Possible remote vulnerability in SSH-1.2.27

From: stealth (stealthat_private)
Date: Wed Oct 02 2002 - 00:14:58 PDT

A worm scans the network for a special configuration (particularly ssh-1.x.x
allowing remote root login), using a buffer overflow, as far as I could determine,
gets a remote root shell, copies some code, compiles it and runs it.
The code also includes a scanner, for the worm to continue its job from the
machine it compromises.
    
It also erases /var/log/messages, and stops syslogd and many other
services (see attachment for details), disables $HISTORY, adds a user `tcp'
to the system passwd file, erases `top', `netstat', `ps', replaces the
sshd with some other service it calls backdoor together with its
configuration file, runs it instead of sshd, changes config files like
known_hosts, random_seed, etc., and runs chattr +i on /etc/passwd and /etc/shadow to
make them read-only. It does a lot of other things; you can find them in the
attached script I could recover from the deleted files.
    
The main goal, as far as I could determine, is to run a process `httpd', which is
actually an IRC bot.
    
For the whole stuff in tar.gz format (source code of the scanner, IRC bot,
etc.) please let me know privately via e-mail.
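The indicators the post lists (an added `tcp' account, chattr +i on /etc/passwd and /etc/shadow, and a replaced `ps') can be checked from a host's own data. The following is an added example written for this archive page, not code from the original report or its attachment; the baseline account list and all sample inputs are constructed assumptions, and on a real host you would feed the functions the actual passwd file, `lsattr -d` output, the /proc PID listing and `ps` output.

```python
"""Host-side checks for the indicators in the post: an unexpected account,
immutable passwd/shadow, and processes a trojaned `ps' no longer reports.
Added example; inputs below are constructed samples so it runs offline."""
import re

# Accounts expected on the host (assumption for this example).
BASELINE_USERS = {"root", "daemon", "bin", "sys", "nobody", "sshd"}


def unexpected_accounts(passwd_text, baseline=BASELINE_USERS):
    """Accounts absent from the baseline, or any non-root account with UID 0."""
    hits = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid = line.split(":")[:3]
        if name not in baseline or (uid == "0" and name != "root"):
            hits.append(name)
    return hits


def immutable_files(lsattr_output):
    """Paths carrying the immutable (i) attribute, parsed from `lsattr -d`
    lines of the form '----i--------e-- /etc/passwd'."""
    flagged = []
    for line in lsattr_output.splitlines():
        attrs, _, path = line.partition(" ")
        if "i" in attrs and path:
            flagged.append(path.strip())
    return flagged


def hidden_pids(proc_pids, ps_output):
    """PIDs present under /proc but missing from `ps` output: a replaced ps
    that hides the worm's processes shows up as exactly this difference."""
    reported = {int(p) for p in re.findall(r"^\s*(\d+)\b", ps_output, re.M)}
    return sorted(set(proc_pids) - reported)


# Constructed samples standing in for real host data.
SAMPLE_PASSWD = ("root:x:0:0:root:/root:/bin/sh\n"
                 "bin:x:1:1::/bin:/sbin/nologin\n"
                 "sshd:x:22:22::/var/empty:/sbin/nologin\n"
                 "tcp:x:0:0::/:/bin/sh\n")
SAMPLE_LSATTR = ("----i--------e-- /etc/passwd\n"
                 "----i--------e-- /etc/shadow\n"
                 "-------------e-- /etc/group\n")
SAMPLE_PROC_PIDS = [1, 22, 315, 4410]          # PIDs as listed under /proc
SAMPLE_PS = "  PID COMMAND\n    1 init\n   22 syslogd\n  315 sshd\n"

if __name__ == "__main__":
    print("unexpected accounts:", unexpected_accounts(SAMPLE_PASSWD))
    print("immutable files:    ", immutable_files(SAMPLE_LSATTR))
    print("pids hidden from ps:", hidden_pids(SAMPLE_PROC_PIDS, SAMPLE_PS))
```

Because the post says the worm replaces `ps`, `netstat` and `top`, the process check deliberately takes the /proc listing as its ground truth rather than trusting the binaries on the box.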

----
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com

This archive was generated by hypermail 2b30 : Wed Oct 02 2002 - 11:42:06 PDT