Is this forum limited to windows security or can we expand to linux??? [Archive] - SpeedGuide.net Broadband Community
PDA

View Full Version : Is this forum limited to windows security or can we expand to linux???

chimdogger
03-27-01, 11:56 AM
This message is for any admin that can comment. Linux Security is an interest to me and possible others... Any takers?
Scoot
03-27-01, 01:34 PM
LionWorm-very dangerous for Linux servers
The Lion worm uses infected servers to randomly scan for TCP port-53 connections, which mark a computer on the network and not a printer, fax machine, or other device, said Greg Shipley, director of security for Neohapsis, an information security consulting firm in Chicago.

When it penetrates a vulnerable system, the worm then steals user names and password files for all the accounts on the system, e-mailing them along with the computer's system-configuration data to an address at China.com. It rewrites several programs on the computer, transforming them into Trojan horses, or back-doors into the system. It launches more probes along the network. And it covers its tracks in system logs, figuratively wiping up the glass shards after punching out a window in the system.

"It turns your system into Swiss cheese. It really rips through you," said Shipley. "None of the stuff that the worm does is new. I've just never seen it packaged all together. I've seen all the components ... but I've never seen anything that kicks in your door, and eats all of your food, and squats on your rug, and steals all of your jewelry, and, and, and ..."

It looks for servers running Linux and the BIND DNS server program. Versions 8.2, 8.2-P1, 8.2.1, 8.2.2-Px, and all 8.2.3 betas of Bind may have the vulnerability. The worm can penetrate the network of any company that has a vulnerable server connected to the Internet. Although the worm currently only affects Linux-based servers, it's very likely that it will be modified to attack Unix servers in general.

Even if a system administrator discovers the worm, upgrades the BIND version, and patches the secret back doors into the system, the hacker who received the passwords could still use them to invade the system again. For systems like those used by ISPs serving thousands of users, it could take a long time to issue new passwords and regain security.

System administrators may download detection tools from www.sans.org/y2k/lionfind-0.1.tar.gz. (http://www.sans.org/y2k/lionfind-0.1.tar.gz.)

More info here:
http://www.techweb.com/wire/story/TWB20010323S0010 http://www.theregister.co.uk/content/8/17864.html


Once it has entered the system, it sends off the contents of /etc/passwd, /etc/shadow, and some network settings to an address in the china.com domain. It deleted /etc/hosts.deny, lowering some of the built-in protection afforded by tcp wrappers. Ports 60008/tcp and 33567/tcp get a backdoor root shell (via inetd, see /etc/inetd.conf), and a trojaned version of ssh gets placed on 33568/tcp. Syslogd is killed, so the logging on the system can't be trusted.

A trojaned version of login is installed. It looks for a hashed password in /etc/ttyhash. /usr/sbin/nscd (the optional Name Service Caching daemon) is overwritten with a trojaned version of ssh.

The t0rn rootkit replaces several binaries on the system in order to hide itself. Here are the binaries that it replaces:
du
find
ifconfig
in.telnetd
in.fingerd
login
ls
mjy
netstat
ps
pstree
top

Adds in the following binaries:
t0rn
tfn

Mjy, a utility for cleaning out log entries, is placed in /bin and /usr/man/man1/man1/lib/.lib/. in.telnetd is also placed in these directories; its use is not known at this time. A setuid shell is placed in /usr/man/man1/man1/lib/.lib/.x
http://www.sans.org/y2k/lion.htm


:)
Hope this is of some use for ya!
By the way I am not an administrator nor do I use Linux.
Here is another helpful related link :)
locally checks for signs of a rootkit (http://www.chkrootkit.org/)

[ 03-27-2001: Message edited by: Scoot ]