[Snort-users] a new worm 4 linux - Adore

Miller, Toby ToMiller at ...1131...
Thu Apr 5 10:01:51 EDT 2001


All,
Speaking of the adore LKM, if anyone is interested in the LKM, I have
information on how to detect it along with what it does. It changes 7 items
in your sys_call_table. I have all of that info in case anyone wants it. 

Toby


I wrote signatures for the attacks it uses back when the exploits came
out:

<http://whitehats.com/info/IDS457> LPRng-redhat7-overflow-security.is
<http://whitehats.com/info/IDS442> rpc-statdx-exploit
<http://whitehats.com/info/IDS482> named-exploit-infoleak-lsd
<http://whitehats.com/info/IDS489> named-exploit-tsig-lsd
<http://whitehats.com/info/IDS453> ftp-6350wu-formatstring-check

A few quick words about the "Adore" worm (aka red worm) - it has nothing
to do with the adore kernel module by the same name. I see this
misinformation popping up in the media already...

Max

On Thu, 5 Apr 2001, andreas wrote:
> Does someone have a rule for this?
>
> Kind regards
> Andreas

