WORM: Warning to all LINUX/PERL monks

I know this is supposed to be a perl website, however I know a lot of the bretheren use linux, so I just wanted to warn everone of a new worm that was posted by CERT.
I will accept all flames for going off topic.
I trust the reliability of this node because this email was sent to my university's sysadmin and he passed it on to our school LUG. The node containing this CERT warning and all applicable links is quite long, so it can be seen here:
Stay aware of security/ ATtention Linux perl monks
I apologize for putting it in two places, just didn't quite know what the best place to spread this to the members of the community.;^}

Comment on WORM: Warning to all LINUX/PERL monks

Replies are listed 'Best First'.
BIND exploit by dws (Chancellor) on Mar 24, 2001 at 10:08 UTC
Lest all Linux monks panic, this exploit will only affect you if you're a) running BIND, and b) exposed directly to the internet. If you don't need to be running BIND, turn it off. (Repeat this advice for all services you don't need.) Saturday morning update: Yesterday I warned several Linux-running friends who don't typically pay attention to happenings in the outside world. Two have reported that they've been hacked. PAY ATTENTION TO THIS ONE.	[reply]
Re: BIND exploit by deprecated (Priest) on Mar 25, 2001 at 00:45 UTC
Um, I hate to beat an offtopic horse... But, it also doesnt affect you if you arent running an i386 platform. Presumably this program is not installing source, compiling that source, and then causing problems. I run bind 9 at home so it isnt an issue, but should I have been exposed to the security hole, the programs mentioned on the t0rn rootkit homepage do not affect me -- I run a PowerPC router/firewall at home. sigh Why cant we just use our powers for good instead of evil? brother dep. -- Laziness, Impatience, Hubris, and Generosity.	[reply]
Re: Re: BIND exploit by strredwolf (Chaplain) on Mar 25, 2001 at 04:37 UTC
The exploit, according to Wired News, affects all archetectures that can run BIND, including FreeBSD, Ultrix, Solaris, etc. It may be a short amount of time before they sneak in something Javaish. -- $Stalag99{"URL"}="http://stalag99.keenspace.com";	[reply]
Re: Re: Re: BIND exploit by deprecated (Priest) on Mar 25, 2001 at 05:17 UTC
Re: WORM: Warning to all LINUX/PERL monks by Masem (Monsignor) on Mar 24, 2001 at 17:09 UTC
It is a bad worm, yes, and it's taking advantage of a problem that many linux users (but doubtfully the ones on PM have) and that's the lack of updating critical software. The worm's based off a bug found in January for the so-called Raman worm which had to be used in conjunction with wuftpd and one other client, and affect all versions of BIND except the most recent, 8.2.3 (non-beta). Nearly all major nux vendors had patches out the same day, but quotes estimate that maybe only 50 to 75% of those running nix took this necessary step. This worm is using the exact same exploit, delievering a much deadlier protocol since it basically sticks a root kit on the affected box. And it's exploiting the fact that some nix installs NEVER get patched for security holes (one article I read says that 20% of the internet* is affected because of the number of nix-based servers that have old BIND versions. But this is why I don't think most PM-ers will be affected, because we are computer professionals and know the value of security patches :D. (Of course, the other trick besides patching is to stick the bind process behind a different user besides root, which means that a would-be attacker would not be able to root-kit your machine.) Dr. Michael K. Neylon - mneylon-pm@masemware.com \|\| "You've left the lens cap of your mind on again, Pinky" - The Brain*	[reply]
Re: Re: WORM: Warning to all LINUX/PERL monks by Clownburner (Monk) on Mar 24, 2001 at 22:55 UTC
Although it doesn't apply to this worm really, even if BIND is not run as root, it usually starts that way, so if you could exploit this hole, you could plant a "bomb" that would effectively root the box the next time BIND was run as root (such as a restart), which could then be provoked with any number of DoS attacks... But not running BIND as root is certainly the first step. What we need is a clean-slate, audited-code DNS implementation that is configuration-file compatible with BIND -- That would certainly make migration easier for the rest of the world, and maybe we'd get away from these BIND-related nasties for good. Signature void where prohibited by law.	[reply]
Re: WORM: Warning to all LINUX/PERL monks by turnstep (Parson) on Mar 25, 2001 at 01:17 UTC
I'd just like to point out that there is a BIND alternative, and IMO a pretty good one: DJDNS I tend to agree with this anti-BIND rant for the most part.	[reply]
Re: WORM: Warning to all LINUX/PERL monks by arhuman (Vicar) on Mar 24, 2001 at 15:33 UTC
Yes I think that there is no need to panic too... I even add, even if some people will find me cynic, that I wonder how the Internet will react to this worm. Now that security IS a professional priority, that the vulnerabilities are for a large part known an categorized, that IDS are common, and security 'expert' even more common... Will the Internet handle it better than the Morris worm ? Now just a 2 cents analysis : I fear far much a huge DDOS attack, with this new BIND exploit and the formatstring exploits 'popping' everywhere... For me a new wave is coming, I just wonder who will be the authors : black-hats or government agencies (They're all talking about cyberwar and none of them try anything ?) :-) "Trying to be a SMART lamer" (thanx to Merlyn ;-)	[reply]

Back to Meditations