Security Incidents mailing list archives
Re: Port 555 scan
From: Rod Longanilla <SecTraqs () nm2 com>
Date: Fri, 9 Feb 2001 15:27:55 -0800
Hi all,

[original email sections snipped to shorten reply length]

Looks like that server was noodled by the Ramen trojan. Here's a detailed analysis of the trojan:
http://whitehats.com/print/library/worms/ramen/index.html

The scan for Port 555 is new to me. I haven't seen that variant of the trojan unless the owner of this server is testing things out on a live wire, or the box was rooted more than once. Usually I see a series of scans to ports 21 and 111. Scanning the box back usually reveals it's a Linux system that's been Noodled. Fingering the server and using the login/login-as-passwd entry was interesting. It's obvious someone inexperienced put up a default-installed Linux server; or a really bad (too easy?) honeypot.

Looking at my logs, we've been getting a ton of scans and specific port probes from Korean, Chinese, and Japanese ISPs lately. I read of "seasonal script kiddies" where during the winter months in some geographical locations there is an increase in scans, exploit attempts, etc. from these areas. Not sure if that applies to these countries.

In any case, if you have any Linux systems running on your network, you might want to check them out just in case. If you can telnet to port 27374 or 39168 (the Ramen trojan uses these ports to listen and propagate itself) on any of your Linux servers, you might want to investigate further.

Just MHO,
-Rod

-----Original Message-----
From: Incidents Mailing List [mailto:INCIDENTS () SECURITYFOCUS COM] On Behalf Of me () SOMEWHERE NET
Sent: Friday, February 09, 2001 12:01 PM
To: INCIDENTS () SECURITYFOCUS COM
Subject: Port 555 scan

Just got swept by a scan for port 555.

Feb 9 06:04:24 XXX kernel: Packet log: input REJECT eth0 PROTO=6 211.193.34.30:4247 my.host.net:555 L=60 S=0x00 I=48749 F=0x4000 T=48 SYN (#25)
...[snip scan]....

If you go to the http server running, you see this:

RameN Crew Hackers looooooooooooooooove noodles.

Telnet'd and FTP'd straight into the box with the username I got from their finger and used it as passwd as well. Look at the ps -aux; seems they are synscanning everyone.

..[snip partial ps output]...
root 2159 0.0 0.0 1676 0 ? SWN Feb 3 0:00 (scan.sh)
root 2161 0.0 0.0 1676 0 ? SWN Feb 3 0:00 (hackl.sh)
root 2162 0.0 0.0 1676 0 ? SWN Feb 3 0:00 (hackw.sh)
root 2171 0.0 0.0 2472 48 ? S N Feb 3 0:28 tail -f .l
root 2172 0.0 0.0 1684 0 ? SWN Feb 3 0:00 (hackl.sh)
root 2173 0.0 0.0 2472 0 ? SWN Feb 3 0:20 (tail)
root 2174 0.0 0.0 1684 0 ? SWN Feb 3 0:00 (hackw.sh)
root 2178 0.9 0.0 1404 60 ? R N Feb 3 82:11 ./synscan 33.65 .heh eth0 t1 21
root 12260 29.8 0.0 1112 188 ? R Feb 8 560:39 ./luckscan-a 163 555
root 31895 29.3 0.0 1112 188 ? R Feb 8 576:29 ./luckscan-a 63 555
root 32165 0.0 0.0 1676 0 ? SWN Feb 8 0:00 (wh.sh)
root 32166 22.8 0.0 1108 36 ? R N Feb 8 434:55 ./w -t 163.23.138.136 -s0
..[snip of libs/lsof output]...

I know Korean ISPs are not too good at responding to such things, so what should be done about this? This box is so full of holes and poses a danger to everyone.
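Added example, not part of the thread: a small Python parser for the ipchains "Packet log" format shown in the posted log line. It groups TCP SYNs by source and reports sources that hit one of the ports the thread associates with Ramen (21, 111, 555, 27374, 39168) on several different hosts, which is what a sweep looks like from the defender's side. Every log line except the first, the host names and the threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Ports the thread ties to Ramen activity: 21/111 (spread vectors),
# 27374/39168 (listeners) and 555 (the sweep reported here).
WATCH_PORTS = {21, 111, 555, 27374, 39168}

# ipchains kernel log: "Packet log: <chain> <action> <iface> PROTO=<n> src:sport dst:dport <flags...>"
IPCHAINS_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>\S+):(?P<dport>\d+) (?P<rest>.*)$"
)

def parse_ipchains(line):
    """Return the interesting fields of one ipchains 'Packet log' line, or None if it is not one."""
    m = IPCHAINS_RE.search(line)
    if not m:
        return None
    f = m.groupdict()
    return {
        "chain": f["chain"], "action": f["action"], "iface": f["iface"],
        "proto": int(f["proto"]), "src": f["src"], "sport": int(f["sport"]),
        "dst": f["dst"], "dport": int(f["dport"]),
        "syn": "SYN" in f["rest"].split(),   # the trailing TCP flag token, if any
    }

def summarize_sweeps(lines, min_hosts=3):
    """Return (src, dport, host_count) for sources whose TCP SYNs reached a watched port on >= min_hosts hosts."""
    per_src = defaultdict(lambda: defaultdict(set))
    for line in lines:
        rec = parse_ipchains(line)
        if rec is None or rec["proto"] != 6 or not rec["syn"]:
            continue   # not TCP, or not a connection attempt
        per_src[rec["src"]][rec["dport"]].add(rec["dst"])
    return sorted((src, port, len(hosts))
                  for src, ports in per_src.items()
                  for port, hosts in ports.items()
                  if port in WATCH_PORTS and len(hosts) >= min_hosts)

# Constructed sample: the first line is the one posted in the thread, the rest are invented.
SAMPLE_LOG = [
    "Feb 9 06:04:24 XXX kernel: Packet log: input REJECT eth0 PROTO=6 211.193.34.30:4247 my.host.net:555 L=60 S=0x00 I=48749 F=0x4000 T=48 SYN (#25)",
    "Feb 9 06:04:24 XXX kernel: Packet log: input REJECT eth0 PROTO=6 211.193.34.30:4248 host2.example.net:555 L=60 S=0x00 I=48750 F=0x4000 T=48 SYN (#25)",
    "Feb 9 06:04:25 XXX kernel: Packet log: input REJECT eth0 PROTO=6 211.193.34.30:4249 host3.example.net:555 L=60 S=0x00 I=48751 F=0x4000 T=48 SYN (#25)",
    "Feb 9 06:05:01 XXX kernel: Packet log: input REJECT eth0 PROTO=6 198.51.100.7:40000 my.host.net:27374 L=60 S=0x00 I=100 F=0x4000 T=48 SYN (#25)",
    "Feb 9 06:05:02 XXX kernel: Packet log: input ACCEPT eth0 PROTO=17 198.51.100.7:53 my.host.net:53 L=76 S=0x00 I=101 F=0x0000 T=48 (#3)",
]

if __name__ == "__main__":
    for src, port, n in summarize_sweeps(SAMPLE_LOG):
        print(f"{src} swept port {port} on {n} hosts")
```

The single SYN to 27374 stays below the threshold, so a lone probe of a listener port is not reported as a sweep; lower `min_hosts` if you want every watched-port hit listed.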