![[LWN Logo]](/images/lcorner.png)
![[LWN.net]](/images/Included.png)
|
|
|
|
Date: Wed, 04 Apr 2001 01:00:20 -0500 To: lwn@lwn.net, INCIDENTS@SECURITYFOCUS.COM, BUGTRAQ@SECURITYFOCUS.COM, From: Matt Fearnow <matt@sans.org> Subject: New Linux worm Adore -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 SUMMARY Yesterday, the SANS Institute (through its Global Incident Analysis Center) uncovered a new worm variant (Adore) of 2 existing Linux worms (Ramen and Lion). DETAILS Adore is a worm that we originally called the Red Worm. It is similar to the Ramen and Lion worms. Adore scans the Internet checking Linux hosts to determine whether they are vulnerable to any of the following well-known exploits: LPRng, rpc-statd, wu-ftpd and BIND. LPRng is installed by default on Red Hat 7.0 systems. From the reports so far, Adore appears to have started its spread on April 1. Adore worm replaces only one system binary (ps), with a trojaned version and moves the original to /usr/bin/adore. It installs the files in /usr/lib/lib . It then sends an email to the following addresses: adore9000@21cn.com, adore9000@sina.com, adore9001@21cn.com, adore9001@sina.com Attempts have been made to get these addresses taken offline, but no response so far from the provider. It attempts to send the following information: /etc/ftpusers ifconfig ps -aux (using the original binary in /usr/bin/adore) /root/.bash_history /etc/hosts /etc/shadow Adore then runs a package called icmp. With the options provided with the tarball, it by default sets the port to listen too, and the packet length to watch for. When it sees this information it then sets a rootshell to allow connections. It also sets up a cronjob in cron daily (which runs at 04:02 am local time) to run and remove all traces of its existence and then reboots your system. However, it does not remove the backdoor. Detection We have developed a utility called adorefind that will detect the adore files on an infected system. adorefind http://www.sans.org/y2k/adorefind-0.2.0.tar.gz Removal As adorefind runs, it will give you the option to stop the running worm jobs and remove the files from the filesystem. Further information can be found at: http://www.ists.dartmouth.edu/IRIA/knowledge_base/tools/adorefind.htm or http://www.sans.org/y2k/adore.htm http://www.sans.org/current.htm http://www.sans.org/y2k/ramen.htm http://www.sans.org/y2k/DDoS.htm This security advisory was prepared by <mailto:matt@sans.org> Matt Fearnow of the SANS Institute and William Stearns of the Dartmouth Institute for Security Technology Studies. The Adorefind utility was written by William Stearns. Matt Fearnow SANS GIAC Incident Handler matt@sans.org -----BEGIN PGP SIGNATURE----- Version: PGP Personal Privacy 6.5.8 iQA/AwUBOsq4c7cd+Xm4uHVxEQKhogCeI9XPtet+c6JqQ2imwdRvnMneM7EAn1Is NmUWaeaIuWjYh5zoya/M6Bwq =1JEk -----END PGP SIGNATURE-----