[CLUE-Tech] Lionfind script output

Kevin Cullis kevincu at orci.com
Fri Mar 23 16:43:17 MST 2001


OK folks, here is what I got when I ran the script and what it echoed:

Institute for Security Technology Studies
(http://www.ists.dartmouth.edu/IRIA/knowledge_base/tools/lionfind.htm),
and SANS (http://www.sans.org/y2k/lion.htm).
Locate Lion related files and directories...
None of the following suspicious files or directories were found:
/bin/in.telnetd 
/bin/mjy 
/usr/man/man1/man1/lib/.lib/mjy 
/usr/man/man1/man1/lib/.lib/in.telnetd 
/usr/man/man1/man1/lib/.lib/.x 
/dev/.lib/lib/scan/1i0n.sh 
/dev/.lib/lib/scan/hack.sh 
/dev/.lib/lib/scan/bind 
/dev/.lib/lib/scan/randb 
/dev/.lib/lib/scan/scan.sh 
/dev/.lib/lib/scan/pscan 
/dev/.lib/lib/scan/star.sh 
/dev/.lib/lib/scan/bindx.sh 
/dev/.lib/lib/scan/bindname.log 
/dev/.lib/lib/1i0n.sh 
/dev/.lib/lib/lib/netstat 
/dev/.lib/lib/lib/dev/.1addr 
/dev/.lib/lib/lib/dev/.1logz 
/dev/.lib/lib/lib/dev/.1proc 
/dev/.lib/lib/lib/dev/.1file 
/dev/.lib/lib/lib/t0rns 
/dev/.lib/lib/lib/du 
/dev/.lib/lib/lib/ls 
/dev/.lib/lib/lib/t0rnsb 
/dev/.lib/lib/lib/ps 
/dev/.lib/lib/lib/t0rnp 
/dev/.lib/lib/lib/find 
/dev/.lib/lib/lib/ifconfig 
/dev/.lib/lib/lib/pg 
/dev/.lib/lib/lib/ssh.tgz 
/dev/.lib/lib/lib/top 
/dev/.lib/lib/lib/sz 
/dev/.lib/lib/lib/login 
/dev/.lib/lib/lib/in.fingerd 
/dev/.lib/lib/lib/1i0n.sh 
/dev/.lib/lib/lib/pstree 
/dev/.lib/lib/lib/in.telnetd 
/dev/.lib/lib/lib/mjy 
/dev/.lib/lib/lib/sush 
/dev/.lib/lib/lib/tfn 
/dev/.lib/lib/lib/name 
/dev/.lib/lib/lib/getip.sh 
/usr/info/.torn/sh* 
/usr/src/.puta/.1addr 
/usr/src/.puta/.1file 
/usr/src/.puta/.1proc 
/usr/src/.puta/.1logz 
/dev/.lib/ 
/dev/.lib/lib/ 
/dev/.lib/lib/lib/ 
/dev/.lib/lib/lib/dev/ 
/dev/.lib/lib/scan/ 
/usr/src/.puta/ 
/usr/man/man1/man1/ 
/usr/man/man1/man1/lib/ 
/usr/man/man1/man1/lib/.lib/ 
/usr/man/man1/man1/lib/.lib/.backup/ 
/usr/src/.puta/ 
/usr/info/.t0rn/

To the best of my knowledge, the Lion worm is NOT on this filesystem.
----------------------

I installed PortSentry on my system a while back, and the SANS doc
stated that it had deleted my hosts.deny file, which it hadn't; it had
done what it said it would: post the IP address in the hosts.deny file.
But I ran the script anyway, and it would seem that I've NOT been
hacked.  But I STILL want to learn more.

Kevin
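As an added illustration of what a check like the one above does, here is a small POSIX shell script that is not the lionfind script, nor code from the post, ISTS or SANS. It takes a filesystem root as an assumed parameter (so a suspect disk mounted read-only on a clean machine can be scanned), carries a constructed subset of the indicator paths from the output above, and relies only on the shell's builtin `test` and glob expansion. That choice is deliberate: the list above names trojaned copies of ls, ps, netstat, find and ifconfig under /dev/.lib/lib/lib/, so on a live compromised host those tools cannot be trusted to report the kit's files, and the honest answer is only obtained from clean media.

```shell
#!/bin/sh
# lioncheck.sh: look for Lion / t0rn indicator paths under a filesystem root.
# Added example, not the original lionfind script. Assumptions: ROOT is a
# mounted tree to inspect (defaults to /), and LION_IOCS is a constructed
# subset of the paths reported by lionfind in the post above.
#
# Only shell builtins are used for the check, so a trojaned /bin/ls or
# /usr/bin/find on the examined host is never executed.

LION_IOCS='
/bin/in.telnetd
/bin/mjy
/usr/man/man1/man1/lib/.lib/mjy
/usr/man/man1/man1/lib/.lib/in.telnetd
/dev/.lib/lib/scan/1i0n.sh
/dev/.lib/lib/scan/pscan
/dev/.lib/lib/lib/netstat
/dev/.lib/lib/lib/ps
/dev/.lib/lib/lib/ls
/dev/.lib/lib/lib/find
/dev/.lib/lib/lib/ifconfig
/dev/.lib/lib/lib/login
/dev/.lib/lib/lib/t0rns
/usr/info/.torn/sh*
/usr/src/.puta/.1addr
/dev/.lib/
/usr/src/.puta/
/usr/man/man1/man1/lib/.lib/
/usr/info/.t0rn/
'

# lion_check [ROOT]
#   Prints "FOUND: <path>" for every indicator present under ROOT.
#   Returns 0 when nothing was found, 1 when at least one indicator matched.
#   The body runs in a subshell so set -f and the variables stay local.
lion_check() (
    root=${1:-/}
    root=${root%/}          # "/" becomes "", "/mnt/img/" becomes "/mnt/img"
    found=0
    set -f                  # no globbing while splitting the list itself
    for ioc in $LION_IOCS; do
        set +f              # expand patterns such as sh* under ROOT only
        for path in "$root"$ioc; do
            # An unmatched pattern is left literal and fails the test below.
            # -L catches a dangling symlink that -e alone would miss.
            if [ -e "$path" ] || [ -L "$path" ]; then
                printf 'FOUND: %s\n' "$path"
                found=1
            fi
        done
        set -f
    done
    return $found
)

# Run directly:  sh lioncheck.sh /mnt/suspect   (or "/" for the live system).
if [ $# -gt 0 ]; then
    if lion_check "$1"; then
        echo "No listed Lion indicators found under $1"
    else
        echo "Lion indicators found under $1; treat the host as compromised"
    fi
fi
```

A clean result from this, like a clean result from lionfind, only says that these particular paths are absent; a kit installed to different names, or a host whose kernel has been tampered with, will not show up, so it is a quick triage step rather than proof of a clean system.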
