On Fri, 11 May 2001, Yap Kung Leng wrote:

> Recently my server was attacked by the Lion Worm.
> We have tried to update BIND to 8.2.3.

Hopefully you've been successful.  Hopefully you've also updated FTP,
LPR and whatever else hasn't been updated and is remotely accessible.

Also, hopefully you've changed all the passwords on that box and any
others that share the same passwords.

> And also check the files that are modified by the worm.
> One of the files being modified by the worm is login.

That's odd- that's not listed as one of the 9 files trojaned or replaced
by t0rn in lion, but is by t0rn normally- when I get in to the office,
I'll see if du, login, pg and sz are in my sample.

I have the following lists at home:
--------------------------------
lion:

 /bin/in.telnetd
 /usr/sbin/in.fingerd
 /bin/ps
 /sbin/ifconfig
 /usr/bin/du
 /bin/netstat
 /usr/bin/top
 /bin/ls
 /usr/bin/find

torn:

du
find
ifconfig
in.fingerd
login
ls
netstat
pg
ps
pstree
sz
top
----------------

Do you happen to have all the original worm's files saved anywhere?

> We seem to have difficulty replacing this file with the unaffected one.
> Since we log into Linux using this process, it did not allow us to
> just overwrite the file.
> Is there any way to replace it with the unaffected one?

Boot in single user mode?

You're significantly better off reinstalling a compromised system,
applying patches then putting it back on the 'Net.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
[EMAIL PROTECTED]      which may have no basis whatsoever in fact."
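
Added example, not part of the original message or of any tool it mentions: a check of the binaries on the two lists above against known-good hashes. It assumes the suspect filesystem is mounted offline under `root` from trusted boot media (the installed `ls`, `find` and `ps` are among the replaced files) and that `baseline` is a path-to-SHA-256 map built from clean install media; the function names and the choice of SHA-256 are this example's own.

```python
import hashlib, os, tempfile
# File lists exactly as given in the message above.
LION = ["/bin/in.telnetd", "/usr/sbin/in.fingerd", "/bin/ps", "/sbin/ifconfig",
        "/usr/bin/du", "/bin/netstat", "/usr/bin/top", "/bin/ls", "/usr/bin/find"]
TORN = ["du", "find", "ifconfig", "in.fingerd", "login", "ls", "netstat",
        "pg", "ps", "pstree", "sz", "top"]
LION_NAMES = {os.path.basename(p) for p in LION}

def torn_only():
    """Names on the t0rn list that have no counterpart on the lion list."""
    return sorted(set(TORN) - LION_NAMES)

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def triage(root, baseline):
    """Check listed binaries under `root` (suspect filesystem, mounted offline)
    against `baseline`, a {path: sha256} map built from trusted media."""
    names = LION_NAMES | set(TORN)
    paths = set(LION) | {p for p in baseline if os.path.basename(p) in names}
    report = {}
    for path in sorted(paths):
        disk = os.path.join(root, path.lstrip("/"))
        if os.path.islink(disk):
            report[path] = "SYMLINK"      # not followed: may point outside root
        elif not os.path.isfile(disk):
            report[path] = "MISSING"
        elif path not in baseline:
            report[path] = "NO-BASELINE"  # present, but nothing trusted to compare
        elif sha256_file(disk) == baseline[path]:
            report[path] = "OK"
        else:
            report[path] = "MODIFIED"
    return report

if __name__ == "__main__":  # demo on a constructed sample tree
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        for name, data in (("ls", b"clean ls"), ("login", b"altered login")):
            with open(os.path.join(root, "bin", name), "wb") as f:
                f.write(data)
        baseline = {"/bin/ls": hashlib.sha256(b"clean ls").hexdigest(),
                    "/bin/login": hashlib.sha256(b"clean login").hexdigest()}
        for path, status in triage(root, baseline).items():
            print(f"{status:12} {path}")
```

A `MODIFIED` or `MISSING` result on any listed path is grounds for the reinstall recommended above rather than for replacing files one at a time.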
