Re: Virus protection

From: none@lists--gielstrup.dk.lh.bsd-dk.dk
Date: Sat 24 Aug 2002 - 05:50:26 CEST


Date: Sat, 24 Aug 2002 05:50:26 +0200 (CEST)
Subject: Re: Virus protection
From: <none@lists--gielstrup.dk.lh.bsd-dk.dk>
To: <none@bsd-dk--bsd-dk.dk.lh.bsd-dk.dk>

Just a small note about the unfortunately very common misunderstanding
that there "are no viruses to protect against"?!
Not many changes would need to be made to, for example, the adore code in
order to use other known exploits on every single unix platform I can
think of.
For example openssl's multiple buffer overflow exploit? I wonder whether
there is still someone running an unpatched version of openssl on FreeBSD
(up to and including 4.6.1-RELEASE-p9)

Regards,

Christian

---
Adore is a worm that spreads in Linux systems using four different, known
vulnerabilities already used by the Ramen and Lion worms. These
vulnerabilities concern the BIND named, wu-ftpd, rpc.statd and lpd services.

When Adore is running, it scans for vulnerable hosts from random Class B subnets on the network. If a vulnerable host is found, it attempts to download the main worm part from a web server located in China, in a similar way to what the Lion worm does.

After the worm has been downloaded to the victim machine, it is stored in the "/usr/local/bin/lib/" directory and "start.sh" is executed, launching the worm.

At the start, "start.sh" replaces "/bin/ps" with a trojanized version that does not show processes that are part of the worm. The original "/bin/ps" command is copied to "/usr/bin/anacron".

The script also replaces "/sbin/klogd" with a version that has a backdoor. The backdoor activates when it receives a ping packet with the correct size, and opens a shell on port 65535. The original "klogd" will be saved to "/usr/lib/klogd.o".

The worm sends sensitive system data, including the contents of the "/etc/shadow" file, to four different email addresses.

Adore also creates a script file "/etc/cron.daily/0anacron". This file will be executed by the cron daemon with the next daily run. At this time, the worm will remove itself from the system and restore the original "/bin/ps". All worm related processes except the backdoor will be shut down, and the system will be restarted if "/sbin/shutdown" exists. The backdoor will start after the system has been restarted as the "/sbin/klogd" still contains the backdoor.

> Nicolai Stok wrote:
>>
>> I think you misunderstand the problem: PBS demands that there is virus
>> protection on the server if it is to be used for e-commerce.
>
> I understand the problem perfectly well - it is PBS that has misunderstood
> something ;-)
>
> What do you need virus protection for when there are no viruses to
> protect against?
>
> But if they require you to run something or other, couldn't you run an
> antivirus program for Linux - I believe there are a couple.
>
> Kind regards
>
> Mikkel C. Simonsen
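A host check for the Adore artefacts that the worm description above names, added here as an example; it is not part of the original mail, nor of the worm write-up it quotes. It assumes the artefact paths exactly as listed above (the install directory, the relocated ps and klogd copies, and the 0anacron cron script), and a netstat -an style line format for the listener check on the backdoor port. The sample host trees and netstat lines are constructed for the demonstration; on a real host you would point scan_for_adore_indicators at "/" or at a mounted image.

```python
"""Check a filesystem tree and netstat output for the Adore indicators
described above. Constructed example: the tree root is a parameter so it
runs offline against a test directory or a mounted disk image."""
import os
import tempfile

# Paths named in the write-up, relative to the filesystem root.
ADORE_FILE_INDICATORS = {
    "usr/local/bin/lib": "worm install directory",
    "usr/local/bin/lib/start.sh": "worm launcher script",
    "usr/bin/anacron": "copy of the original /bin/ps (hidden-process ps in place)",
    "usr/lib/klogd.o": "copy of the original /sbin/klogd (backdoored klogd in place)",
    "etc/cron.daily/0anacron": "self-removal cron script",
}

# Port on which the trojanized klogd opens a shell after the trigger ping.
BACKDOOR_PORT = 65535

# Constructed netstat -an style lines for the demo (not captured output).
SAMPLE_NETSTAT = [
    "tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN",
    "tcp        0      0 0.0.0.0:65535           0.0.0.0:*               LISTEN",
    "tcp        0      0 10.0.0.5:22             10.0.0.9:51022          ESTABLISHED",
]


def scan_for_adore_indicators(root):
    """Return {relative_path: description} for each indicator present under root."""
    found = {}
    for rel, why in ADORE_FILE_INDICATORS.items():
        # lexists also catches dangling symlinks left behind by a partial clean-up
        if os.path.lexists(os.path.join(root, rel)):
            found[rel] = why
    return found


def listening_on_backdoor_port(netstat_lines):
    """True if any netstat-style line shows a LISTEN socket on the backdoor port."""
    for line in netstat_lines:
        fields = line.split()
        if len(fields) >= 4 and fields[-1] == "LISTEN":
            local_addr = fields[3]
            if local_addr.rsplit(":", 1)[-1] == str(BACKDOOR_PORT):
                return True
    return False


def build_sample_tree(root, infected):
    """Create a constructed sample host under root; add the artefacts only if infected."""
    os.makedirs(os.path.join(root, "bin"), exist_ok=True)
    open(os.path.join(root, "bin", "ps"), "w").close()
    if not infected:
        return
    for rel in ADORE_FILE_INDICATORS:
        full = os.path.join(root, rel)
        if rel == "usr/local/bin/lib":
            os.makedirs(full, exist_ok=True)
        else:
            os.makedirs(os.path.dirname(full), exist_ok=True)
            open(full, "w").close()


def demo():
    """Scan one constructed infected tree and one clean tree; return the findings."""
    results = {}
    for label, infected in (("infected", True), ("clean", False)):
        with tempfile.TemporaryDirectory() as root:
            build_sample_tree(root, infected)
            results[label] = sorted(scan_for_adore_indicators(root))
    results["backdoor_listener"] = listening_on_backdoor_port(SAMPLE_NETSTAT)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The path check is deliberately only a presence test: a trojanized /bin/ps cannot be trusted to report the worm's own processes, so the relocated originals (/usr/bin/anacron, /usr/lib/klogd.o) and the cron script are the indicators that survive even when the process list looks clean. Note the write-up's last paragraph: the cron script removes most artefacts on its next daily run but leaves the backdoored klogd, so an absent 0anacron does not clear the host; the listener check covers that remaining case.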



This archive was generated by hypermail 2b30 : Wed 15 Nov 2006 - 18:24:21 CET