[conspire] linux antivirus?
rick at linuxmafia.com
Thu Sep 11 01:08:25 PDT 2003
Oops! I forgot lpdw0rm.
Quoting Blue Boar (BlueBoar at thievco.com):
> I've personally tracked (at peak) thousands of infected linux machines
> for the three variants of lion and lpdw0rm.
(FYI, dates cited for the 1i0n and lpdw0rm appearances refer to the
_first_ versions of each, per my googling. That googling is not
guaranteed infallible: I didn't exactly do a major research project on
OK, we're talking about poorly maintained Red Hat boxes again; I can
tell. How? Because this was a canned 'sploit in April 2001, targeted
almost entirely at Red Hat 7.0 boxes still running a ridiculously
long-vulnerable version of lprng. (lprng is a slightly revised version
of the crufty old BSD lpr print daemon.)
Now, I have a question for you: Why the _hell_ would anyone with an
ounce of common sense _not only_ turn on a notoriously vulnerable,
obsoletely designed print daemon, but also leave it accessible from
the global Internet?
But wait, it gets better: The vulnerability that lpdw0rm exploited had
been discovered in _October 2000_ or earlier. How do I know this?
Because that's when RH released package LPRng-3.6.24-2 specifically to
close it -- labelled as fixing "a critical string format bug".
Therefore, anyone caught with his pants down by lpdw0rm (any variant)
had been failing to install a blatantly needed and widely available
security update for 5+ months -- to fix a hole that had been known for
at least that long and possibly longer.
So, I have just about zero sympathy. We're talking massive negligence,
> Most of them get root by popping a root service, too.
This is not exactly true: Didn't BIND8 and lprng run in those days as
SUID-root monolithic binaries? Therefore, escalating to root wasn't
required: The thing was already using root authority, and all you
needed was something like a string-handling bug to subvert it remotely.
Cheers, Founding member of the Hyphenation Society, a grassroots-based,
Rick Moen not-for-profit, locally-owned-and-operated, cooperatively-managed,
rick at linuxmafia.com modern-American-English-usage-improvement association.
More information about the conspire