Security Incidents mailing list archives

Re: Slow scan, the rest of the story


From: hektor () RZ RWTH-AACHEN DE (Jens Hektor)
Date: Wed, 24 May 2000 16:03:54 -0000


Hi,

thanks for the answers to my posting, maybe the rest is also
interesting.

Of course I had informed the WHOIS-given contact and later
that day they gave positive feedback and scanning stopped.

One hour later the whole thing started again, now from two
machines located in Japan and Estonia. Admin contacts
as well as CERTs have been informed; no feedback from
Estonia until now, but scanning has stopped.

A little investigation revealed the Japanese machine as
root-shelled; the process was found and here is additional
info:

The slow scan was caused by an approx. 240 MByte file of all
137.-IPs sorted by incrementing the 3rd byte, then the
2nd byte and finally the 4th byte.

The login was trojaned giving access if the DISPLAY variable
contained a special string. Other trojans were found also.

Seemed that the attacker came from Slovenia.

Bye, Jens
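A detector for the scan ordering described in the post above, added here as an example and not code from the original post or its author: it reads constructed flow records, keys each destination by the octet order the post describes (3rd octet varying fastest, then 2nd, then 4th slowest; that reading of the wording is an assumption), and flags a source whose hits inside 137.0.0.0/8 arrive strictly in that order.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow records ("timestamp src dst"); not from the original post.
SAMPLE_FLOWS = """\
2000-05-24T08:00:01 203.0.113.7 137.1.253.1
2000-05-24T08:04:13 203.0.113.7 137.1.254.1
2000-05-24T08:09:40 203.0.113.7 137.1.255.1
2000-05-24T08:09:41 198.51.100.9 137.40.7.20
2000-05-24T08:13:02 203.0.113.7 137.2.0.1
2000-05-24T08:13:03 198.51.100.9 137.12.1.3
2000-05-24T08:13:04 198.51.100.9 137.9.9.9
2000-05-24T08:18:55 203.0.113.7 137.255.255.1
2000-05-24T08:18:56 198.51.100.9 137.200.3.3
2000-05-24T08:18:57 198.51.100.9 137.77.0.1
2000-05-24T08:23:31 203.0.113.7 137.1.0.2
"""

def scan_key(dst):
    """Odometer order from the post: 3rd octet fastest, then 2nd, then 4th.
    Most significant element first, so the tuple is (4th, 2nd, 3rd)."""
    b = ipaddress.IPv4Address(dst).packed
    return (b[3], b[1], b[2])

def parse_flows(text):
    """Group destination addresses by source, preserving arrival order."""
    per_src = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            _ts, src, dst = line.split()
            per_src[src].append(dst)
    return per_src

def ordered_sweep_sources(flows_text, prefix="137.0.0.0/8", min_targets=5):
    """Return sources whose in-prefix destinations arrive strictly increasing
    under scan_key, with at least min_targets hits. A plain ascending-address
    check would miss the wrap from 137.255.255.1 to 137.1.0.2."""
    net = ipaddress.ip_network(prefix)
    flagged = []
    for src, dsts in parse_flows(flows_text).items():
        in_range = [d for d in dsts if ipaddress.IPv4Address(d) in net]
        if len(in_range) < min_targets:
            continue
        keys = [scan_key(d) for d in in_range]
        if all(a < b for a, b in zip(keys, keys[1:])):
            flagged.append(src)
    return flagged
```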
