Re: Linux Worm (fwd)
Bob_Tracy writes:
> So let's quit covering for 'em. Let's have the name(s) behind that
> idiotic policy letter, because I would not knowingly allow any company
> I work for to hire such people.
>
> Problem     Remedy
> -------     ------
> hangnail    amputate
> headache    amputate
> (etc.)

you can add:

cancer      withdraw into complete denial

--
Drew Bertola | Send a text message to my pager or cell ... | http://jpager.com/Drew

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Re: Linux Worm (fwd)
What company was it that you worked for? I'm sure we could convince them
otherwise . . . .

-b

Gregory Maxwell wrote:
> On Mon, Mar 26, 2001 at 10:07:22AM -0500, Richard B. Johnson wrote:
> [snip]
>
>> I have just received notice that my machines will no longer be
>> provided access to "The Internet".
>>
>> "Effective on or before 16:00:00 local time, the only personal
>> computers that will be allowed Internet access are those administered
>> by a Microsoft Certified Network Administrator. This means that
>> no Unix or Linux machines will be provided access beyond the local
>> area network. If you require Internet access, the company will
>> provide a PC which runs a secure operating system such as Microsoft
>> Windows, or Windows/NT. Insecure operating systems like Linux must
>> be removed from company owned computers before the end of this week."
>
> You've demonstrated over and over again that you work for a constantly
> stupid company.
>
> Please find someplace else to work, your issues have become more depressing
> than amusing. :)
>
> It's sad that people like the one who sent out messages like that can stay
> employed. In the last year there have been several Windows love-bug type
> worms each causing damage estimated in the billions. One or two Linux worms
> that go after a long fixed problem with no published accounts of significant
> damage and you get that sort of email..
Re: Linux Worm (fwd)
At 10:24 AM 3/26/01 -0500, you wrote:
>It's sad that people like the one who sent out messages like that can stay
>employed. In the last year there have been several Windows love-bug type
>worms each causing damage estimated in the billions. One or two Linux worms
>that go after a long fixed problem with no published accounts of significant
>damage and you get that sort of email..

What is even sadder is that, for loser companies like the one cited, there
is a series of Linux certification programs (not distribution-dependent)
under development at CompTIA (the Computing Technology Industry Association).

Satch
Re: Linux Worm (fwd)
On Mon, 26 Mar 2001, Richard B. Johnson wrote:
>
> "Effective on or before 16:00:00 local time, the only personal
> computers that will be allowed Internet access are those administered
> by a Microsoft Certified Network Administrator. This means that
> no Unix or Linux machines will be provided access beyond the local
> area network. If you require Internet access, the company will
> provide a PC which runs a secure operating system such as Microsoft
> Windows, or Windows/NT. Insecure operating systems like Linux must
> be removed from company owned computers before the end of this week."

You might point out that only Linux machines running an older version of
bind are at risk. Over one million credit card numbers were stolen from
Microsoft servers in the last year. I suspect none of your Linux machines
are even running bind.

Bob
Re: Linux Worm (fwd)
[EMAIL PROTECTED] (Richard B. Johnson) writes:
>I have just received notice that my machines will no longer be
>provided access to "The Internet".

>"Effective on or before 16:00:00 local time, the only personal
>computers that will be allowed Internet access are those administered
>by a Microsoft Certified Network Administrator. This means that
>no Unix or Linux machines will be provided access beyond the local
>area network. If you require Internet access, the company will
>provide a PC which runs a secure operating system such as Microsoft
>Windows, or Windows/NT. Insecure operating systems like Linux must
>be removed from company owned computers before the end of this week."

This is a troll, right? I mean, you wouldn't work for a company that
publishes such internal memos (and allows its employees to post it into a
public mailing list), would you?

If you're working for a company that considers one OS "more secure" than
another, your "security administrator" should really get a clue. I mean,
they all suck. Really, all of them. That's why they're OSes. ;-)

Regards
Henning

--
Dipl.-Inf. (Univ.) Henning P. Schmiedehausen  -- Geschaeftsfuehrer
INTERMETA - Gesellschaft fuer Mehrwertdienste mbH     [EMAIL PROTECTED]
Am Schwabachgrund 22  Fon.: 09131 / 50654-0   [EMAIL PROTECTED]
D-91054 Buckenhof     Fax.: 09131 / 50654-20
offtopic Re: Linux Worm (fwd)
On Mon, 26 Mar 2001, Bob_Tracy wrote:
> So let's quit covering for 'em. Let's have the name(s) behind that
> idiotic policy letter, because I would not knowingly allow any company
> I work for to hire such people.

In this case, the person(s) making the policy seem to be short on clue, and
long on agenda.

However, I can understand and agree with, from a security perspective, a
company deciding to ditch OSes that they have little to no idea about how to
handle. I've been in the position to suggest that very action to companies,
as their $VENDOR-OS box sits in the corner and decays quietly, because
everyone either ignores it while it's working, or kicks it into 'submission'
when something goes wrong ...

Yeah, the _solution_ is to have IT people with lots of clue, but, well ...
*cough* ...

--
-- John E. Jasen ([EMAIL PROTECTED])
-- In theory, theory and practise are the same. In practise, they aren't.
Re: Linux Worm (fwd)
Gregory Maxwell wrote:
> On Mon, Mar 26, 2001 at 10:07:22AM -0500, Richard B. Johnson wrote:
> [snip]
> > I have just received notice that my machines will no longer be
> > provided access to "The Internet".
>
> It's sad that people like the one who sent out messages like that can stay
> employed.

So let's quit covering for 'em. Let's have the name(s) behind that
idiotic policy letter, because I would not knowingly allow any company
I work for to hire such people.

Problem     Remedy
-------     ------
hangnail    amputate
headache    amputate
(etc.)

Sheesh...

--Bob Tracy
[EMAIL PROTECTED]
Re: Linux Worm (fwd)
On Mon, Mar 26, 2001 at 10:07:22AM -0500, Richard B. Johnson wrote:
> On Fri, 23 Mar 2001, Gerhard Mack wrote:
>
> > On Fri, 23 Mar 2001, Bob Lorenzini wrote:
> >
> > > I'm annoyed when persons post virus alerts to unrelated lists but this
> > > is a serious threat. If you're offended flame away.
> >
> > This should be a wake up call... distributions need to stop using product
> > with consistently bad security records.
> >
> > Gerhard
> >
>
> The immediate effect of specifically targeting Linux is to cause
> "security administrators" to deny network access to all Linux
> machines.
>
> I have just received notice that my machines will no longer be
> provided access to "The Internet".
>
> "Effective on or before 16:00:00 local time, the only personal
> computers that will be allowed Internet access are those administered
> by a Microsoft Certified Network Administrator. This means that
> no Unix or Linux machines will be provided access beyond the local
> area network. If you require Internet access, the company will
> provide a PC which runs a secure operating system such as Microsoft
> Windows, or Windows/NT. Insecure operating systems like Linux must
> be removed from company owned computers before the end of this week."

O. I especially like the "secure operating systems such as Microsoft
Windows" part. I'm impressed with their clear perception.

/David
   _                                                                 _
  // David Weinehall <[EMAIL PROTECTED]>   /> Northern lights wander      \\
 //  Project MCA Linux hacker            //  Dance across the winter sky  //
 \>  http://www.acc.umu.se/~tao/
Re: Linux Worm (fwd)
On Mon, Mar 26, 2001 at 10:07:22AM -0500, Richard B. Johnson wrote:
[snip]
> I have just received notice that my machines will no longer be
> provided access to "The Internet".
>
> "Effective on or before 16:00:00 local time, the only personal
> computers that will be allowed Internet access are those administered
> by a Microsoft Certified Network Administrator. This means that
> no Unix or Linux machines will be provided access beyond the local
> area network. If you require Internet access, the company will
> provide a PC which runs a secure operating system such as Microsoft
> Windows, or Windows/NT. Insecure operating systems like Linux must
> be removed from company owned computers before the end of this week."

You've demonstrated over and over again that you work for a constantly
stupid company.

Please find someplace else to work, your issues have become more depressing
than amusing. :)

It's sad that people like the one who sent out messages like that can stay
employed. In the last year there have been several Windows love-bug type
worms each causing damage estimated in the billions. One or two Linux worms
that go after a long fixed problem with no published accounts of significant
damage and you get that sort of email..
Re: Linux Worm (fwd)
On Fri, 23 Mar 2001, Gerhard Mack wrote:
> On Fri, 23 Mar 2001, Bob Lorenzini wrote:
>
> > I'm annoyed when persons post virus alerts to unrelated lists but this
> > is a serious threat. If you're offended flame away.
>
> This should be a wake up call... distributions need to stop using product
> with consistently bad security records.
>
> Gerhard
>

The immediate effect of specifically targeting Linux is to cause
"security administrators" to deny network access to all Linux
machines.

I have just received notice that my machines will no longer be
provided access to "The Internet".

"Effective on or before 16:00:00 local time, the only personal
computers that will be allowed Internet access are those administered
by a Microsoft Certified Network Administrator. This means that
no Unix or Linux machines will be provided access beyond the local
area network. If you require Internet access, the company will
provide a PC which runs a secure operating system such as Microsoft
Windows, or Windows/NT. Insecure operating systems like Linux must
be removed from company owned computers before the end of this week."

Cheers,
Dick Johnson

Penguin : Linux version 2.4.1 on an i686 machine (799.53 BogoMips).

"Memory is like gasoline. You use it up when you are running. Of course
you get it all back when you reboot..."; Actual explanation obtained from
the Micro$oft help desk.
Re: [OT] Linux Worm (fwd)
Jesse Pollard wrote:
> >Is there an alternative to BIND that's free software? Never seen
> >one.
>
> Not one that is Open Source

Australia's RMIT and Ericsson have an Open Source load-balancing
distributed web server, including a DNS server to do the balancing.
The links I have, www.eddieware.org and www.rmit.edu.au, both currently
appear to be down.
Re: [OT] Linux Worm (fwd)
On Sat, Mar 24, 2001 at 11:11:50AM -0600, Jesse Pollard wrote:
> Bind itself has been proven over many years. This is the first major
> problem found.

This is so blatantly incorrect as to be laughable. BIND 4 and 8 had a long
and glorious history of serious security flaws; a quick search of the
www.securityfocus.com vulnerability archives for "BIND" returns a ton of
results, ranging from root compromises to denial of service attacks to
cache poisoning problems.

> If you want a fix, get bind v9. Besides handling IP version
> 4, it also handles version 6.

I'll believe in BIND 9's safety after it's been widely deployed; with few
OS vendors actually bundling BIND 9 at this point, it's received very
little real-world attention.

> It really isn't, but the new bind may be. There is even an update
> to bind 8 that contains a fix for the problem.

Until the next design flaw produces yet-another-vulnerability? While other
packages might not be free software, I don't have the luxury of following
principles in lieu of security.

Last post from me on the subject, because this has next to nothing to do
with the Linux kernel.

--
Edward S. Marshall <[EMAIL PROTECTED]>          http://www.nyx.net/~emarshal/
---
[ Felix qui potuit rerum cognoscere causas. ]
Re: [OT] Linux Worm (fwd)
On Fri, 23 Mar 2001, Doug McNaught wrote:
>Gerhard Mack <[EMAIL PROTECTED]> writes:
>
>> On Fri, 23 Mar 2001, Bob Lorenzini wrote:
>>
>> > I'm annoyed when persons post virus alerts to unrelated lists but this
>> > is a serious threat. If you're offended flame away.
>>
>> This should be a wake up call... distributions need to stop using product
>> with consistently bad security records.
>
>Is there an alternative to BIND that's free software? Never seen
>one.

Not one that is Open Source.

Bind itself has been proven over many years. This is the first major
problem found. If you want a fix, get bind v9. Besides handling IP version
4, it also handles version 6. The only current limitation is the inability
to control sort order of hosts with multiple interfaces. I think this is
due to the new IP v 6 resource handling.

Bind 9 works well (see ISC web page http://www.isc.org/products/BIND/)

>
>-Doug (who doesn't think this is a Good Thing)

It really isn't, but the new bind may be. There is even an update
to bind 8 that contains a fix for the problem.

-
Jesse I Pollard, II
Email: [EMAIL PROTECTED]

Any opinions expressed are solely my own.
Re: [OT] Linux Worm (fwd)
On Fri, Mar 23, 2001 at 02:39:07PM -0500, Michael Bacarella wrote:
> On Fri, Mar 23, 2001 at 01:51:11PM -0500, Doug McNaught wrote:
> > Is there an alternative to BIND that's free software? Never seen
> > one.
>
> Have a look at djbdns.

I use djbdns myself and am very happy with it, but the original poster was
asking for free software. djbdns doesn't even meet the DFSG/OSD, let alone
the FSF definition of "free software". Please refer to the archives of the
[EMAIL PROTECTED] mailing list if you're interested in seeing all the old
arguments.

If you're looking for a GPL'd DNS server, there's Mindspring's DENTS
project, although it hasn't seen much development lately:

http://sourceforge.net/projects/dents/

That being said, none of this is on-topic for linux-kernel.

-esm (picking nits for fun and profit)

--
Edward S. Marshall <[EMAIL PROTECTED]>          http://www.nyx.net/~emarshal/
---
[ Felix qui potuit rerum cognoscere causas. ]
Re: [OT] Linux Worm (fwd)
Michael Bacarella <[EMAIL PROTECTED]> wrote:
> On Fri, Mar 23, 2001 at 01:51:11PM -0500, Doug McNaught wrote:
>>
>> Is there an alternative to BIND that's free software? Never seen
>> one.

> Have a look at djbdns.

> http://cr.yp.to/djbdns.html

It is NOT free software.
--
Debian GNU/Linux 2.2 is out! ( http://www.debian.org/ )
Email:  Herbert Xu ~{PmV>HI~} <[EMAIL PROTECTED]>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
Re: Linux Worm (fwd)
On Fri, Mar 23, 2001 at 10:31:49AM -0800, Gerhard Mack wrote:
> On Fri, 23 Mar 2001, Bob Lorenzini wrote:
> > I'm annoyed when persons post virus alerts to unrelated lists but this
> > is a serious threat. If you're offended flame away.

> This should be a wake up call... distributions need to stop using product
> with consistently bad security records.

Bullshit. This is a wake up call that admins need to keep installations up
to date. When a security hole is found, I DON'T CARE if it's in a package
with a good security record or a poor security record. It has to be fixed
and you can't put it off. Certainly not in the current climate with script
driven worms like Ramen and 1i0n.

Having a poor security record is a warning to the developers that it's time
to clean up their act and do better. Sendmail used to be the bug of the
month club. Hell! It used to be the bug of the week club. Last couple of
years, it's been pretty solid.

If you only went on security track record, we would all be using MMDF,
which is still arguably the most secure mail transport around. MMDF has had
what? One advisory in something like 15 years of deployment? It was the
default MTA in SCO Unix for years and was mandated at military
installations for a long time... Still, when that one advisory comes out,
you better update or you are toast.

You don't solely rely on packages that have "good security records" never
getting broken and then become complacent. Sites that do that are what we
call "Warez" sites. :-/

> Gerhard
> --
> Gerhard Mack
> [EMAIL PROTECTED]
> <>< As a computer I find your faith in technology amusing.

Mike
--
Michael H. Warfield    |  (770) 985-6132   |  [EMAIL PROTECTED]
  (The Mad Wizard)      |  (678) 463-0932   |  http://www.wittsend.com/mhw/
  NIC whois: MHW9       |  An optimist believes we live in the best of all
  PGP Key: 0xDF1DD471   |  possible worlds.  A pessimist is sure of it!
Re: [OT] Linux Worm (fwd)
On Fri, Mar 23, 2001 at 01:51:11PM -0500, Doug McNaught wrote:
> > > I'm annoyed when persons post virus alerts to unrelated lists but this
> > > is a serious threat. If you're offended flame away.
> >
> > This should be a wake up call... distributions need to stop using product
> > with consistently bad security records.
>
> Is there an alternative to BIND that's free software? Never seen
> one.

Have a look at djbdns.

http://cr.yp.to/djbdns.html

The author claims that he will dole out $500 for every security hole
discovered in djbdns.

I've been thrilled with it ever since I installed it a few months ago.

--
Michael Bacarella <[EMAIL PROTECTED]>
Technical Staff / System Development,
New York Connect.Net, Ltd.
Re: Linux Worm (fwd)
Dax Kelson wrote:
> Gerhard Mack said once upon a time (Fri, 23 Mar 2001):
>
> > On Fri, 23 Mar 2001, Bob Lorenzini wrote:
> >
> > > I'm annoyed when persons post virus alerts to unrelated lists but this
> > > is a serious threat. If you're offended flame away.
> >
> > This should be a wake up call... distributions need to stop using product
> > with consistently bad security records.
>
> This TSIG bug in BIND 8 that is being exploited was added to BIND 8 by the
> same team who wrote BIND 9.
>
> In fact the last two major remote root compromises (TSIG and NXT) for BIND
> 8 were in code added to BIND 8 by the BIND 9 developers.

You could say new code in general causes security holes... don't fix it and
you won't break it. There is the security principle of least privilege
though... RH7 (and earlier I think) runs bind so that it drops root and runs
as user named after opening a listening socket, so I don't think a bind
compromise could retrieve the /etc/shadow file and modify system
binaries... and RH7.1 (beta) will use capabilities to further restrict
privileges given to bind (v9). (not root ever)
Re: Linux Worm (fwd)
Gerhard Mack said once upon a time (Fri, 23 Mar 2001):
> On Fri, 23 Mar 2001, Bob Lorenzini wrote:
>
> > I'm annoyed when persons post virus alerts to unrelated lists but this
> > is a serious threat. If you're offended flame away.
>
> This should be a wake up call... distributions need to stop using product
> with consistently bad security records.

This TSIG bug in BIND 8 that is being exploited was added to BIND 8 by the
same team who wrote BIND 9.

In fact the last two major remote root compromises (TSIG and NXT) for BIND
8 were in code added to BIND 8 by the BIND 9 developers.

Dax
Re: [OT] Linux Worm (fwd)
Gerhard Mack <[EMAIL PROTECTED]> writes:
> On Fri, 23 Mar 2001, Bob Lorenzini wrote:
>
> > I'm annoyed when persons post virus alerts to unrelated lists but this
> > is a serious threat. If you're offended flame away.
>
> This should be a wake up call... distributions need to stop using product
> with consistently bad security records.

Is there an alternative to BIND that's free software? Never seen
one.

-Doug (who doesn't think this is a Good Thing)
Re: Linux Worm (fwd)
On Fri, 23 Mar 2001, Bob Lorenzini wrote:
> I'm annoyed when persons post virus alerts to unrelated lists but this
> is a serious threat. If you're offended flame away.

This should be a wake up call... distributions need to stop using product
with consistently bad security records.

Gerhard

--
Gerhard Mack
[EMAIL PROTECTED]

<>< As a computer I find your faith in technology amusing.
Re: [OT] Linux Worm (fwd)
>I'm annoyed when persons post virus alerts to unrelated lists but this
>is a serious threat. If you're offended flame away.

Since this worm exploits a BIND vulnerability, it would be better placed on
the BIND mailing list than the kernel one. If it exploited a kernel bug,
then it would be more welcome here.

--
from:     Jonathan "Chromatix" Morton
mail:     [EMAIL PROTECTED]  (not for attachments)
big-mail: [EMAIL PROTECTED]
uni-mail: [EMAIL PROTECTED]

The key to knowledge is not to rely on people to teach you it.

Get VNC Server for Macintosh from http://www.chromatix.uklinux.net/vnc/
Linux Worm (fwd)
I'm annoyed when persons post virus alerts to unrelated lists but this
is a serious threat. If you're offended flame away.

Bob

March 23, 2001 7:00 AM

Late last night, the SANS Institute (through its Global Incident Analysis
Center) uncovered a dangerous new worm that appears to be spreading rapidly
across the Internet. It scans the Internet looking for Linux computers with
a known vulnerability. It infects the vulnerable machines, steals the
password file (sending it to a China.com site), installs other hacking
tools, and forces the newly infected machine to begin scanning the Internet
looking for other victims. Several experts from the security community
worked through the night to decompose the worm's code and engineer a
utility to help you discover if the Lion worm has affected your
organization. Updates to this announcement will be posted at the SANS web
site, http://www.sans.org

DESCRIPTION

The Lion worm is similar to the Ramen worm. However, this worm is
significantly more dangerous and should be taken very seriously. It infects
Linux machines running the BIND DNS server. It is known to infect bind
version(s) 8.2, 8.2-P1, 8.2.1, 8.2.2-Px, and all 8.2.3-betas. The specific
vulnerability used by the worm to exploit machines is the TSIG vulnerability
that was reported on January 29, 2001.

The Lion worm spreads via an application called "randb". Randb scans random
class B networks probing TCP port 53. Once it hits a system, it checks to
see if it is vulnerable. If so, Lion exploits the system using an exploit
called "name". It then installs the t0rn rootkit.

Once Lion has compromised a system, it:

- Sends the contents of /etc/passwd, /etc/shadow, as well as some network
  settings to an address in the china.com domain.
- Deletes /etc/hosts.deny, eliminating the host-based perimeter protection
  afforded by tcp wrappers.
- Installs backdoor root shells on ports 60008/tcp and 33567/tcp (via inetd,
  see /etc/inetd.conf)
- Installs a trojaned version of ssh that listens on 33568/tcp
- Kills syslogd, so the logging on the system can't be trusted
- Installs a trojaned version of login
- Looks for a hashed password in /etc/ttyhash
- /usr/sbin/nscd (the optional Name Service Caching daemon) is overwritten
  with a trojaned version of ssh.

The t0rn rootkit replaces several binaries on the system in order to
stealth itself. Here are the binaries that it replaces:

du, find, ifconfig, in.telnetd, in.fingerd, login, ls, mjy, netstat, ps,
pstree, top

- "Mjy" is a utility for cleaning out log entries, and is placed in /bin and
  /usr/man/man1/man1/lib/.lib/.
- in.telnetd is also placed in these directories; its use is not known at
  this time.
- A setuid shell is placed in /usr/man/man1/man1/lib/.lib/.x

DETECTION AND REMOVAL

We have developed a utility called Lionfind that will detect the Lion files
on an infected system. Simply download it, uncompress it, and run lionfind.
This utility will list which of the suspect files is on the system.

At this time, Lionfind is not able to remove the virus from the system. If
and when an updated version becomes available (and we expect to provide
one), an announcement will be made at this site.

Download Lionfind at http://www.sans.org/y2k/lionfind-0.1.tar.gz

REFERENCES

Further information can be found at:

http://www.sans.org/current.htm

http://www.cert.org/advisories/CA-2001-02.html, CERT Advisory CA-2001-02,
Multiple Vulnerabilities in BIND

http://www.kb.cert.org/vuls/id/196945
ISC BIND 8 contains buffer overflow in transaction signature (TSIG)
handling code

http://www.sans.org/y2k/t0rn.htm
Information about the t0rn rootkit.

The following vendor update pages may help you in fixing the original BIND
vulnerability:

Redhat Linux
RHSA-2001:007-03 - Bind remote exploit
http://www.redhat.com/support/errata/RHSA-2001-007.html

Debian GNU/Linux
DSA-026-1 BIND
http://www.debian.org/security/2001/dsa-026

SuSE Linux
SuSE-SA:2001:03 - Bind 8 remote root compromise.
http://www.suse.com/de/support/security/2001_003_bind8_txt.txt

Caldera Linux
CSSA-2001-008.0 Bind buffer overflow
http://www.caldera.com/support/security/advisories/CSSA-2001-008.0.txt
http://www.caldera.com/support/security/advisories/CSSA-2001-008.1.txt

This security advisory was prepared by Matt Fearnow of the SANS Institute
and William Stearns of the Dartmouth Institute for Security Technology
Studies.

The Lionfind utility was written by William Stearns. William is an
Open-Source developer, enthusiast, and advocate from Vermont, USA. His day
job at the Institute for Security Technology Studies at Dartmouth College
pays him to work on network security and Linux projects.

Also contributing efforts go to Dave Dittrich from the University of
Washington, and Greg Shipley of Neohapsis

Matt Fearnow
SANS GIAC Incident Handler

If you have additional data on this worm or a critical question please
email [EMAIL PROTECTED]
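As an added example (not the SANS Lionfind script the advisory links, nor anything from this thread), a shell function that checks a filesystem root for the on-disk artifacts the advisory lists: the t0rn hiding directory and its setuid shell, the mjy and in.telnetd copies, /etc/ttyhash, the backdoor port numbers, and the deleted /etc/hosts.deny. It uses only shell builtins and grep, because ls, find, ps and netstat are among the binaries the advisory says t0rn replaces; the ROOT argument (so a suspect disk can be mounted and inspected from a clean system) and the choice to search both /etc/inetd.conf and /etc/services for the port numbers are assumptions of this example.

```shell
#!/bin/sh
# lion_check: look for the artifacts the SANS advisory attributes to the
# Lion worm / t0rn rootkit. Added example; it is NOT the SANS Lionfind tool.
# Only shell builtins and grep are used, because ls, find, ps and netstat
# are among the binaries t0rn replaces and cannot be trusted on a suspect box.
#
# Usage: lion_check [ROOT]
#   ROOT defaults to /. Point it at a mounted image of the suspect disk
#   (e.g. /mnt/suspect, an assumption) to inspect it from a clean system.
#   Prints one line per finding; the return status is the number of
#   findings, so 0 means nothing from the advisory's list was seen.

lion_check() {
    root="${1:-/}"
    root="${root%/}"          # "/" becomes "", so "$root/etc" is always valid
    found=0

    # Paths the advisory lists: t0rn's hiding directory, the setuid shell .x,
    # the mjy log cleaner and in.telnetd copies in /bin and the hidden dir,
    # and the /etc/ttyhash password file the rootkit looks for.
    for path in \
        /usr/man/man1/man1/lib/.lib \
        /usr/man/man1/man1/lib/.lib/.x \
        /usr/man/man1/man1/lib/.lib/mjy \
        /usr/man/man1/man1/lib/.lib/in.telnetd \
        /bin/mjy \
        /bin/in.telnetd \
        /etc/ttyhash
    do
        if [ -e "$root$path" ]; then
            echo "FOUND: $root$path"
            found=$((found + 1))
        fi
    done

    # The root shells are added via inetd (ports 60008 and 33567) and the
    # trojaned ssh listens on 33568. Assumption: the numbers show up either
    # in inetd.conf itself or in the /etc/services mapping, so both files are
    # searched for each number as a whole token (no digit on either side).
    for port in 60008 33567 33568; do
        for conf in /etc/inetd.conf /etc/services; do
            if [ -f "$root$conf" ] &&
               grep -Eq "(^|[^0-9])$port([^0-9]|$)" "$root$conf"; then
                echo "FOUND: $root$conf references backdoor port $port"
                found=$((found + 1))
            fi
        done
    done

    # Lion deletes /etc/hosts.deny to disable tcp wrappers. Its absence is a
    # weak indicator on its own, but cheap to report.
    if [ ! -e "$root/etc/hosts.deny" ]; then
        echo "WARN: $root/etc/hosts.deny is missing"
        found=$((found + 1))
    fi

    return "$found"
}
```

Because syslogd is killed and the log cleaner is present, treat a clean result as "nothing found on disk", not as proof the host was never touched; the advisory's Lionfind and a reinstall from known-good media remain the authoritative path.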