Event ID - 60008

Port No: 60008
Service Name: The Lion worm
RFC Doc: 0
Protocol: TCP
Description: To propagate, this Linux worm exploits the Transaction Signatures Buffer Overflow vulnerability, which allows the execution of arbitrary code on the target system.

It also retrieves sensitive information from the affected machine such as the following and sends it to a certain email address:

networking configuration
passwd file
shadow file
Reference Link: The Lion worm
Attack

Solution:

Scan your system with Trend Micro antivirus and delete all files detected as ELF.LION.A. To do this, Trend Micro customers must download the latest pattern file and scan their system.

Details:

BINDX.SH executes a file named BIND specifying the target host’s IP address as a parameter. This Linux binary is responsible for remotely exploiting the Bind 8 “Transaction Signatures Buffer Overflow” vulnerability to execute arbitrary code in the target host.

If successful, the bind exploit spawns a remote shell on the target host which readily accepts commands from the infecting machine. The infecting machine then sends a series of commands to the remote host to continue the propagation of the worm.

First, the infecting machine sends a command to create the directory /dev/.lib, where it stores the worm package. It then collects several pieces of sensitive information from the remote host and stores them in a file named 1i0n. This information includes the remote machine’s networking configuration, passwd file and shadow file.

Then, it sends the gathered information to the email address 1i0n@china.com, where the receiving party can perform offline password cracking using the passwd and shadow files.

After this, the remote host is instructed to download a copy of the worm package stored in the following Web page and save it as 1i0n.tgz:

http://colion.51.net/crew.tgz

The download is performed with the text browser Lynx.

Next, it issues the command to extract the 1i0n.tgz archive and execute the shell script 1i0n.sh, which starts the infection and propagation of the worm in the remote host all over again.
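The infection chain above leaves a small, fixed set of host artifacts: the /dev/.lib staging directory, the 1i0n capture file, the 1i0n.tgz package and 1i0n.sh script, the BINDX.SH/BIND files, and a service filed under TCP 60008. The following triage script is an added example, not part of this write-up or of Trend Micro's tooling; it checks a filesystem root (which may be a mounted image) for those names and parses `ss -ltn`-style output for a listener on 60008, using a constructed sample tree and socket listing so it runs offline.

```python
import os
import tempfile
from pathlib import Path

# Taken from the description: the staging directory the worm creates, the
# files it drops or runs, and the TCP port this entry is filed under.
LION_DIR = Path("dev/.lib")            # appears on a live host as /dev/.lib
LION_FILES = {"1i0n", "1i0n.tgz", "1i0n.sh", "bindx.sh", "bind"}
LION_PORT = 60008

def scan_filesystem(root):
    """Return sorted paths (relative to `root`) that match Lion artifacts.
    `root` stands in for "/" so the check also runs on a mounted image."""
    root = Path(root)
    hits = [LION_DIR] if (root / LION_DIR).is_dir() else []
    for dirpath, _dirs, files in os.walk(root):
        rel = Path(dirpath).relative_to(root)
        hits += [rel / name for name in files if name in LION_FILES]
    return sorted(str(h) for h in hits)

def find_lion_listeners(ss_output):
    """Return local addresses from `ss -ltn`-style text that listen on TCP 60008."""
    found = []
    for line in ss_output.splitlines():
        fields = line.split()
        # Columns: State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
        if (len(fields) >= 4 and fields[0] == "LISTEN"
                and fields[3].rsplit(":", 1)[-1] == str(LION_PORT)):
            found.append(fields[3])
    return found

# Constructed sample socket listing (not captured from a real infection).
SS_SAMPLE = """State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      1      0.0.0.0:60008       0.0.0.0:*
"""

def build_constructed_tree(base):
    """Lay out a fake infected host under `base` with placeholder contents."""
    staging = Path(base) / LION_DIR
    staging.mkdir(parents=True)
    (staging / "1i0n.tgz").write_bytes(b"placeholder, not the worm package")
    (staging / "1i0n").write_text("placeholder for harvested config/passwd/shadow")

def run_demo():
    """Build the constructed tree, scan it, and return what a responder sees."""
    with tempfile.TemporaryDirectory() as base:
        build_constructed_tree(base)
        return {"files": scan_filesystem(base),
                "listeners": find_lion_listeners(SS_SAMPLE)}
```

Against a live host, call `scan_filesystem("/")` and feed it the real output of `ss -ltn`; file names alone are a weak signal, so confirm any hit with the antivirus scan described in the Solution.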
