[lug] More Redhat worm discussion

D. Stimits stimits at idcomm.com
Mon Apr 23 17:26:58 MDT 2001


Gary Frerking wrote:
> 
> At the risk of PETA coming after me for beating a four-legged animal, I
> came across something interesting while reading an analysis of the Lion
> worm (one of the recent worms that target Redhat servers).
> 
> The analysis is here:
> 
>    http://www.whitehats.com/library/worms/lion/index.html
> 
> The paragraph that caught my interest is:
> 
> "My worm testing was greatly complicated by my choice of example target
> platform: a default server install of Redhat 6.2. I thought that it was

I am curious what the default is for installers of bind from a RH 6.2
workstation. Probably a workstation install is far more popular than a
server install, unless it is actually intended as a server. Based on the
web services on machines that appear to have been cracked and used to
attempt entry to my machine, it seems that a large majority of the RH
machines that actually got cracked were not used as web servers, though
they had the default apache installed.

> probably the most popular distribution and version of Linux in use on
> the Internet. Thus, it would be the best example of a typical worm
> target. Indeed, the BIND exploit specifically listed Redhat 6.2 as the
> target platform! However, Redhat does not enable the named service by
> default. When it is activated (via linuxconf or ntsysv utilities), named
> is run as user named, such as "named -u named". The only way Redhat 6.2
> can be vulnerable to the BIND exploit is when the administrator manually
> adds named to the startup scripts, then intentionally runs it as root by
> deleting the "-u named" portion of the startup command. After extensive

I wouldn't be surprised if a number of vulnerable machines had some kind
of bad manual configuration. I also wonder if upgrading a bind package
would in any way change the rc.d scripts (I don't run bind, so I have
nothing to check).

> testing, I determined that this was true for all published BIND exploits
> that claim to affect Redhat 6.2. Then I was convinced that I must have
> missed something. A very warm thanks goes to Andreas Östling, who
> described seeing the very same results I had seen and gave me
> encouragement to continue the analysis."
> 
> So...
> 
> The way I read it, according to this guy you actually have to jump
> through hoops to make a default installation of Redhat 6.2 vulnerable.
> 
> This obviously doesn't mean the default Redhat 6.2 installation is
> secure in all respects, but to me it sheds a little light on how this
> kind of thing is being misrepresented by the press and by word-of-mouth.

My curiosity makes me wonder what differences there are between bind
settings for a server install and a workstation install, as well as how
bind updates change startup scripts, if at all.

D. Stimits, stimits at idcomm.com

> 
> -- Gary
> 
> _______________________________________________
> Web Page:  http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
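The thread turns on one configuration detail: whether named is started with "-u named" or ends up running as root. Below is an added audit script (not part of the original thread or of Red Hat's own scripts) that checks both the init script's start line and a ps listing for a root-owned named. The init-script text and the ps output are constructed samples, modelled on the "daemon named -u named" form the whitehats analysis quotes; the grep pattern assumes a Red Hat style start line using the `daemon` wrapper, which is an assumption, not something the thread confirms.

```shell
#!/bin/sh
# Added example: audit whether BIND's named is configured to start, or is
# currently running, as root. Sample data below is constructed.

# Constructed: start line in the form the analysis describes for RH 6.2.
DEFAULT_INIT='#!/bin/sh
# chkconfig: - 55 45
. /etc/rc.d/init.d/functions
start() {
        echo -n "Starting named: "
        daemon named -u named
        echo
}'

# Constructed: the same script after an admin deleted "-u named".
MODIFIED_INIT='#!/bin/sh
. /etc/rc.d/init.d/functions
start() {
        echo -n "Starting named: "
        daemon named
        echo
}'

# Constructed `ps -eo user,args` output: one named dropped to user named,
# one still running as root.
PS_SAMPLE='USER     COMMAND
root     /usr/sbin/httpd
named    named -u named
root     /usr/sbin/named -c /etc/named.conf'

# Constructed ps output with no root-owned named.
PS_CLEAN='USER     COMMAND
named    named -u named'

# Read an init script on stdin; print the user named is started as.
# Prints "root" when no -u flag is given (what daemon does by default),
# and "not-started" when the script has no named start line at all.
named_start_user() {
    line=$(grep -E '^[[:space:]]*(daemon[[:space:]]+)?(/usr/sbin/)?named([[:space:]]|$)' | head -n 1)
    if [ -z "$line" ]; then
        echo "not-started"
        return 0
    fi
    user=$(printf '%s\n' "$line" | sed -n 's/.*-u[[:space:]]\{1,\}\([^[:space:]]\{1,\}\).*/\1/p')
    if [ -n "$user" ]; then echo "$user"; else echo "root"; fi
}

# Read `ps -eo user,args` output on stdin; print each distinct user that
# owns a named process (header line skipped).
named_proc_users() {
    awk 'NR > 1 && $2 ~ /(^|\/)named$/ { print $1 }' | sort -u
}

# $1: init script text, $2: ps output text. Prints one verdict line per
# finding; returns 1 if named starts or runs as root, 0 otherwise.
audit() {
    rc=0
    u=$(printf '%s\n' "$1" | named_start_user)
    if [ "$u" = root ]; then
        echo "FAIL: init script starts named as root"; rc=1
    else
        echo "ok: init script starts named as '$u'"
    fi
    for p in $(printf '%s\n' "$2" | named_proc_users); do
        if [ "$p" = root ]; then
            echo "FAIL: named process running as root"; rc=1
        else
            echo "ok: named process running as '$p'"
        fi
    done
    return $rc
}

# Demo on the constructed samples (on a real host: feed it
# /etc/rc.d/init.d/named and `ps -eo user,args`).
if audit "$DEFAULT_INIT" "$PS_SAMPLE"; then echo "default+sample: clean"; fi
if audit "$MODIFIED_INIT" "$PS_CLEAN"; then echo "modified+clean: clean"; fi
```

The init-script check matters independently of the process check: a host whose named is not running right now but whose start line lost "-u named" will come up as root on the next boot, which is the scenario the analysis says is required for the exploit to work.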
