BIND worm (was: DHCP Servers)

Colin Marquardt colin.marquardt at
Fri Mar 23 14:27:48 PST 2001

Brad Cox <brad at> writes:

> I am curious if anyone as used a dhcp server other than the one from ISC

Speaking of ISC, here is an alert for those who didn't hear about it

| March 23, 2001 7:00 AM
| Late last night, the SANS Institute (through its Global Incident
| Analysis Center) uncovered a dangerous new worm that appears to be
| spreading rapidly across the Internet.  It scans the Internet looking
| for Linux computers with a known vulnerability. It infects the
| vulnerable machines, steals the password file  (sending it to a
| site), installs other hacking tools, and forces the newly
| infected machine to begin scanning the Internet looking for other
| victims.
| Several experts from the security community worked through the night to
| decompose the worm's code and engineer a utility to help you discover
| if the Lion worm has affected your organization.
| Updates to this announcement will be posted at the SANS web site,
| The Lion worm is similar to the Ramen worm. However, this worm is
| significantly more dangerous and should be taken very seriously.  It
| infects Linux machines running the BIND DNS server.  It is known to
| infect bind version(s) 8.2, 8.2-P1, 8.2.1, 8.2.2-Px, and all
| 8.2.3-betas. The specific vulnerability used by the worm to exploit
| machines is the TSIG vulnerability that was reported on January 29,
| 2001.
| [...]


More information about the talk mailing list