BIND worm

ME dugan at passwall.com
Fri Mar 23 20:02:51 PST 2001


This never made it to the mailing list. It is being re-sent.

On Fri, 23 Mar 2001, ME wrote:

> Date: Fri, 23 Mar 2001 15:02:25 -0800 (PST)
> From: ME <dugan at passwall.com>
> To: nblug-talk at lists.sonic.net
> Subject: Re: BIND worm
> 
> Without much more information, this would be related to that tsig bug that
> was supposed to be fixed in 8.2.3(final) that I forwarded from BUGTRAQ for
> BIND users in January(?) to this nblug list. 
> ( http://www.isc.org/products/BIND/bind-security.html )
> 
> Colin's e-mail message of this is good to restate the need for fellow admins that
> don't know about BUGTRAQ to subscribe to it and other security mailing
> lists. (I subscribe to others, but BUGTRAQ seems to have pretty good
> signal to noise ratios.)
> 
> Archives etc for BUGTRAQ can be found at http://www.securityfocus.com/
> 
> Also, if you run BIND on Linux check into running it in a chroot-ed
> environment. Though they have been a bit controversial, Solar Designer's
> non-executable stack patches for your kernel are also a good idea given
> the history of BIND. (Opinion.)
> 
> http://www.openwall.com/linux/
> 
> (When named is running chrooted, named sees the chrooted /etc/passwd as
> the real passwd file. This may have helped with this latest issue if you
> did not upgrade bind back in January. Of course, your DNS would probably
> be dead as a result of the attack if you did not upgrade, but at least
> your real passwd file would not have been sent out.)
> 
> Enjoy,
> -ME
> 
> 
> On 23 Mar 2001, Colin Marquardt wrote:
> > Speaking of ISC, here is an alert for those who didn't hear about it
> > yet:
> > 
> > ,----
> > | March 23, 2001 7:00 AM
> > | 
> > | Late last night, the SANS Institute (through its Global Incident
> > | Analysis Center) uncovered a dangerous new worm that appears to be
> > | spreading rapidly across the Internet.  It scans the Internet looking
> > | for Linux computers with a known vulnerability. It infects the
> > | vulnerable machines, steals the password file (sending it to a
> > | China.com site), installs other hacking tools, and forces the newly
> > | infected machine to begin scanning the Internet looking for other
> > | victims.
> > | 
> > | Several experts from the security community worked through the night to
> > | decompose the worm's code and engineer a utility to help you discover
> > | if the Lion worm has affected your organization.
> > | 
> > | Updates to this announcement will be posted at the SANS web site,
> > | http://www.sans.org
> > | 
> > | 
> > | DESCRIPTION
> > | 
> > | The Lion worm is similar to the Ramen worm. However, this worm is
> > | significantly more dangerous and should be taken very seriously.  It
> > | infects Linux machines running the BIND DNS server.  It is known to
> > | infect bind version(s) 8.2, 8.2-P1, 8.2.1, 8.2.2-Px, and all
> > | 8.2.3-betas. The specific vulnerability used by the worm to exploit
> > | machines is the TSIG vulnerability that was reported on January 29,
> > | 2001.
> > | [...]
> > `----
> > 
> > Colin
> > 
> 
> 
> 
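As an added check, not part of the original thread or of ISC's code: a small script that classifies a BIND version string (as returned by `dig version.bind chaos txt`) against the affected list in the SANS alert quoted above. The version-string conventions it assumes (8.2.3 final tagged "8.2.3-REL", betas tagged "8.2.3-Tn") and the sample dig answer line are assumptions/constructed, not taken from the alert.

```python
import re
from typing import Optional, Tuple

# Affected releases named in the alert: 8.2, 8.2-P1, 8.2.1, 8.2.2-Px and every
# 8.2.3 beta. 8.2.3 final is the fix. ASSUMPTION: ISC labels the final build
# "8.2.3-REL" and the betas "8.2.3-Tn"; the alert itself does not say so.
_VERSION_RE = re.compile(
    r"^(?P<major>\d+)\.(?P<minor>\d+)(?:\.(?P<patch>\d+))?"
    r"(?:-(?P<tag>[A-Za-z]+)(?P<tagnum>\d*)[A-Za-z]*)?$"
)

def parse_bind_version(text: str) -> Optional[Tuple[int, int, int, str, int]]:
    """Split '8.2.2-P5' into (8, 2, 2, 'P', 5); None if it is not a version."""
    m = _VERSION_RE.match(text.strip().strip('"'))
    if not m:
        return None
    tagnum = int(m["tagnum"]) if m["tagnum"] else 0
    return (int(m["major"]), int(m["minor"]), int(m["patch"] or 0),
            (m["tag"] or "").upper(), tagnum)

def tsig_vulnerable(version: str) -> Optional[bool]:
    """True if the version is on the alert's affected list, False if it is
    8.2.3 final or later (or a branch the alert does not name), None if the
    string is not a version at all (e.g. the admin configured version "none")."""
    parsed = parse_bind_version(version)
    if parsed is None:
        return None
    major, minor, patch, tag, _ = parsed
    if (major, minor) != (8, 2):
        return False          # only the 8.2 line is named in the alert
    if patch < 3:
        return True           # 8.2, 8.2-P1, 8.2.1, 8.2.2-Px
    if patch == 3:
        return tag == "T"     # 8.2.3 betas yes, 8.2.3-REL (final) no
    return False              # 8.2.4 and later

def version_from_dig_answer(answer: str) -> Optional[str]:
    """Pull the TXT payload out of one 'dig version.bind chaos txt' answer line."""
    m = re.search(r'\bTXT\s+"([^"]*)"', answer)
    return m.group(1) if m else None

if __name__ == "__main__":
    # Constructed sample answer line, not captured from a real server.
    sample = 'version.bind.\t\t0\tCH\tTXT\t"8.2.2-P5"'
    ver = version_from_dig_answer(sample)
    print(ver, "->", tsig_vulnerable(ver))
```

A `None` result only means the banner is hidden or customised; it says nothing about the installed version, so fall back to `named -v` on the host itself.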