Web Hosting Talk

LION VIRUS (INSTALL BIND PATCH NOW!!!!)


rdrye
04-06-2001, 04:52 PM
I have been the proud owner (actually, lessee) of a Cobalt RaQ3 for a whole week now, and today I log in to find my system has been hit by the 'LION' worm. Evidently all passwords are now compromised and root is trashed.

Go to http://www.sans.org/y2k/lion.htm for more info on LION worm.

I suggest you take seriously the BIND patch. I never even had time to install it before I got hit.

pyng
04-06-2001, 05:59 PM
Shut down ntpd/xntpd too. There was a post to bugtraq two days ago about a vulnerability in their code parser. This exploit can yield root privileges remotely.

brandonk
04-07-2001, 12:49 PM
This is what I received shortly after being exploited: How sweet eh?

Hello!Administrator:
I am sorry.
Your DNS server was hacked by my New variation of the ramen worm.
I am bestrow your index.html files only for awoke you path the DNS server.
Please change your password and path the DNS server to version 9.
And some backdoor in your system.
Do this follow me.:)
1. kill the process of star.sh hack.sh scan.sh pscan ETC.
2. remove the /tmp/ramen.tgz
3. find the "/dev/.lib/star.sh" in the /etc/rc.d/rc.sysinit file and remove it.
4. find the "asp stream tcp nowait root /sbin/asp " in the /etc/inetd.conf file and remove it.
5. find the "10008 stream tcp nowait root /bin/sh sh" in the /etc/inetd.conf file and remove it.
6. del the /dev/.lib

ok.
Now,You removed the 1i0n worm.
Don't forget to restar yous server.
:)

GoodLuck!

Lion
************************************
Newly launched: "China Map"
http://map.china.com
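
The file and configuration artifacts listed in the note quoted above can be checked for with a short script. This is an added example, not part of the original thread; the function names, the optional root argument and the sample tree are assumptions of the example, and running processes (star.sh, hack.sh, scan.sh, pscan) are not checked.

```shell
#!/bin/sh
# Added example: scan a filesystem tree for the artifacts named in the note.
# lion_check [ROOT] prints one line per indicator; returns 1 if any is found.
# ROOT defaults to /; use a mounted image's mount point to inspect it offline.
lion_check() {
    root="${1:-/}"; root="${root%/}"
    hits=0
    ws='[[:space:]]+'
    # Dropped archive and hidden directory the note says to delete.
    for p in /tmp/ramen.tgz /dev/.lib; do
        if [ -e "$root$p" ]; then
            echo "path: $p"; hits=$((hits + 1))
        fi
    done
    # Boot persistence: star.sh started from rc.sysinit.
    if grep -qF '/dev/.lib/star.sh' "$root/etc/rc.d/rc.sysinit" 2>/dev/null; then
        echo "rc.sysinit: /dev/.lib/star.sh"; hits=$((hits + 1))
    fi
    # inetd backdoors. Field spacing varies, so match fields, not the literal line.
    # Commented-out entries are inactive and are deliberately not matched.
    for svc in "asp:/sbin/asp" "10008:/bin/sh"; do
        name=${svc%%:*}; prog=${svc#*:}
        re="^[[:space:]]*${name}${ws}stream${ws}tcp${ws}nowait${ws}root${ws}${prog}"
        if grep -Eq "$re" "$root/etc/inetd.conf" 2>/dev/null; then
            echo "inetd.conf: $name -> $prog"; hits=$((hits + 1))
        fi
    done
    [ "$hits" -eq 0 ]
}

# Constructed sample tree carrying every indicator (for demonstration only).
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/tmp" "$t/dev/.lib" "$t/etc/rc.d"
    : > "$t/tmp/ramen.tgz"
    echo '/dev/.lib/star.sh' > "$t/etc/rc.d/rc.sysinit"
    printf '%s\n' 'ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd' \
        'asp stream tcp nowait root /sbin/asp' \
        '10008   stream tcp nowait root /bin/sh sh' > "$t/etc/inetd.conf"
    echo "$t"
}

sample=$(make_sample_tree)
lion_check "$sample" || echo "indicators found under $sample"
rm -rf "$sample"
```

Pointing ROOT at a read-only mount of the disk avoids relying on binaries from the affected system.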

jimb
04-08-2001, 12:32 AM
One of my servers was hit hard too. Deleted everything and infected one of my backup files, which meant I had to re-install each account. That sucks, but the weird thing was that I had the BIND patch installed on my RAQ. Very odd.

Jim

brandonk
04-08-2001, 02:18 AM
Don't think it was the lion then...

Brandon