Beefy Boxes and Bandwidth Generously Provided by pair Networks
Perl: the Markov chain saw

Re: Stay aware of security

by OzzyOsbourne (Chaplain)
on Mar 20, 2001 at 20:29 UTC ( #65721=note: print w/replies, xml ) Need Help??

in reply to Stay aware of security

To secure or not secure, that is the question.

This thread seems to have evolved into to camps: People who lock it all down, and people who think it's too hard to lock it all down.

I am in camp 3: Lock everything down according to its value. I leave rakes and shovels in my yard, I don't leave my wallet on the window sill, and I always lock my doors.

Some of my stuff is LOCKED, some is not that locked, and it's all behind a firewall.

Final points:

  1. If someone wants in, they'll find a way,
  2. You don't have to leave the door open.
  3. As a home user, you are 1 in a Zillion

Finding an appropriate security policy is the hard part.

Find balance.


Replies are listed 'Best First'.
Re (tilly) 2: Stay aware of security
by tilly (Archbishop) on Mar 20, 2001 at 22:26 UTC
    I am in camp 4. The Internet is the biggest (virtual) metropolis around. One in a zillion is very findable when people have tools like port scanning. But you are never going to be perfect.

    Therefore unles I have a good reason not to, I lock my door. I don't leave valuable lying around without reason. But I am not totally paranoid, and if you want to break the windows, I know you can get in.

    But wherever I reasonably can, I pay attention to security.

    Far too often people confuse being one in a crowd with being safe. That isn't true. In a world with DDoS attacks, if you aren't part of the solution, you are part of the problem...

      I don't know if this appropriate here, but I know a lot of perl monks are penguin lovers also. I was forwarded this PGP signed message from my LUG. It was sent to one of the sysadmins at the university i attend:
      Hash: SHA1
      March 23, 2001 7:00 AM
      Late last night, the SANS Institute (through its Global Incident
      Analysis Center) uncovered a dangerous new worm that appears to be spreading rapidly across the Internet. It scans the Internet looking for Linux computers with a known vulnerability. It infects the vulnerable machines, steals the password file (sending it to a site), installs other hacking tools, and forces the newly infected machine to begin scanning the Internet looking for other victims.
      Several experts from the security community worked through the night to decompose the worm's code and engineer a utility to help you discover if the Lion worm has affected your organization.
      Updates to this announcement will be posted at the SANS web site,
      The Lion worm is similar to the Ramen worm. However, this worm is significantly more dangerous and should be taken very seriously. It infects Linux machines running the BIND DNS server. It is known to infect bind version(s) 8.2, 8.2-P1, 8.2.1, 8.2.2-Px, and all 8.2.3-betas. The specific vulnerability used by the worm to exploit machines is the TSIG vulnerability that was reported on January 29, 2001.
      The Lion worm spreads via an application called "randb". Randb scans random class B networks probing TCP port 53. Once it hits a system, it checks to see if it is vulnerable. If so, Lion exploits the system using an exploit called "name". It then installs the t0rn rootkit.
      Once Lion has compromised a system, it:
      - - Sends the contents of /etc/passwd, /etc/shadow, as well as some network settings to an address in the domain.
      - - Deletes /etc/hosts.deny, eliminating the host-based perimeter protection afforded by tcp wrappers.
      - - Installs backdoor root shells on ports 60008/tcp and 33567/tcp (via inetd, see /etc/inetd.conf)
      - - Installs a trojaned version of ssh that listens on 33568/tcp
      - - Kills Syslogd , so the logging on the system can't be trusted
      - - Installs a trojaned version of login
      - - Looks for a hashed password in /etc/ttyhash
      - - /usr/sbin/nscd (the optional Name Service Caching daemon) is overwritten with a trojaned version of ssh.
      The t0rn rootkit replaces several binaries on the system in order to stealth itself. Here are the binaries that it replaces:
      du, find, ifconfig, in.telnetd, in.fingerd, login, ls, mjy, netstat, ps, pstree, top
      - - "Mjy" is a utility for cleaning out log entries, and is placed in /bin and /usr/man/man1/man1/lib/.lib/.
      - - in.telnetd is also placed in these directories; its use is not known at this time.
      - - A setuid shell is placed in /usr/man/man1/man1/lib/.lib/.x
      We have developed a utility called Lionfind that will detect the Lion files on an infected system. Simply download it, uncompress it, and run lionfind. This utility will list which of the suspect files is on the system.
      At this time, Lionfind is not able to remove the virus from the system. If and when an updated version becomes available (and we expect to provide one), an announcement will be made at this site.
      Download Lionfind at
      Further information can be found at:, CERT Advisory CA-2001-02, Multiple Vulnerabilities in BIND ISC BIND 8 contains buffer overflow
      in transaction signature (TSIG) handling code Information about the t0rn rootkit.
      The following vendor update pages may help you in fixing the original BIND vulnerability:
      Redhat Linux RHSA-2001:007-03 - Bind remote exploit
      Debian GNU/Linux DSA-026-1 BIND
      SuSE Linux SuSE-SA:2001:03 - Bind 8 remote root compromise. txt.txt
      Caldera Linux CSSA-2001-008.0 Bind buffer overflow
      This security advisory was prepared by Matt Fearnow of the SANS Institute and William Stearns of the Dartmouth Institute for Security Technology Studies.
      The Lionfind utility was written by William Stearns. William is an Open-Source developer, enthusiast, and advocate from Vermont, USA. His day job at the Institute for Security Technology Studies at Dartmouth College pays him to work on network security and Linux projects.
      Also contributing efforts go to Dave Dittrich from the University of Washington, and Greg Shipley of Neohapsis
      Matt Fearnow
      SANS GIAC Incident Handler
      If you have additional data on this worm or a critical quetsion please email
      -----BEGIN PGP SIGNATURE-----
      Version: GnuPG v1.0.4 (BSD/OS)
      Comment: For info see
      -----END PGP SIGNATURE-----
        Good idea for the warning, but I think many sys admin's should not have fallen prey to this attack - since the worm uses the security hole in Bind. Most have upgraded, if not.. I guess that's a good lesson in procrasination. :(

        The Bind warning of the security bug has been out for some time and most who have not upgraded ... well, they usually haven't due to personal reasons (i.e. home server) or have not considered the consequences thoroughly. It was only a matter of time, where someone would exploit these bugs. In any case, those who use Bind 8.. should upgrade to Bind 8.2.3

        p.s. It's not only linux systems but all unix systems running Bind DNS.
        Yes, 'tis a sad day for Linux. Although not the first worm for Linux, it is becoming painfully apparent that viruses for Linux are becoming more widespread, and will without question become a problem :(

Log In?

What's my password?
Create A New User
Domain Nodelet?
Node Status?
node history
Node Type: note [id://65721]
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others romping around the Monastery: (2)
As of 2022-09-27 05:05 GMT
Find Nodes?
    Voting Booth?
    I prefer my indexes to start at:

    Results (118 votes). Check out past polls.