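#!/bin/bash
#Copyright 2001 William Stearns
#Released under the GPL.
#
# lionfind: report on the presence of the Lion worm and hand its known
# artifacts to the detectlib helpers for cleanup.
#
# Requires:    a file named "detectlib" in the current directory.  It must
#              define InitDetectLib, DetectLibVer, AttackName, AttackMarker,
#              ReplacedFile, PathToRunningApps, PackagesMangled, AttackFiles,
#              NukedFiles, AddedLine, ReplacedLine, ServicesStopped, and the
#              exit-status variables True/False.  What each helper does with
#              the path lists below is defined in detectlib, not here.
# Exit status: 2 if detectlib cannot be loaded, 1 if it is older than 023,
#              otherwise $True (marker present) or $False (marker absent) as
#              defined by detectlib.
# NOTE(review): the worm replaces ls, ps, netstat, find, du, top and ifconfig
#              (see the PackagesMangled list below), so anything this script
#              observes while running on the live system goes through tools
#              that may themselves be trojaned.  Confirming findings from a
#              known-good boot medium is advisable.
LIONFINDVERSION="0.1.9"

#Banner.
echo '====' Lionfind '===='
echo "Version $LIONFINDVERSION"
echo "A script to report on the existence of and remove the Lion worm."
echo "Copyright 2001 William Stearns ,"
echo "Released under the GNU General Public License (GPL)."
echo "Updated versions may be found at the"
echo "Institute for Security Technology Studies"
echo "(http://www.ists.dartmouth.edu/IRIA/knowledge_base/tools/lionfind.htm),"
echo "and SANS (http://www.sans.org/y2k/lion.htm)."

#FIXME - restoreme.
#echo Usage help may be obtained with \"$0 -h\".

# Load the helper library explicitly from the current directory.  A bare
# ". detectlib" makes bash look through $PATH first and only then fall back
# to ".", which is not what the error message below promises and would let a
# same-named file earlier in PATH be sourced instead.
if ! . ./detectlib ; then
  echo "Cannot find detectlib in the current directory, exiting"
  exit 2
fi
InitDetectLib

# Quoted with a default of 0: if the library never sets DetectLibVer the
# original unquoted test became "[ -lt 023 ]", which is a usage error of "["
# (status 2), so the version gate was skipped instead of failing.
if [ "${DetectLibVer:-0}" -lt 023 ]; then
  echo "detectlib is too old, please update. Exiting."
  exit 1
fi

AttackName Lion

# The three directories are the infection markers; everything below runs
# only when at least one of them is present.
if AttackMarker /dev/.lib /usr/src/.puta /usr/info/.t0rn ; then
  ReplacedFile /bin/login /sbin/xlogin

  #The original lion had this commented out, but it's worth a check
  #The following list contains some apps that are transient and some that
  #do not appear to be enabled in the current lion. I'm listing them here
  #as their paths mean they're safe to kill.
  PathToRunningApps \
    /dev/.lib/lib/1i0n.sh \
    /dev/.lib/lib/lib/1i0n.sh \
    /dev/.lib/lib/scan/1i0n.sh \
    /dev/.lib/lib/scan/getip.sh \
    /dev/.lib/lib/scan/star.sh \
    /dev/.lib/lib/scan/scan.sh \
    /dev/.lib/lib/scan/hack.sh \
    /dev/.lib/lib/scan/pscan \
    /dev/.lib/lib/scan/randb \
    /dev/.lib/lib/scan/bindx.sh \
    /dev/.lib/lib/scan/bind \
    /dev/.lib/lib/lib/1i0n.sh \
    /dev/.lib/lib/lib/getip.sh \
    /dev/.lib/lib/lib/pg \
    /dev/.lib/lib/lib/sz \
    /dev/.lib/lib/lib/t0rnp \
    /dev/.lib/lib/lib/t0rns \
    /dev/.lib/lib/lib/t0rnsb \
    /dev/.lib/lib/lib/tfn \
    /dev/.lib/lib/lib/mjy \
    /dev/.lib/lib/lib/name \
    /dev/.lib/lib/lib/.t0rn/shdcf2 \
    /dev/.lib/lib/lib/.t0rn/sharsed \
    /dev/.lib/1i0n.sh \
    /dev/.lib/star.sh \
    /dev/.lib/scan.sh \
    /dev/.lib/randb \
    /dev/.lib/pscan \
    /dev/.lib/bindx.sh \
    /dev/.lib/bind \
    /dev/.lib/hack.sh \
    /dev/.lib/getip.sh \
    /dev/.lib/lion \
    /sbin/asp \
    /usr/sbin/nscd \
    /usr/src/.puta/t0rns \
    /bin/in.telnetd \
    /usr/sbin/inetd
  #OK, I'm sorry about inetd. The real inetd will be whacked in addition to the
  #one running /etc/.nsys as it's config file (running a root shell on 2555/tcp).
  #See in.fingerd. I'll grant you that the current script doesn't specifically
  #enable finger in /etc/inetd.conf, but if it's already enabled, the trojan
  #in.fingerd will be run on an incoming finger attempt. Anyways, we'll restart
  #inetd at the bottom of this script.

  # Pairs of "path package": system tools the worm overwrites and the package
  # each one should be restored from.  The last entry deliberately has no
  # trailing backslash so that AttackFiles below is its own command rather
  # than one more argument to PackagesMangled.
  PackagesMangled \
    /bin/ls fileutils \
    /bin/netstat net-tools \
    /bin/ps procps \
    /sbin/ifconfig net-tools \
    /usr/bin/du fileutils \
    /usr/bin/find findutils \
    /usr/bin/top procps \
    /usr/sbin/in.fingerd finger-server \
    /usr/sbin/nscd nscd

  # Files and directories dropped by the worm (directories carry a trailing
  # slash).  Some entries appear twice in the original list; harmless.
  AttackFiles \
    /bin/in.telnetd \
    /bin/mjy \
    /etc/.nsys \
    /etc/ttyhash \
    /dev/.lib/.hack \
    /dev/.lib/bindname.log \
    /dev/.lib/1i0n.sh \
    /dev/.lib/asp62 \
    /dev/.lib/bind \
    /dev/.lib/bindx.sh \
    /dev/.lib/getip.sh \
    /dev/.lib/hack.sh \
    /dev/.lib/index.htm \
    /dev/.lib/pscan \
    /dev/.lib/randb \
    /dev/.lib/scan.sh \
    /dev/.lib/star.sh \
    /dev/.lib/bindname.log \
    /dev/.lib/1i0n.tgz \
    /dev/.lib/lib/scan/1i0n.sh \
    /dev/.lib/lib/scan/hack.sh \
    /dev/.lib/lib/scan/bind \
    /dev/.lib/lib/lib/mail.log \
    /dev/.lib/lib/scan/randb \
    /dev/.lib/lib/scan/scan.sh \
    /dev/.lib/lib/scan/pscan \
    /dev/.lib/lib/scan/star.sh \
    /dev/.lib/lib/scan/bindx.sh \
    /dev/.lib/lib/scan/bindname.log \
    /dev/.lib/lib/scan/mail.log \
    /dev/.lib/lib/1i0n.sh \
    /dev/.lib/lib/lib/netstat \
    /dev/.lib/lib/lib/dev/.1addr \
    /dev/.lib/lib/lib/dev/.1logz \
    /dev/.lib/lib/lib/dev/.1proc \
    /dev/.lib/lib/lib/dev/.1file \
    /dev/.lib/lib/lib/t0rns \
    /dev/.lib/lib/lib/du \
    /dev/.lib/lib/lib/ls \
    /dev/.lib/lib/lib/t0rnsb \
    /dev/.lib/lib/lib/ps \
    /dev/.lib/lib/lib/t0rnp \
    /dev/.lib/lib/lib/find \
    /dev/.lib/lib/lib/ifconfig \
    /dev/.lib/lib/lib/pg \
    /dev/.lib/lib/lib/ssh.tgz \
    /dev/.lib/lib/lib/top \
    /dev/.lib/lib/lib/sz \
    /dev/.lib/lib/lib/ARSEX3 \
    /dev/.lib/lib/lib/login \
    /dev/.lib/lib/lib/in.fingerd \
    /dev/.lib/lib/lib/1i0n.sh \
    /dev/.lib/lib/lib/pstree \
    /dev/.lib/lib/lib/in.telnetd \
    /dev/.lib/lib/lib/mjy \
    /dev/.lib/lib/lib/sush \
    /dev/.lib/lib/lib/tfn \
    /dev/.lib/lib/lib/name \
    /dev/.lib/lib/lib/getip.sh \
    /dev/.lib/lib/lib/.t0rn/shdcf \
    /dev/.lib/lib/lib/.t0rn/shdcf2 \
    /dev/.lib/lib/lib/.t0rn/sharsed \
    /dev/.lib/lib/lib/.t0rn/shhk \
    /dev/.lib/lib/lib/.t0rn/shhk.pub \
    /dev/.lib/lib/lib/.t0rn/shrs \
    /tmp/.pinespool \
    /usr/info/.t0rn/shdcf \
    /usr/info/.t0rn/shdcf2 \
    /usr/info/.t0rn/sharsed \
    /usr/info/.t0rn/shhk \
    /usr/info/.t0rn/shhk.pub \
    /usr/info/.t0rn/shrs \
    /usr/man/man1/man1/lib/.lib/mjy \
    /usr/man/man1/man1/lib/.lib/in.telnetd \
    /usr/man/man1/man1/lib/.lib/.x \
    /usr/sbin/nscd \
    /usr/src/.puta/.1addr \
    /usr/src/.puta/.1file \
    /usr/src/.puta/.1proc \
    /usr/src/.puta/.1logz \
    /usr/src/.puta/t0rns \
    /usr/src/.puta/t0rnp \
    /usr/src/.puta/t0rnsb \
    /tmp/info_tmp \
    /dev/.lib/ \
    /dev/.lib/lib/ \
    /dev/.lib/lib/lib/ \
    /dev/.lib/lib/lib/dev/ \
    /dev/.lib/lib/lib/.t0rn/ \
    /dev/.lib/lib/scan/ \
    /sbin/asp \
    /tmp/ramen.tgz \
    /usr/src/.puta/ \
    /usr/man/man1/man1/ \
    /usr/man/man1/man1/lib/ \
    /usr/man/man1/man1/lib/.lib/ \
    /usr/man/man1/man1/lib/.lib/.backup/ \
    /usr/src/.puta/ \
    /usr/info/.t0rn/

  # Legitimate files the worm deletes or truncates (access-control and log
  # files), so their absence is itself a finding and forensic data may be gone.
  NukedFiles \
    /etc/hosts.deny \
    /.bash_history \
    /root/.bash_history \
    /var/log/messages \
    /var/log/maillog \
    /var/log/utmp \
    /var/log/wtmp \
    /var/log/lastlog

  # Lines the worm appends to inetd.conf: root shells bound to high ports.
  AddedLine /etc/inetd.conf "1008 stream tcp nowait root /bin/sh sh"
  AddedLine /etc/inetd.conf "10008 stream tcp nowait root /bin/sh sh"
  AddedLine /etc/inetd.conf "60008 stream tcp nowait root /bin/sh sh"
  AddedLine /etc/inetd.conf "33567 stream tcp nowait root /bin/sh sh"
  AddedLine /etc/inetd.conf "asp stream tcp nowait root /sbin/asp" #27374/tcp

  # Persistence the worm adds to rc.sysinit.
  AddedLine /etc/rc.d/rc.sysinit "# Name Server Cache Daemon.." #We'll miss a few blank lines.
  AddedLine /etc/rc.d/rc.sysinit "/usr/sbin/nscd -q"
  AddedLine /etc/rc.d/rc.sysinit "/bin/in.telnetd"
  AddedLine /etc/rc.d/rc.sysinit "# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #"
  AddedLine /etc/rc.d/rc.sysinit "/dev/.lib/lib/scan/star.sh"
  AddedLine /etc/rc.d/rc.sysinit "/dev/.lib/star.sh"
  #33568/tcp holds the trojaned ssh in a default lion

  # Basic-regex pattern and replacement; the backslashes survive double
  # quotes unchanged and are meant for the tool ReplacedLine uses.
  ReplacedLine /etc/inetd.conf "\(finger.*\)root\(.*\)" "\1nobody\2"
  #This may incorrectly set the _c_finger line to run as nobody, but I'm not aware of any distribution
  #that even uses cfingerd... Please send in corrections if this turns out to be incorrect.

  ServicesStopped inet syslog

  echo 'ONE LAST IMPORTANT NOTE!'
  echo "Your network information and password files have been mailed off"
  echo "to the attacker. You are strongly encouraged to change _all_"
  echo "passwords on this system."
  echo "Also, depending on which version of the worm was installed, every"
  echo 'file on your system named "index.html" may have been replaced'
  echo "with a defaced version."

  # $True / $False come from detectlib; left unquoted as in the original so
  # an unset value degrades to a bare "exit" rather than a numeric error.
  exit $True #Attack found
else
  exit $False #Attack not found
fi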