Event ID - 60008

Port No60008
Service NameBackdoor.Linux.Lion
RFC Doc0
ProtocolTCP
DescriptionTo propagate, this Linux worm exploits the Transaction Signatures Buffer Overflow vulnerability, which allows the execution of arbitrary code on the target system.

It also retrieves sensitive information from the affected machine such as the following and sends it to a certain email address:

networking configuration
passwd file
shadow file
Reference LinkBackdoor.Linux.Lion
AttackSolutions:

Scan your system with Trend Micro antivirus and delete all files detected as ELF.LION.A. To do this, Trend Micro customers must download the latest pattern file and scan their system.

Details:

Similar to other Linux worms, this worm is a compilation of shell scripts and Linux ELF binaries which, as a whole, functions as an Internet worm and infects vulnerable systems at a fairly fast speed.

This worm starts out as a shell script named 1i0n.sh, thus the name Lion. Upon execution, it deletes the file /etc/hosts.deny to remove any denied hosts from accessing the infected machine. It then makes sure that the worm gets executed every time the system restarts by inserting the worm shell script in the /etc/rc.d/rc.sysinit file.

After this, it runs the shell script named STAR.SH, which is the worm’s propagation mechanism. This shell script starts 2 additional shell scripts named SCAN.SH and HACK.SH.

SCAN.SH is responsible for scanning the Internet for DNS servers, while HACK.SH is responsible for infecting them.

SCAN.SH uses a precompiled Linux binary named RANDB to generate random class B IP addresses to be targeted by the worm. After a class B network is selected, it executes a port-scanning tool, pscan, which is also a precompiled Linux binary. Pscan is used to scan a class B network for live DNS servers (open port 53) so that the worm can efficiently target only these machines.

Pscan stores the target machines in a file named BINDNAME.LOG, which is then used by the HACK.SH shell script to obtain the IP addresses of its targets. HACK.SH then invokes another shell script named BINDX.SH to execute the remote exploit on the target host.

Catch threats immediately

We work side-by-side with you to rapidly detect cyberthreats
and thwart attacks before they cause damage.

See what we caught

Did this information help you to resolve the problem?

Yes: My problem was resolved.
No: The information was not helpful / Partially helpful.