
[cobalt-security] RaQ3i are still vulnerable AFTER BIND update..



One of my Cobalt RaQ3i servers was completely shafted on Wednesday night, and after a few hours I'm 100% sure it's the t0rn rootkit and probably:

The Lion worm is similar to the Ramen worm. However, this worm is significantly more dangerous and should be taken very seriously. It infects Linux machines running the BIND DNS server. It is known to infect bind version(s) 8.2, 8.2-P1, 8.2.1, 8.2.2-Px, and all 8.2.3-betas. The specific vulnerability used by the worm to exploit machines is the TSIG vulnerability that was reported on January 29, 2001.

The box certainly shows all of those signs. It has about 60 sites on it and is a DNS server. It was definitely patched with BIND Update 4.0.1 RaQ3-All-Security-4.0.2-9353.pkg.
 
I am in the process of rebuilding the machine, but I would still like to be able to check for sure whether this hacker/script really has wiped out everything in my /home directory. I can't do much of anything, seeing as it's replaced my ls, ps, top, etc. and (maybe not a feature of the toolkit) has made my filesystem read-only. Does anyone know this bugger inside out and can at least help find a way to get the filesystem writeable? Maybe then I can start to remove obvious entries from scripts like inetd.conf and rc.sysinit and replace good copies of files. I want to try and recover at least some of the stuff from /home, as the backup I have to revert to is about a week old...

If anyone is interested (or even listening to me at all) I can send the .bash_history, which shows what this bugger was up to.

Any advice is much appreciated

Paul Milne
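An added example (not from the post above or from Cobalt) of the kind of offline check the post is asking for: boot from trusted media, mount the suspect root read-only under some directory, and compare the binaries and startup files the rootkit is known to touch (ls, ps, top, inetd.conf, rc.sysinit) against a checksum baseline taken earlier from a clean RaQ3 of the same release. The function names, the baseline file format and the /etc/rc.d/rc.sysinit path are assumptions, not anything the post specifies.

```shell
#!/bin/sh
# Integrity check for a suspected t0rn-style compromise, meant to be run from
# a rescue boot with the suspect disk mounted under some directory, never with
# the suspect's own ls/ps/md5sum (those may be the trojaned copies).

# make_baseline ROOT FILE...  -> prints "md5  relative/path" for each file
# Run this on a known-clean machine of the same release and keep the output.
make_baseline() {
    root=$1; shift
    for f in "$@"; do
        [ -f "$root/$f" ] || return 1
        sum=$(md5sum "$root/$f" | cut -d' ' -f1)
        printf '%s  %s\n' "$sum" "$f"
    done
}

# check_baseline BASELINE ROOT -> prints every baseline path whose checksum
# under ROOT differs or which is missing; returns 1 if anything was flagged.
check_baseline() {
    baseline=$1; root=$2; bad=0
    while read -r want path; do
        [ -n "$path" ] || continue
        have=$(md5sum "$root/$path" 2>/dev/null | cut -d' ' -f1)
        if [ "$have" != "$want" ]; then
            echo "MODIFIED or MISSING: $path"
            bad=1
        fi
    done < "$baseline"
    return $bad
}

# remount_rw MOUNTPOINT -> flip a filesystem mounted read-only back to
# read-write once you have decided to repair it in place.
remount_rw() {
    mount -o remount,rw "$1"
}

# Typical use (paths are assumptions based on a Red Hat style layout):
#   on the clean box:    make_baseline / bin/ls bin/ps usr/bin/top \
#                          etc/inetd.conf etc/rc.d/rc.sysinit > baseline.txt
#   on the rescue boot:  check_baseline baseline.txt /mnt/suspect
```

Anything flagged should be restored from the clean copy or the vendor package, and the flagged startup files read by hand for added entries before the box goes back online.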


