BIND worm (was: DHCP Servers)
Colin Marquardt
colin.marquardt at usa.alcatel.com
Fri Mar 23 14:27:48 PST 2001
Brad Cox <brad at linuxbofh.com> writes:
> I am curious if anyone as used a dhcp server other than the one from ISC
Speaking of ISC, here is an alert for those who didn't hear about it
yet:
,----
| March 23, 2001 7:00 AM
|
| Late last night, the SANS Institute (through its Global Incident
| Analysis Center) uncovered a dangerous new worm that appears to be
| spreading rapidly across the Internet. It scans the Internet looking
| for Linux computers with a known vulnerability. It infects the
| vulnerable machines, steals the password file (sending it to a
| China.com site), installs other hacking tools, and forces the newly
| infected machine to begin scanning the Internet looking for other
| victims.
|
| Several experts from the security community worked through the night to
| decompose the worm's code and engineer a utility to help you discover
| if the Lion worm has affected your organization.
|
| Updates to this announcement will be posted at the SANS web site,
| http://www.sans.org
|
|
| DESCRIPTION
|
| The Lion worm is similar to the Ramen worm. However, this worm is
| significantly more dangerous and should be taken very seriously. It
| infects Linux machines running the BIND DNS server. It is known to
| infect bind version(s) 8.2, 8.2-P1, 8.2.1, 8.2.2-Px, and all
| 8.2.3-betas. The specific vulnerability used by the worm to exploit
| machines is the TSIG vulnerability that was reported on January 29,
| 2001.
| [...]
`----
Colin
More information about the talk
mailing list