[iwar] [fc:'Limpninja'.Trojan.horse.emerges]

From: Fred Cohen (fc@all.net)
Date: 2001-11-15 08:15:20


Return-Path: <sentto-279987-3879-1005840876-fc=all.net@returns.groups.yahoo.com>
Delivered-To: fc@all.net
Received: from 204.181.12.215 [204.181.12.215] by localhost with POP3 (fetchmail-5.7.4) for fc@localhost (single-drop); Thu, 15 Nov 2001 08:16:07 -0800 (PST)
Received: (qmail 2167 invoked by uid 510); 15 Nov 2001 16:13:25 -0000
Received: from n14.groups.yahoo.com (216.115.96.64) by all.net with SMTP; 15 Nov 2001 16:13:25 -0000
X-eGroups-Return: sentto-279987-3879-1005840876-fc=all.net@returns.groups.yahoo.com
Received: from [10.1.4.55] by n14.groups.yahoo.com with NNFMP; 15 Nov 2001 16:15:46 -0000
X-Sender: fc@red.all.net
X-Apparently-To: iwar@onelist.com
Received: (EGP: mail-8_0_0_1); 15 Nov 2001 16:14:35 -0000
Received: (qmail 60489 invoked from network); 15 Nov 2001 16:14:34 -0000
Received: from unknown (216.115.97.171) by m11.grp.snv.yahoo.com with QMQP; 15 Nov 2001 16:14:34 -0000
Received: from unknown (HELO red.all.net) (65.0.156.78) by mta3.grp.snv.yahoo.com with SMTP; 15 Nov 2001 16:14:34 -0000
Received: (from fc@localhost) by red.all.net (8.11.2/8.11.2) id fAFGFKV25864 for iwar@onelist.com; Thu, 15 Nov 2001 08:15:20 -0800
Message-Id: <200111151615.fAFGFKV25864@red.all.net>
To: iwar@onelist.com (Information Warfare Mailing List)
Organization: I'm not allowed to say
X-Mailer: don't even ask
X-Mailer: ELM [version 2.5 PL3]
From: Fred Cohen <fc@all.net>
X-Yahoo-Profile: fcallnet
Mailing-List: list iwar@yahoogroups.com; contact iwar-owner@yahoogroups.com
Delivered-To: mailing list iwar@yahoogroups.com
Precedence: bulk
List-Unsubscribe: <mailto:iwar-unsubscribe@yahoogroups.com>
Date: Thu, 15 Nov 2001 08:15:20 -0800 (PST)
Reply-To: iwar@yahoogroups.com
Subject: [iwar] [fc:'Limpninja'.Trojan.horse.emerges]
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit

'Limpninja' Trojan horse emerges 
By James Middleton, VNU Net, 11/14/2001 http://www.vnunet.com/News/1126812

Security watchers are speculating that hackers familiar with the ways of
the ninja may be attempting to construct a distributed denial of service
(DDoS) network on compromised Secure Shell Hosts (SSHs). Threads on
security newsgroups have suggested that hackers may be breaking into
Linux boxes running the SSH1 protocol, using a known vulnerability in
the SSH CRC32 (cyclic redundancy checksum) that was published late last
month.

Writing on the BugTraq security mailing list yesterday William Salusky,
of security firm DMZS, said: "It appears that someone may be building up
a network of [potential] DDoS hosts."  He explained that he had
discovered a compromised Red Hat box that was being used as a central
host for other 'zombie' machines, although it is not yet clear how the
central server communicates with the zombies.

Apparently the attacker manually installed an IRC server, which was
communicating with more than 120 other host machines.  The communication
channel was called 'kujikiri', a method of esoteric teaching used by the
ninja, and the channel key was tagged 'ninehandscutting', an ancient
ninjitsu hand movement. Apparently all hosts communicating with the
central server were logging on using identification names prefixed with
'ninja'.

According to experts, the Trojan program installed in the attack does
not match any signatures identified so far and, if it is new, Salusky
has already christened it 'Limpninja'.

Also last week attackers operating from network blocks in The
Netherlands used the same exploit to break into another Red Hat box on
the University of Washington network. Once inside the server the
attackers installed Trojan horses and the machine was set up to scan for
other vulnerable hosts.

According to Dave Dittrich, of the computing and communications
department of the University, 25,386 unique hosts were scanned over a
number of days and 1,244 vulnerable hosts were identified, although only
four were thought to be compromised.

As of yet there is no evidence to tie the University hack to previous
'ninja' attacks although the incident suggests that there are still a
number of vulnerable machines out there.

A Computer Emergency Response Team warning about the SSH1 vulnerability,
which allows a remote attacker to execute arbitrary code with the
privileges of the SSH daemon (typically root), can be found here.
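The article gives a defender two concrete things to look for: the IRC channel name, channel key and nick prefix used by the zombies, and servers that still speak SSH protocol 1 and are therefore exposed to the CRC32 bug. The following is an added example (not from the article, from Salusky or Dittrich, or from the mailing list) of how a network sensor or log reviewer could turn those indicators into a triage report. The IRC lines, SSH banners and host addresses are constructed sample data; only the indicator strings ('kujikiri', 'ninehandscutting', 'ninja') come from the article.

```python
"""Indicator matching for the Limpninja report.

Added example, not part of the original article or message. All IRC
events, SSH banners and IP addresses below are constructed sample data.
"""
import re

# Indicator strings quoted in the article.
C2_CHANNEL = "#kujikiri"
C2_KEY = "ninehandscutting"
NICK_PREFIX = "ninja"

# Constructed sample: (source address, raw IRC client->server line) as a
# sensor on the IRC server's segment might record them, CRLF stripped.
SAMPLE_IRC = [
    ("10.0.0.5", "NICK ninja4471"),
    ("10.0.0.5", "USER ninja 0 * :ninja"),
    ("10.0.0.5", "JOIN #kujikiri ninehandscutting"),
    ("10.0.0.8", "NICK alice"),
    ("10.0.0.8", "JOIN #linux"),
    ("10.0.0.9", "NICK ninjutsu_fan"),      # not the 'ninja' prefix
    ("10.0.0.9", "JOIN #kujikiri"),         # right channel, no key
]

# Constructed sample: first line returned by each host on TCP/22. A major
# version of 1 (1.x, or 1.99 for servers that accept both protocols)
# means SSH1 clients, and so the CRC32 flaw, are still reachable.
SAMPLE_BANNERS = {
    "10.0.0.5": "SSH-1.5-OpenSSH_2.3.0",
    "10.0.0.6": "SSH-1.99-OpenSSH_2.9p2",
    "10.0.0.7": "SSH-2.0-OpenSSH_3.0.1p1",
    "10.0.0.8": "SSH-2.0-OpenSSH_3.0.1p1",
}

IRC_JOIN = re.compile(r"^JOIN\s+(?P<chan>\S+)(?:\s+(?P<key>\S+))?", re.I)
IRC_NICK = re.compile(r"^NICK\s+(?P<nick>\S+)", re.I)
SSH_BANNER = re.compile(r"^SSH-(?P<major>\d+)\.(?P<minor>\d+)-")


def irc_indicators(events):
    """Group IRC lines by source host and return the indicators each hit.

    Indicators are kept separate (channel, key, nick prefix) so an analyst
    can see whether a host joined the named channel with the named key,
    which is the strongest signal the article describes, or only shares
    a weaker trait such as the nick prefix.
    """
    sessions = {}
    for src, line in events:
        hits = sessions.setdefault(src, set())
        m = IRC_JOIN.match(line)
        if m:
            if m.group("chan").lower() == C2_CHANNEL:
                hits.add("c2_channel")
            if m.group("key") and m.group("key").lower() == C2_KEY:
                hits.add("c2_key")
            continue
        m = IRC_NICK.match(line)
        if m and m.group("nick").lower().startswith(NICK_PREFIX):
            hits.add("ninja_nick")
    return sessions


def ssh1_exposed(banners):
    """Return the hosts whose banner advertises SSH protocol major version 1."""
    return sorted(
        host for host, banner in banners.items()
        if (m := SSH_BANNER.match(banner)) and m.group("major") == "1"
    )


def triage(events, banners):
    """Combine both views: severity from IRC indicators, plus whether the
    host is still running an SSH1-capable daemon that needs patching."""
    exposed = set(ssh1_exposed(banners))
    report = {}
    for host, hits in irc_indicators(events).items():
        if not hits:
            continue
        if {"c2_channel", "c2_key"} <= hits:
            severity = "high"
        elif "c2_channel" in hits:
            severity = "medium"
        else:
            severity = "low"
        report[host] = {
            "indicators": sorted(hits),
            "severity": severity,
            "ssh1_exposed": host in exposed,
        }
    return report


if __name__ == "__main__":
    for host, entry in triage(SAMPLE_IRC, SAMPLE_BANNERS).items():
        print(host, entry)
    print("SSH1 still offered by:", ssh1_exposed(SAMPLE_BANNERS))
```

Matching on the channel name alone is deliberately only "medium": the article notes the IRC server was installed by hand, so a channel name is trivial to change, whereas the SSH1 banner check catches the exposure that let the attackers in regardless of what the next Trojan calls its channel.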

------------------
http://all.net/ 



This archive was generated by hypermail 2.1.2 : 2001-12-31 20:59:59 PST