Security Incidents mailing list archives
Re: Ramen worm . More details on it. ( found a password and e-mails crypted inside it)
From: "Jeffrey F. Lawhorn" <jeffl () wanet net>
Date: Tue, 16 Jan 2001 15:17:49 -0800
In message <3A64ACD2.39EDC7B () profm ro>, Mihai Moldovanu said:
The asp executable (the one which gets installed in /sbin/asp and serves requests on 27374) has a strange getline function coded which seems to be specially crafted to allow remote upload / execution of code. Unfortunately I can't prove that function has a buffer overflow in it.
As near as I can determine, all the asp executable does is send the configured file (/tmp/ramen.tgz) whenever it receives any data on the port it's listening on (27374).

jeffl
--
Jeffrey F. Lawhorn | Internet Security Consulting
Software Design Associates, Inc. | IDS Monitoring/Reporting
jeffl () wanet net 619-679-5900 voice | Expunge Intruders
http://www.wanet.net/ 619-679-2327 fax | Finger jeffl () wanet net for PGP Public Key.
Insist on Quality! WANet.Net is an ISP/C Member - http://www.ispc.org/
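
A host triage check built from the three artifacts named in this thread (/sbin/asp, /tmp/ramen.tgz, a listener on TCP 27374), added here as an example and not part of either post. The function names and the ROOT/TCP_TABLE parameters are assumptions of this example; it reads a Linux /proc/net/tcp-format table instead of probing the port, so it also works on a mounted image with a saved copy of that file.

```shell
#!/bin/sh
# Ramen artifact triage (added example; names below are hypothetical).
# Indicators come from the thread: /sbin/asp, /tmp/ramen.tgz, TCP port 27374.

RAMEN_PORT_HEX=6AEE   # 27374 in hex, the way /proc/net/tcp prints local ports

# ramen_listeners TCP_TABLE
# Print the local address of every socket in LISTEN state on port 27374.
ramen_listeners() {
    # field 2 = local_address "HEXIP:HEXPORT", field 4 = state (0A = LISTEN)
    awk -v port="$RAMEN_PORT_HEX" '
        NR > 1 {
            n = split($2, a, ":")
            if (toupper(a[n]) == port && toupper($4) == "0A") print $2
        }' "$1"
}

# ramen_check [ROOT] [TCP_TABLE]
# Print one "FOUND ..." line per indicator present; print nothing on a clean host.
ramen_check() {
    root=${1:-/}; root=${root%/}          # "/" becomes "" so paths join cleanly
    table=${2:-/proc/net/tcp}
    if [ -e "$root/sbin/asp" ]; then
        echo "FOUND $root/sbin/asp"
    fi
    if [ -e "$root/tmp/ramen.tgz" ]; then
        echo "FOUND $root/tmp/ramen.tgz"
    fi
    if [ -r "$table" ] && [ -n "$(ramen_listeners "$table")" ]; then
        echo "FOUND listener on tcp/27374"
    fi
    return 0
}

# Default run: check the live host.
ramen_check "${1:-}" "${2:-}"
```

A file named /sbin/asp or an open port 27374 can have other explanations, so treat each line of output as a lead to confirm, not a verdict.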