[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

[linux-security] Re: [Security - intern] *ALERT*: ADM Worm. Worm for Linux x86 found in wild.



On Fri, 26 Mar 1999, Jan-Philip Velders wrote:

> On Fri, 26 Mar 1999, Thomas Biege wrote:
> 
> > Date: Fri, 26 Mar 1999 09:34:10 +0100 (MET)
> > From: Thomas Biege <thomas suse de>
> > To: Jan-Philip Velders <jpv jvelders tn tudelft nl>
> > Cc: linux-security redhat com
> > Subject: Re: [Security - intern] [linux-security] *ALERT*: ADM Worm. Worm for Linux x86 found in wild.
> 
> > The worm just exploits old security holes, so if you keep up to date with your
> > daemons you needn't fear that worm.
> 
> Eh, the guy who reported it on BugTraq said it was a RedHat 5.2 box.
> AFAIK 5.2 is fairly recent, and could only contain 'newer' holes, like the
> stuff with wu-ftpd...
> 
> >      Thomas
> 
> Greetings,
> Jan-Philip Velders

 I downloaded the worm, and I'm playing a bit with it on two RH5.2 boxes.

As far as I understand from the logging by iplogd
(www.linuxvalley.org/~lserni) and from netstat, it only scans, and tries
to attack, named. And on my RH 5.2, with bind-8.1.2-5, it doesn't succeed.

The "network" part is made of:

gimmeRAND,   that generates random IPs (apparently from time, since it's
             the same if I call it consecutively)
incremental  that generates a sequence of IPs starting from the random one

scanco       that checks for the existence of a name service on the IP

test         that tests some vulnerability in named - I haven't seen which
             one, possibly a buffer overflow.

Hnamed       is the actual exploit of the named vulnerability, that does
             some kind of "remote shell"

All the damaging actions described (deleting logs, removing hosts.deny,
substituting all the index.html, creating a passwordless account) are done
in the script "w0rm".

 The "outro" log file doesn't seem to be generated by ADMw0rm; I suppose
it's something made by some other tool, run by hand by the intruder.

 Also, the tgz available via ftp doesn't contain the "remotecmd"
executable that seems necessary for the spreading of the worm:

echo "lets hack"
./Hnamed $VICTIM /bin/sh -c "echo >> /etc/passwd; echo \"w0rm::2666:777:ADM Inet w0rm:/:/bin/sh\" >> /etc/passwd; /bin/cp /bin/sh /tmp/.w0rm; /bin/chmod 4777 /tmp/.w0rm; /bin/rm -f /etc/hosts.deny"
nohup ./remotecmd $VICTIM cmd 3000000  &



A signature of the attack is

Mar 26 13:56:59 pcsash named[5349]: stream_getlen([127.0.0.1].4256): Broken pipe

but it is not always seen (I haven't understood why)

 just to be clear, let me repeat:

bind-8.1.2-5, distributed with RedHat 5.2, is _NOT_ vulnerable - at least 
not to the version of ADMw0rm that was available via ftp.

 Regards,
  Sergio

--------------------------------------------------------------------------
   ballestr fi infn it      <- Physics            Sergio Ballestrero
   sergio ctt it            <- Business            V. Marini 18
   S Ballestrero iname com  <- Personal            59100 Prato ITALY
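The indicators Sergio lists (the named "stream_getlen ... Broken pipe" log line, the passwordless w0rm entry appended to /etc/passwd, and the setuid copy of /bin/sh dropped as /tmp/.w0rm) can be checked on a suspect host with a few lines of script. The following is an added example, not code from the ADMw0rm package or from any message in this thread: the log signature and the passwd line are copied from the post above, while the remaining syslog lines, the passwd file and the /tmp listing are constructed sample data, and the function names are this example's own.

```python
import re
import stat

# Added detection example (not the original post's or the worm's code).
# Indicators taken from the thread: the named log signature, the
# "w0rm::2666:777:..." passwd line, and the setuid /bin/sh copy at /tmp/.w0rm.

# named logs "stream_getlen([peer].port): Broken pipe" when the exploit's TCP
# stream is cut off. Sergio notes it is not always present, and an aborted
# zone transfer can produce the same line, so it is corroboration, not proof.
NAMED_SIG = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]+)\s(?P<host>\S+)\snamed\[(?P<pid>\d+)\]:\s"
    r"stream_getlen\(\[(?P<peer>[\d.]+)\]\.(?P<port>\d+)\):\sBroken pipe$"
)


def scan_syslog(lines):
    """Return one dict (ts, host, pid, peer, port) per line matching the signature."""
    hits = []
    for line in lines:
        m = NAMED_SIG.match(line.rstrip("\n"))
        if m:
            hits.append({k: m.group(k) for k in ("ts", "host", "pid", "peer", "port")})
    return hits


def find_passwordless_accounts(passwd_text):
    """Return passwd entries whose password field is empty, i.e. accounts that
    log in with no password at all, which is how the w0rm script adds its user."""
    found = []
    for line in passwd_text.splitlines():
        if not line:
            continue  # the script's bare 'echo >> /etc/passwd' leaves an empty line
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed entry; not a usable account
        name, pw, uid, gid, gecos, home, shell = fields
        if pw == "":
            found.append({"name": name, "uid": int(uid), "gid": int(gid),
                          "gecos": gecos, "shell": shell})
    return found


def find_setuid_in_tmp(entries):
    """entries: iterable of (path, st_mode) as returned by os.lstat().
    Returns regular files under /tmp with the setuid bit set. The worm's
    /tmp/.w0rm is a 4777 copy of /bin/sh, so running it gives the privileges
    of whatever user named was running as when Hnamed succeeded."""
    return [path for path, mode in entries
            if path.startswith("/tmp/") and stat.S_ISREG(mode) and mode & stat.S_ISUID]


def triage(syslog_lines, passwd_text, tmp_entries):
    """Combine the three checks into one report; 'suspicious' is set only when a
    persistent artefact (account or setuid shell) is present, because the log
    line on its own is too weak to act on."""
    report = {
        "named_hits": scan_syslog(syslog_lines),
        "passwordless": find_passwordless_accounts(passwd_text),
        "setuid_tmp": find_setuid_in_tmp(tmp_entries),
    }
    report["suspicious"] = bool(report["passwordless"] or report["setuid_tmp"])
    return report


# --- constructed sample input (first syslog line is the one quoted in the thread) ---
SAMPLE_SYSLOG = [
    "Mar 26 13:56:59 pcsash named[5349]: stream_getlen([127.0.0.1].4256): Broken pipe",
    "Mar 26 13:57:02 pcsash in.ftpd[5401]: connect from 10.0.0.7",          # constructed, benign
    "Mar 26 14:02:11 pcsash named[5349]: stream_getlen([10.0.0.7].1033): Broken pipe",  # constructed
]

SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:
daemon:x:2:2:daemon:/sbin:

w0rm::2666:777:ADM Inet w0rm:/:/bin/sh
"""

SAMPLE_TMP = [                                   # constructed (path, st_mode) pairs
    ("/tmp/.w0rm", stat.S_IFREG | 0o4777),      # what 'cp /bin/sh /tmp/.w0rm; chmod 4777' leaves
    ("/tmp/notes.txt", stat.S_IFREG | 0o644),
    ("/usr/bin/passwd", stat.S_IFREG | 0o4755),  # legitimate setuid binary outside /tmp
]

if __name__ == "__main__":
    r = triage(SAMPLE_SYSLOG, SAMPLE_PASSWD, SAMPLE_TMP)
    for hit in r["named_hits"]:
        print("named signature:", hit["ts"], "peer", hit["peer"], "port", hit["port"])
    for acct in r["passwordless"]:
        print("passwordless account:", acct["name"], "uid", acct["uid"], "shell", acct["shell"])
    for path in r["setuid_tmp"]:
        print("setuid file in /tmp:", path)
    print("suspicious:", r["suspicious"])
```

On a live host you would feed scan_syslog() the lines of /var/log/messages, find_passwordless_accounts() the contents of /etc/passwd, and find_setuid_in_tmp() the (path, st_mode) pairs from os.lstat() over /tmp; the absence of /etc/hosts.deny, which the script also deletes, is a fourth indicator that is a one-line os.path.exists() check and is left out here. As Sergio observes, the named log line alone is unreliable (it is not always written, and the exploit failed against bind-8.1.2-5 on his boxes), so the report only flags a host when one of the persistent artefacts is found.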


[mod: Ti Legget agrees:  -- REW]

If I'm not mistaken this is a really old (but very hazardous) exploit of
the bind utilities. Turn off bind services, or if you need them upgrade to
the newest packages.

Ti Leggett
legget mcs anl gov
tlegget mailhost tcs tulane edu


