[glux] Info about lion.worm

Andrea aerdan@inventati.org
Wed 8 Feb 2006 00:55:26 CET


A while ago I got this warning:

/etc/cron.daily/chkrootkit:
INFECTED (PORTS:  1008)

from chkrootkit, as you can see.

At the time I immediately checked the situation with an nmap -sS 127.0.0.1, and the
result was:

Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2005-12-17 01:15 CET
Initiating SYN Stealth Scan against localhost.localdomain (127.0.0.1) [1663 ports] at 01:15
Discovered open port 1008/tcp on 127.0.0.1
The SYN Stealth Scan took 0.21s to scan 1663 total ports.
Host localhost.localdomain (127.0.0.1) appears to be up ... good.
Interesting ports on localhost.localdomain (127.0.0.1):
(The 1654 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE
1008/tcp open  ufsd

Nmap finished: 1 IP address (1 host up) scanned in 0.334 seconds
               Raw packets sent: 1665 (66.6KB) | Rcvd: 3337 (133KB)

Then from netstat I got:


Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode     
tcp        0      0 *:1008                  *:*                     LISTEN     root       6658       

From ps, on the other hand, given my ignorance of the advanced options, I got no
information at all.

Last night, sending a mail to the list, I got a bounce message:

<glux@lists.linux.it>: host lists.linux.it[213.254.12.146] said: 554 Service
    unavailable; Client host [62.94.33.54] blocked using combined.njabl.org;
    Dynamic/Residential IP range listed by NJABL dynablock -
    http://njabl.org/dynablock.html (in reply to RCPT TO command)
    
So I checked the site http://njabl.org and found that the IP range
62.94.x.x is included in at least 2 DNS blacklists.

The second dnsbl says:

Database of vulnerable/hacked servers
Address and Port:       62.94.66.233
Record Created: Thu Sep 29 07:47:41 2005 GMT
Record Updated: Tue Oct 18 00:33:28 2005 GMT
Additional Information: Likely Trojaned Machine, host running Korgo trojan
Currently active and flagged to be published in DNS
If you wish to request a delisting please do so through the Support System.

Dynamic IP Space (LAN, Cable, DSL & Dial Ups)
Netblock:       62.94.66.0/23 (62.94.66.0-62.94.67.255)
Record Created: Mon Nov 24 12:59:13 2003 GMT
Record Updated: Mon Nov 24 12:59:13 2003 GMT
Additional Information: [Dynablock] Dynamic IP address, use your ISPs mail
server
Currently active and flagged to be published in DNS
If you wish to request a delisting please do so through the Support System.

(The IP changes because I reconnected later on)

Last night I thought the problem was on my ISP's side, that it was the ISP that
had problems, since the dnsbls concern IP addresses, or rather whole ranges of
IPs, and that, having configured exim4 to send mail through a smarthost and to
receive it via SMTP or fetchmail, I wouldn't have any problem.

This morning I went over the whole mess again, and that:

Additional Information: Likely Trojaned Machine, host running Korgo trojan

intrigued me, so I googled it and, to my great annoyance, found
this:

Linux.Lion is a dangerous Linux worm that infects computers running Linux. This
worm is similar to Linux.Ramen and does not execute on systems running Microsoft
Windows.

The worm appears to spread using a known TSIG vulnerability discovered early in
2001.

	The worm will create multiple backdoors on the system by replacing some
	critical files. The worm also exports password and other critical
	information to the hacker, which allows them to utilize the backdoors.

http://www.symantec.com/avcenter/venc/data/linux.lion.worm.html for all the
details, and also http://www.securityspace.com/smysecure/catid.html?id=10646, which
among other things says:

Solution : re-install this system from scratch

and furthermore at http://www.seifried.org/security/ports/1000/1008.html it says

Port number: 1008

Common name(s):
ufsd

Common service(s):

Service description(s):
ufsd UFSaware server | lion worm backdoor

Searching further I found, at
http://www.sophos.com/virusinfo/analyses/linuxlion.html:

Linux/Lion is an internet worm written for the Linux operating system. It is
similar to Linux/Ramen (i.e. one of the worm files is already detected as
Linux/Ramen).

It spreads by scanning random class B IP networks for hosts that are vulnerable
to a remote exploit in the Bind name service daemon. Once it has found a
candidate for infection it attacks the remote machine and, if successful,
downloads and installs a package from coollion.51.net. This package contains a
copy of the worm and also the t0rn rootkit. The rootkit is designed to hide the
presence of the worm by replacing many of the system binaries with trojaned
versions and cleaning the log files. In particular, the following files may be
created or changed:

/usr/sbin/nscd
/bin/in.telnetd
/bin/mjy
/usr/sbin/in.fingerd
/bin/ps
/sbin/ifconfig
/usr/bin/du
/bin/netstat
/usr/bin/top
/bin/ls
/usr/bin/find

The following directories may also be created:

/usr/man/man1/man1/lib/.lib
/usr/src/.puta
/usr/info/.t0rn
/dev/.lib

The worm keeps itself active during reboots by appending some lines to
/etc/rc.d/rc.sysinit disguised with the comment 'Name Server Cache Daemon..'. It
also deletes /etc/hosts.deny and appends lines to /etc/inetd.conf to leave a
root shell on port 1008. Finally, it emails the contents of /etc/passwd,
/etc/shadow and the output from ifconfig -a, to an address in the china.com
domain.

I didn't find any .lib, .puta or .t0rn files or directories, but it seems to me
that this is no guarantee at all and, blissful ignorance, I have no idea whether it
is possible to verify files like nscd, telnet, mjy, etc. with MD5 or something similar.

If anyone could give me a suggestion, other than wiping everything (which I'll
do as soon as I get the chance), on how to verify whether the worm and above all
the trojan are actually present, I'd be very grateful. In the meantime I'll
keep looking.

The moral is that the damn spammers don't much care that you're connected via
dialup... a sad thought.

And it's not as though I hadn't covered myself with a firewall, even if it's only
lokkit, but it is installed and set to high!

Bye everyone

a
-- 
  Men are brothers to one another. They cease to be so when
  the earth is divided by fences and borders.

                        Heinmot-Tayala-Ket, Nez Percé

  KeyID:   5AF81406   2005-01-03   [expires: 2015-01-01]
  KeyFpr:  A4E2 7C7C CFC7 1B1E E405  6443 9E07 AF95 5AF8 1406
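The poster asks whether the files the worm touches can be checked with MD5 or something similar. The script below is an added example, not code from the original post or from any of the sites it quotes. It sweeps a host for the Lion/t0rn indicators quoted from Sophos above (the port-1008 listener, the hidden directories and the extra /bin/mjy, the inetd.conf entry and the rc.sysinit marker) and compares binaries against a reference list of MD5 sums. It reads /proc/net/tcp with shell builtins rather than calling netstat, ls, find or ps, since those are precisely the binaries the rootkit replaces. The exact inetd.conf line the worm appends is not on the page, so the pattern matched here (a bare port number as the service field, or a shell as the server program) is an assumption, as are the function names and the constructed sample tree the script builds under mktemp to exercise itself.

```shell
#!/bin/sh
# Added example (not from the original post): sweep for the Lion/t0rn
# indicators quoted from Sophos, using only shell builtins and /proc so that
# trojaned ls/find/ps/netstat are never executed. Run from a clean shell,
# ideally from rescue media with the suspect disk mounted under a prefix.
# The inetd.conf line shape and all sample data below are constructed
# assumptions for the demonstration, not captured from a real host.

# /proc/net/tcp shows the local port in hex (03F0 = 1008); state 0A = LISTEN.
lion_port_listening() {
    tcpfile="${1:-/proc/net/tcp}"
    found=1
    while read -r sl laddr raddr st rest; do
        [ "$st" = "0A" ] || continue
        case "$laddr" in *:03F0) found=0 ;; esac
    done < "$tcpfile"
    return $found
}

# Directories and the extra binary the worm creates; "$1" is an optional
# mount prefix (e.g. /mnt when checking a disk from rescue media).
lion_artifacts_present() {
    root="${1:-}"
    n=0
    for p in /usr/man/man1/man1/lib/.lib /usr/src/.puta /usr/info/.t0rn /dev/.lib /bin/mjy; do
        if [ -e "$root$p" ]; then n=$((n+1)); fi
    done
    echo "$n"
}

# inetd.conf entries that look like the port-1008 root shell: service field
# equal to the bare port, or a server program that is a shell (assumed shape).
lion_inetd_suspect() {
    f="${1:-/etc/inetd.conf}"
    hits=0
    while read -r svc socktype proto wait user server args; do
        case "$svc" in ''|\#*) continue ;; esac
        case "$svc" in 1008) hits=$((hits+1)); continue ;; esac
        case "$server" in */sh|*/bash|sh|bash) hits=$((hits+1)) ;; esac
    done < "$f"
    echo "$hits"
}

# Persistence marker: lines appended to rc.sysinit behind the comment
# 'Name Server Cache Daemon..' as described by Sophos.
lion_rc_marker() {
    f="${1:-/etc/rc.d/rc.sysinit}"
    [ -f "$f" ] || return 1
    while read -r line; do
        case "$line" in *"Name Server Cache Daemon"*) return 0 ;; esac
    done < "$f"
    return 1
}

# Compare files against a reference list of "md5 /path" lines taken from a
# clean system with the same package versions; prints how many are missing
# or mismatched. md5sum itself is not on the rootkit's list, but run from
# rescue media anyway.
lion_md5_verify() {
    ref="$1"; root="${2:-}"; bad=0
    while read -r want path; do
        [ -n "$path" ] || continue
        if [ ! -f "$root$path" ]; then bad=$((bad+1)); continue; fi
        got=$(md5sum "$root$path"); got=${got%% *}
        [ "$got" = "$want" ] || bad=$((bad+1))
    done < "$ref"
    echo "$bad"
}

# Constructed sample tree standing in for an infected host (assumption).
lion_demo_setup() {
    d=$(mktemp -d)
    mkdir -p "$d/usr/src/.puta" "$d/bin" "$d/etc"
    printf '%s\n' \
      '  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode' \
      '   0: 00000000:03F0 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 6658 1 00000000 100 0 0 10 0' \
      > "$d/proc_net_tcp"
    printf '%s\n' \
      '# constructed inetd.conf' \
      'ftp     stream  tcp  nowait  root  /usr/sbin/tcpd  in.ftpd' \
      '1008    stream  tcp  nowait  root  /bin/sh  sh -i' \
      > "$d/etc/inetd.conf"
    printf '%s\n' '#!/bin/sh' '# Name Server Cache Daemon..' '/usr/sbin/nscd' > "$d/etc/rc.sysinit"
    printf 'clean ls\n' > "$d/bin/ls"
    printf 'trojaned ps\n' > "$d/bin/ps"      # differs from the reference sum
    : > "$d/bin/mjy"                          # worm-created file
    clean_ps=$(printf 'clean ps\n' | md5sum); clean_ps=${clean_ps%% *}
    ls_sum=$(md5sum "$d/bin/ls"); ls_sum=${ls_sum%% *}
    printf '%s /bin/ls\n%s /bin/ps\n' "$ls_sum" "$clean_ps" > "$d/ref.md5"
    echo "$d"
}

DEMO=$(lion_demo_setup)
trap 'rm -rf "$DEMO"' EXIT

lion_port_listening "$DEMO/proc_net_tcp" && echo "port 1008 is listening"
echo "worm artifacts present: $(lion_artifacts_present "$DEMO")"
echo "suspect inetd.conf entries: $(lion_inetd_suspect "$DEMO/etc/inetd.conf")"
lion_rc_marker "$DEMO/etc/rc.sysinit" && echo "rc.sysinit marker found"
echo "binaries missing or mismatched: $(lion_md5_verify "$DEMO/ref.md5" "$DEMO")"
```

On a real host, point the functions at the mounted suspect filesystem (prefix for lion_artifacts_present and lion_md5_verify, explicit file paths for the others) and build ref.md5 from a clean installation of the same package versions; checksums stored on the suspect disk itself prove little once the rootkit has been there. A hit from any of these checks confirms the plan already stated in the message: reinstall from scratch.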

