Attention, gentlemen, yet another virus that attacks Linux.
LOG OUT OF ROOT IMMEDIATELY.

------- Forwarded message follows -------
From:                   Sophos Alert System <[EMAIL PROTECTED]>
To:                     Undisclosed recipients: ;
Send reply to:          [EMAIL PROTECTED]
Subject:                Sophos Anti-Virus IDE alert:  Linux/Adore
Date sent:              Thu,  5 Apr 2001 16:04:25 +0100 (BST)


Name: Linux/Adore
Aliases: Linux/Red
Type: Linux worm
Date: 5 April 2001

Will be detected by Sophos Anti-Virus May 2001 (3.45) or later.
A virus identity (IDE) file is available for earlier versions.

At the time of writing Sophos has not received any reports of
infections from customers but has issued this alert due to media
interest.

Description:

Linux/Adore is an internet worm for the Linux operating system. The
worm is very similar to the Linux/Ramen and Linux/Lion worms. It
uses four known vulnerabilities in wu-ftpd, bind, lpd and
RPC.statd, which allow the attacker to gain root access and run
malicious code.

When the worm runs, it attempts to send confidential information
such as IP configuration and information about running processes
together with the files /etc/hosts and /etc/shadow to four email
addresses which appear to be based in China.

The worm also copies a script "0anacron" into the
/etc/cron.daily directory so that it runs when the daily cron
jobs are scheduled (by default at 4:02 a.m.). This script
removes the worm from the infected host.

The worm spreads by scanning for randomly generated class B IP
addresses and probing them for machine vulnerabilities. If a
vulnerability is found, the worm exploits it so that the
attacked host runs code (with superuser privileges) to download
the worm archive file, unpack it, install it into the directory
/usr/lib/lib and run it.

The Linux system program /bin/ps is replaced with a trojanised
version, which will prevent all worm processes from being displayed
in the list of the running processes when the ps command is run.

The worm also runs a program called icmp, which listens and sets
the rootshell to accept connection on port 65535, acting as a
backdoor, if the received packet length is equal to the one
specified in the sourcefile.

Sophos recommends Linux users apply security patches to their
systems to avoid this and other Linux worms exploiting
vulnerabilities.


Download the IDE file from
http://www.sophos.com/downloads/ide/adore.ide

Read the analysis at
http://www.sophos.com/virusinfo/analyses/linuxadore.html

Download a ZIP file containing all the IDE files available for
the current version of Sophos Anti-Virus from
http://www.sophos.com/downloads/ide/ides.zip

Read about how to use IDE files at
http://www.sophos.com/downloads/ide/using.html

To unsubscribe from this service please visit
http://www.sophos.com/virusinfo/notifications



------- End of forwarded message -------
Edival de Paula Ronqui
Capital Cobrança S/C Ltda
[EMAIL PROTECTED]
[EMAIL PROTECTED]
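
A host check built from the artefacts the alert names (the /usr/lib/lib directory, the 0anacron cron script, TCP port 65535), as an added example that is not part of the original message and not Sophos tooling. The function name adore_check, its ROOT argument and the ADORE_HITS variable are assumptions; the socket table is read from /proc/net/tcp rather than through userland tools because the alert says /bin/ps is replaced.

```shell
#!/bin/sh
# Added example: look for the Linux/Adore artefacts listed in the alert.
# ROOT (hypothetical parameter) is "/" for a live host, or the mount point
# of a disk image or a constructed test tree.
# Result: ADORE_HITS holds the number of indicators; status 0 means none.

adore_check() {
    root="${1%/}"          # "/" becomes "", so paths below stay absolute
    ADORE_HITS=0

    # Install directory named in the alert.
    if [ -d "$root/usr/lib/lib" ]; then
        echo "FOUND  directory $root/usr/lib/lib"
        ADORE_HITS=$((ADORE_HITS + 1))
    fi

    # Cron script named in the alert. Some distributions ship a legitimate
    # file with this name (anacron package), so this is a prompt to read
    # the file, not proof of infection.
    if [ -e "$root/etc/cron.daily/0anacron" ]; then
        echo "REVIEW $root/etc/cron.daily/0anacron"
        ADORE_HITS=$((ADORE_HITS + 1))
    fi

    # Backdoor port from the alert: 65535 is FFFF in the kernel's IPv4 TCP
    # table, and state 0A is LISTEN. Per the alert the port is only opened
    # after a trigger packet arrives, so no listener does not clear a host.
    tcp="$root/proc/net/tcp"
    if [ -r "$tcp" ] &&
       awk 'NR > 1 && $2 ~ /:FFFF$/ && $4 == "0A" { f = 1 }
            END { exit !f }' "$tcp"; then
        echo "FOUND  TCP listener on port 65535"
        ADORE_HITS=$((ADORE_HITS + 1))
    fi

    echo "$ADORE_HITS indicator(s) under ${root:-/}"
    [ "$ADORE_HITS" -eq 0 ]
}

# Usage on a live host:  adore_check /
```

Because the alert states that the cron script removes the worm, a clean result after the daily cron run says little about whether /etc/shadow was already sent out.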
