View full version: Linux.Sorso


appio79
27-08-2004, 11:34
:dhò: :dhò: :dhò: I had caught it, and Norton found it for me from Windows!!!!!!:fagiano: :dhò: :dhò: :dhò:
________________________________________
Linux.Sorso

Discovered on: July 02, 2003
Last Updated on: July 30, 2003 07:05:26 PM

Linux.Sorso is a worm that replicates using a Samba buffer overflow exploit. The worm targets vulnerable installations of the Samba server version 2.2.8a and earlier, version 2.0.10 and earlier, and Samba-TNG version 0.3.2 and earlier. The worm also contains code for a backdoor and a Distributed Denial of Service (DDoS) attack and only affects Linux running on Intel x86 platforms.

Also Known As: Worm.Linux.Sorso.a, Backdoor.Linux.Sorso (AVP)

Type: Zoo Worm

Systems Affected: Linux
Systems Not Affected: Windows 3.x, Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me, Microsoft IIS, Macintosh, OS/2, UNIX

protection

Virus Definitions (Intelligent Updater) *: July 03, 2003
Virus Definitions (LiveUpdate™) **: July 09, 2003

* Intelligent Updater definitions are released daily, but require manual download and installation.
** LiveUpdate virus definitions are usually released every Wednesday.

technical details

When Linux.Sorso is executed, it performs the following actions:

1. Tries to establish an anonymous SMB session with a Samba server.

2. Sends a TRANS2_OPEN2 request with invalid parameters containing exploit code.

NOTE: The worm uses a Linux shell code exploit, which runs only on Intel x86 platforms.

3. Sends a shell command sequence to the remote shell, which causes the server to download the files from http://www.jx263.com/.

4. Extracts the downloaded files to /usr/lib/.lib and starts a script called start.sh. This requires the presence of the shell command /bin/sh, wget, and tar in the PATH to properly execute.

5. Adds several cron jobs to be executed. These jobs include an exploit program to spread itself, a hijacked version of http daemon, a hijacked ps command, a backdoor, and a DDoS program.

6. Mails the server's IP address, with the /etc/hosts, /etc/passwd, and /etc/shadow files, to hyukie54@163.com and nihao16897888@21cn.com.

7. Scans random class C-sized networks for Samba hosts and tries to exploit each one found.

8. Replaces the existing http daemon with a hijacked version, allowing Web access to any file on the machine.

9. Hides running processes, which the worm created, using the hijacked ps command.

10. Replaces /sbin/klogd with a backdoor program. Upon receiving an ICMP packet of a specific size, the backdoor program binds to a fixed TCP port and provides a shell running as root.

11. Generates a list of possible IPs on a random class C-sized network once a day and adds them to a file. The DDoS program goes through every IP address in the file and sends an ICMP request to that particular IP, using a spoofed source address. As a result, all the ICMP echo response packets go to the spoofed IP address and create an ICMP DDOS attack. The spoofed source IP address is www.rising.com.cn.




removal instructions

Once Linux.Sorso attacks a computer, it is difficult to determine what else the computer has been exposed to. In most cases, changes other than those made by the threat will not have occurred. However, the author of the threat may have been able to use the threat to access the computer to make changes to it. Unless you can be absolutely sure that malicious activity has not been performed on the computer, we recommend completely re-installing the operating system.
________________________________________

I think I need to install some antivirus... what do you recommend?
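A defender-side triage for the indicators the writeup above lists, as an added example that is not part of the Symantec writeup or of any post in this thread. The drop directory /usr/lib/.lib and its start.sh script (step 4), the cron persistence (step 5) and the hijacked ps hiding processes (step 9) come from the writeup; the cron file locations, the use of procps `ps -eo pid=`, and the sample cron line and sample tarball are assumptions or constructed input. Because the thread later turns on an infected home-directory backup in a tar.gz, the same path check is also run over an archive's member list without extracting it.

```python
"""Host triage for the Linux.Sorso indicators named in the writeup.

Added example, not code from the Symantec writeup or from anyone in this
thread. Each check is a pure function over its input so it can be run on
constructed data; main() feeds the checks live data from a Linux host.
"""
import io
import os
import re
import subprocess
import sys
import tarfile

# From the writeup: the drop directory and start script (step 4).
DROP_DIR = "/usr/lib/.lib"
START_SCRIPT = "start.sh"

# Cron entries pointing at the drop directory (step 5). Matching ".lib/start.sh"
# rather than any start.sh keeps legitimate start scripts out of the results.
CRON_PATTERN = re.compile(r"/usr/lib/\.lib|\.lib/" + re.escape(START_SCRIPT))

# Usual crontab locations (an assumption; they vary by distribution).
CRON_FILES = ["/etc/crontab"]
CRON_DIRS = ["/etc/cron.d", "/var/spool/cron/crontabs", "/var/spool/cron"]


def suspicious_cron_lines(lines):
    """Return the non-comment cron entries that reference the worm's drop dir."""
    hits = []
    for line in lines:
        entry = line.strip()
        if not entry or entry.startswith("#"):
            continue
        if CRON_PATTERN.search(entry):
            hits.append(entry)
    return hits


def hidden_pids(proc_pids, ps_pids):
    """PIDs visible in /proc but missing from ps output.

    A hijacked ps (step 9) hides the worm's processes; the kernel's view in
    /proc does not go through that binary, so a disagreement is the tell.
    """
    return sorted(set(proc_pids) - set(ps_pids))


def suspicious_archive_members(names):
    """Archive members that carry the dropped files, for vetting a backup
    tarball without extracting it."""
    hits = []
    for name in names:
        path = "/" + name.lstrip("./")
        if DROP_DIR in path or path.endswith("/.lib/" + START_SCRIPT):
            hits.append(name)
    return hits


def scan_backup(blob):
    """Run the member check over a gzip-compressed tar held in memory."""
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        return suspicious_archive_members(tar.getnames())


def build_sample_backup():
    """Constructed tarball: one harmless file and one path shaped like the
    worm's drop directory. The contents are placeholder text, not worm code."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name in ("home/user/notes.txt", "home/user/usr/lib/.lib/start.sh"):
            data = b"placeholder\n"
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def read_cron_lines():
    paths = list(CRON_FILES)
    for d in CRON_DIRS:
        if os.path.isdir(d):
            paths.extend(os.path.join(d, f) for f in os.listdir(d))
    lines = []
    for p in paths:
        try:
            with open(p, errors="replace") as fh:
                lines.extend(fh.readlines())
        except OSError:  # absent, or unreadable without root
            pass
    return lines


def read_proc_pids():
    return [int(d) for d in os.listdir("/proc") if d.isdigit()]


def read_ps_pids():
    out = subprocess.run(["ps", "-eo", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return [int(tok) for tok in out.split()]


def main():
    findings = []
    if os.path.isdir(DROP_DIR):
        findings.append("drop directory present: " + DROP_DIR)
    findings += ["cron: " + e for e in suspicious_cron_lines(read_cron_lines())]
    if os.path.isdir("/proc"):
        missing = hidden_pids(read_proc_pids(), read_ps_pids())
        # Ignore processes that simply exited between the two snapshots.
        missing = [p for p in missing if os.path.isdir("/proc/%d" % p)]
        findings += ["pid in /proc but not in ps: %d" % p for p in missing]
    # Optional argument: a real backup .tar.gz; otherwise the constructed sample.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_backup()
    findings += ["backup: " + m for m in scan_backup(blob)]
    print("\n".join(findings) if findings else "no Sorso indicators found")


if __name__ == "__main__":
    main()
```

Run it as root so the per-user crontabs are readable; a non-empty "pid in /proc but not in ps" list is worth a closer look regardless of this particular worm, since any process-hiding ps or rootkit produces the same disagreement.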

francofait
27-08-2004, 11:45
Originally posted by appio79
:dhò: :dhò: :dhò: I had caught it, and Norton found it for me from Windows!!!!!!:fagiano: :dhò: :dhò: :dhò:
[...]

I think I need to install some antivirus... what do you recommend?

I'd say that a good antivirus certainly doesn't hurt if you use a mixed network with XP and Samba for sharing resources; anyway, what gets infected by linux-sorso is Win, not linux, and the Windows antivirus has no way of going to look for viruses on linux partitions: it doesn't recognise them and consequently can't run any kind of scan on them.

appio79
27-08-2004, 13:46
Originally posted by francofait
I'd say that a good antivirus certainly doesn't hurt if you use a mixed network with XP and Samba for sharing resources; anyway, what gets infected by linux-sorso is Win, not linux, and the Windows antivirus has no way of going to look for viruses on linux partitions: it doesn't recognise them and consequently can't run any kind of scan on them.
Norton found it in a backup of a user's home directory that I had made a tar.gz of some time ago. Today I came across it again and, while looking for some old documents (I was on a Windows machine), I decompressed it with WinRAR, and at the end of the extraction Norton gave me the removal warning. The backup file was on a FAT32 partition that I keep in order to access data from both OSes..

appio79
27-08-2004, 13:49
and besides, I don't like those last lines of the text I posted above at all....!!!
reinstalling gentoo all over again after all the time I spent configuring it properly.... :cry: :cry:

francofait
27-08-2004, 14:31
No need to cry so much: as a Linux virus it isn't worth a damn, it infects Windows machines, it exploits a Samba flaw, and, needless to say, it's written (incredible horror) in Visual C++.
Known and recognised for more than 2 years now by all the antivirus programs, both for Win and for Linux. By now, as far as Linux is concerned, it isn't a problem at all, and at the time it caused very little trouble either. Managing to successfully infect an OS in continuous, practically daily, evolution like Linux is, for now, no easy feat even for the most cunning pornoKraker; all the attempts made so far have ended in a fiasco after a few hours.

GhePeU
27-08-2004, 14:51
sorry, but which version of samba are you using? and when did you install gentoo?

appio79
27-08-2004, 15:33
The backup dates back several months, to November. It isn't a home directory from the PC where I have gentoo (a laptop), but I took some directories from it that I needed and used them from gentoo; I wouldn't want the worm to be in those directories too. I installed gentoo for the first time around January, then reinstalled it a month or so ago after changing the laptop's partitions, always keeping some backup folders.
As for the samba version, I don't know which it is; I changed distro on the PC the home directory came from... :bhò:

What worried me was the sending of the system passwords and so on... anyway, by now I don't think it can do me any more damage, since I've changed almost everything..
