[Date Prev][Date Next] [Thread Prev][Thread Next]
[Thread Index]
[Date Index]
[Author Index]
Re: ADM Worm. Worm for Linux x86 found in wild. (fwd)
- From: Jan-Philip Velders <jpv jvelders tn tudelft nl>
- To: linux-security redhat com
- Subject: Re: ADM Worm. Worm for Linux x86 found in wild. (fwd)
- Date: Mon, 29 Mar 1999 08:29:29 +0200 (CEST)
Hi,
some more info on the previous admw0rm alert.
Fwd'd from BugTraq
Greetings,
Jan-Philip Velders
---------- Forwarded message ----------
Date: Fri, 26 Mar 1999 21:17:40 +0100
From: Mixter <mixter HOME POPMAIL COM>
To: BUGTRAQ NETSPACE ORG
Subject: Re: ADM Worm. Worm for Linux x86 found in wild.
The "ADM w0rm" is public and can be found at:
http://adm.isp.at/ADM/ADMw0rm-v1.tar
The public version solely exploits the name server iquery bug,
although it is fairly easy to make it exploit ANY remote vulnerability.
(Put in BSD/Sun exploits and it wouldn't be too linux specific anymore. :&)
Ben Cantrick (Macky Stingray) wrote:
> How it picks the IP addresses to scan is not
> presently known to me. Presumably, the "gimmieip" binary takes care
> of that. Someone with more time can dissect it and post the results.
True, it will start with a random IP number, then scan sequentially
onwards, e.g. 1.1.1.1 1.1.1.2 etc. and re-start at 255.255.255.255.
The infection routine works like this (shell script):
./gimmeip | ./incremental | ./scanner | ./exploit
> As far as disinfection, I have not had time to work up a disinfection
> procedure. It could be as simple as rebooting to single-user and deleting
Yes, its simple. Remove the "w0rm" user from /etc/passwd and kill its
processes. The security risk is then eliminated (Remember to patch your
vulnerable daemon(s), of course). Also, since this worm swallows LOTS of
bandwidth by its permanent scanning, watch for "w0rm" scans that might
occur on your nets. Then try to telnet to the scanning host as user "w0rm"
with no password. If you succeed, simply kill -9 -1 and notify the admin.
However, the worm seems to be worked on as a private version as well, and
those could do other things and hide themselves elsewhere, so
there is no guarantee that cleaning or identification by typical
strings/files is reliable.
Mixter
----------------------
members.xoom.com/i0wnu
----------------------
[Date Prev][Date Next] [Thread Prev][Thread Next]
[Thread Index]
[Date Index]
[Author Index]