|
Security Incidents
mailing list archives
Re: BIND worm.
From: "Carl A. Adams" <carlalex () RECOURSE COM>
Date: Fri, 23 Mar 2001 16:10:37 -0800
Andreas Östling wrote:
On Thursday 22 March 2001 12:19, Scott A. McIntyre wrote:
I'm wondering how many others have seen sign of what appears to be a
BIND based worm attack that's been passing through here lately.
I've seen it.
After the actual BIND exploit, here is what it sends (to port 53/TCP):
[ . . . ]
You can grab the kit from the URL above if you want to analyse it further.
I have a local copy of it if it isn't available there anymore.
Regards,
Andreas Östling
It still seems to be up there despite this exploit now having gained /.
fame; Apparently it's being mated with t0rnkit, but that's not in the
crew.tgz, nor is it redially apparent from anything in the crew file
where it gets it from. I have binary copies of both t0rn and 1i0n, but
was wondering if anyone has seen src code floating around for either of
these for analysis?
Sincerely,
--- Carl
--
Carl A. Adams
Munitions Engineer, Recourse Technologies Inc.
carlalex () recourse com
650.381.8099
 By Date 
By Thread
Current thread:
| 
Intro
