Slow DNS scans, backdoor scans, both worming

[Jens Hektor <hektor () RZ RWTH-AACHEN DE>]

Hi,

the recently reported slow dns and backdoor scans are both variants of
the lionworm.

I examined in the today 318 machines possibly slow scanning us
on 53/udp, 78 were open on port 12321 serving via http a w0rmkit slightly
different from that of lion.

IP data were sent to the German CERT.

The same holds true for the backdoor scanners. Same port, but slightly
different kit (more adore like).

Looks like worms are the new technology for the kids.

Bye, Jens

--
Jens Hektor, RWTH Aachen, Rechenzentrum, Seffenter Weg 23, 52074 Aachen
Computing Center Technical University Aachen, firewalls/network security
mailto:hektor () RZ RWTH-Aachen DE, Tel.: +49 241 80 4866, Raum: 2.35
Private: Rochusstr. 26, D52062 Aachen, Fon: +49 241 29888, Fax: % 29889