Snort mailing list archives
RE: Port 10008/tcp ?
From: "Bunter, Matthew" <Matthew.Bunter () cwcom cwplc com>
Date: Tue, 22 May 2001 10:05:36 +0100
FYI :
It has been observed in public and private reports a recent pattern of
activity surrounding probes to TCP port 10008. An artifact called the
'cheese worm', has been obtained, which may contribute to the pattern.
Description:
The 'cheese worm' is a worm designed to remove all inetd services
referencing '/bin/sh' from systems with root shells listening on
TCP port 10008. In reality, the 'cheese worm' will
attempt to execute a series of shell commands on any host which accepts
TCP
connections on TCP port 10008.
The 'cheese worm' perpetuates its attack cycle across
multiple hosts by copying itself from attacking host to victim host and
self-initiating another attack cycle. Thus, no human
intervention is required to perpetuate the cycle once the worm has begun
to
propagate.
Solution:
Sites are encouraged to review hosts infected with the 'cheese worm' for
other signs of intrusion and take appropriate steps to insure the
security of impacted systems.
In particular, certain versions of the BIND TSIG
exploit discussed in
http://www.cert.org/incident_notes/IN-2001-03.html -( Exploitation of
BIND Vulnerabilities)
create a backdoor root shell on TCP port 10008. Such an
exploit was bundled into at least one version of the '1i0n' worm. A
detailed analysis of the '1i0n' worm was published by
Max Vision and is available at
http://www.whitehats.com/library/worms/lion/index.html
The Korea Computer Emergency Response Team Coordination
Center (CERTCC-KR) has published CERTCC-KR-IN-01-007
discussing the 'cheese' worm in Korean.
If you believe a host under your control has been
compromised, you may wish to refer to
Steps for Recovering From a Root Compromise
IN-2001-03, Exploitation of BIND Vulnerabilities
create a backdoor root shell on TCP port 10008. Such an
exploit was bundled into at least one version of the '1i0n' worm. A
detailed analysis of the '1i0n' worm was published by
Max Vision and is available at
http://www.whitehats.com/library/worms/lion/index.html
The Korea Computer Emergency Response Team Coordination
Center (CERTCC-KR) has published CERTCC-KR-IN-01-007
discussing the 'cheese' worm in Korean.
If you believe a host under your control has been
compromised, you may wish to refer to
Steps for Recovering From a Root Compromise
-----Original Message----- From: Jason Lewis [SMTP:jlewis () jasonlewis net] Sent: 16 May 2001 02:54 To: 'Bunter, Matthew'; snort-users () lists sourceforge net Subject: RE: [Snort-users] Port 10008/tcp ? This is from the Incidents list at Securityfocus.com On Tue, 15 May 2001, Joerg Weber wrote:my FW-Logs went insane last night with gazillions of connection attemptstoport 10008. FW-1 does unfortunately not log dropped packets, so I've no idea aboutflagset al, but the scan looks like this: SourcePort = Increases with each scan DestPort = 10008I got some scans on port 10008 as well. The really odd thing is this. If you port scan them back, you'll find that on some high TCP port, if you connect and send a few newlines, it'll reply with a uuencoded cheese.tgz file. I took a very brief look at the contents of cheese.tgz. The comments say it's a cleaner, written to remove root shells from inetd.conf. There's alot more than that in the code though. Looks like a trojan that's really a scanner. Jason Lewis http://www.packetnexus.com "All you can do is manage the risks. There is no security." -----Original Message----- From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net]On Behalf Of Bunter, Matthew Sent: Tuesday, May 15, 2001 12:26 PM To: snort-users () lists sourceforge net Subject: RE: [Snort-users] Port 10008/tcp ? Just in case you did a typo (not accusing you or anything) 10007 is for mvs capacity and 10080 is for something called amanda Nothing for 10007 Matt-----Original Message----- From: Tudor Panaitescu [SMTP:tpanaitescu () colorcon com] Sent: 15 May 2001 16:46 To: snort-users () lists sourceforge net Subject: [Snort-users] Port 10008/tcp ? Hello everyone ! Does anybody know what is this port, 10008/tcp for ? I've got some attempts, allways 2 at a time from the same sourceaddress.TIA, Tudor _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: http://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users********************************************************************** This message may contain information which is confidential or privileged. If you are not the intended recipient, please advise the sender immediately by reply e-mail and delete this message and any attachments without retaining a copy. ********************************************************************** _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: http://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: http://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Port 10008/tcp ? Tudor Panaitescu (May 15)
- Re: Port 10008/tcp ? H D Moore (May 15)
- <Possible follow-ups>
- RE: Port 10008/tcp ? Stacey Conrad (May 15)
- Re: Port 10008/tcp ? Neil Dickey (May 15)
- Re: Port 10008/tcp ? Edwin Chiu (May 15)
- RE: Port 10008/tcp ? Bunter, Matthew (May 15)
- RE: Port 10008/tcp ? Jason Lewis (May 15)
- RE: Port 10008/tcp ? Tudor Panaitescu (May 15)
- RE: Port 10008/tcp ? Tudor Panaitescu (May 15)
- RE: Port 10008/tcp ? Bunter, Matthew (May 22)