Return-Path: <sentto-279987-3879-1005840876-fc=all.net@returns.groups.yahoo.com> Delivered-To: fc@all.net Received: from 204.181.12.215 [204.181.12.215] by localhost with POP3 (fetchmail-5.7.4) for fc@localhost (single-drop); Thu, 15 Nov 2001 08:16:07 -0800 (PST) Received: (qmail 2167 invoked by uid 510); 15 Nov 2001 16:13:25 -0000 Received: from n14.groups.yahoo.com (216.115.96.64) by all.net with SMTP; 15 Nov 2001 16:13:25 -0000 X-eGroups-Return: sentto-279987-3879-1005840876-fc=all.net@returns.groups.yahoo.com Received: from [10.1.4.55] by n14.groups.yahoo.com with NNFMP; 15 Nov 2001 16:15:46 -0000 X-Sender: fc@red.all.net X-Apparently-To: iwar@onelist.com Received: (EGP: mail-8_0_0_1); 15 Nov 2001 16:14:35 -0000 Received: (qmail 60489 invoked from network); 15 Nov 2001 16:14:34 -0000 Received: from unknown (216.115.97.171) by m11.grp.snv.yahoo.com with QMQP; 15 Nov 2001 16:14:34 -0000 Received: from unknown (HELO red.all.net) (65.0.156.78) by mta3.grp.snv.yahoo.com with SMTP; 15 Nov 2001 16:14:34 -0000 Received: (from fc@localhost) by red.all.net (8.11.2/8.11.2) id fAFGFKV25864 for iwar@onelist.com; Thu, 15 Nov 2001 08:15:20 -0800 Message-Id: <200111151615.fAFGFKV25864@red.all.net> To: iwar@onelist.com (Information Warfare Mailing List) Organization: I'm not allowed to say X-Mailer: don't even ask X-Mailer: ELM [version 2.5 PL3] From: Fred Cohen <fc@all.net> X-Yahoo-Profile: fcallnet Mailing-List: list iwar@yahoogroups.com; contact iwar-owner@yahoogroups.com Delivered-To: mailing list iwar@yahoogroups.com Precedence: bulk List-Unsubscribe: <mailto:iwar-unsubscribe@yahoogroups.com> Date: Thu, 15 Nov 2001 08:15:20 -0800 (PST) Reply-To: iwar@yahoogroups.com Subject: [iwar] [fc:'Limpninja'.Trojan.horse.emerges] Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit 'Limpninja' Trojan horse emerges By James Middleton, VNU Net, 11/14/2001 http://www.vnunet.com/News/1126812 Security watchers are speculating that hackers familiar with the ways of the ninja may be attempting to construct a distributed denial of service (DDos) network on compromised Secure Shell Hosts (SSHs). Threads on security newsgroups have suggested that hackers may be breaking into Linux boxes running the SSH1 protocol, using a known vulnerability in the SSH CRC32 (cyclic redundancy checksum) that was published late last month. Writing on the BugTraq security mailing list yesterday William Salusky, of security firm DMZS, said: "It appears that someone may be building up a network of [potential] DDos hosts." He explained that he had discovered a compromised Red Hat box that was being used as a central host for other 'zombie' machines, although it is not yet clear how the central server communicates with the zombies. Apparently the attacker manually installed an IRC server, which was communicating with more than 120 other host machines. The communication channel was called 'kujikiri', a method of esoteric teaching used by the ninja, and the channel key was tagged 'ninehandscutting', an ancient ninjitsu hand movement. Apparently all hosts communicating with the central server were logging on using identification names prefixed with 'ninja'. According to experts, the Trojan program installed in the attack does not match any signatures identified so far and, if it is new, Salusky has already christened it 'Limpninja'. Also last week attackers operating from network blocks in The Netherlands used the same exploit to break into another Red Hat box on the University of Washington network. Once inside the server the attackers installed Trojan horses and the machine was set up to scan for other vulnerable hosts. According to Dave Dittrich, of the computing and communications department of the University, 25,386 unique hosts were scanned over a number of days and 1,244 vulnerable hosts were identified, although only four were thought to be compromised. As of yet there is no evidence to tie the University hack to previous 'ninja' attacks although the incident suggests that there are still a number of vulnerable machines out there. A Computer Emergency Response Team warning about the SSH1 vulnerability, which allows a remote attacker to execute arbitrary code with the privileges of the SSH daemon (typically root), can be found here. ------------------------ Yahoo! Groups Sponsor ---------------------~--> Universal Inkjet Refill Kit $29.95 Refill any ink cartridge for less! Includes black and color ink. http://us.click.yahoo.com/XwUZwC/MkNDAA/ySSFAA/kgFolB/TM ---------------------------------------------------------------------~-> ------------------ http://all.net/ Your use of Yahoo! Groups is subject to http://docs.yahoo.com/info/terms/
This archive was generated by hypermail 2.1.2 : 2001-12-31 20:59:59 PST