[Snort-users] Suspicious DNS query, et al.
vision at ...4...
Wed Apr 4 05:48:44 EDT 2001
By the way, anyone have a copy of this yet?
I have a suspicion that it's actually lion.v4, as while writing my lion
paper (covering all three versions of the worm), I tracked and interviewed
Lion and he said this of his next version:
"i am add bind,rpc.statd,wuftp,LPD ..."
That combined with people calling it "Red" makes me think there is a
connection, but I'd have to look at the binaries.
On Wed, 4 Apr 2001, Meij Ewout EC CH wrote:
> > Ports attacked have been 53 ( DNS ), 111 ( rpcbind ), 515 ( line
> > printer ), 21 ( FTP ), and 3879 ( ??? ). The source machines appear
> > to have been located in Korea, China, Japan, the Philippines, Hong
> > Kong, and Australia. In this country, Arizona State University
> > appears to have been a source.
> Smells like Adore Worm, see sans:
> From the page:
> Adore is a worm that we originally called the Red Worm. It is similar to the
> Ramen and Lion worms. Adore scans the Internet checking Linux hosts to
> determine whether they are vulnerable to any of the following well-known
> exploits: LPRng, rpc-statd, wu-ftpd and BIND. LPRng is installed by default
> on Red Hat 7.0 systems. From the reports so far, Adore appears to have
> started its spread on April 1.
> Adore worm replaces only one system binary (ps), with a trojaned version and
> moves the original to /usr/bin/adore. It installs the files in /usr/lib/lib.
> It then sends an email to the following addresses: adore9000 at ...1737...,
> adore9000 at ...135..., adore9001 at ...1737..., adore9001 at ...135... Attempts have
> been made to get these addresses taken offline, but no response so far from
> the provider. It attempts to send the following information:
> ps -aux (using the original binary in /usr/bin/adore)
> Adore then runs a package called icmp. With the options provided with the
> tarball, it by default sets the port to listen to, and the packet length to
> watch for. When it sees this information it then sets a rootshell to allow
> connections. It also sets up a cronjob in cron daily (which runs at 04:02 am
> local time) to run and remove all traces of its existence and then reboots
> your system. However, it does not remove the backdoor.
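Added example, not part of the thread or of the SANS write-up quoted above: a POSIX shell check for the host traces the quoted description attributes to Adore (the original ps moved to /usr/bin/adore, files under /usr/lib/lib, a cron.daily job that wipes traces and reboots). The ROOT prefix parameter and the cron.daily content patterns are assumptions so the check can be run against a mounted image or a test tree rather than only the live system.

```shell
#!/bin/sh
# adore_indicators [ROOT]: count Adore traces under ROOT (default: live system).
# Indicator messages go to stderr; the count of hits is written to stdout.
# Paths are those named in the quoted SANS text; the grep patterns are assumed.
adore_indicators() {
    root="${1:-}"
    hits=0
    # Artefacts named in the write-up: moved original ps and the install dir.
    for p in /usr/bin/adore /usr/lib/lib; do
        if [ -e "$root$p" ]; then
            echo "INDICATOR: $root$p exists" >&2
            hits=$((hits + 1))
        fi
    done
    # The write-up says a cron.daily job removes traces and reboots the host.
    # Flag any cron.daily script that mentions the known paths or a reboot.
    if [ -d "$root/etc/cron.daily" ]; then
        for f in "$root"/etc/cron.daily/*; do
            [ -f "$f" ] || continue
            if grep -Eqs 'adore|/usr/lib/lib|reboot' "$f"; then
                echo "INDICATOR: suspicious cron.daily job $f" >&2
                hits=$((hits + 1))
            fi
        done
    fi
    # Trojaned ps: if the moved original exists and differs from the installed
    # /bin/ps, the installed binary has been replaced.
    if [ -f "$root/bin/ps" ] && [ -f "$root/usr/bin/adore" ]; then
        if ! cmp -s "$root/bin/ps" "$root/usr/bin/adore"; then
            echo "INDICATOR: $root/bin/ps differs from the moved original" >&2
            hits=$((hits + 1))
        fi
    fi
    # On a live Red Hat host, 'rpm -V procps' is the authoritative check that
    # ps still matches the package (not run here so the function stays offline).
    echo "$hits"
}
```

A non-zero count means the host should be treated as compromised and the backdoor (which the write-up notes the cleanup job does not remove) hunted separately; a zero count is not proof of a clean system.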