Security Incidents mailing list archives
RE: DoS worm
From: "Thor Larholm" <thor () pivx com>
Date: Thu, 21 Oct 2004 02:05:36 -0700
From your description your six machines are now compromised by a random
Trojan being controlled by shaman.exodus.ro - I take it you perhaps took some capture logs of the SSH connections, the SYN flooding and the SMB probing? That would be invaluable to knowing whether this is a new SMB vulnerability or whether the worm simply connects using insecure administrator passwords. Thor -----Original Message----- From: David Gillett [mailto:gillettdavid () fhda edu] Sent: Wednesday, October 20, 2004 10:48 PM To: incidents () securityfocus com Subject: DoS worm Yesterday, someone (we believe it was one of our students) unplugged a lab Mac from the campus network and plugged in a PC (laptop, we assume). Besides whatever the user wanted, it apparently did three things: 1. Attempt to open a lot of connections (port 22, SSH) to shaman.exodus.ro (62.80.109.128), then 2. Send a SYN flood, spoofing the source address as 0.0.0.0, to ports 22 and 80 of weed.powered.at (195.149.115.18), and 3. Probe random addresses in our Class B space (port 445, CIFS); if it got a connection, it tried various SMB-type things amongst which I was able to pick out the string "IPC". Five other machines in our space eventually demonstrated similar symptoms. I don't know what this beast is. I infer that #2 is a DoS attack which is perhaps the purpose of the worm, and that #3 is its spread vector via the IPC$ share. Anybody recognize this? Dave Gillett
Current thread:
- RE: DoS worm Thor Larholm (Oct 21)
- RE: DoS worm David Gillett (Oct 22)