Security Incidents mailing list archives
Re: Port 555 scan
From: Ryan Russell <ryan () SECURITYFOCUS COM>
Date: Fri, 9 Feb 2001 20:01:11 -0700
On Fri, 9 Feb 2001 me () SOMEWHERE NET wrote:
Just got swept by a scan for port 555.
Feb 9 06:04:24 XXX kernel: Packet log: input REJECT eth0 PROTO=6 211.193.34.30:4247 my.host.net:555 L=60 S=0x00 I=48749 F=0x4000 T=48 SYN (#25)
Everything else is consistent with the Ramen worm. I don't know why port 555. I would expect 515 looking for the lprng daemon, among other ports...
If you go to the http server running, you see this RameN Crew Hackers looooooooooooooooove noodles.?
Pretty clearly been nailed by Ramen.
root 2178 0.9 0.0 1404 60 ? R NFeb 3 82:11 ./synscan 33.65 .heh eth0 t1 21
Part of Ramen, I believe. Are you in the 33.65 address space?
root 12260 29.8 0.0 1112 188 ? R Feb 8 560:39 ./luckscan-a 163 555
That looks like your port 555 scanner. I don't remember that being mentioned before. Perhaps you've found a Ramen variant, or perhaps that's evidence of the box having been rooted on a separate occasion. I'm finding zero matches on any sort of web search for luckscan.
This box is so full of holes and poses a danger to everyone.
Indeed.
Ryan
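Added example, not part of the original message: a parser for the ipchains packet-log line quoted above that groups logged TCP SYNs by source address and destination port, so a sweep of one port across several hosts stands out. The `min_hosts` threshold, the function names and every sample line except the first are constructed for the example.

```python
import re
from collections import defaultdict

# ipchains "Packet log" layout, as in the line quoted in the message:
# chain action iface PROTO=n src:sport dst:dport L=len S=tos I=id F=frag T=ttl [SYN] (#rule)
LINE_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>\S+):(?P<sport>\d+) "
    r"(?P<dst>\S+):(?P<dport>\d+) L=(?P<len>\d+) S=(?P<tos>0x[0-9A-Fa-f]+) "
    r"I=(?P<id>\d+) F=(?P<frag>0x[0-9A-Fa-f]+) T=(?P<ttl>\d+)"
    r"(?P<syn> SYN)? \(#(?P<rule>\d+)\)"
)

def parse_line(line):
    """Return the fields of one ipchains log line as a dict, or None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport", "len", "id", "ttl", "rule"):
        rec[key] = int(rec[key])
    rec["syn"] = rec["syn"] is not None
    return rec

def find_sweeps(lines, min_hosts=3):
    """Map (source, dest port) -> sorted targets, for TCP SYNs that hit >= min_hosts hosts."""
    targets = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["proto"] == 6 and rec["syn"]:
            targets[(rec["src"], rec["dport"])].add(rec["dst"])
    return {k: sorted(v) for k, v in targets.items() if len(v) >= min_hosts}

# First entry is the line from the message; the rest are constructed variations of it.
FIRST = ("Feb 9 06:04:24 XXX kernel: Packet log: input REJECT eth0 PROTO=6 "
         "211.193.34.30:4247 my.host.net:555 L=60 S=0x00 I=48749 F=0x4000 T=48 SYN (#25)")
SAMPLE = [
    FIRST,
    FIRST.replace("my.host.net", "host-b.example.net"),
    FIRST.replace("my.host.net", "host-c.example.net"),
    FIRST.replace("211.193.34.30", "192.0.2.10").replace(":555", ":515"),  # single probe
    "not a packet log line",
]

if __name__ == "__main__":
    for (src, port), hosts in find_sweeps(SAMPLE).items():
        print(f"{src} swept port {port} across {len(hosts)} hosts: {', '.join(hosts)}")
```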