /etc/passwd,
/etc/shadow and the output from ifconfig -a, to an address in
the china.com domain.

This IDE detects the worm as Linux/Lion and also the rootkit as
Troj/t0rn-kit.


Download the IDE file from
http://www.sophos.com/downloads/ide/both.ide

Read the analysis at
http://www.sophos.com/virusinfo/analyses/linuxlion.html

Download a ZIP file containing all the IDE files available for
the current version of Sophos Anti-Virus from
http://www.sophos.com/downloads/ide/ides.zip

Read about how to use IDE files at
http://www.sophos.com/downloads/ide/using.html

To unsubscribe from this service please visit
http://www.sophos.com/virusinfo/notifications

Edival de Paula Ronqui
Capital Cobrança S/C Ltda
[EMAIL PROTECTED]
[EMAIL PROTECTED]
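The alert above lists concrete host artifacts: the rootkit directories, the persistence hook in /etc/rc.d/rc.sysinit marked with the 'Name Server Cache Daemon..' comment, the deleted /etc/hosts.deny, and the inetd.conf entry that exposes a root shell on port 1008. The script below is an added example (it is not Sophos code and not part of the forwarded alert or the list message) that checks a filesystem root for exactly those indicators. It assumes: the real directory name behind the list-filtered /usr/src/.p_u_t_a is /usr/src/.puta; the inetd.conf backdoor shows up as a service line whose program is /bin/sh or /bin/bash, with /etc/services mapping a name to 1008/tcp; and that replaced binaries can only be judged against known-good hashes the caller supplies (for example from a clean package database). The `root` argument lets it run against a mounted image or a constructed test tree instead of the live system.

```python
"""Host check for the Linux/Lion / t0rn indicators named in the Sophos alert.

Added example, not Sophos code. Point `root` at "/" for a live host or at a
mounted image / test tree. Every check is read-only.
"""
from __future__ import annotations

import hashlib
import os
import re
import sys
from typing import Dict, List, Optional

# Binaries the alert says may be created or replaced by the t0rn rootkit.
TROJANED_BINARIES = [
    "/usr/sbin/nscd", "/bin/in.telnetd", "/bin/mjy", "/usr/sbin/in.fingerd",
    "/bin/ps", "/sbin/ifconfig", "/usr/bin/du", "/bin/netstat",
    "/usr/bin/top", "/bin/ls", "/usr/bin/find",
]
# Directories from the alert. The list software forced the second one to be
# written as /usr/src/.p_u_t_a; the underscore-free name is assumed here.
ROOTKIT_DIRS = [
    "/usr/man/man1/man1/lib/.lib",
    "/usr/src/.puta",
    "/usr/info/.t0rn",
    "/dev/.lib",
]
RC_SYSINIT = "/etc/rc.d/rc.sysinit"
RC_MARKER = "Name Server Cache Daemon"      # comment the worm hides behind
HOSTS_DENY = "/etc/hosts.deny"              # deleted by the worm
INETD_CONF = "/etc/inetd.conf"
SERVICES = "/etc/services"
BACKDOOR_PORT = 1008

# Assumption: the backdoor is an inetd service whose handler is a shell.
_SHELL_RE = re.compile(r"(^|\s)/bin/(ba)?sh(\s|$)")


def _p(root: str, path: str) -> str:
    """Join an absolute indicator path onto the scan root."""
    return os.path.join(root, path.lstrip("/"))


def _read_lines(path: str) -> List[str]:
    """Read a text file as lines; a missing/unreadable file yields no lines."""
    try:
        with open(path, "r", errors="replace") as fh:
            return fh.read().splitlines()
    except OSError:
        return []


def sha256_file(path: str) -> Optional[str]:
    """Hex SHA-256 of a file, or None if it cannot be read."""
    try:
        h = hashlib.sha256()
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                h.update(chunk)
        return h.hexdigest()
    except OSError:
        return None


def check_lion_indicators(root: str = "/",
                          known_good: Optional[Dict[str, str]] = None) -> List[str]:
    """Return human-readable findings; an empty list means nothing matched."""
    findings: List[str] = []

    # 1. Rootkit directories created by the package.
    for d in ROOTKIT_DIRS:
        if os.path.isdir(_p(root, d)):
            findings.append(f"rootkit directory present: {d}")

    # 2. Persistence: lines appended to rc.sysinit under the fake nscd comment.
    for n, line in enumerate(_read_lines(_p(root, RC_SYSINIT)), 1):
        if RC_MARKER in line:
            findings.append(f"{RC_SYSINIT}:{n} contains '{RC_MARKER}' marker")

    # 3. hosts.deny removed (only meaningful when /etc exists in the tree).
    if os.path.isdir(_p(root, "/etc")) and not os.path.exists(_p(root, HOSTS_DENY)):
        findings.append(f"{HOSTS_DENY} is missing")

    # 4. Root shell on port 1008: a services entry for that port plus an
    #    inetd.conf line whose handler is a shell (assumed shape, see above).
    for n, line in enumerate(_read_lines(_p(root, SERVICES)), 1):
        if not line.lstrip().startswith("#") and re.search(rf"\s{BACKDOOR_PORT}/tcp\b", line):
            findings.append(f"{SERVICES}:{n} maps a service to {BACKDOOR_PORT}/tcp: {line.strip()}")
    for n, line in enumerate(_read_lines(_p(root, INETD_CONF)), 1):
        if not line.lstrip().startswith("#") and _SHELL_RE.search(line):
            findings.append(f"{INETD_CONF}:{n} hands the connection to a shell: {line.strip()}")

    # 5. Trojaned binaries: only a caller-supplied known-good hash can prove a
    #    replacement; /bin/mjy is not a normal system binary, so its mere
    #    presence is reported (assumption).
    for b in TROJANED_BINARIES:
        full = _p(root, b)
        if not os.path.exists(full):
            continue
        if known_good and b in known_good:
            actual = sha256_file(full)
            if actual != known_good[b]:
                findings.append(f"{b} hash {actual} differs from known-good {known_good[b]}")
        elif b == "/bin/mjy":
            findings.append(f"unexpected file present: {b}")
    return findings


if __name__ == "__main__":
    for finding in check_lion_indicators(sys.argv[1] if len(sys.argv) > 1 else "/"):
        print(finding)
```

Run it as `python lion_check.py /mnt/image` against a mounted disk, or with no argument on the host itself. Because the rootkit replaces ps, ls, netstat and friends, the file checks are more trustworthy when run from a boot medium or over a mounted image than from the suspect system's own binaries, and the hash comparison is only as good as the known-good set you feed in.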

Subscribers on 27/03/2001: 2166
Messages received since 07/01/1999: 106732
Archive and [un]subscription: http://linux-br.conectiva.com.br
Administrative matters and problems with the list:
            mailto:[EMAIL PROTECTED]
