Security Incidents mailing list archives
Re: Port 555 scan
From: me () SOMEWHERE NET
Date: Mon, 12 Feb 2001 10:47:39 -0500
Yeah, this looks pretty much like Ramen, I mean it's signed for god's sake, but I, as others have also pointed out, have not seen the 555 dest port before. It's possible that this box has been rooted multiple times; it was way too easy to get in. Someone suggested a too easy/poorly designed honeypot; if that is the case, though I would not think so, then the honeypot admin is a little too careless in allowing their rooted box to go on the offensive. I am not on the same subnet as the scanner; as a matter of fact, my IPs are quite different from the scanner box. I would suggest that this guy is going after a huge portion of the internet: there is only one hit per address and only on port 555. Leave this thing running for a couple of days/weeks and you can cover a lot of ground.

Question: How does the community feel about my taking a more 'active' role in determining what was happening on this rooted box? It can be said that I did bend the rules a bit by finding a way, low tech though it was (simple is best ;^), into this box and seeing what was running; I just took a walk around the block, as it were, did no mischief to the box, just looked. But it does raise some question of ethics... the grey between the white and black hatted, or just wrong? I'd be interested in opinions.

Ryan Russell wrote:
> On Fri, 9 Feb 2001 me () SOMEWHERE NET wrote:
>
> > Just got swept by a scan for port 555.
> >
> > Feb 9 06:04:24 XXX kernel: Packet log: input REJECT eth0 PROTO=6 211.193.34.30:4247 my.host.net:555 L=60 S=0x00 I=48749 F=0x4000 T=48 SYN (#25)
>
> Everything else is consistent with the Ramen worm. I don't know why port 555. I would expect 515 looking for the lprng daemon, among other ports...
>
> > If you go to the http server running, you see this:
> >
> > RameN Crew
> > Hackers looooooooooooooooove noodles.
>
> Pretty clearly been nailed by Ramen.
>
> > root 2178 0.9 0.0 1404 60 ? R N Feb 3 82:11 ./synscan 33.65 .heh eth0 t1 21
>
> Part of Ramen, I believe. Are you in the 33.65 address space?
>
> > root 12260 29.8 0.0 1112 188 ? R Feb 8 560:39 ./luckscan-a 163 555
>
> That looks like your port 555 scanner. I don't remember that being mentioned before. Perhaps you've found a Ramen variant, or perhaps that's evidence of the box having been rooted on a separate occasion. I'm finding zero matches on any sort of web search for luckscan.
>
> > This box is so full of holes and poses a danger to everyone.
>
> Indeed.
>
> Ryan
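As an added example that is not part of the thread: a small Python parser for the ipchains "Packet log" line format quoted above, which flags any source that sent TCP SYNs to port 555 against several destination hosts, the one-hit-per-address sweep pattern the post describes. The sample log lines are constructed; the h1/h2 hostnames, the 10.0.0.x sources and the non-555 ports are assumptions, only 211.193.34.30 and port 555 come from the post.

```python
import re
from collections import defaultdict

# Constructed sample in the ipchains "Packet log" format quoted in the thread.
# 211.193.34.30 and port 555 come from the post; the h1/h2 hosts, the other
# source addresses and the other ports are made up for this example.
SAMPLE_LOG = """\
Feb  9 06:04:24 h1 kernel: Packet log: input REJECT eth0 PROTO=6 211.193.34.30:4247 h1.example.net:555 L=60 S=0x00 I=48749 F=0x4000 T=48 SYN (#25)
Feb  9 06:04:24 h2 kernel: Packet log: input REJECT eth0 PROTO=6 211.193.34.30:4248 h2.example.net:555 L=60 S=0x00 I=48750 F=0x4000 T=48 SYN (#25)
Feb  9 06:05:01 h1 kernel: Packet log: input REJECT eth0 PROTO=6 10.0.0.7:40001 h1.example.net:515 L=60 S=0x00 I=1 F=0x4000 T=64 SYN (#25)
Feb  9 06:05:02 h1 kernel: Packet log: input ACCEPT eth0 PROTO=6 10.0.0.9:51000 h1.example.net:22 L=60 S=0x00 I=2 F=0x4000 T=64 (#3)
"""

# chain, target, interface, protocol number, src:sport, dst:dport, then the
# length/TOS/ID/fragment/TTL fields, an optional SYN marker and the rule number.
LINE_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>\S+):(?P<dport>\d+) (?P<rest>.*)$"
)


def parse_line(line):
    """Parse one ipchains log line into a dict, or return None if it is not one."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport"):
        rec[key] = int(rec[key])
    # ipchains appends "SYN" to TCP records that carry only the SYN flag.
    rec["syn"] = "SYN" in rec.pop("rest").split()
    return rec


def sweep_sources(log_text, port=555, min_targets=2):
    """Return {src: sorted destinations} for sources whose TCP SYNs to `port`
    reached at least `min_targets` distinct hosts (one probe per address is
    the sweep pattern described in the thread)."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["proto"] == 6 and rec["syn"] and rec["dport"] == port:
            seen[rec["src"]].add(rec["dst"])
    return {src: sorted(dsts) for src, dsts in seen.items() if len(dsts) >= min_targets}


if __name__ == "__main__":
    for src, dsts in sweep_sources(SAMPLE_LOG).items():
        print(f"{src} swept port 555 on {len(dsts)} hosts: {', '.join(dsts)}")
```

Feeding the merged kernel logs of several hosts (as the sample does with h1 and h2) is what makes a single-probe-per-address sweep visible; one host alone sees only one hit.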