Educause Security Discussion mailing list archives
Re: Ongoing Port 6000 attacks, Windows Xserver Compromises, keyloggers
From: "James J. Barlow" <jbarlow () NCSA UIUC EDU>
Date: Wed, 24 Jan 2007 18:16:19 -0600
Warren,

Good writeup and thanks for the info. I just have a couple things to add, since what Brian Smith-Sweeney from NYU replied with is spot on to what we have seen here at NCSA.

As for the sample binary or script that attacks port 6000, we caught one of these scanning out of our network with a compromised account. The malware that they were using was pretty basic (this may or may not be similar to what was on your network). A script runs a binary which would do a scan given a network block and port, then would put the open IPs into a file. The script then feeds those IP addresses into another binary that would attach to port 6000 of the remote host and start keystroke logging to a file. The last script would check the keystroke files for ssh, telnet, and rlogin attempts. We have this package if you are interested, and have used it to scan our network on occasion to see if there are open X servers (and it's amazing how many one can actually find). We were just surprised that they were not looking for more juicy stuff like SSH RSA passphrases, PGP passphrases, or grid cert passphrases.

On Wed, Jan 24, 2007 at 04:42:36PM -0500, Warren Petrofsky wrote:

> On several of our machines we found scripts and IRC bots installed in obfuscated directories like /dev/shm/ /someDirName or /var/samba/ /samba/.. /someDirName (note the spaces and dots). We have yet to find a sample of the binary or script attacking port 6000.
--
James J. Barlow <jbarlow () ncsa uiuc edu>
Head of Security Operations and Incident Response
National Center for Supercomputing Applications
1205 West Clark Street, Urbana, IL 61801
Voice: (217)244-6403  Cell: (217)840-0601  Fax: (217)244-1987
http://www.ncsa.uiuc.edu/~jbarlow
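The two indicators the thread describes, a host sweeping a network block for open X servers on TCP/6000 and the bot directories with space-and-dot names, both lend themselves to simple hunting logic. The following is an added illustration written for this archive page; it is not code from the list, from NCSA, or from the malware discussed, and it works only on a constructed flow-record sample (timestamp, source, destination, destination port) rather than any real log format. The internal network range and the thresholds are assumptions chosen for the demonstration.

```python
"""Hunting helpers for the X11 (TCP/6000) keylogger activity described in the
thread: flag horizontal scans of port 6000, inbound port-6000 connections from
outside the site, and directory names built from spaces and dots.
Added illustration only; the flow records below are constructed, not real.
"""
import ipaddress
import os
import re
import tempfile
from collections import defaultdict

# Constructed flow records: "<unix_ts> <src_ip> <dst_ip> <dst_port>".
SAMPLE_FLOWS = """\
1169665000 10.1.2.3 192.0.2.10 6000
1169665001 10.1.2.3 192.0.2.11 6000
1169665001 10.1.2.3 192.0.2.12 6000
1169665002 10.1.2.3 192.0.2.13 6000
1169665002 10.1.2.3 192.0.2.14 6000
1169665003 10.1.2.3 192.0.2.15 6000
1169665010 10.1.2.3 10.1.9.9 22
1169665020 198.51.100.7 10.1.5.5 6000
1169665021 10.1.7.7 10.1.7.8 6000
"""

FLOW_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\d+)$")


def parse_flows(text):
    """Parse the constructed record format into (ts, src, dst, dport) tuples."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if m:
            ts, src, dst, dport = m.groups()
            flows.append((int(ts), src, dst, int(dport)))
    return flows


def find_x11_scanners(flows, min_targets=5, window=60):
    """Sources that reached >= min_targets distinct hosts on port 6000 within
    `window` seconds. Returns {src: distinct_target_count}."""
    per_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        if dport == 6000:
            per_src[src].append((ts, dst))
    scanners = {}
    for src, hits in per_src.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            targets = {d for t, d in hits[i:] if t - start <= window}
            if len(targets) >= min_targets:
                scanners[src] = len(targets)
                break
    return scanners


def find_inbound_x11(flows, internal_nets):
    """(src, dst) pairs where an external host connected to port 6000 on an
    internal host, i.e. an X server reachable from outside the site."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]

    def internal(ip):
        return any(ipaddress.ip_address(ip) in n for n in nets)

    return sorted({(src, dst) for _, src, dst, dport in flows
                   if dport == 6000 and internal(dst) and not internal(src)})


def is_obfuscated_name(name):
    """True for names like " ", ".. " or "..." that hide in an `ls` listing;
    ordinary dotfiles such as ".ssh" are not flagged."""
    stripped = name.strip()
    return stripped == "" or stripped != name or set(stripped) <= {"."}


def hunt_obfuscated_dirs(roots):
    """Walk the given roots and return paths of directories with such names."""
    found = []
    for root in roots:
        for dirpath, dirnames, _ in os.walk(root):
            for d in dirnames:
                if is_obfuscated_name(d):
                    found.append(os.path.join(dirpath, d))
    return found


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("port-6000 scanners:", find_x11_scanners(flows))
    print("inbound X11 from outside:", find_inbound_x11(flows, ["10.0.0.0/8"]))
    # Recreate the "/dev/shm/ /someDirName" layout in a scratch directory.
    with tempfile.TemporaryDirectory() as tmp:
        os.makedirs(os.path.join(tmp, " ", "someDirName"))
        os.makedirs(os.path.join(tmp, "samba", ".. ", "someDirName"))
        print("hidden dirs:", hunt_obfuscated_dirs([tmp]))
```

In practice `hunt_obfuscated_dirs` would be pointed at /dev/shm, /tmp and the samba share paths mentioned in the thread, and the flow parser swapped for whatever the site's netflow or firewall export actually looks like; the scan heuristic counts distinct destinations rather than raw connection attempts so a single host retrying one server does not trip it.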