Security Incidents mailing list archives

Re: Korea (was RE: ?)


From: dbrumley () RTFM STANFORD EDU (David Brumley)
Date: Thu, 27 Jan 2000 12:55:05 -0800


Port 2222 is a root shell left by the amd exploit. They may be trying to
see which exploits succeeded, or just scouring for other hackers' boxes.

-me

On Thu, 27 Jan 2000, horio shoichi wrote:

Fernando Cardoso wrote:

I have LOTS of portscanning (mostly to port 111) from a number of hosts
in Korea. I portscanned them back and found out that at least a couple of
them had port 2222 open. A telnet to that port dropped me in a root shell
without being asked for any password....

Fernando


I had a portscan on 2222. It seems to be a known trojan, but I cannot find the reference as yet.

/var/log/ipflog.14.gz:2:Jan  6 11:42:09 nanakusa ipmon[25233]: 11:42:08.668116 ne0 @0:9 b 24.129.20.10,9706 -> a.b.c.144,2222 PR tcp len 20 44 -S
/var/log/ipflog.14.gz:3:Jan  6 11:42:09 nanakusa ipmon[25233]: 11:42:08.864595 ne0 @0:9 b 24.129.20.10,9707 -> a.b.c.145,2222 PR tcp len 20 44 -S
/var/log/ipflog.14.gz:4:Jan  6 11:42:09 nanakusa ipmon[25233]: 11:42:08.867860 ne0 @0:9 b 24.129.20.10,9708 -> a.b.c.146,2222 PR tcp len 20 44 -S
/var/log/ipflog.14.gz:5:Jan  6 11:42:09 nanakusa ipmon[25233]: 11:42:08.871132 ne0 @0:45 b 24.129.20.10,9709 -> a.b.c.147,2222 PR tcp len 20 44 -S
/var/log/ipflog.14.gz:6:Jan  6 11:42:09 nanakusa ipmon[25233]: 11:42:08.874388 ne0 @0:9 b 24.129.20.10,9710 -> a.b.c.148,2222 PR tcp len 20 44 -S
/var/log/ipflog.14.gz:7:Jan  6 11:42:10 nanakusa ipmon[25233]: 11:42:10.202803 ne0 @0:2 b 24.129.20.10,9718 -> a.b.c.150,2222 PR tcp len 20 44 -S
/var/log/ipflog.14.gz:8:Jan  6 11:42:10 nanakusa ipmon[25233]: 11:42:10.206067 ne0 @0:6 b 24.129.20.10,9798 -> a.b.c.154,2222 PR tcp len 20 44 -S
/var/log/ipflog.14.gz:9:Jan  6 11:42:10 nanakusa ipmon[25233]: 11:42:10.327883 ne0 @0:9 b 24.129.20.10,9886 -> a.b.c.157,2222 PR tcp len 20 44 -S
/var/log/ipflog.14.gz:10:Jan  6 11:42:10 nanakusa ipmon[25233]: 11:42:10.331056 ne0 @0:9 b 24.129.20.10,9888 -> a.b.c.159,2222 PR tcp len 20 44 -S


horio shoichi


--
#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#
David Brumley - Stanford Computer Security - dbrumley () Stanford EDU
Phone: +1-650-723-2445    WWW: http://www.stanford.edu/~dbrumley
Fax:   +1-650-725-9121    PGP: finger dbrumley-pgp () sunset Stanford EDU
#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#
c:\winnt> secure_nt.exe
  Securing NT.  Insert Linux boot disk to continue......
            "I have opinions, my employer does not."
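The ipmon lines quoted in this thread are the signature of a horizontal sweep: one source sending a SYN to tcp/2222 on consecutive hosts of a /24 within about a second, which fits Brumley's reading that someone is hunting for root shells left behind by the amd exploit. The script below is an added example, not code from anyone on the list: it parses IP Filter's syslog-style ipmon records (including the `file:lineno:` prefix that the poster's zgrep -n left on them) and flags any (source, destination port) pair that reaches a threshold of distinct destination hosts inside a time window. The sample input is the nine lines from the post with their masked `a.b.c.N` destinations kept as-is, plus two constructed benign entries (host 10.0.0.7 to tcp/22) so the detector has traffic it should ignore. The 60-second window and 5-host threshold are assumed tuning values, not anything from the thread.

```python
"""Detect a horizontal port sweep in IP Filter (ipmon) log lines.

Hypothetical example written for this thread; not the list members' code.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Nine lines quoted in the post (destinations masked as a.b.c.N there) plus two
# constructed benign SSH entries from 10.0.0.7 that must not be reported.
SAMPLE_LOG = """\
/var/log/ipflog.14.gz:2:Jan  6 11:42:09 nanakusa ipmon[25233]: 11:42:08.668116 ne0 @0:9 b 24.129.20.10,9706 -> a.b.c.144,2222 PR tcp len 20 44 -S
/var/log/ipflog.14.gz:3:Jan  6 11:42:09 nanakusa ipmon[25233]: 11:42:08.864595 ne0 @0:9 b 24.129.20.10,9707 -> a.b.c.145,2222 PR tcp len 20 44 -S
/var/log/ipflog.14.gz:4:Jan  6 11:42:09 nanakusa ipmon[25233]: 11:42:08.867860 ne0 @0:9 b 24.129.20.10,9708 -> a.b.c.146,2222 PR tcp len 20 44 -S
/var/log/ipflog.14.gz:5:Jan  6 11:42:09 nanakusa ipmon[25233]: 11:42:08.871132 ne0 @0:45 b 24.129.20.10,9709 -> a.b.c.147,2222 PR tcp len 20 44 -S
/var/log/ipflog.14.gz:6:Jan  6 11:42:09 nanakusa ipmon[25233]: 11:42:08.874388 ne0 @0:9 b 24.129.20.10,9710 -> a.b.c.148,2222 PR tcp len 20 44 -S
/var/log/ipflog.14.gz:7:Jan  6 11:42:10 nanakusa ipmon[25233]: 11:42:10.202803 ne0 @0:2 b 24.129.20.10,9718 -> a.b.c.150,2222 PR tcp len 20 44 -S
/var/log/ipflog.14.gz:8:Jan  6 11:42:10 nanakusa ipmon[25233]: 11:42:10.206067 ne0 @0:6 b 24.129.20.10,9798 -> a.b.c.154,2222 PR tcp len 20 44 -S
/var/log/ipflog.14.gz:9:Jan  6 11:42:10 nanakusa ipmon[25233]: 11:42:10.327883 ne0 @0:9 b 24.129.20.10,9886 -> a.b.c.157,2222 PR tcp len 20 44 -S
/var/log/ipflog.14.gz:10:Jan  6 11:42:10 nanakusa ipmon[25233]: 11:42:10.331056 ne0 @0:9 b 24.129.20.10,9888 -> a.b.c.159,2222 PR tcp len 20 44 -S
Jan  6 11:50:02 nanakusa ipmon[25233]: 11:50:01.120000 ne0 @0:3 p 10.0.0.7,40111 -> a.b.c.144,22 PR tcp len 20 60 -S
Jan  6 11:50:04 nanakusa ipmon[25233]: 11:50:03.500000 ne0 @0:3 p 10.0.0.7,40112 -> a.b.c.144,22 PR tcp len 20 60 -S
"""

# Optional "path:lineno:" that grep -n / zgrep -n prepends; only stripped when a
# syslog month abbreviation follows, so raw ipmon timestamps are never eaten.
GREP_PREFIX = re.compile(r'^[^\s:]+:\d+:(?=[A-Z][a-z]{2}\s)')

# ipmon via syslog: date host ipmon[pid]: hires-time iface @group:rule action
# src,sport -> dst,dport PR proto len hdrlen pktlen [tcp-flags]
IPMON_RE = re.compile(
    r'^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d\d:\d\d:\d\d)\s+'
    r'(?P<host>\S+)\s+ipmon\[(?P<pid>\d+)\]:\s+'
    r'(?P<hrts>\d\d:\d\d:\d\d\.\d+)\s+(?P<iface>\S+)\s+'
    r'@(?P<group>\d+):(?P<rule>\d+)\s+(?P<action>[A-Za-z])\s+'
    r'(?P<src>\S+),(?P<sport>\d+)\s+->\s+(?P<dst>\S+),(?P<dport>\d+)\s+'
    r'PR\s+(?P<proto>\w+)\s+len\s+(?P<hlen>\d+)\s+(?P<plen>\d+)'
    r'(?:\s+(?P<flags>-[A-Za-z]+))?\s*$'
)


def parse_ipmon(text):
    """Return one dict per parseable ipmon line; unparseable lines are skipped."""
    events = []
    for raw in text.splitlines():
        line = GREP_PREFIX.sub('', raw.strip())
        m = IPMON_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        # Syslog lines carry no year; only relative order matters here, so the
        # default year strptime picks is good enough.
        d['ts'] = datetime.strptime(f"{d['mon']} {d['day']} {d['time']}",
                                    "%b %d %H:%M:%S")
        d['sport'], d['dport'] = int(d['sport']), int(d['dport'])
        d['blocked'] = d['action'] == 'b'   # ipmon: b = blocked, p = passed
        events.append(d)
    return events


def find_sweeps(events, window=timedelta(seconds=60), min_hosts=5):
    """Report (src, dport) pairs that hit >= min_hosts distinct hosts within window.

    One source probing the same port across many hosts is a horizontal sweep,
    which is exactly the pattern of the blocked SYNs to tcp/2222 in the post.
    """
    by_key = defaultdict(list)
    for e in events:
        by_key[(e['src'], e['dport'])].append((e['ts'], e['dst']))
    sweeps = []
    for (src, dport), hits in by_key.items():
        hits.sort()
        best = set()
        for i, (t0, _) in enumerate(hits):
            # Distinct destinations reachable from this hit within the window.
            seen = {dst for t, dst in hits[i:] if t - t0 <= window}
            if len(seen) > len(best):
                best = seen
        if len(best) >= min_hosts:
            sweeps.append({'src': src, 'dport': dport, 'hosts': sorted(best),
                           'first': hits[0][0], 'last': hits[-1][0]})
    return sweeps


if __name__ == '__main__':
    for s in find_sweeps(parse_ipmon(SAMPLE_LOG)):
        print(f"sweep: {s['src']} -> tcp/{s['dport']} on {len(s['hosts'])} hosts "
              f"between {s['first']:%H:%M:%S} and {s['last']:%H:%M:%S}")
```

Run against a real ipmon log, the same grouping works on `action` too: a sweep that is mostly `b` with a few `p` entries tells you which hosts the rule set let through, which is where to look for an open 2222 first. Tune `min_hosts` to the size of the scanned range; on a sparsely populated /24, nine distinct targets in two seconds is already unambiguous.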
