[Snort-users] New Worm Virus is in the wild

agetchel at ...1525...
Fri Mar 23 13:34:44 EST 2001


Whoops. =)  I haven't seen or heard of one yet.  I'm getting the info
from the portscan pre-processor.  I'll throw a sniffer on a wire and see
if there's any kind of uniqueness to this scan, then write a rule to
catch it.  I'll let you all know what I find.

Thanks,
Abe

Abe L. Getchell - Security Engineer
Division of System Support Services
Kentucky Department of Education
Voice   502-564-2020x225
E-mail  agetchel at ...1525...
Web     http://www.kde.state.ky.us/



> -----Original Message-----
> From: Kevin.Brown at ...1022... [mailto:Kevin.Brown at ...1022...]
> Sent: Friday, March 23, 2001 1:04 PM
> Cc: snort-users at lists.sourceforge.net
> Subject: RE: [Snort-users] New Worm Virus is in the wild
> 
> 
> So there is already a signature for this?  I knew there was a Ramen
> sig, does this show up the same?
> 
> > I don't know about the rest of you guys, but we are being HAMMERED
> > with scans from this thing.  Very annoying.  I've been busy
> > notifying sites all day.
> 
> > > Alert from SANS, the LION worm (similar to Ramen) is now in the wild.
> > > 
> > > http://www.sans.org/newlook/home.htm
> > > http://www.sans.org/current.htm
> > > 
> > > http://www.redhat.com/support/errata/RHSA-2001-007.html
> > > 
> > > It uses vulnerable versions of BIND (8.2, 8.2-P1, 8.2.1, 8.2.2-Px
> > > and all 8.2.3-beta versions).  It installs the t0rn rootkit on a
> > > system and then scans a random class B subnet trying to find more
> > > vulnerable systems to infect.
> > > 
> > > 
> > > 
> > > _______________________________________________
> > > Snort-users mailing list
> > > Snort-users at lists.sourceforge.net
> > > Go to this URL to change user options or unsubscribe:
> > > http://lists.sourceforge.net/lists/listinfo/snort-users
> > > Snort-users list archive:
> > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> > > 
> > 
> 