Security Incidents mailing list archives

FTP and RPC based worms [was anyone else ...]


From: Russell Fulton <r.fulton () AUCKLAND AC NZ>
Date: Tue, 16 Jan 2001 11:50:32 +1300

On Mon, 15 Jan 2001 14:40:16 +0200 Mihai Moldovanu <mihaim () PROFM RO>
wrote:

> Yes. The same problem here. But not only 111. 21 also.
> We deployed a honeypot and waited to be compromised. It took 12 hours to be
> compromised. I took it out of the network and this is what I found on it:
> It seems like a worm that installs StatDXscan (Class B rpc.statd scanner),
> wu-ftpd scanner, a modified t0rn rootkit along with Adore LKM rootkit, and
> flood tools: Sl2, smurf5, trojaned sshd running on port 48480
> t0rnscan has inside it the following string: irc.webbernet.net:6667


We had a machine compromised in the early hours of this morning via
wu-ftpd.

Here are the network traffic logs as generated by argus, interleaved with
my interpretation:

initial FIN/SYN scan packet
16 Jan 01 01:06:48    tcp 194.163.254.235.21    <o>     130.216.7.109.21    2        1         0            0           FSR_SA
Grab ftp banner:
16 Jan 01 01:06:49    tcp 194.163.254.235.1239   ->     130.216.7.109.21    6        5         0            95          FSRA_FSPA
compromise via site exec (recorded independently by snort)
16 Jan 01 01:08:00    tcp 194.163.254.235.1255   o>     130.216.7.109.21    19       17        1678         2051        SRPA_SPA
get tools to install from 'home'
16 Jan 01 01:08:15    tcp   130.216.7.109.2846   ->   194.163.254.235.27374 39       69        545          95282       FSPA_FSPA
launch scanner on 156.82.0.0/8
16 Jan 01 01:08:22    tcp   130.216.7.109.21     o>        156.82.0.1.21    1        0         0            0           FS_
16 Jan 01 01:08:22    tcp   130.216.7.109.21     o>        156.82.0.2.21    1        0         0            0           FS_
16 Jan 01 01:08:22    tcp   130.216.7.109.21     o>        156.82.0.3.21    1        0         0            0           FS_
16 Jan 01 01:08:22    tcp   130.216.7.109.21     o>        156.82.0.4.21    1        0         0            0           FS_
16 Jan 01 01:08:22    tcp   130.216.7.109.21     o>        156.82.0.5.21    1        0         0            0           FS_
16 Jan 01 01:08:22    tcp   130.216.7.109.21     o>        156.82.0.6.21    1        0         0            0           FS_
16 Jan 01 01:08:22    tcp   130.216.7.109.21     o>        156.82.0.7.21    1        0         0            0           FS_
16 Jan 01 01:08:22    tcp   130.216.7.109.21     o>        156.82.0.8.21    1        0         0            0           FS_
16 Jan 01 01:08:22    tcp   130.216.7.109.21     o>        156.82.0.9.21    1        0         0            0           FS_
16 Jan 01 01:08:22    tcp   130.216.7.109.21     o>       156.82.0.10.21    1        0         0            0           FS_

All fairly standard stuff except that the whole process took under 2
minutes from initial probe to launching the scanner.

I conclude that what we have here is a worm spreading via ftp.

I have port scanned the compromised system and it is listening on port
27374, the same as the one on 194.163.254.235 where it got its tools
from.  When I connected to this port via telnet I got a large amount
of binary data dumped to the terminal.  No other unusual ports open.

I have not examined the compromised system myself yet; it's in another
department across campus.

I scanned our network traffic for the last couple of days looking for
traffic to tcp 27374 and found very slow scans going from one address.

194.163.254.235 also probed tcp 111 on machines that responded to
the ftp scan but were not vulnerable to their ftp exploit.

Cheers, Russell.

Russell Fulton, Computer and Network Security Officer
The University of Auckland, New Zealand.
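As an added example (not code from the original post or from argus itself), a small Python parser for argus-style flow records like those above, flagging the two behaviours Russell's interpretation points to: a burst of unanswered SYN flows from one host to tcp/21 on many distinct targets, and any flow touching tcp/27374. The sample records are constructed to mirror the post's format, and the threshold of 8 scan targets is an assumption.

```python
import re
from collections import defaultdict

# One argus flow record per line, as in the post (flag column rejoined onto the line).
FLOW_RE = re.compile(
    r"^(?P<ts>\d{2} \w{3} \d{2} \d{2}:\d{2}:\d{2})\s+(?P<proto>\w+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+\S+\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+)\s+"
    r"(?P<spkts>\d+)\s+(?P<dpkts>\d+)\s+(?P<sbytes>\d+)\s+(?P<dbytes>\d+)"
    r"(?:\s+(?P<flags>\S+))?\s*$")

def parse_flow(line):
    """Return a dict of fields for one argus record, or None if it is not one."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for k in ("sport", "dport", "spkts", "dpkts", "sbytes", "dbytes"):
        rec[k] = int(rec[k])
    rec["flags"] = rec["flags"] or ""
    return rec

def find_ftp_scanners(records, min_targets=8):
    """Sources sending unanswered SYN flows to tcp/21 on at least min_targets hosts."""
    targets = defaultdict(set)
    for r in records:
        src_flags = r["flags"].split("_")[0]   # letters before '_' are the source's flags
        if (r["proto"] == "tcp" and r["dport"] == 21 and "S" in src_flags
                and r["dpkts"] == 0 and r["dbytes"] == 0):
            targets[r["src"]].add(r["dst"])
    return {s: sorted(t) for s, t in targets.items() if len(t) >= min_targets}

def find_tool_channel(records, port=27374):
    """Flows to or from the tool-download / listener port named in the post."""
    return [(r["src"], r["dst"], r["sbytes"], r["dbytes"])
            for r in records if port in (r["sport"], r["dport"])]

# Constructed sample mirroring the post: exploit, tool fetch, then a /8 sweep.
SAMPLE = [
    "16 Jan 01 01:08:00    tcp 194.163.254.235.1255   o>     130.216.7.109.21    19  17  1678  2051  SRPA_SPA",
    "16 Jan 01 01:08:15    tcp   130.216.7.109.2846   ->   194.163.254.235.27374 39  69   545 95282  FSPA_FSPA",
] + [f"16 Jan 01 01:08:22    tcp   130.216.7.109.21     o>   156.82.0.{i}.21    1   0   0   0   FS_"
     for i in range(1, 11)]

def analyse(lines):
    """Parse the records and return (scanners, tool-port flows)."""
    recs = [r for r in (parse_flow(l) for l in lines) if r]
    return find_ftp_scanners(recs), find_tool_channel(recs)
```

Calling `analyse(SAMPLE)` reports the honeypot victim as the only scanner (10 targets) and the single tcp/27374 flow back to the attacking host, which is the pair of indicators worth searching the rest of the campus traffic for.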