[Dshield] potential misuse of dshield data
tsl-lists at volition.org
Sat May 19 06:46:31 GMT 2001
I recently utilized the dshield website and the griffin.txt report in my
research of the cheese worm. When I started, I was looking for a copy
of the worm. Since I knew the worm was scanning 10008, I used the
report to locate hosts that were scanning that port, and quickly found
an infected box and was able to download the worm. Thank you for the
However, as I tracked the cheese worm down it struck me that similar
techniques could be used by someone who didn't have as good intentions.
Since several worms effectively announce their infection to the world
via scanning, I figured it was easy to build a list of potentially
As you may be aware, neither lion nor cheese actually close the bind
TSIG hole. With that in mind, I spent 10 minutes writing a quick shell
script and modifying the LSD bind exploit. I used the infoleak packet
bug to determine whether a host was vulnerable without actually
Running that script using the data from 5-17, I identified about 200
potential hosts. Approximately 20% were x86 linux machines vulnerable
to the bind TSIG bug. All of this was accomplished (download, parsing,
scanning) within two minutes.
I am unaware of the amount of time it would take to find an equivalent
number of hosts via scanning, but I would venture to say culling the
dshield database is much quicker, and much safer for a would be cracker.
Now I am sure this is no big revelation to some of you. I am however
curious as to the position dshield takes on this issue. One could argue
that such an approach will only become more effective as worm
proliferation increases. I would note that if I wasn't able to
correlate target ports with host IP's this approach wouldn't be
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the list