Security Incidents mailing list archives

Re: Port 555 scan


From: me () SOMEWHERE NET
Date: Mon, 12 Feb 2001 10:47:39 -0500

Yeah, this looks pretty much like Ramen, I mean it's signed for god's sake,
but I, as others have also pointed out, have not seen the 555 dest port
before.  It's possible that this box has been rooted multiple times; it was
way too easy to get in-- someone suggested a too easy/poorly designed
honeypot, if that is the case, though I would not think so, then the honeypot
admin is a little too careless in allowing their rooted box to go on the
offensive.
I am not on the same subnet as the scanner; as a matter of fact, my IPs are
quite different than the scanner box.  I would suggest that this guy is going
after a huge portion of the internet, there is only one hit per address and
only on the 555 port, leave this thing running for a couple days/weeks and you
can cover a lot of ground.

Question:  How does the community feel about my taking a more 'Active' role in
determining what was happening on this rooted box?  It can be said that I did
bend the rules a bit by finding a way, low tech though it was- simple is best-
;^), into this box and seeing what was running, just took a walk around the
block as it were- did no mischief to the box, just looked.
But it does raise some questions of ethics... the grey between the white and
black hatted, or just wrong?
I'd be interested in opinions.

Ryan Russell wrote:

> On Fri, 9 Feb 2001 me () SOMEWHERE NET wrote:
>
> > Just got swept by a scan for port 555.
> >
> > Feb  9 06:04:24 XXX kernel: Packet log: input REJECT eth0 PROTO=6
> > 211.193.34.30:4247 my.host.net:555 L=60 S=0x00 I=48749 F=0x4000 T=48 SYN
> > (#25)
> >
> > Everything else is consistent with the Ramen worm.  I don't know why port
> > 555.  I would expect 515 looking for the lprng daemon, among other
> > ports...
> >
> > If you go to the http server running, you see this
> >                                               RameN Crew
> >                                   Hackers looooooooooooooooove noodles.™
>
> Pretty clearly been nailed by Ramen.
>
> > root      2178  0.9  0.0  1404    60  ?  R NFeb  3  82:11 ./synscan
> > 33.65 .heh eth0 t1 21
>
> Part of Ramen, I believe.  Are you in the 33.65 address space?
>
> > root     12260 29.8  0.0  1112   188  ?  R  Feb  8 560:39 ./luckscan-a
> > 163 555
>
> That looks like your port 555 scanner.  I don't remember that being
> mentioned before.  Perhaps you've found a Ramen variant, or perhaps that's
> evidence of the box having been rooted on a separate occasion.
>
> I'm finding zero matches on any sort of web search for luckscan.
>
> > This box is so full of holes and poses a danger to everyone.
>
> Indeed.
>
>                                         Ryan
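The "one hit per address, only on port 555" pattern discussed above can be pulled straight out of the ipchains "Packet log:" lines quoted in the thread. This is an added example, not code from the original posts: it parses that log format and flags ports where many distinct hosts each sent exactly one bare SYN. The sample log is constructed (the thread's line joined back onto one line, plus invented hits from documentation-range addresses).

```python
import re
from collections import defaultdict

# Layout of the ipchains "Packet log:" line quoted in the thread: chain, verdict,
# interface, PROTO, src:port, dst:port, L/S/I/F/T fields, optional SYN, rule number.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<verdict>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>\S+):(?P<dport>\d+) "
    r"L=\d+ S=0x[0-9a-f]+ I=\d+ F=0x[0-9a-f]+ T=\d+(?P<syn> SYN)?(?: \(#\d+\))?"
)

def parse_packet_log(line):
    """Parse one ipchains log line (syslog prefix allowed); None if it is not one."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec.update(proto=int(rec["proto"]), sport=int(rec["sport"]), dport=int(rec["dport"]), syn=rec["syn"] is not None)
    return rec

def sweep_summary(lines):
    """Per TCP destination port: distinct sources, total hits, and whether every
    hit was a bare SYN from a source seen only once (the one-shot sweep pattern)."""
    hits, sources, all_syn = defaultdict(int), defaultdict(set), defaultdict(lambda: True)
    for line in lines:
        rec = parse_packet_log(line)
        if rec is None or rec["proto"] != 6:
            continue
        port = rec["dport"]
        hits[port] += 1
        sources[port].add(rec["src"])
        all_syn[port] = all_syn[port] and rec["syn"]
    return {port: {"sources": len(sources[port]), "hits": hits[port],
                   "one_shot": all_syn[port] and len(sources[port]) == hits[port]}
            for port in hits}

def flag_sweeps(lines, min_sources=3):
    """Ports that at least min_sources distinct hosts each probed exactly once with a SYN."""
    return sorted(p for p, s in sweep_summary(lines).items()
                  if s["one_shot"] and s["sources"] >= min_sources)

# Constructed sample: one host retries port 22, so that port is not a one-shot sweep.
SAMPLE_LOG = [
    "Feb  9 06:04:24 XXX kernel: Packet log: input REJECT eth0 PROTO=6 211.193.34.30:4247 my.host.net:555 L=60 S=0x00 I=48749 F=0x4000 T=48 SYN (#25)",
    "Feb  9 07:11:02 XXX kernel: Packet log: input REJECT eth0 PROTO=6 192.0.2.17:2001 my.host.net:555 L=60 S=0x00 I=1034 F=0x4000 T=50 SYN (#25)",
    "Feb  9 08:30:45 XXX kernel: Packet log: input REJECT eth0 PROTO=6 198.51.100.9:3100 my.host.net:555 L=60 S=0x00 I=2210 F=0x4000 T=47 SYN (#25)",
    "Feb  9 09:02:14 XXX kernel: Packet log: input REJECT eth0 PROTO=6 203.0.113.5:1026 my.host.net:22 L=60 S=0x00 I=778 F=0x4000 T=52 SYN (#25)",
    "Feb  9 09:02:20 XXX kernel: Packet log: input REJECT eth0 PROTO=6 203.0.113.5:1027 my.host.net:22 L=60 S=0x00 I=779 F=0x4000 T=52 SYN (#25)",
    "Feb  9 09:05:00 XXX kernel: eth0: link up",
]
```

Run `flag_sweeps(SAMPLE_LOG)` over a real ipchains log instead of the sample to see which ports are being swept; a single-address view only shows one hit per scanner, so the count of distinct sources is what separates a wide sweep from one noisy host.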