[Snort-users] New Worm Virus is in the wild

Kevin.Brown at ...1022... Kevin.Brown at ...1022...
Fri Mar 23 13:04:12 EST 2001


So there is already a signature for this?  I knew there was a Ramen sig, does
this show up the same?

> 	I don't know about the rest of you guys, but we are being HAMMERED
> with scans from this thing.  Very annoying.  I've been busy notifying sites
> all day.

> > Alert from SANS, the LION worm (similar to Ramen) is now in the wild.
> > 
> > http://www.sans.org/newlook/home.htm
> > http://www.sans.org/current.htm
> > 
> > http://www.redhat.com/support/errata/RHSA-2001-007.html
> > 
> > It uses vulnerable versions of BIND (8.2, 8.2-P1, 8.2.1, 
> > 8.2.2-Px and all
> > 8.2.3-beta versions).  It installs the t0rn rootkit on a 
> > system and then scans
> > a random class B subnet trying to find more vulnerable 
> > systems to infect.
> > 
> > 
> > 
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > http://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> > 
> 





More information about the Snort-users mailing list