Security Incidents mailing list archives

Re: Korea (was RE: ?)


From: horio () ACM ORG (horio shoichi)
Date: Thu, 27 Jan 2000 15:19:20 +0900


Fernando Cardoso wrote:

I have LOTS of portscanning (mostly to port 111) from a number of hosts
in Korea. I portscanned them back and found out that at least a couple of
them had port 2222 open. A telnet to that port dropped me in a root shell
without being asked for any password....

Fernando


I had a portscan on 2222. Seems a known trojan, but I cannot find the reference as yet.

/var/log/ipflog.14.gz:2:Jan  6 11:42:09 nanakusa ipmon[25233]: 11:42:08.668116
            ne0 @0:9 b 24.129.20.10,9706 -> a.b.c.144,2222 PR tcp len 20 44 -S
/var/log/ipflog.14.gz:3:Jan  6 11:42:09 nanakusa ipmon[25233]: 11:42:08.864595
            ne0 @0:9 b 24.129.20.10,9707 -> a.b.c.145,2222 PR tcp len 20 44 -S
/var/log/ipflog.14.gz:4:Jan  6 11:42:09 nanakusa ipmon[25233]: 11:42:08.867860
            ne0 @0:9 b 24.129.20.10,9708 -> a.b.c.146,2222 PR tcp len 20 44 -S
/var/log/ipflog.14.gz:5:Jan  6 11:42:09 nanakusa ipmon[25233]: 11:42:08.871132
            ne0 @0:45 b 24.129.20.10,9709 -> a.b.c.147,2222 PR tcp len 20 44 -S
/var/log/ipflog.14.gz:6:Jan  6 11:42:09 nanakusa ipmon[25233]: 11:42:08.874388
            ne0 @0:9 b 24.129.20.10,9710 -> a.b.c.148,2222 PR tcp len 20 44 -S
/var/log/ipflog.14.gz:7:Jan  6 11:42:10 nanakusa ipmon[25233]: 11:42:10.202803
            ne0 @0:2 b 24.129.20.10,9718 -> a.b.c.150,2222 PR tcp len 20 44 -S
/var/log/ipflog.14.gz:8:Jan  6 11:42:10 nanakusa ipmon[25233]: 11:42:10.206067
            ne0 @0:6 b 24.129.20.10,9798 -> a.b.c.154,2222 PR tcp len 20 44 -S
/var/log/ipflog.14.gz:9:Jan  6 11:42:10 nanakusa ipmon[25233]: 11:42:10.327883
            ne0 @0:9 b 24.129.20.10,9886 -> a.b.c.157,2222 PR tcp len 20 44 -S
/var/log/ipflog.14.gz:10:Jan  6 11:42:10 nanakusa ipmon[25233]: 11:42:10.331056
            ne0 @0:9 b 24.129.20.10,9888 -> a.b.c.159,2222 PR tcp len 20 44 -S

horio shoichi
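What the ipmon lines above show is a single source hitting one port (2222) on nine consecutive hosts of one /24 within about two seconds, which is the signature of a one-port sweep rather than a stray connection. The script below is an added example, not code from the post or from IP Filter: it parses ipmon(8) log lines in the format shown above (with or without the "file:lineno:" prefix that zgrep -n leaves on each line) and flags any source whose TCP SYNs reach a threshold of distinct destination hosts on the same port inside a time window. The sample log embeds the nine lines from the post, re-joined onto single lines because the mail wrapped them, plus three constructed lines from an invented host 10.9.8.7 that should not be flagged. The function names, the threshold of 5 hosts and the 10-second window are assumptions chosen for the example.

```python
"""Flag one-port sweeps ("a portscan on 2222") in IP Filter ipmon log lines.

Added example for the thread above; not code from the post or from IP Filter.
"""
import re
from collections import defaultdict

# ipmon(8) log line as seen in the post, optionally preceded by the
# "file:lineno:" prefix that zgrep -n / grep -n adds.
IPMON_RE = re.compile(
    r"^(?:\S+:\d+:)?"
    r"(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d+)\s+(?P<time>\d\d:\d\d:\d\d)\s+"
    r"(?P<host>\S+)\s+ipmon\[(?P<pid>\d+)\]:\s+"
    r"(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?P<iface>\S+)\s+@(?P<rule>\S+)\s+"
    r"(?P<action>[bp])\s+"                       # b = blocked, p = passed
    r"(?P<src>[^,\s]+),(?P<sport>\d+)\s+->\s+(?P<dst>[^,\s]+),(?P<dport>\d+)\s+"
    r"PR\s+(?P<proto>\S+)\s+len\s+(?P<hlen>\d+)\s+(?P<plen>\d+)"
    r"(?:\s+-(?P<flags>\S+))?"                   # TCP flags, e.g. -S; absent for UDP
)

# Constructed sample: the post's nine lines (re-joined to one line each)
# followed by three invented lines from 10.9.8.7 that must not be flagged.
SAMPLE_LOG = """\
/var/log/ipflog.14.gz:2:Jan  6 11:42:09 nanakusa ipmon[25233]: 11:42:08.668116 ne0 @0:9 b 24.129.20.10,9706 -> a.b.c.144,2222 PR tcp len 20 44 -S
/var/log/ipflog.14.gz:3:Jan  6 11:42:09 nanakusa ipmon[25233]: 11:42:08.864595 ne0 @0:9 b 24.129.20.10,9707 -> a.b.c.145,2222 PR tcp len 20 44 -S
/var/log/ipflog.14.gz:4:Jan  6 11:42:09 nanakusa ipmon[25233]: 11:42:08.867860 ne0 @0:9 b 24.129.20.10,9708 -> a.b.c.146,2222 PR tcp len 20 44 -S
/var/log/ipflog.14.gz:5:Jan  6 11:42:09 nanakusa ipmon[25233]: 11:42:08.871132 ne0 @0:45 b 24.129.20.10,9709 -> a.b.c.147,2222 PR tcp len 20 44 -S
/var/log/ipflog.14.gz:6:Jan  6 11:42:09 nanakusa ipmon[25233]: 11:42:08.874388 ne0 @0:9 b 24.129.20.10,9710 -> a.b.c.148,2222 PR tcp len 20 44 -S
/var/log/ipflog.14.gz:7:Jan  6 11:42:10 nanakusa ipmon[25233]: 11:42:10.202803 ne0 @0:2 b 24.129.20.10,9718 -> a.b.c.150,2222 PR tcp len 20 44 -S
/var/log/ipflog.14.gz:8:Jan  6 11:42:10 nanakusa ipmon[25233]: 11:42:10.206067 ne0 @0:6 b 24.129.20.10,9798 -> a.b.c.154,2222 PR tcp len 20 44 -S
/var/log/ipflog.14.gz:9:Jan  6 11:42:10 nanakusa ipmon[25233]: 11:42:10.327883 ne0 @0:9 b 24.129.20.10,9886 -> a.b.c.157,2222 PR tcp len 20 44 -S
/var/log/ipflog.14.gz:10:Jan  6 11:42:10 nanakusa ipmon[25233]: 11:42:10.331056 ne0 @0:9 b 24.129.20.10,9888 -> a.b.c.159,2222 PR tcp len 20 44 -S
Jan  6 11:50:01 nanakusa ipmon[25233]: 11:50:01.000123 ne0 @0:9 b 10.9.8.7,40001 -> a.b.c.144,22 PR tcp len 20 44 -S
Jan  6 11:50:02 nanakusa ipmon[25233]: 11:50:02.000456 ne0 @0:3 p 10.9.8.7,40002 -> a.b.c.150,80 PR tcp len 20 44 -S
Jan  6 11:50:03 nanakusa ipmon[25233]: 11:50:03.000789 ne0 @0:9 b 10.9.8.7,40003 -> a.b.c.151,53 PR udp len 20 60
""".splitlines()


def parse_line(line):
    """Parse one ipmon line into a dict, or return None if it does not match."""
    m = IPMON_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    h, mi, s = rec["ts"].split(":")
    rec["seconds"] = int(h) * 3600 + int(mi) * 60 + float(s)  # seconds since midnight
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def detect_sweeps(lines, min_hosts=5, window=10.0):
    """Return one finding per (src, dport) whose TCP SYNs reach at least
    min_hosts distinct destination hosts within any `window`-second span."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != "tcp" or rec["flags"] != "S":
            continue
        hits[(rec["src"], rec["dport"])].append((rec["seconds"], rec["dst"]))

    findings = []
    for (src, dport), events in hits.items():
        events.sort()
        best, start = set(), 0
        for end in range(len(events)):            # sliding time window
            while events[end][0] - events[start][0] > window:
                start += 1
            targets = {dst for _, dst in events[start:end + 1]}
            if len(targets) > len(best):
                best = targets
        if len(best) >= min_hosts:
            findings.append({"src": src, "dport": dport, "hosts": sorted(best),
                             "first": events[0][0], "last": events[-1][0]})
    return findings


if __name__ == "__main__":
    for f in detect_sweeps(SAMPLE_LOG):
        print("sweep: %s -> tcp/%d, %d hosts in %.1fs"
              % (f["src"], f["dport"], len(f["hosts"]), f["last"] - f["first"]))
```

Run against a real ipmon log with `detect_sweeps(open("/var/log/ipflog").readlines())`; blocked and passed packets are both counted, since a sweep that a rule lets through is the one you want to know about. Only SYNs are counted so that retransmissions and RST/ACK noise do not inflate the host count.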

