Linux/Lion.worm
- Type: Virus
- SubType: Internet Worm
- Discovery Date: 03/23/2001
- Length:
- Minimum DAT: 4131 (03/28/2001)
- Updated DAT: 5069 (07/06/2007)
- Minimum Engine: 5.1.00
- Description Added: 03/23/2001
- Description Modified: 03/23/2001 6:26 PM (PT)
Characteristics
This is an Internet worm that targets servers running Linux operating systems. This worm retrieves a package file from an account on the 51.net domain. This domain is registered in China.
It may be useful to block the IP address 211.100.18.56 to prevent any attempt to communicate to this address.
This Internet worm uses a random port scan to find Linux servers whose BIND DNS service has a root-access vulnerability. Once a target is found, the worm attempts to compromise the system, and password information is sent to the email address "1i0nsniffer@china.com".
Additional information available at this link.
Symptoms
This Internet worm will attempt to gain root access to Linux servers. Affected servers run a version of the BIND DNS service that has a known vulnerability.
Systems which have been compromised will contain files with the following names:
In the /lib folder:
In the /scan folder:
This worm will attempt to make an Internet connection to a website on the 51.net domain in order to download the file "crew.tgz". It will also attempt to send an email to the email account "1i0nsniffer@china.com".
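The network and host indicators this description gives (the payload host 211.100.18.56 / coollion.51.net, the file "crew.tgz", the mailbox "1i0nsniffer@china.com", and the /scan folder on compromised hosts) are enough to build a simple triage check. The following is an added example, not code from McAfee or from the advisory; the syslog-style sample lines are constructed for the example, and the log formats they imitate are assumed, not taken from the page.

```python
import os
import re
from typing import Iterable, List, NamedTuple

# Indicators named in the advisory.  Only values that appear on the page
# are used; the regexes simply escape them for matching.
LION_INDICATORS = {
    "payload_host_ip": r"211\.100\.18\.56",
    "payload_host": r"coollion\.51\.net",
    "payload_file": r"crew\.tgz",
    "exfil_mailbox": r"1i0nsniffer@china\.com",
}
_COMPILED = {name: re.compile(pat, re.IGNORECASE)
             for name, pat in LION_INDICATORS.items()}


class Hit(NamedTuple):
    line_no: int      # 1-based line number within the scanned input
    indicator: str    # key from LION_INDICATORS
    line: str         # the matching log line, trailing whitespace removed


def scan_lines(lines: Iterable[str]) -> List[Hit]:
    """Return one Hit per (line, indicator) pair found in the log lines."""
    hits: List[Hit] = []
    for no, line in enumerate(lines, start=1):
        for name, rx in _COMPILED.items():
            if rx.search(line):
                hits.append(Hit(no, name, line.rstrip()))
    return hits


def summarize(hits: Iterable[Hit]) -> dict:
    """Count hits per indicator, so a host with several is easy to spot."""
    counts: dict = {}
    for h in hits:
        counts[h.indicator] = counts.get(h.indicator, 0) + 1
    return counts


def suspicious_paths_present(root: str = "/") -> List[str]:
    """Return the advisory-named directories that exist below `root`.

    The advisory says compromised hosts carry files in a /scan folder; the
    individual file names are not given on the page, so only the directory
    is checked.  `root` is a parameter so the check can be run against a
    mounted image of the suspect disk instead of the live system.
    """
    candidates = ["scan"]
    return [os.path.join(root, c) for c in candidates
            if os.path.isdir(os.path.join(root, c))]


# Constructed sample log (not a real capture): a firewall line, a proxy
# line, a sendmail line, and two benign lines.
SAMPLE_LOG = """\
Mar 24 02:11:07 ns1 kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=211.100.18.56 PROTO=TCP DPT=80
Mar 24 02:11:08 ns1 proxy: 192.0.2.10 GET http://coollion.51.net/crew.tgz
Mar 24 02:11:30 ns1 sendmail[520]: f2O2BU00520: to=<1i0nsniffer@china.com>, mailer=esmtp, stat=Sent
Mar 24 02:12:00 ns1 sshd[530]: Accepted password for admin from 192.0.2.5
Mar 24 02:12:05 ns1 named[118]: starting.  named 8.2.2-P5
"""

if __name__ == "__main__":
    found = scan_lines(SAMPLE_LOG.splitlines())
    for h in found:
        print(f"line {h.line_no}: {h.indicator}: {h.line}")
    print("summary:", summarize(found))
    print("suspicious dirs on this host:", suspicious_paths_present())
```

Run it against a host's syslog, firewall and mail logs (`scan_lines(open(path))`); a single host hitting the payload host and then the exfiltration mailbox within seconds matches the sequence the advisory describes. The domain-level blocks recommended in the Removal section (51.net, china.com) are deliberately not matched here, since they would flag legitimate traffic; the page's own specific indicators are narrower.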
Method of Infection
This Internet worm attempts to gain root access against Linux servers which also have a vulnerable version of the BIND DNS service.
Once root access is gained, the worm will gather details about the system into a file named "mail.log". The contents of mail.log will include the following:
This log file is then mailed to the email address "1i0nsniffer@china.com".
Removal
Use suggested DAT and engine to detect. Delete files identified by the scanner.
Linux/Lion can exploit BIND versions 8.2, 8.2-P1, 8.2.1, 8.2.2-Px, and all 8.2.3 betas, according to SANS. Administrators should upgrade the BIND DNS service to avoid being a target of this root attack.
Recommended links:
Redhat Linux - Bind remote exploit
Caldera Linux Advisory CSSA-2001-008.0
Caldera Linux Advisory CSSA-2001-008.1
Administrators can prevent it from spreading out of their networks by blocking access to the host coollion.51.net (where the payload is currently stored) and china.com (where the e-mail is sent).
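Because the upgrade advice above hinges on the version list SANS published, a small check that classifies a reported BIND version string against that list helps when triaging many name servers. This is an added example, not code from McAfee, SANS or ISC. It assumes that 8.2 beta releases carry a "-T<number><letter>" suffix (BIND 8's test-release naming) or a "-beta" label; the advisory only says "all 8.2.3-betas". Versions not on the list are reported as not listed, which is not the same as safe.

```python
import re
from typing import Dict, Iterable

# Versions the advisory (citing SANS) says Linux/Lion can compromise.
# Exact strings first, then the two open-ended entries.
_EXACT = {"8.2", "8.2-P1", "8.2.1"}
_PATTERNS = [
    # "8.2.2-Px": any patch level of 8.2.2
    re.compile(r"^8\.2\.2-P\d+$"),
    # "all 8.2.3-betas": the "-T1B"-style test-release suffix is an assumed
    # format, as is a plain "-beta..." label
    re.compile(r"^8\.2\.3-(T\d+[A-Z]?|beta\w*)$", re.IGNORECASE),
]


def normalize(version: str) -> str:
    """Strip whitespace and the quotes a version.bind TXT answer carries."""
    return version.strip().strip('"').strip()


def listed_as_lion_target(version: str) -> bool:
    """True if `version` is on the advisory's list of exploitable BIND versions."""
    v = normalize(version)
    if v in _EXACT:
        return True
    return any(p.match(v) for p in _PATTERNS)


def triage(versions: Iterable[str]) -> Dict[str, bool]:
    """Map each reported version string to whether it is on the list."""
    return {v: listed_as_lion_target(v) for v in versions}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    inventory = ['"8.2.2-P5"', "8.2.3-T6B", "8.2.3-REL", "8.2-P1", "9.1.0"]
    for ver, listed in triage(inventory).items():
        status = "LISTED: upgrade" if listed else "not on the SANS list"
        print(f"{ver:14} {status}")
```

Feed it the strings returned by querying each server's `version.bind` CHAOS TXT record, or the version banner from the named start-up log line; hosts flagged as listed are the ones the Removal section tells you to upgrade first.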
Variants
N/A
All Information
Overview
This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.
Aliases
- 1ion
- Linux.Lion.Worm (NAV)
- Lion worm