Snort mailing list archives
RE: Port 10008/tcp ?
From: "Bunter, Matthew" <Matthew.Bunter () cwcom cwplc com>
Date: Tue, 22 May 2001 10:05:36 +0100
FYI: It has been observed in public and private reports a recent pattern of activity surrounding probes to TCP port 10008. An artifact called the 'cheese worm' has been obtained, which may contribute to the pattern.

Description:

The 'cheese worm' is a worm designed to remove all inetd services referencing '/bin/sh' from systems with root shells listening on TCP port 10008. In reality, the 'cheese worm' will attempt to execute a series of shell commands on any host which accepts TCP connections on TCP port 10008. The 'cheese worm' perpetuates its attack cycle across multiple hosts by copying itself from attacking host to victim host and self-initiating another attack cycle. Thus, no human intervention is required to perpetuate the cycle once the worm has begun to propagate.

Solution:

Sites are encouraged to review hosts infected with the 'cheese worm' for other signs of intrusion and take appropriate steps to insure the security of impacted systems. In particular, certain versions of the BIND TSIG exploit discussed in http://www.cert.org/incident_notes/IN-2001-03.html (Exploitation of BIND Vulnerabilities) create a backdoor root shell on TCP port 10008. Such an exploit was bundled into at least one version of the '1i0n' worm.

A detailed analysis of the '1i0n' worm was published by Max Vision and is available at http://www.whitehats.com/library/worms/lion/index.html

The Korea Computer Emergency Response Team Coordination Center (CERTCC-KR) has published CERTCC-KR-IN-01-007 discussing the 'cheese' worm in Korean.

If you believe a host under your control has been compromised, you may wish to refer to Steps for Recovering From a Root Compromise.
-----Original Message-----
From: Jason Lewis [SMTP:jlewis () jasonlewis net]
Sent: 16 May 2001 02:54
To: 'Bunter, Matthew'; snort-users () lists sourceforge net
Subject: RE: [Snort-users] Port 10008/tcp ?

This is from the Incidents list at Securityfocus.com

On Tue, 15 May 2001, Joerg Weber wrote:
> my FW-Logs went insane last night with gazillions of connection attempts to
> port 10008. FW-1 does unfortunately not log dropped packets, so I've no idea
> about flags et al, but the scan looks like this:
> SourcePort = Increases with each scan
> DestPort = 10008

I got some scans on port 10008 as well. The really odd thing is this. If you port scan them back, you'll find that on some high TCP port, if you connect and send a few newlines, it'll reply with a uuencoded cheese.tgz file.

I took a very brief look at the contents of cheese.tgz. The comments say it's a cleaner, written to remove root shells from inetd.conf. There's a lot more than that in the code though. Looks like a trojan that's really a scanner.

Jason Lewis
http://www.packetnexus.com
"All you can do is manage the risks. There is no security."

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Bunter, Matthew
Sent: Tuesday, May 15, 2001 12:26 PM
To: snort-users () lists sourceforge net
Subject: RE: [Snort-users] Port 10008/tcp ?

Just in case you did a typo (not accusing you or anything): 10007 is for mvs capacity and 10080 is for something called amanda. Nothing for 10007.

Matt

-----Original Message-----
From: Tudor Panaitescu [SMTP:tpanaitescu () colorcon com]
Sent: 15 May 2001 16:46
To: snort-users () lists sourceforge net
Subject: [Snort-users] Port 10008/tcp ?

Hello everyone!

Does anybody know what this port, 10008/tcp, is for?

I've got some attempts, always 2 at a time from the same source address.

TIA,
Tudor

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
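A small detector for the probe pattern the posts above describe (connection attempts to tcp/10008, arriving two at a time from one source, with the source port rising on each attempt), as an added example that is not code from the original posts, from CERT, or from Snort. The log format, the timestamps, the addresses and the `min_hits` threshold are all assumptions made for the example; the sample log is constructed.

```python
"""Flag hosts probing TCP port 10008 in firewall connection logs.

Added example for this thread, not code from the original posts or from
Snort. The log format below is a constructed, simplified one:

    <timestamp> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto> <action>
"""
import re
from collections import defaultdict

CHEESE_PORT = 10008  # port probed by the 'cheese' worm per CERT IN-2001-05

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)\s+"
    r"(?P<proto>\w+)\s+(?P<action>\w+)\s*$"
)


def parse_line(line):
    """Parse one log line into a dict; return None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def find_probes(lines, port=CHEESE_PORT, min_hits=2):
    """Group TCP connection attempts to `port` by source address.

    Returns {src_ip: {"hits": n, "targets": [...], "sequential_sport": bool}}
    for every source with at least `min_hits` attempts. `sequential_sport`
    is True when the source port rises strictly with each attempt, the
    pattern reported for the 10008 scans in the thread.
    """
    by_src = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["proto"].lower() == "tcp" and rec["dport"] == port:
            by_src[rec["src"]].append(rec)

    report = {}
    for src, recs in by_src.items():
        if len(recs) < min_hits:
            continue
        sports = [r["sport"] for r in recs]
        report[src] = {
            "hits": len(recs),
            "targets": sorted({r["dst"] for r in recs}),
            "sequential_sport": all(b > a for a, b in zip(sports, sports[1:])),
        }
    return report


# Constructed sample log; addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
2001-05-15T01:12:03 203.0.113.7:1025 -> 198.51.100.10:10008 tcp drop
2001-05-15T01:12:03 203.0.113.7:1026 -> 198.51.100.10:10008 tcp drop
2001-05-15T01:12:09 203.0.113.7:1027 -> 198.51.100.11:10008 tcp drop
2001-05-15T01:12:09 203.0.113.7:1028 -> 198.51.100.11:10008 tcp drop
2001-05-15T01:13:44 192.0.2.5:40211 -> 198.51.100.10:10008 tcp drop
2001-05-15T01:14:02 192.0.2.88:60115 -> 198.51.100.12:10008 tcp drop
2001-05-15T01:14:02 192.0.2.88:3021 -> 198.51.100.12:10008 tcp drop
2001-05-15T01:15:30 192.0.2.5:40300 -> 198.51.100.10:10007 tcp drop
2001-05-15T01:16:01 192.0.2.9:51000 -> 198.51.100.10:80 tcp accept
this line is not in the expected format
"""

if __name__ == "__main__":
    for src, info in sorted(find_probes(SAMPLE_LOG.splitlines()).items()):
        print(f"{src}: {info['hits']} attempts to tcp/{CHEESE_PORT}, "
              f"targets={info['targets']}, "
              f"sequential source ports={info['sequential_sport']}")
```

On the constructed log, 203.0.113.7 is reported with four attempts against two targets and strictly rising source ports, 192.0.2.88 is reported with two attempts but non-sequential source ports, and 192.0.2.5 is not reported because its single 10008 attempt is below `min_hits` (its 10007 attempt does not count, which is the check Matt's note about neighbouring port numbers implies). Adjacent-port noise and malformed lines are ignored rather than raising.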
Current thread:
- Port 10008/tcp ? Tudor Panaitescu (May 15)
- Re: Port 10008/tcp ? H D Moore (May 15)
- <Possible follow-ups>
- RE: Port 10008/tcp ? Stacey Conrad (May 15)
- Re: Port 10008/tcp ? Neil Dickey (May 15)
- Re: Port 10008/tcp ? Edwin Chiu (May 15)
- RE: Port 10008/tcp ? Bunter, Matthew (May 15)
- RE: Port 10008/tcp ? Jason Lewis (May 15)
- RE: Port 10008/tcp ? Tudor Panaitescu (May 15)
- RE: Port 10008/tcp ? Tudor Panaitescu (May 15)
- RE: Port 10008/tcp ? Bunter, Matthew (May 22)