List: arachnids
Subject: [arachNIDS] Lion Worm information posted
From: Max Vision <vision () whitehats ! com>
Date: 2001-04-05 12:50:03

I have posted a writeup on the Lion Worm, covering all three versions, at
http://whitehats.com/library/worms/lion/

Since the worm uses LSD's bind exploit, both the infoleak and tsig attacks
used by the worm are already detected by arachNIDS signature exports. The
relevant signatures are:

http://whitehats.com/info/IDS482
alert UDP $EXTERNAL any -> $INTERNAL 53 (msg: "IDS482/named-exploit-infoleak-lsd"; \
content: "|AB CD 09 80 00 00 00 01 00 00 00 00 00 00 01 00 01 20 20 20 20 02 61|"; \
reference:arachnids,482;)

http://whitehats.com/info/IDS489
alert UDP $EXTERNAL any -> $INTERNAL 53 (msg: "IDS489/named-exploit-tsig-lsd"; \
content: "|3F 909090 EB3B 31DB 5F 83EF7C 8D7710 897704 8D4F20|"; \
reference:arachnids,489;)

Feedback welcome,
Max
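
An added example, not part of the original message or of arachNIDS: a small Python matcher that decodes the two content patterns quoted above (including the irregular byte grouping in IDS489) and checks UDP payloads against them. It ignores the $EXTERNAL/$INTERNAL address variables, and the sample payloads are constructed for illustration.

```python
import re

# The two rules as posted in the message (backslash-continued lines).
RULES = r'''
alert UDP $EXTERNAL any -> $INTERNAL 53 (msg: "IDS482/named-exploit-infoleak-lsd"; \
content: "|AB CD 09 80 00 00 00 01 00 00 00 00 00 00 01 00 01 20 20 20 20 02 61|"; \
reference:arachnids,482;)
alert UDP $EXTERNAL any -> $INTERNAL 53 (msg: "IDS489/named-exploit-tsig-lsd"; \
content: "|3F 909090 EB3B 31DB 5F 83EF7C 8D7710 897704 8D4F20|"; \
reference:arachnids,489;)
'''
# Constructed benign DNS query (A record for example.com) used as a negative case.
BENIGN_QUERY = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
                b"\x07example\x03com\x00\x00\x01\x00\x01")

def decode_content(value):
    """Decode a content string: |..| spans are hex bytes, the rest is literal."""
    out = bytearray()
    for i, part in enumerate(value.split("|")):
        if i % 2:  # odd segments sit between pipes; whitespace is ignored
            out += bytes.fromhex("".join(part.split()))
        else:
            out += part.encode("latin-1")
    return bytes(out)

def load_rules(text):
    """Return [(proto, dst_port, msg, pattern)] for each rule in text."""
    joined = re.sub(r"\\\s*\n", " ", text)  # fold continuation lines
    rules = []
    for line in filter(None, map(str.strip, joined.splitlines())):
        header, options = line.split("(", 1)
        fields = header.split()  # action proto src sport -> dst dport
        msg = re.search(r'msg:\s*"([^"]*)"', options).group(1)
        content = re.search(r'content:\s*"([^"]*)"', options).group(1)
        rules.append((fields[1].lower(), int(fields[6]), msg, decode_content(content)))
    return rules

def match(rules, proto, dst_port, payload):
    """Names of rules whose protocol, port and content all match the datagram."""
    return [msg for p, port, msg, pat in rules
            if p == proto and port == dst_port and pat in payload]

if __name__ == "__main__":
    rules = load_rules(RULES)
    # Constructed datagrams: each rule's pattern wrapped in filler bytes.
    for _, _, name, pat in rules:
        print(name, "->", match(rules, "udp", 53, b"\x00" * 4 + pat + b"\x00" * 4))
    print("benign ->", match(rules, "udp", 53, BENIGN_QUERY))
```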