---- Begin Original Message ----

From: "Thomas Beauchamp" <thomas@noproblem.net>
Sent: Sat, 28 Apr 2001 23:06:23 +0100
To: <suse-linux-e@suse.com>
Subject: [SLE] Linux DNS killer worm


http://neworder.box.sk/showme.php3?id=4293

A friend of mine has been hit on a Cobalt RaQ4 server (running a
'customised' version of Red Hat).
Anybody hit yet in the SuSE community?
Any hands-on experience would be appreciated.

Thomas Beauchamp
No Problem Net Ltd




---- End Original Message ----


Hi Thomas,

I work in a hosting center where we host about a hundred or so Cobalts
and about the same number of "regular" Linux servers (mostly RedHat,
I'm afraid). Over the last month the Cobalts have been hit regularly. The
RedHat servers are unaffected until now. The reason for this is, I think,
that we've been updating the RedHat servers with the latest version of Bind
(remember Ramen?) and we didn't do this on the Cobalts because there
weren't any updated packages at that moment. We also found out that
most of the RedHat servers were already updated by the customers
where Cobalts are not (I guess most Cobalt customers use them because
they're relatively cheap and easy to set up without having to know too
much about Linux).
I found out that removing this worm completely and with 100%
certainty is almost impossible. There is a Perl script that removes
the t0rn rootkit but it doesn't remove the rest of the altered files.
If you're interested in this script I can send it to you. I'm afraid
the only fix is rebuilding the OS from scratch and restoring data only.
Here is a link about the t0rn rootkit:
http://www.sans.org/y2k/t0rn.htm
Try searching for lion worm and t0rn and you'll find a lot of links.
Updating your systems on a regular basis and using SSH, tripwire,
tcp-wrappers and/or a firewall (if you can) is the best advice I can
give you.

Mazzel, Marcel





