[SuSE Linux] Worm for Linux x86 found in wild
FYI to all:

"Worm for Linux x86 found in wild Mar 25th, 23:35:59

"The worm is particularly amusing in that when run, along with portscanning, wiping logs, and all the other usual things you'd expect a worm to do, it also hunts for files with a .html suffix and inserts the contents of the "SAY" variable (above) into them, over-writing whatever is there. Other infection symptoms include a ".w0rm0r/" subdir and suid root copy of /bin/sh named ".w0rm" in /tmp, and possibly a "w0rm::2666:777:ADM Inet w0rm:/:/bin/sh" entry in your passwd file. As far as I can tell, the worm is capable of detecting several well-known vulnerabilities. The logs the Russian company sent us, and the logs that the worm itself kept, would seem to indicate it's scanning IMAP ports. It also seems to be scanning POP, rsh/rlogin, telnet and FTP ports, finger, gopher, etc... Once it's into your system, the worm presumably begins to scan and look for vulnerable machines again. How it picks the IP addresses to scan is not presently known to me. Presumably, the "gimmieip" binary takes care of that. Someone with more time can dissect it and post the results. Here is a file I found on the infected machine called "/tmp/outro" - it appears to be a log that the worm kept as it probed some system."

The entire article is here:
http://linuxtoday.com/stories/4408.html

Bill Parker, <bparker@dc.net>

The HURD. 'Hurd' stands for `Hird of Unix-Replacing Daemons'. And, then, `Hird' stands for `Hurd of Interfaces Representing Depth'.
-- To get out of this list, please send email to majordomo@suse.com with this text in its body: unsubscribe suse-linux-e
Check out the SuSE-FAQ at http://www.suse.com/Support/Doku/FAQ/ and the archive at http://www.suse.com/Mailinglists/suse-linux-e/index.html
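A host check for the infection symptoms the forwarded article lists (the ".w0rm0r/" subdir and suid ".w0rm" shell copy in /tmp, the "/tmp/outro" probe log, and the "w0rm" passwd entry). This is an added example, not code from the post or from the article; the two arguments (directory to inspect, passwd file to inspect) are assumptions so the check can be run against a live host or a mounted copy of an infected disk.

```shell
#!/bin/sh
# Added example: look for the ADM worm indicators named in the list post.
#   $1 = directory to inspect in place of /tmp   (assumption, default /tmp)
#   $2 = passwd file to inspect                  (assumption, default /etc/passwd)
# Returns 0 when no indicator is found, 1 when at least one is present.
check_adm_indicators() {
    tmpdir=${1:-/tmp}
    passwd=${2:-/etc/passwd}
    found=0

    # ".w0rm0r/" working subdirectory
    if [ -d "$tmpdir/.w0rm0r" ]; then
        echo "indicator: directory $tmpdir/.w0rm0r exists"
        found=1
    fi

    # ".w0rm": the post describes it as a suid root copy of /bin/sh;
    # -u tests the setuid bit, so report the file either way but note the bit
    if [ -f "$tmpdir/.w0rm" ]; then
        if [ -u "$tmpdir/.w0rm" ]; then
            echo "indicator: setuid file $tmpdir/.w0rm"
        else
            echo "indicator: file $tmpdir/.w0rm (setuid bit not set)"
        fi
        found=1
    fi

    # "/tmp/outro": the probe log the worm left behind
    if [ -f "$tmpdir/outro" ]; then
        echo "indicator: probe log $tmpdir/outro present"
        found=1
    fi

    # passwd entry "w0rm::2666:777:ADM Inet w0rm:/:/bin/sh" (empty password field)
    if [ -r "$passwd" ] && grep -q '^w0rm:' "$passwd"; then
        echo "indicator: account w0rm in $passwd"
        found=1
    fi

    return $found
}
```

Run as `check_adm_indicators` (no arguments) on the host itself, or point it at a mounted image, e.g. `check_adm_indicators /mnt/img/tmp /mnt/img/etc/passwd`.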
The ADM worm is not new. You can get the source code on any hacker site. One of the responders to that article even posted the URL to the ADM source code.

Bill Parker wrote:
> FYI to all:
>
> "Worm for Linux x86 found in wild Mar 25th, 23:35:59
>
> "The worm is particularly amusing in that when run, along with portscanning, wiping logs, and all the other usual things you'd expect a worm to do, it also hunts for files with a .html suffix and inserts the contents of the "SAY" variable (above) into them, over-writing whatever is there. Other infection symptoms include a ".w0rm0r/" subdir and suid root copy of /bin/sh named ".w0rm" in /tmp, and possibly a "w0rm::2666:777:ADM Inet w0rm:/:/bin/sh" entry in your passwd file. As far as I can tell, the worm is capable of detecting several well-known vulnerabilities. The logs the Russian company sent us, and the logs that the worm itself kept, would seem to indicate it's scanning IMAP ports. It also seems to be scanning POP, rsh/rlogin, telnet and FTP ports, finger, gopher, etc... Once it's into your system, the worm presumably begins to scan and look for vulnerable machines again. How it picks the IP addresses to scan is not presently known to me. Presumably, the "gimmieip" binary takes care of that. Someone with more time can dissect it and post the results. Here is a file I found on the infected machine called "/tmp/outro" - it appears to be a log that the worm kept as it probed some system."
>
> The entire article is here:
> http://linuxtoday.com/stories/4408.html
>
> Bill Parker, <bparker@dc.net>
>
> The HURD. 'Hurd' stands for `Hird of Unix-Replacing Daemons'. And, then, `Hird' stands for `Hurd of Interfaces Representing Depth'.