VID 24015
Severity 40
Port 60008,33567
Protocol TCP
Class BackDoor
Detailed Description The host appears to be infected by the Lion worm. Lion is an Internet worm that targets Linux systems running certain versions of the BIND DNS server software. After infecting a system it mails sensitive system information to a remote address, installs other hacking tools (the t0rn rootkit), and forces the newly infected machine to begin scanning the Internet for further victims. Infected hosts can also be used in large-scale distributed denial of service (DDoS) attacks. The ports listed above are the root shell backdoors the worm installs.

Once Lion has compromised a system, it:
- Sends the contents of /etc/passwd, /etc/shadow, as well as some network settings to an address in the china.com domain.
- Deletes /etc/hosts.deny, eliminating the host-based perimeter protection afforded by tcp wrappers.
- Installs backdoor root shells on ports 60008/tcp and 33567/tcp (started from inetd; check /etc/inetd.conf)
- Installs a trojaned version of ssh that listens on 33568/tcp
- Kills syslogd, so logs on the system can no longer be trusted
- Installs a trojaned version of login
- Looks for a hashed password in /etc/ttyhash
- /usr/sbin/nscd (the optional Name Service Caching daemon) is overwritten with a trojaned version of ssh.

The t0rn rootkit replaces several system binaries in order to hide itself. The binaries it replaces are:
du, find, ifconfig, in.telnetd, in.fingerd, login, ls, mjy, netstat, ps, pstree, top

- "mjy" is a utility for cleaning out log entries; it is placed in /bin and in /usr/man/man1/man1/lib/.lib/.
- in.telnetd is also placed in these directories; its purpose is not known at this time.
- A setuid shell is placed in /usr/man/man1/man1/lib/.lib/.x

* References:
http://www.iss.net/security_center/static/6679.php
http://www.securiteam.com/unixfocus/5EP0O0U3PS.html
http://www.sans.org/y2k/lion.htm
Recommendation SANS has developed a utility called Lionfind that detects the Lion files on an infected system. Download it, uncompress it, and run lionfind; it lists which of the suspect files are present on the system.
At this time, Lionfind is not able to remove the worm from the system. If and when an updated version becomes available, an announcement will be made on the SANS site. Because t0rn replaces login, ssh and the core system tools, an infected host should be treated as fully compromised and rebuilt from known-good media.

Download Lionfind at: http://www.sans.org/y2k/lionfind-0.1.tar.gz