Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2001.136 -- CIAC Bulletin L-067 Linux worm Adore 6 April 2001 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Operating System: Linux Impact: Root Compromise Access Required: Remote Ref: ESB-2001.029 AL-2001.05 - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- __________________________________________________________ The U.S. Department of Energy Computer Incident Advisory Center ___ __ __ _ ___ / | /_ / \___ __|__ / \___ __________________________________________________________ INFORMATION BULLETIN Linux worm Adore April 4, 2001 22:00 GMT Number L-067 ______________________________________________________________________________ PROBLEM: A new worm variant, Adore, of the Linux worms Ramen & Lion has been discovered by SANS. This is the continued evolution of the Ramen & Lion worm capabilities PLATFORM: Linux x86 systems which are not patched with the latest releases of/patches for LPRng, rpc-statd, wu-ftpd, and BIND. DAMAGE: The new worm scans systems for exploitable holes in LPRng, rpc-statd, wu-ftpd and BIND. This exploit gains root access and installs a backdoor on a system. The worm also mails system information to specific e-mail addresses and compromises some system files. SOLUTION: All systems should be patched to the latest releases/patches. If a system has been infected, use the SANS utility named 'adorefind' to search an infected system for Adore installed files. Keep in mind that as the worm mutates in the future, the utility may not find all changed files/directories. ______________________________________________________________________________ VULNERABILITY The risk is HIGH. These vulnerabilities targeted by Adore are ASSESSMENT: being actively exploited. However, CIAC has received one report of the worm itself. ______________________________________________________________________________ [****** Begin SANS Bulletin ******] http://www.ciac.org/ciac/bulletins/l-067.shtml [****** End SANS Bulletin ******] - -----BEGIN PGP SIGNATURE----- Version: 4.0 Business Edition iQCVAwUBOszpcLnzJzdsy3QZAQFmxgQA6G4xxW6pFNgjVLBfX7lbfWr4+lmMisMJ kphPcK8pAVN6p9ytg/jZ8PLsbofXOPvs1ytnlm0iy+gLAjp2g7rScDpHBGb/g1gL PlcjeQDgjC4F/DFryNda8BWWiVj/dQShfw5OcaVC49HHDr4QOfdqqNU7nfA7hgm8 R/p0pltjuJ0= =a2nz - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to use any or all of this information is the responsibility of each user or organisation, and should be done so in accordance with site policies and procedures. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the original authors to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/Information/advisories.html If you believe that your system has been compromised, contact AusCERT or your representative in FIRST (Forum of Incident Response and Security Teams). Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for emergencies. -----BEGIN PGP SIGNATURE----- Version: 2.6.3i Charset: noconv Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key iQCVAwUBOs3G0Sh9+71yA2DNAQHzaAP+IGW4ktAuSowW30d4jLJZvcvxV0UeOaJr zXIXUx5vEP4FWKDCxLX0oMA5m9g4IFJVMcny86JIP002oYheMSihyNu3mJwQU060 ACJG9RJkp4PKJS3i6cYpgho+87W5wVRI7eGOuCMpXTzeDXwb6IyTn90A0OwSXotK yKQ1K61YgSc= =tnQE -----END PGP SIGNATURE-----