Security Incidents: Re: Lion Worm/crew.tgz

[Andreas Östling <andreaso () IT SU SE>]

On Fri, 23 Mar 2001, Michael H. Warfield wrote:
>       The "crew.tgz" egg that can be downloaded from coollion.51.net
> does not have the t0rn root kit.  However, I have had one individual
> provide me a copy of a "crew.tgz" egg which very definitely DID contain
> the t0rn root kit in a directory lib/lib.  What's on the URL
> http://coollion.51.net/crew.tgz seems to be roughly (some differences
> in a couple of the scripts, I believe) the contents of the lib/scan
> directory in the bigger egg (the one with t0rn included).
>
>       I've now got copies of both.
This is very confusing.
Since you have two different versions, could you make them both available
for download somewhere?

Here is the content of the http://coollion.51.net/crew.tgz version I
dowloaded Mar 22 09:09.

$ tar tzvf crew.tgz
drwxr-xr-x root/root         0 2001-02-26 00:31:51 lib/
drwxr-xr-x root/root         0 2001-02-26 01:46:52 lib/scan/
-rwxr-xr-x root/root       122 2001-02-26 01:46:39 lib/scan/1i0n.sh
-rwxr-xr-x root/root        85 2001-02-21 04:22:10 lib/scan/hack.sh
-rwxrwxr-x root/root     19033 2001-02-26 01:43:52 lib/scan/bind
-rwxr-xr-x root/root     12331 2001-01-12 05:34:33 lib/scan/randb
-rwxr-xr-x root/root        70 2001-02-21 04:22:44 lib/scan/scan.sh
-rwxr-xr-x root/root     15715 2001-02-18 20:35:29 lib/scan/pscan
-rwxr-xr-x root/root       114 2001-02-21 04:22:59 lib/scan/star.sh
-rwxr-xr-x root/root        40 2001-02-21 04:21:50 lib/scan/bindx.sh
-rw-rw-r-- root/root         0 2001-02-26 01:45:08 lib/scan/bindname.log
-rwxr-xr-x root/root        53 2001-02-25 22:30:17 lib/1i0n.sh
drwx------ root/root         0 2001-02-25 22:49:27 lib/lib/
-rwxr-xr-x root/root     53364 2000-02-27 18:44:41 lib/lib/netstat
drwxr-xr-x root/root         0 2001-02-20 19:43:41 lib/lib/dev/
-rw-r--r-- xd_zhao/xd_zhao  75 2001-02-25 22:23:51 lib/lib/dev/.1addr
-rw-r--r-- xd_zhao/xd_zhao  34 2001-02-21 02:21:10 lib/lib/dev/.1logz
-rw-r--r-- xd_zhao/xd_zhao 158 2001-02-25 22:26:55 lib/lib/dev/.1proc
-rw-r--r-- xd_zhao/xd_zhao 117 2001-02-25 22:25:08 lib/lib/dev/.1file
-rwxr-xr-x root/root      6948 2000-02-27 18:44:41 lib/lib/t0rns
-rwxr-xr-x root/root     22460 2000-02-27 18:44:41 lib/lib/du
-rwxr-xr-x root/root     39484 2000-02-27 18:44:41 lib/lib/ls
-rwxr-xr-x root/root      1345 2000-02-27 18:44:41 lib/lib/t0rnsb
-rwxr-xr-x root/root     31336 2000-02-27 18:44:41 lib/lib/ps
-rwxr-xr-x root/root      7578 2000-02-27 18:44:41 lib/lib/t0rnp
-rwxr-xr-x root/root     57452 2000-02-27 18:44:41 lib/lib/find
-rwxr-xr-x root/root     32728 2000-02-27 18:44:41 lib/lib/ifconfig
-rwxr-xr-x root/root      4568 2000-02-27 18:44:41 lib/lib/pg
-rw-r--r-- root/root    100424 2000-02-27 18:44:41 lib/lib/ssh.tgz
-rwxr-xr-x root/root    266140 2000-02-27 18:44:41 lib/lib/top
-rwxr-xr-x root/root      1382 2000-02-27 18:44:41 lib/lib/sz
-rwxr-xr-x root/root      3964 2000-02-27 18:44:41 lib/lib/login
-rwxr-xr-x root/root      6408 2000-02-27 18:44:41 lib/lib/in.fingerd
-rwxr-xr-x root/root      8445 2001-02-25 23:12:08 lib/lib/1i0n.sh
-rwxr-xr-x root/root     13184 2000-02-27 18:44:41 lib/lib/pstree
-rwxr-xr-x root/root     35100 2000-02-27 18:44:41 lib/lib/in.telnetd
-rwxr-xr-x root/root     16634 2000-02-27 18:44:41 lib/lib/mjy
-rwsr-xr-x root/root     11934 2000-02-27 18:44:41 lib/lib/sush
-rwxr-xr-x root/root     33820 2000-02-27 18:44:41 lib/lib/tfn
-rwxr-xr-x root/root     19085 2000-02-27 18:44:41 lib/lib/name
-rwxr-xr-x root/root       886 2001-02-25 22:48:32 lib/lib/getip.sh


Regards,
Andreas Östling