Security Incidents mailing list archives
Re: Korea (was RE: ?)
From: dbrumley () RTFM STANFORD EDU (David Brumley)
Date: Thu, 27 Jan 2000 12:55:05 -0800
Port 2222 is a rootshell left by the amd exploit. They may be trying to see which exploits succeeded, or just scouring for other hackers' boxes.

-me

On Thu, 27 Jan 2000, horio shoichi wrote:

> Fernando Cardoso wrote:
>
> > I have LOTS of portscanning (mostly to port 111) from a number of hosts in Korea. I portscanned them back and found out that at least a couple of them had port 2222 open. A telnet to that port dropped me in a rootshell without being asked for any password....
> >
> > Fernando
>
> I had a portscan on 2222. Seems a known trojan but I cannot find the reference as yet.
>
> /var/log/ipflog.14.gz:2:Jan 6 11:42:09 nanakusa ipmon[25233]: 11:42:08.668116 ne0 @0:9 b 24.129.20.10,9706 -> a.b.c.144,2222 PR tcp len 20 44 -S
> /var/log/ipflog.14.gz:3:Jan 6 11:42:09 nanakusa ipmon[25233]: 11:42:08.864595 ne0 @0:9 b 24.129.20.10,9707 -> a.b.c.145,2222 PR tcp len 20 44 -S
> /var/log/ipflog.14.gz:4:Jan 6 11:42:09 nanakusa ipmon[25233]: 11:42:08.867860 ne0 @0:9 b 24.129.20.10,9708 -> a.b.c.146,2222 PR tcp len 20 44 -S
> /var/log/ipflog.14.gz:5:Jan 6 11:42:09 nanakusa ipmon[25233]: 11:42:08.871132 ne0 @0:45 b 24.129.20.10,9709 -> a.b.c.147,2222 PR tcp len 20 44 -S
> /var/log/ipflog.14.gz:6:Jan 6 11:42:09 nanakusa ipmon[25233]: 11:42:08.874388 ne0 @0:9 b 24.129.20.10,9710 -> a.b.c.148,2222 PR tcp len 20 44 -S
> /var/log/ipflog.14.gz:7:Jan 6 11:42:10 nanakusa ipmon[25233]: 11:42:10.202803 ne0 @0:2 b 24.129.20.10,9718 -> a.b.c.150,2222 PR tcp len 20 44 -S
> /var/log/ipflog.14.gz:8:Jan 6 11:42:10 nanakusa ipmon[25233]: 11:42:10.206067 ne0 @0:6 b 24.129.20.10,9798 -> a.b.c.154,2222 PR tcp len 20 44 -S
> /var/log/ipflog.14.gz:9:Jan 6 11:42:10 nanakusa ipmon[25233]: 11:42:10.327883 ne0 @0:9 b 24.129.20.10,9886 -> a.b.c.157,2222 PR tcp len 20 44 -S
> /var/log/ipflog.14.gz:10:Jan 6 11:42:10 nanakusa ipmon[25233]: 11:42:10.331056 ne0 @0:9 b 24.129.20.10,9888 -> a.b.c.159,2222 PR tcp len 20 44 -S
>
> horio shoichi
--
#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#
David Brumley - Stanford Computer Security - dbrumley () Stanford EDU
Phone: +1-650-723-2445    WWW: http://www.stanford.edu/~dbrumley
Fax:   +1-650-725-9121    PGP: finger dbrumley-pgp () sunset Stanford EDU
#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#
c:\winnt> secure_nt.exe
Securing NT. Insert Linux boot disk to continue......
"I have opinions, my employer does not."
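The ipmon records quoted above are a textbook horizontal sweep: one source, one destination port (2222), many destination hosts, all within two seconds. The following is an added example, not code from this thread or from anyone quoted in it, showing how a defender can parse IP Filter (ipmon) log lines of exactly that shape and flag such sweeps. The regex is derived from the field layout visible in the quoted lines (grep-style `file:lineno:` prefix, syslog header, ipmon timestamp, interface, `@group:rule`, action, `src,sport -> dst,dport`, protocol, lengths, TCP flags); the log year is not present in syslog timestamps, so all lines are assumed to fall in the same year. The thresholds (5 hosts, 60 seconds) are arbitrary starting points, and the final `10.0.0.5` line in the sample is a constructed benign connection added to show that a single hit is not reported.

```python
"""Horizontal port-sweep detector for IP Filter (ipmon) log lines.

Added example for this thread, not the poster's code.  Parses ipmon
block/pass records in the format of the quoted log and reports any source
that hits the same destination port on many distinct hosts within a
short window.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Ports that the thread discusses; used only to annotate the report.
WATCH_PORTS = {111, 2222}

# One ipmon record, optionally prefixed by "file:lineno:" as grep prints it.
# After the syslog header: ts iface @group:rule action src,sport -> dst,dport
# PR proto len hdrlen totlen [tcpflags]
IPMON_RE = re.compile(
    r"^(?:(?P<file>\S+?):(?P<lineno>\d+):)?"
    r"(?P<month>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<clock>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) ipmon\[(?P<pid>\d+)\]: "
    r"(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<iface>\S+) @(?P<group>\d+):(?P<rule>\d+) "
    r"(?P<action>\S) "
    r"(?P<src>\S+?),(?P<sport>\d+) -> (?P<dst>\S+?),(?P<dport>\d+) "
    r"PR (?P<proto>\S+) len (?P<hlen>\d+) (?P<tlen>\d+)"
    r"(?: (?P<flags>-\S+))?$"
)

# Lines 2-10 are the records quoted in the thread (destination net masked as
# a.b.c by the original poster); the last line is a constructed benign hit.
SAMPLE_LOG = [
    "/var/log/ipflog.14.gz:2:Jan 6 11:42:09 nanakusa ipmon[25233]: 11:42:08.668116 ne0 @0:9 b 24.129.20.10,9706 -> a.b.c.144,2222 PR tcp len 20 44 -S",
    "/var/log/ipflog.14.gz:3:Jan 6 11:42:09 nanakusa ipmon[25233]: 11:42:08.864595 ne0 @0:9 b 24.129.20.10,9707 -> a.b.c.145,2222 PR tcp len 20 44 -S",
    "/var/log/ipflog.14.gz:4:Jan 6 11:42:09 nanakusa ipmon[25233]: 11:42:08.867860 ne0 @0:9 b 24.129.20.10,9708 -> a.b.c.146,2222 PR tcp len 20 44 -S",
    "/var/log/ipflog.14.gz:5:Jan 6 11:42:09 nanakusa ipmon[25233]: 11:42:08.871132 ne0 @0:45 b 24.129.20.10,9709 -> a.b.c.147,2222 PR tcp len 20 44 -S",
    "/var/log/ipflog.14.gz:6:Jan 6 11:42:09 nanakusa ipmon[25233]: 11:42:08.874388 ne0 @0:9 b 24.129.20.10,9710 -> a.b.c.148,2222 PR tcp len 20 44 -S",
    "/var/log/ipflog.14.gz:7:Jan 6 11:42:10 nanakusa ipmon[25233]: 11:42:10.202803 ne0 @0:2 b 24.129.20.10,9718 -> a.b.c.150,2222 PR tcp len 20 44 -S",
    "/var/log/ipflog.14.gz:8:Jan 6 11:42:10 nanakusa ipmon[25233]: 11:42:10.206067 ne0 @0:6 b 24.129.20.10,9798 -> a.b.c.154,2222 PR tcp len 20 44 -S",
    "/var/log/ipflog.14.gz:9:Jan 6 11:42:10 nanakusa ipmon[25233]: 11:42:10.327883 ne0 @0:9 b 24.129.20.10,9886 -> a.b.c.157,2222 PR tcp len 20 44 -S",
    "/var/log/ipflog.14.gz:10:Jan 6 11:42:10 nanakusa ipmon[25233]: 11:42:10.331056 ne0 @0:9 b 24.129.20.10,9888 -> a.b.c.159,2222 PR tcp len 20 44 -S",
    # constructed: one ordinary blocked SSH attempt, should not be reported
    "Jan 6 11:43:00 nanakusa ipmon[25233]: 11:43:00.000000 ne0 @0:9 b 10.0.0.5,40000 -> a.b.c.144,22 PR tcp len 20 44 -S",
]


def parse_ipmon_line(line):
    """Parse one ipmon record into a dict, or None if it does not match."""
    m = IPMON_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # syslog carries no year: assume one year (strptime defaults to 1900),
    # which keeps ordering and deltas correct within a single log file.
    rec["when"] = datetime.strptime(
        f"{rec['month']} {rec['day']} {rec['ts']}", "%b %d %H:%M:%S.%f")
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def find_sweeps(lines, min_hosts=5, window=timedelta(seconds=60)):
    """Return (src, dport, sorted_hosts, first, last) for every source that
    reached at least min_hosts distinct hosts on one port within window."""
    buckets = defaultdict(list)           # (src, dport) -> [(when, dst)]
    for line in lines:
        rec = parse_ipmon_line(line)
        if rec is None or rec["proto"] != "tcp":
            continue
        buckets[(rec["src"], rec["dport"])].append((rec["when"], rec["dst"]))

    sweeps = []
    for (src, dport), hits in buckets.items():
        hits.sort()
        best, start = None, 0
        # sliding time window over the chronologically ordered hits
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1
            hosts = {dst for _, dst in hits[start:end + 1]}
            if len(hosts) >= min_hosts and (best is None or len(hosts) > len(best[0])):
                best = (hosts, hits[start][0], hits[end][0])
        if best is not None:
            sweeps.append((src, dport, sorted(best[0]), best[1], best[2]))
    return sweeps


def report(sweeps):
    """Render one line per detected sweep, tagging ports from WATCH_PORTS."""
    out = []
    for src, dport, hosts, first, last in sweeps:
        tag = " [port discussed in thread]" if dport in WATCH_PORTS else ""
        span = (last - first).total_seconds()
        out.append(f"{src} swept port {dport} on {len(hosts)} hosts in {span:.2f}s{tag}")
    return out


if __name__ == "__main__":
    for line in report(find_sweeps(SAMPLE_LOG)):
        print(line)
```

Run as-is it reports the single 2222 sweep from 24.129.20.10 across nine hosts in under two seconds and stays quiet about the lone SSH hit. In practice you would feed it `zcat /var/log/ipflog.*.gz` output and tune `min_hosts` and `window` to your address space; the grep-prefix handling is there precisely so the output of the search shown in the post can be piped in unchanged.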