From: Jon Rifkin (jon at BLUET.UCC.UCONN.EDU)
Date: Wed Apr 04 2001 - 10:35:45 CDT
On Tue, 3 Apr 2001, Mitchell Henderson wrote:
> This worm is basically a worm that exploits all the
> stuff we've seen in all the latest worms (lpd, statd,
> wu-ftp 2.6.0 and bind). It does add some things to
> it. One of the main signs is that it backdoors
> /bin/ps and moves the old one to /usr/bin/adore. It
> also mv's /etc/cron.daily/0anacron to 0anacron-bak and
> replaces it with a script to start the scanning for
> all 4 exploits, rm's itself after a day, and emails
> a copy of the system's IP and the logs of the scans to
>
> adore9000 at sina.com
> and
> adore9000 at 21cn.com
>
> I haven't looked very much at it but if you've updated
> your machines since the last bind hole you should be
> fine.
Yes, I saw it yesterday. Ipaudit showed that our network received
dual-port scans on 111/tcp and 515/tcp from two remote hosts. One of these hosts
succeeded in breaking into an unpatched Red Hat 6.2 box via 111, and the
/usr/bin/adore and trojaned /bin/ps files were there. There were also a lot of
exploit files in /usr/lib/lib.

Yesterday our network also received 10 other single-port scans from other
remote hosts. For us this is an unusual number of scans in one day. The ports
scanned were either 21, 53, 111 or 515. I'm wondering if these abundant
single-port scans are from the same worm.

I also noticed that for both single- and dual-port scans, every 515/tcp scan was
accompanied by a scan to 3879/tcp. I don't know that port.
==============================================================================
# Jon Rifkin # 860-486-5530 # jon.rifkin at uconn.edu
# Information Technology Services # University of Connecticut
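The scan patterns Jon describes (a dual-port 111/tcp + 515/tcp sweep from one source, single-port sweeps on 21, 53, 111 or 515, and a 3879/tcp probe riding alongside every 515/tcp probe) are easy to pull out of flow records once you group them by source and destination port. The correlator below is an added example written for this page; it is not code from the original message, from the worm, or from ipaudit. The record format it parses (time, source, destination, protocol, destination port) and the sample traffic are constructed for the example and are not ipaudit's real output format; the "minimum distinct targets" threshold and the port lists are the example's own assumptions.

```python
"""Correlate flow records into the scan patterns reported in the thread.

Added example, not part of the original message. The record format below
(time src dst proto dport) is a simplified, constructed one, NOT ipaudit's
real output, and every sample record is made up.
"""
from collections import defaultdict

# Ports the message reports being swept: ftp, dns, sunrpc/portmap, lpd.
WORM_PORTS = {21, 53, 111, 515}
# Port the message reports alongside every 515/tcp probe.
COMPANION_PORT = 3879

# Constructed sample records (NOT real traffic): "time src dst proto dport".
# 10.0.0.5 sweeps 111, 515 and 3879; 10.0.0.6 sweeps 21 only;
# 10.0.0.7 sweeps 515 and 3879; 10.0.0.9 is ordinary web traffic.
SAMPLE_RECORDS = """\
10:01:02 10.0.0.5 192.168.1.1 tcp 111
10:01:02 10.0.0.5 192.168.1.1 tcp 515
10:01:02 10.0.0.5 192.168.1.1 tcp 3879
10:01:03 10.0.0.5 192.168.1.2 tcp 111
10:01:03 10.0.0.5 192.168.1.2 tcp 515
10:01:03 10.0.0.5 192.168.1.2 tcp 3879
10:01:04 10.0.0.5 192.168.1.3 tcp 111
10:01:04 10.0.0.5 192.168.1.3 tcp 515
10:01:04 10.0.0.5 192.168.1.3 tcp 3879
10:03:10 10.0.0.6 192.168.1.1 tcp 21
10:03:11 10.0.0.6 192.168.1.2 tcp 21
10:03:12 10.0.0.6 192.168.1.3 tcp 21
10:05:00 10.0.0.7 192.168.1.1 tcp 515
10:05:00 10.0.0.7 192.168.1.1 tcp 3879
10:05:01 10.0.0.7 192.168.1.2 tcp 515
10:05:01 10.0.0.7 192.168.1.2 tcp 3879
10:05:02 10.0.0.7 192.168.1.3 tcp 515
10:05:02 10.0.0.7 192.168.1.3 tcp 3879
10:07:00 10.0.0.9 192.168.1.10 tcp 80
10:07:05 10.0.0.9 192.168.1.10 tcp 80
"""


def parse_records(text):
    """Parse the constructed format into (time, src, dst, proto, dport) tuples."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, proto, dport = line.split()
        flows.append((ts, src, dst, proto, int(dport)))
    return flows


def build_index(flows):
    """Index TCP flows as src -> dport -> set of distinct destination hosts."""
    idx = defaultdict(lambda: defaultdict(set))
    for _, src, dst, proto, dport in flows:
        if proto != "tcp":
            continue
        idx[src][dport].add(dst)
    return idx


def classify_scanners(flows, min_targets=5):
    """Return {src: {"ports": [...], "pattern": str, "companion_3879": bool}}.

    A source "scans" port P when it touched at least min_targets distinct
    hosts on P. Only the worm-related ports count toward the pattern; the
    3879 probes are reported separately as a companion indicator.
    """
    idx = build_index(flows)
    result = {}
    for src, by_port in idx.items():
        scanned = sorted(p for p, dsts in by_port.items()
                         if p in WORM_PORTS and len(dsts) >= min_targets)
        if not scanned:
            continue
        if 111 in scanned and 515 in scanned:
            pattern = "dual-port 111+515"
        elif len(scanned) == 1:
            pattern = "single-port %d" % scanned[0]
        else:
            pattern = "multi-port " + "+".join(str(p) for p in scanned)
        # Did every host probed on 515 also get a 3879 probe from this source?
        companion = False
        if 515 in scanned:
            companion = by_port[515] <= by_port.get(COMPANION_PORT, set())
        result[src] = {"ports": scanned, "pattern": pattern,
                       "companion_3879": companion}
    return result


if __name__ == "__main__":
    # Threshold lowered to 3 only because the constructed sample is small.
    for src, info in sorted(classify_scanners(parse_records(SAMPLE_RECORDS),
                                              min_targets=3).items()):
        print(src, info["pattern"], "3879 companion:", info["companion_3879"])
```

On real data, feed it one day of flows and raise `min_targets` to something that rules out ordinary clients; the 3879 companion flag is the cheap way to tell which of the single-port 515 sweeps look like the same scanner as the dual-port ones.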