[conspire] linux antivirus?

Rick Moen rick at linuxmafia.com
Thu Sep 11 01:08:25 PDT 2003

Oops!  I forgot lpdw0rm.  

Quoting Blue Boar (BlueBoar at thievco.com):

> I've personally tracked (at peak) thousands of infected linux machines
> for the three variants of lion and lpdw0rm.  

(FYI, dates cited for the 1i0n and lpdw0rm appearances refer to the
_first_ versions of each, per my googling.  That googling is not
guaranteed infallible:  I didn't exactly do a major research project on
this stuff.)

OK, we're talking about poorly maintained Red Hat boxes again; I can
tell.  How?  Because this was a canned 'sploit in April 2001, targeted
almost entirely at Red Hat 7.0 boxes still running a ridiculously
long-vulnerable version of lprng.  (lprng is a slightly revised version
of the crufty old BSD lpr print daemon.)

Now, I have a question for you:  Why the _hell_ would anyone with an
ounce of common sense _not only_ turn on a notoriously vulnerable,
obsoletely designed[1] print daemon, but also leave it accessible from
the global Internet?

But wait, it gets better:  The vulnerability that lpdw0rm exploited had
been discovered in _October 2000_ or earlier.  How do I know this?
Because that's when RH released package LPRng-3.6.24-2 specifically to
close it -- labelled as fixing "a critical string format bug".
Therefore, anyone caught with his pants down by lpdw0rm (any variant)
had been failing to install a blatantly needed and widely available
security update for 5+ months -- to fix a hole that had been known for
at least that long and possibly longer.

So, I have just about zero sympathy.  We're talking massive negligence,

> Most of them get root by popping a root service, too.

This is not exactly true:  Didn't BIND8 and lprng run in those days as
SUID-root monolithic binaries?  Therefore, escalating to root wasn't
required:  The thing was already using root authority, and all you
needed was something like a string-handling bug to subvert it remotely. 

Cheers,     Founding member of the Hyphenation Society, a grassroots-based, 
Rick Moen   not-for-profit, locally-owned-and-operated, cooperatively-managed,
rick at linuxmafia.com     modern-American-English-usage-improvement association.
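As an added illustration, not part of Rick's post or of any Red Hat tooling, the two negligence points above (an LPRng package older than the fix release, and lpd left reachable from outside) reduce to checks an admin can script. This assumes version-release strings made of numeric segments (the post's LPRng-3.6.24-2 form) and listener entries given as "addr:port"; the sample data at the bottom is constructed, not live output. On an RPM system the installed string would come from `rpm -q --qf '%{VERSION}-%{RELEASE}' LPRng`.

```shell
#!/bin/sh
# Added example, not from the post: audit helpers for the two failure modes
# it describes on a Red Hat box of that era:
#   (1) the installed LPRng package predates the fix release (LPRng-3.6.24-2
#       per the post), and
#   (2) lpd (TCP port 515) is bound on a non-loopback address.
# Assumptions: version-release strings are purely numeric segments, and the
# listener lines are "addr:port" entries (constructed below, not live output).

# Compare two version-release strings ("3.6.22-5" vs "3.6.24-2") segment by
# segment as integers; prints lt, eq or gt. Missing trailing segments count
# as 0, so "3.6.24" sorts below "3.6.24-2".
vercmp() {
    _a=$(printf '%s' "$1" | sed 's/[.-]/ /g')
    _b=$(printf '%s' "$2" | sed 's/[.-]/ /g')
    while [ -n "$_a" ] || [ -n "$_b" ]; do
        _x=${_a%% *}; _y=${_b%% *}
        # Drop the segment just taken from the front of each list.
        case "$_a" in *" "*) _a=${_a#* } ;; *) _a= ;; esac
        case "$_b" in *" "*) _b=${_b#* } ;; *) _b= ;; esac
        if [ "${_x:-0}" -lt "${_y:-0}" ]; then echo lt; return; fi
        if [ "${_x:-0}" -gt "${_y:-0}" ]; then echo gt; return; fi
    done
    echo eq
}

# Report whether an installed LPRng version ($1) still predates the fix
# release ($2).
lprng_status() {
    case $(vercmp "$1" "$2") in
        lt) echo "UNPATCHED: $1 < $2" ;;
        *)  echo "ok: $1 >= $2" ;;
    esac
}

# Read "addr:port" listener entries on stdin and print those where lpd
# (port 515) is reachable on something other than loopback.
exposed_lpd() {
    while read -r _entry; do
        _port=${_entry##*:}
        _addr=${_entry%:*}
        [ "$_port" = 515 ] || continue
        case "$_addr" in
            127.*|::1|\[::1\]) ;;      # loopback only: not exposed
            *) echo "$_entry" ;;
        esac
    done
}

# Constructed sample data standing in for rpm -q / ss output.
lprng_status "3.6.22-5" "3.6.24-2"
printf '0.0.0.0:515\n127.0.0.1:515\n0.0.0.0:22\n' | exposed_lpd
```

The version comparison deliberately treats a missing release number as 0 rather than failing, so a bare "3.6.24" is still reported as older than the fix; the listener check only flags port 515, so anything else bound to 0.0.0.0 stays out of the report and would need its own rule.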
