Date:         Wed, 4 Apr 2001 17:25:40 -0600
From: Alfred Huger <ah@SECURITYFOCUS.COM>
Subject:      Adore Worm a little more....
To: INCIDENTS@SECURITYFOCUS.COM

This post details much of what has already been discussed around the Adore
worm with a few more details courtesy of the ARIS Analyzer service.

For more information on ARIS, please visit http://aris.securityfocus.com

This new worm called Adore (also known as the Red worm) was initially
discovered in the wild via the Incidents mailing list by users reporting a
high number of lpd scans. It was later detailed by SANS in conjunction
with further posts to the Incidents list. It is similar to the recent
rash of Linux worms that we have seen proliferate over the Internet, Ramen
and more recently, Lion.

Adore scans for the following known vulnerabilities:

Multiple Vendor LPRng User-Supplied Format String Vulnerability
http://www.securityfocus.com/bid/1712

Wu-Ftpd Remote Format String Stack Overwrite Vulnerability
http://www.securityfocus.com/bid/1387

ISC Bind 8 Transaction Signatures Buffer Overflow Vulnerability
http://www.securityfocus.com/bid/2302

Multiple Linux Vendor rpc.statd Remote Format String Vulnerability
http://www.securityfocus.com/bid/1480

If you have been noticing a large number of scans for port 515, it is
recommended you take the necessary steps to patch the above
vulnerabilities.

In addition to the vulnerability scanning (which is automated with a
script that replaces /etc/cron.daily/0anacron), Adore will replace 'ps'
with a backdoored version and send system information and copies of the
scan logs to the email addresses {adore9000,adore9001}@sina.com and
{adore9000,adore9001}@21cn.com.
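The three host-side indicators named above (a replaced
/etc/cron.daily/0anacron, a backdoored ps, and mail to the adore9000/9001
drop boxes) can be checked on a suspect box without trusting its ps. The
script below is an added example written for this post, not ARIS code and
not the worm's code. It assumes an RPM-based distribution so that `rpm -V`
can vouch for the packaged copies of /bin/ps and 0anacron; the package
names procps and anacron, the file paths, and the rpm -V and sendmail
maillog text used as sample input are all assumptions or constructed.

```python
"""Triage for the Adore indicators: replaced 0anacron, trojaned ps, and mail
to the drop-box addresses.  Added example, not the post's or the worm's code.
Assumes an RPM-based system (package names procps/anacron are assumptions);
the rpm -V and maillog text below is constructed sample input."""
import re
import subprocess

# Drop-box addresses named in the post.
EXFIL_ADDRESSES = {f"{u}@{d}" for u in ("adore9000", "adore9001")
                   for d in ("sina.com", "21cn.com")}
# path -> owning package (assumed names for a 2001-era Red Hat style system)
WATCHED_FILES = {"/bin/ps": "procps", "/etc/cron.daily/0anacron": "anacron"}

# rpm -V prints 8 or 9 attribute flags (S size, M mode, 5 digest, D device,
# L link, U user, G group, T mtime, P caps; '.' = unchanged), optionally a
# file-type letter (c = config file), then the path.  Missing files are
# reported as "missing   /path".
VERIFY_LINE = re.compile(
    r"^(?P<flags>[SM5DLUGTP.]{8,9}|missing)\s+(?:[cdglr]\s+)?(?P<path>/\S+)$")

def parse_rpm_verify(output):
    """Return {path: set_of_flags} for every file rpm reports as changed/missing."""
    changed = {}
    for line in output.splitlines():
        m = VERIFY_LINE.match(line.strip())
        if not m:
            continue
        flags = m["flags"]
        changed[m["path"]] = ({"missing"} if flags == "missing"
                              else {f for f in flags if f != "."})
    return changed

def suspicious_files(verify_output, watched=WATCHED_FILES):
    """Watched files whose *contents* differ from the package (size or digest)
    or are missing.  A bare mtime change (T) is not enough to flag them."""
    changed = parse_rpm_verify(verify_output)
    return {p: changed[p] for p in watched
            if p in changed and changed[p] & {"S", "5", "missing"}}

def find_exfil_mail(log_text, addresses=EXFIL_ADDRESSES):
    """Mail-log lines (sendmail style) that mention one of the drop boxes.
    Returns [(sorted_matching_addresses, line), ...]."""
    hits = []
    for line in log_text.splitlines():
        low = line.lower()
        found = sorted(a for a in addresses if a in low)
        if found:
            hits.append((found, line))
    return hits

def run_rpm_verify(packages=tuple(WATCHED_FILES.values())):
    """Live check.  rpm -V exits non-zero whenever anything differs, so the
    exit status is not an error here; only stdout matters."""
    res = subprocess.run(["rpm", "-V", *sorted(set(packages))],
                         capture_output=True, text=True)
    return res.stdout

# Constructed sample output of `rpm -V procps anacron lpd` on an infected box.
SAMPLE_RPM_V = """\
S.5....T    /bin/ps
S.5....T  c /etc/cron.daily/0anacron
.......T  c /etc/lpd.perms
missing     /usr/share/man/man1/ps.1.gz
"""

# Constructed sendmail maillog excerpt (hostnames, queue IDs and relay are made up).
SAMPLE_MAILLOG = """\
Apr  3 15:24:07 host sendmail[1234]: f33LO7X01234: from=root, size=9123, class=0, nrcpts=2, relay=root@localhost
Apr  3 15:24:09 host sendmail[1236]: f33LO7X01234: to=<adore9000@sina.com>,<adore9001@21cn.com>, delay=00:00:02, mailer=esmtp, relay=mx.example.net. [192.0.2.25], stat=Sent
Apr  3 15:30:00 host sendmail[1240]: f33LU0X01240: to=root, delay=00:00:00, mailer=local, stat=Sent
"""

if __name__ == "__main__":
    for path, flags in suspicious_files(SAMPLE_RPM_V).items():
        print("CHANGED", path, "".join(sorted(flags)))
    for addrs, line in find_exfil_mail(SAMPLE_MAILLOG):
        print("EXFIL", ", ".join(addrs), "|", line[:50])
```

On a live host call run_rpm_verify() and feed its output to
suspicious_files(); remember that if ps is trojaned, rpm itself may be
the next thing the attacker replaced, so verify from a clean boot or
trusted media before acting on a clean result.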

For more information regarding the Adore/Red Worm, please see the
following links:

'lpd vulnerability?' Incidents Mailing List Thread
http://www.securityfocus.com/templates/archive.pike?threads=1&end=2001-04-07&start=2001-04-01&fromthread=0&tid=173923&list=75&;

'New Linux Worm' Incidents Mailing List Thread
http://www.securityfocus.com/templates/archive.pike?threads=1&end=2001-04-07&start=2001-04-01&fromthread=0&tid=173925&list=75&;

Adore Worm
http://www.sans.org/y2k/adore.htm

The ARIS Analyzer has generated a number of interesting lpd statistics
related to the Adore worm. The following information has been projected
from ARIS Analyzer log data supplied by the user community directed at
port 515 (both scans and actual attacks). This data is not a complete dump
of the current database in terms of this attack but should help illustrate
the point that the worm is making some pretty serious headway.

The particular log data we chose in this case originates from users across
9 different countries implementing the following IDSs: Snort, NetworkICE
BlackICE Defender, ICEpac, Cisco Secure IDS (NetRanger) and ISS RealSecure.

The countries from which this data was reported:

Victim Country         Incident Counts

United States          1798
France                 874
Austria                671
Mexico                 131
Canada                 20
United Kingdom         120
Philippines            19
Romania                16
Brazil                 11


The following IPs are a sample of the attacking IPs; all of those we looked
at are Linux machines running standard default configurations.

Attacks on Port 515 from Mar 31 2001 to Apr 4 2001

Offending IP    Count   Last Incident Date Time

213.153.150.254 1296    2001-04-03 15:23:58.000
148.247.2.1     506     2001-04-01 12:46:01.337
202.66.169.66   437     2001-04-03 11:55:00.000
211.170.81.163  437     2001-04-03 17:46:51.000
209.84.175.41   175     2001-04-03 21:54:05.997
130.65.150.53   165     2001-04-03 13:32:42.353
164.77.200.218  121     2001-04-02 12:21:46.157
210.111.49.250  114     2001-04-03 20:33:22.927
211.57.211.3    101     2001-04-02 09:51:28.377
165.229.191.132 92      2001-04-02 11:05:21.247
212.98.67.199   62      2001-04-02 05:50:53.683
208.239.240.64  39      2001-04-02 08:37:49.110
208.37.127.247  33      2001-04-02 14:15:26.000
208.146.199.2   21      2001-04-02 17:20:03.467
130.206.169.76  16      2001-04-02 21:44:29.790
168.39.16.66    13      2001-04-01 14:36:23.830
210.154.19.138  12      2001-04-02 21:06:08.997
211.196.150.48  11      2001-04-02 05:47:16.230
129.8.100.200   10      2001-03-31 05:09:16.400
64.74.37.116    8       2001-03-31 14:19:02.487
213.105.142.33  7       2001-03-31 09:45:02.000
203.162.52.78   7       2001-04-02 19:27:51.320
209.16.106.20   5       2001-04-01 06:47:41.157
137.30.57.33    5       2001-04-03 01:41:03.367
63.207.59.234   4       2001-04-02 19:46:37.467
149.225.41.91   3       2001-04-03 08:59:54.007
194.192.187.215 3       2001-04-03 00:29:02.000
206.112.2.180   3       2001-03-31 23:13:16.997
206.20.112.216  3       2001-04-02 05:15:36.913
207.69.56.40    3       2001-04-02 15:03:46.500
206.170.15.185  2       2001-04-03 23:09:50.997
204.192.108.37  2       2001-04-02 21:39:19.997
202.178.252.36  2       2001-04-03 12:06:31.123
199.170.84.116  2       2001-04-03 08:42:17.997
209.27.248.70   2       2001-03-31 08:52:19.410
142.204.211.155 2       2001-04-03 02:05:03.000
130.126.104.161 2       2001-04-03 05:54:15.267
130.191.239.103 2       2001-04-03 15:07:53.000
64.7.24.44      2       2001-04-03 11:26:24.000
61.156.28.25    2       2001-04-03 09:51:27.000
212.82.240.199  2       2001-04-02 13:36:15.000
211.233.25.184  2       2001-04-01 22:27:39.000
24.152.10.90    2       2001-04-02 14:10:14.773
24.15.189.78    1       2001-04-01 06:53:37.813
24.112.153.186  1       2001-04-02 22:21:04.000
24.147.210.50   1       2001-04-02 20:58:41.000
213.69.94.141   1       2001-04-02 03:38:34.997
216.215.248.84  1       2001-04-03 09:15:50.997
216.27.145.44   1       2001-04-03 06:55:01.997
211.55.26.30    1       2001-04-02 18:46:33.997
212.65.209.200  1       2001-04-02 14:18:31.997
62.232.36.66    1       2001-04-03 09:20:14.000
24.24.30.37     1       2001-04-03 02:24:27.997
38.222.170.22   1       2001-04-02 23:23:44.537
64.23.60.243    1       2001-04-03 02:08:59.000
64.157.106.222  1       2001-04-02 17:53:27.997
64.84.42.48     1       2001-04-03 06:53:13.997
65.26.143.107   1       2001-04-02 17:41:52.383
65.8.207.61     1       2001-04-03 05:42:27.997
66.27.186.143   1       2001-04-01 10:30:01.920
131.158.186.124 1       2001-04-03 00:08:13.000
130.167.1.9     1       2001-04-02 18:24:52.997
129.100.21.45   1       2001-03-31 07:46:07.997
140.109.43.203  1       2001-04-02 18:46:55.997
146.6.133.33    1       2001-04-02 18:23:19.000
132.248.36.119  1       2001-04-02 19:41:51.797
137.48.142.161  1       2001-04-03 01:45:45.000
139.130.242.105 1       2001-04-02 19:39:19.790
193.230.220.6   1       2001-04-03 16:54:09.257
195.23.170.147  1       2001-03-31 23:26:41.000
199.170.23.91   1       2001-04-02 18:53:20.997
169.237.66.112  1       2001-04-02 15:41:37.040
192.192.246.245 1       2001-04-02 12:13:42.000
193.190.171.8   1       2001-04-02 07:34:54.000
193.224.51.24   1       2001-04-02 19:42:57.000
152.2.246.198   1       2001-04-02 19:45:19.223
158.108.5.4     1       2001-04-02 19:54:47.997
161.72.52.23    1       2001-04-02 19:50:54.997
164.47.144.9    1       2001-04-02 19:29:15.000
209.71.19.226   1       2001-04-03 06:57:53.000
210.237.88.247  1       2001-04-02 11:55:30.997
211.131.61.22   1       2001-04-02 15:23:16.997
209.134.99.20   1       2001-04-01 21:34:51.997
208.62.40.80    1       2001-04-01 09:32:24.997
209.111.128.35  1       2001-04-02 16:23:22.997
208.160.74.149  1       2001-04-01 18:26:28.000
200.45.85.69    1       2001-04-03 06:55:23.997
202.85.126.73   1       2001-04-02 03:19:06.997
203.229.150.132 1       2001-04-03 12:43:31.997
203.244.164.57  1       2001-04-02 16:54:45.997
205.134.190.117 1       2001-04-03 00:00:22.997
207.211.159.15  1       2001-03-31 18:53:42.000
206.246.132.202 1       2001-04-03 03:40:08.997
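The table above is the kind of per-source roll-up that turns a pile of
IDS alerts into a list of infected hosts to notify. The script below is an
added example of how to produce it from Snort-style alert logs; it is not
ARIS code. The alert lines are constructed in Snort's one-line "fast"
alert layout, with made-up rule IDs, timestamps and RFC 5737 test
addresses. Snort fast alerts carry no year, so the caller supplies one
(2001 here, to match the post). Beyond the table itself it also keeps the
set of distinct victims per source, since a box that hits many hosts on
515 in a short window is sweeping, not printing.

```python
"""Per-source aggregation of IDS alerts against TCP/515, in the shape of the
ARIS "Offending IP / Count / Last Incident" table.  Added example, not ARIS
code.  Sample alerts are constructed in Snort fast-alert style; rule IDs,
timestamps and addresses are made up."""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional

# MM/DD-HH:MM:SS.uuuuuu  [**] [gid:sid:rev] msg [**] [Classification: ..] [Priority: n] {PROTO} src:sport -> dst:dport
FAST_ALERT = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)\s*$"
)

@dataclass
class SourceStats:
    count: int = 0
    first_seen: Optional[datetime] = None
    last_seen: Optional[datetime] = None
    victims: set = field(default_factory=set)   # distinct destination hosts

def parse_alert(line, year):
    """Parse one fast-alert line; None for lines that are not alerts."""
    m = FAST_ALERT.match(line.strip())
    if not m:
        return None
    # The log has no year, so borrow the caller's (Feb 29 would need care).
    ts = datetime.strptime(m["ts"], "%m/%d-%H:%M:%S.%f").replace(year=year)
    return {"ts": ts, "msg": m["msg"], "proto": m["proto"],
            "src": m["src"], "dst": m["dst"], "dport": int(m["dport"])}

def aggregate_by_source(lines, dport=515, proto="TCP", year=2001):
    """Count alerts per attacking IP for one destination port, with first/last seen."""
    stats = defaultdict(SourceStats)
    for line in lines:
        a = parse_alert(line, year)
        if a is None or a["dport"] != dport or a["proto"] != proto:
            continue
        s = stats[a["src"]]
        s.count += 1
        s.victims.add(a["dst"])
        if s.first_seen is None or a["ts"] < s.first_seen:
            s.first_seen = a["ts"]
        if s.last_seen is None or a["ts"] > s.last_seen:
            s.last_seen = a["ts"]
    return dict(stats)

def likely_scanners(stats, min_victims=3):
    """Sources that touched several distinct victims on 515; busiest first."""
    return sorted((src for src, s in stats.items() if len(s.victims) >= min_victims),
                  key=lambda src: -stats[src].count)

def format_table(stats):
    """Render the three columns the ARIS table uses, busiest source first."""
    rows = sorted(stats.items(), key=lambda kv: (-kv[1].count, kv[0]))
    out = ["%-15s %-7s %s" % ("Offending IP", "Count", "Last Incident Date Time")]
    for src, s in rows:
        last = s.last_seen.strftime("%Y-%m-%d %H:%M:%S.%f")[:-3]   # milliseconds, like the post
        out.append("%-15s %-7d %s" % (src, s.count, last))
    return "\n".join(out)

# Constructed sample alerts (not real traffic).
SAMPLE_ALERTS = """\
04/03-15:23:58.000000  [**] [1:1000001:1] EXPLOIT lpd format string attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.0.2.10:4321 -> 198.51.100.5:515
04/03-15:24:01.250000  [**] [1:1000001:1] EXPLOIT lpd format string attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.0.2.10:4322 -> 198.51.100.6:515
04/03-15:24:03.500000  [**] [1:1000001:1] EXPLOIT lpd format string attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.0.2.10:4323 -> 198.51.100.7:515
04/01-12:46:01.337000  [**] [1:1000002:1] SCAN lpd connect [**] {TCP} 192.0.2.20:2048 -> 198.51.100.5:515
04/02-09:00:00.000000  [**] [1:1000002:1] SCAN lpd connect [**] {TCP} 192.0.2.30:3001 -> 198.51.100.5:515
04/02-09:00:05.000000  [**] [1:1000002:1] SCAN lpd connect [**] {TCP} 192.0.2.30:3002 -> 198.51.100.5:515
04/02-10:00:00.000000  [**] [1:1000003:1] SCAN ftp connect [**] {TCP} 192.0.2.40:3003 -> 198.51.100.5:21
not an alert line; ignored
"""

if __name__ == "__main__":
    stats = aggregate_by_source(SAMPLE_ALERTS.splitlines())
    print(format_table(stats))
    print("likely scanners:", likely_scanners(stats))
```

Run it against a real Snort fast-alert file with
aggregate_by_source(open("alert").read().splitlines()); the ftp alert in
the sample is dropped because the filter is on destination port 515 only,
which is what keeps the 515 table comparable with the one ARIS published.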