Event ID - 33568

Port No33568
Service Name1i0n
RFC Doc0
ProtocolTCP
DescriptionTo propagate, this Linux worm exploits the Transaction Signatures Buffer Overflow vulnerability, which allows the execution of arbitrary code on the target system.

It also retrieves sensitive information from the affected machine such as the following and sends it to a certain email address:

networking configuration
passwd file
shadow file
Reference Link1i0n
AttackSolution:

Scan your system with Trend Micro antivirus and delete all files detected as ELF.LION.A. To do this, Trend Micro customers must download the latest pattern file and scan their system.

details:

First, the infecting machine sends a command to create the directory named /dev/.lib where it stores the worm package. It then retrieves several sensitive information from the remote host and stores them in a file named 1i0n. These information includes the remote machine’s networking configuration, passwd file and shadow file.

Then, it sends the gathered information to the email address, 1i0n@china.com, where the receiving party can perform offline password cracking using the PASSWD and shadow file.

After this, the remote host is instructed to download a copy of the worm package stored in the following Web page and save it as 1i0n.tgz:

http://colion.51.net/crew.tgz

The preceding routine is done using the text browser, Lynx.

Next, it issues the command to extract the 1i0n.tgz archive and execute the shell script 1i0n.sh, which starts the infection and propagation of the worm in the remote host all over again.

Catch threats immediately

We work side-by-side with you to rapidly detect cyberthreats
and thwart attacks before they cause damage.

See what we caught

Did this information help you to resolve the problem?

Yes: My problem was resolved.
No: The information was not helpful / Partially helpful.