[Snort-users] Suspicious DNS query, et al.

Max Vision vision at ...4...
Wed Apr 4 05:48:44 EDT 2001


By the way, anyone have a copy of this yet?

I have a suspicion that it's actually lion.v4, as while writing my lion
paper (covering all three versions of the worm), I tracked and interviewed
Lion and he said this of his next version:
  "i am add bind,rpc.statd,wuftp,LPD ..."
That, combined with people calling it "Red", makes me think there is a
connection, but I'd have to look at the binaries.

Max

On Wed, 4 Apr 2001, Meij Ewout EC CH wrote:

> [...]
> > Ports attacked have been 53 ( DNS ), 111 ( rpcbind ), 515 ( line
> > printer ), 21 ( FTP ), and 3879 ( ??? ).  The source machines appear
> > to have been located in Korea, China, Japan, the Philippines, Hong
> > Kong, and Australia.  In this country, Arizona State University
> > appears to have been a source.
>
> Smells like Adore Worm, see sans:
>
> http://www.sans.org/y2k/adore.htm
>
>
> From the page:
>
> Description
>
> Adore is a worm that we originally called the Red Worm. It is similar to the
> Ramen and Lion worms. Adore scans the Internet checking Linux hosts to
> determine whether they are vulnerable to any of the following well-known
> exploits: LPRng, rpc-statd, wu-ftpd and BIND. LPRng is installed by default
> on Red Hat 7.0 systems. From the reports so far, Adore appears to have
> started its spread on April 1.
>
> Adore worm replaces only one system binary (ps) with a trojaned version and
> moves the original to /usr/bin/adore. It installs the files in /usr/lib/lib.
> It then sends an email to the following addresses: adore9000 at ...1737...,
> adore9000 at ...135..., adore9001 at ...1737..., adore9001 at ...135... Attempts have
> been made to get these addresses taken offline, but no response so far from
> the provider. It attempts to send the following information:
>
>       /etc/ftpusers
>       ifconfig
>       ps -aux (using the original binary in /usr/bin/adore)
>       /root/.bash_history
>       /etc/hosts
>       /etc/shadow
>
> Adore then runs a package called icmp. With the options provided with the
> tarball, it by default sets the port to listen to, and the packet length to
> watch for. When it sees this information it then sets a rootshell to allow
> connections. It also sets up a cronjob in cron daily (which runs at 04:02 am
> local time) to run and remove all traces of its existence and then reboots
> your system. However, it does not remove the backdoor.
>
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
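A host-side check for the Adore indicators listed in the quoted SANS description (displaced ps at /usr/bin/adore, files under /usr/lib/lib, a cleanup-and-reboot cron.daily job, a trojaned ps). This is an added example, not code from the thread or from SANS; the optional root-prefix argument, the `/bin/ps` path and the `rpm -Vf` verification step are assumptions so the check can run against a mounted image or a constructed test tree as well as a live Red Hat host.

```shell
#!/bin/sh
# adore_check [ROOT]: look for the Adore worm artifacts described in the
# SANS write-up. ROOT (assumed, optional) prefixes every path so the check
# can run against a mounted disk image or a constructed test tree.
# Prints each indicator found, then a count; returns 1 if anything was hit.
adore_check() {
    root="${1:-}"
    hits=0
    # 1. The original ps binary moved aside by the worm
    if [ -e "$root/usr/bin/adore" ]; then
        echo "HIT: $root/usr/bin/adore exists (original ps displaced)"
        hits=$((hits + 1))
    fi
    # 2. The worm's install directory
    if [ -d "$root/usr/lib/lib" ]; then
        echo "HIT: $root/usr/lib/lib present (Adore install directory)"
        hits=$((hits + 1))
    fi
    # 3. A cron.daily job that references the worm paths or forces a reboot
    for f in "$root"/etc/cron.daily/*; do
        [ -f "$f" ] || continue
        if grep -qE '/usr/lib/lib|/usr/bin/adore|(^|[^a-z])reboot' "$f"; then
            echo "HIT: suspicious cron.daily job $f"
            hits=$((hits + 1))
        fi
    done
    # 4. Trojaned ps: on an RPM-based live host (assumed /bin/ps), verify the
    #    installed binary against the package database. Skipped for a prefixed
    #    tree, where rpm -Vf cannot consult the right database.
    if [ -z "$root" ] && command -v rpm >/dev/null 2>&1; then
        if ! rpm -Vf /bin/ps >/dev/null 2>&1; then
            echo "HIT: /bin/ps fails rpm verification (possibly trojaned)"
            hits=$((hits + 1))
        fi
    fi
    echo "$hits indicator(s) found"
    [ "$hits" -eq 0 ]
}
```

Run it as root on the suspect host with no argument, or point it at a mounted image (`adore_check /mnt/evidence`) when examining a disk offline.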