AusCERT - ESB-2001.136 -- CIAC Bulletin L-067 -- Linux worm Adore

HOME
About AusCERT
Membership
PKI Services
Training
Publications
Sec. Bulletins
Conferences
News & Media
Services
Web Log
Site Map
Site Help
Member login
ESB-2001.136 -- CIAC Bulletin L-067 -- Linux worm Adore
Date: 06 April 2001
References: ESB-2001.029 ESB-2001.157

Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                    ESB-2001.136 -- CIAC Bulletin L-067
                             Linux worm Adore
                               6 April 2001

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Operating System:       Linux
Impact:                 Root Compromise
Access Required:        Remote

Ref:                    ESB-2001.029
                        AL-2001.05

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----

             __________________________________________________________

                       The U.S. Department of Energy
                     Computer Incident Advisory Center
                           ___  __ __    _     ___
                          /       |     /_   /
                          \___  __|__  /     \___
             __________________________________________________________

                             INFORMATION BULLETIN

                                Linux worm Adore

April 4, 2001 22:00 GMT                                           Number L-067
______________________________________________________________________________
PROBLEM:       A new worm variant, Adore, of the Linux worms Ramen & Lion has
               been discovered by SANS.  This is the continued evolution of the
               Ramen & Lion worm capabilities
PLATFORM:      Linux x86 systems which are not patched with the latest releases 
               of/patches for LPRng, rpc-statd, wu-ftpd, and BIND. 
DAMAGE:        The new worm scans systems for exploitable holes in LPRng, 
               rpc-statd, wu-ftpd and BIND. This exploit gains root access and 
               installs a backdoor on a system. The worm also mails system 
               information to specific e-mail addresses and compromises some 
               system files. 
SOLUTION:      All systems should be patched to the latest releases/patches. 
               If a system has been infected, use the SANS utility named 
               'adorefind' to search an infected system for Adore installed 
               files.  Keep in mind that as the worm mutates in the future,
               the utility may not find all changed files/directories.
______________________________________________________________________________
VULNERABILITY  The risk is HIGH. These vulnerabilities targeted by Adore are
ASSESSMENT:    being actively exploited. However, CIAC has received one report
               of the worm itself. 
______________________________________________________________________________

[******  Begin SANS Bulletin ******]

http://www.ciac.org/ciac/bulletins/l-067.shtml

[******  End SANS Bulletin ******]


- -----BEGIN PGP SIGNATURE-----
Version: 4.0 Business Edition

iQCVAwUBOszpcLnzJzdsy3QZAQFmxgQA6G4xxW6pFNgjVLBfX7lbfWr4+lmMisMJ
kphPcK8pAVN6p9ytg/jZ8PLsbofXOPvs1ytnlm0iy+gLAjp2g7rScDpHBGb/g1gL
PlcjeQDgjC4F/DFryNda8BWWiVj/dQShfw5OcaVC49HHDr4QOfdqqNU7nfA7hgm8
R/p0pltjuJ0=
=a2nz
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.  The decision to use any or all of this information is
the responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the original authors to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

	http://www.auscert.org.au/Information/advisories.html

If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

Internet Email: auscert@auscert.org.au
Facsimile:	(07) 3365 7031
Telephone:	(07) 3365 4417 (International: +61 7 3365 4417)
		AusCERT personnel answer during Queensland business hours
		which are GMT+10:00 (AEST).
		On call after hours for emergencies.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key

iQCVAwUBOs3G0Sh9+71yA2DNAQHzaAP+IGW4ktAuSowW30d4jLJZvcvxV0UeOaJr
zXIXUx5vEP4FWKDCxLX0oMA5m9g4IFJVMcny86JIP002oYheMSihyNu3mJwQU060
ACJG9RJkp4PKJS3i6cYpgho+87W5wVRI7eGOuCMpXTzeDXwb6IyTn90A0OwSXotK
yKQ1K61YgSc=
=tnQE
-----END PGP SIGNATURE-----