[Snort-users] a new worm 4 linux - Adore

Miller, Toby ToMiller at ...1131...
Thu Apr 5 10:01:51 EDT 2001

Speaking of the adore LKM, if anyone is interested in the LKM, I have
information on how to detect it along with what it does. It changes 7 items
in your sys_call_table. I have all of that info in case anyone wants it. 


I wrote signatures for the attacks it uses back when the exploits came

<http://whitehats.com/info/IDS457> LPRng-redhat7-overflow-security.is
<http://whitehats.com/info/IDS442> rpc-statdx-exploit
<http://whitehats.com/info/IDS482> named-exploit-infoleak-lsd
<http://whitehats.com/info/IDS489> named-exploit-tsig-lsd
<http://whitehats.com/info/IDS453> ftp-6350wu-formatstring-check

A few quick words about the "Adore" worm (aka red worm) - it has nothing
to do with the adore kernel module by the same name. I see this
misinformation popping up in the media already...


On Thu, 5 Apr 2001, andreas wrote:
> Does someone have a rule for this?
> Best regards,
> Andreas
