Security Incidents mailing list archives

Re: Port 555 scan


From: Rod Longanilla <SecTraqs () nm2 com>
Date: Fri, 9 Feb 2001 15:27:55 -0800

Hi all,

[original email sections snipped to shorten reply length]

Looks like that server was noodled by the Ramen trojan.  Here's a detailed
analysis of the trojan:
http://whitehats.com/print/library/worms/ramen/index.html

The scan for Port 555 is new to me.  I haven't seen that variant of the
trojan unless the owner of this server is testing things out on a live wire,
or the box was rooted more than once.

Usually I see a series of scans to ports 21 and 111.  Scanning the box back
usually reveals it's a Linux system that's been Noodled.

Fingering the server and using the login/login-as-passwd entry was
interesting.  It's obvious someone inexperienced put up a default installed
linux server; or a really bad (too easy?) honeypot.

Looking at my logs, we've been getting a ton of scans and specific port
probes from Korean, Chinese, and Japanese ISPs lately.  I read of "seasonal
script kiddies" where during the winter months in some geographical
locations there is an increase of scans, exploit attempts, etc. from these
areas.  Not sure if that applies to these countries.

In any case, if you have any Linux systems running on your network, you might
want to check them out just in case. If you can telnet to port 27374 or
39168 (the Ramen trojan uses these ports to listen and propagate itself) on any
of your Linux servers, you might want to investigate further.

Just MHO,
 -Rod
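
Added example, not part of Rod's reply or the original post: a small Python triage script that parses kernel "Packet log:" lines in the ipchains format quoted in the original message, groups SYN probes by source address and destination port, and flags sources that hit the ports this thread associates with Ramen (21, 111 and 555 as scan targets; 27374 and 39168 as the trojan's listeners). It also includes the plain TCP connect check the reply suggests for your own Linux hosts. The function names, the port sets and the sample log lines are mine; the log lines are constructed (the first one copies the format of the line quoted below).

```python
"""Triage helper for ipchains-style kernel "Packet log:" lines.

Added example, not from the original thread.  The log format is assumed from the
line quoted in the original message; the sample lines below are constructed.
"""
import re
import socket
from collections import defaultdict

# Ports named in the thread: ports the worm scans for, and the ports its own
# listener uses.  These sets are taken from the reply, not from any other source.
RAMEN_SCAN_PORTS = {21, 111, 555}
RAMEN_LISTEN_PORTS = {27374, 39168}

# ipchains format (assumed from the quoted line):
#   "... Packet log: <chain> <action> <iface> PROTO=<n> src:sport dst:dport ..."
PACKET_LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>\S+):(?P<sport>\d+) "
    r"(?P<dst>\S+):(?P<dport>\d+)"
)


def parse_packet_log(line):
    """Return the fields of one Packet log line as a dict, or None if it is not one."""
    m = PACKET_LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport"):
        rec[key] = int(rec[key])
    # ipchains appends "SYN" to initial TCP connection attempts; those are the probes.
    rec["syn"] = " SYN" in line
    return rec


def probes_by_source(lines):
    """Map each source address to the set of destination ports it sent SYNs to."""
    seen = defaultdict(set)
    for line in lines:
        rec = parse_packet_log(line)
        if rec and rec["syn"]:
            seen[rec["src"]].add(rec["dport"])
    return dict(seen)


def ramen_suspects(lines):
    """Sources that probed any Ramen-associated port, with the sorted list of ports hit."""
    watch = RAMEN_SCAN_PORTS | RAMEN_LISTEN_PORTS
    return {src: sorted(ports & watch)
            for src, ports in probes_by_source(lines).items() if ports & watch}


def port_is_open(host, port, timeout=2.0):
    """TCP connect check for one port; the reply suggests trying 27374 and 39168
    on your own Linux hosts.  Returns True if the connection is accepted."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


# Constructed sample log lines.  The first copies the format of the quoted line;
# 198.51.100.x are documentation addresses used as filler.
SAMPLE_LOG = [
    "Feb  9 06:04:24 XXX kernel: Packet log: input REJECT eth0 PROTO=6 "
    "211.193.34.30:4247 my.host.net:555 L=60 S=0x00 I=48749 F=0x4000 T=48 SYN (#25)",
    "Feb  9 06:04:25 XXX kernel: Packet log: input REJECT eth0 PROTO=6 "
    "211.193.34.30:4248 my.host.net:21 L=60 S=0x00 I=48750 F=0x4000 T=48 SYN (#25)",
    "Feb  9 06:05:10 XXX kernel: Packet log: input REJECT eth0 PROTO=6 "
    "198.51.100.7:1025 my.host.net:80 L=60 S=0x00 I=1 F=0x4000 T=64 SYN (#25)",
    "Feb  9 06:05:11 XXX kernel: Packet log: input REJECT eth0 PROTO=17 "
    "198.51.100.9:53 my.host.net:53 L=60 S=0x00 I=2 F=0x4000 T=64 (#26)",
    "Feb  9 06:06:00 XXX kernel: some unrelated message",
]

if __name__ == "__main__":
    for src, ports in sorted(ramen_suspects(SAMPLE_LOG).items()):
        print(f"{src} probed Ramen-associated ports {ports}")
    for p in sorted(RAMEN_LISTEN_PORTS):
        print(f"localhost:{p} open: {port_is_open('127.0.0.1', p)}")
```

Feed it the real `Packet log:` lines from `/var/log/messages` instead of `SAMPLE_LOG`; a source that appears with ports 21, 111 and 555 together is the pattern the reply describes, and an open 27374 or 39168 on one of your own hosts is the sign to investigate that machine.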



-----Original Message-----
From: Incidents Mailing List [mailto:INCIDENTS () SECURITYFOCUS COM]On
Behalf Of me () SOMEWHERE NET
Sent: Friday, February 09, 2001 12:01 PM
To: INCIDENTS () SECURITYFOCUS COM
Subject: Port 555 scan


Just got swept by a scan for port 555.

Feb  9 06:04:24 XXX kernel: Packet log: input REJECT eth0 PROTO=6 211.193.34.30:4247 my.host.net:555 L=60 S=0x00 I=48749 F=0x4000 T=48 SYN (#25)

...[snip scan]....

If you go to the http server running, you see this
                                              RameN Crew
                                  Hackers looooooooooooooooove noodles.™

Telnet'd and Ftp'd straight into the box with the username I got from
their finger and used it as passwd as well.
Looking at the ps -aux, it seems they are sysscanning everyone.

..[snip partial ps output]...

root      2159  0.0  0.0  1676     0  ?  SWNFeb  3   0:00 (scan.sh)
root      2161  0.0  0.0  1676     0  ?  SWNFeb  3   0:00 (hackl.sh)
root      2162  0.0  0.0  1676     0  ?  SWNFeb  3   0:00 (hackw.sh)
root      2171  0.0  0.0  2472    48  ?  S NFeb  3   0:28 tail -f .l
root      2172  0.0  0.0  1684     0  ?  SWNFeb  3   0:00 (hackl.sh)
root      2173  0.0  0.0  2472     0  ?  SWNFeb  3   0:20 (tail)
root      2174  0.0  0.0  1684     0  ?  SWNFeb  3   0:00 (hackw.sh)
root      2178  0.9  0.0  1404    60  ?  R NFeb  3  82:11 ./synscan 33.65 .heh eth0 t1 21
root     12260 29.8  0.0  1112   188  ?  R  Feb  8 560:39 ./luckscan-a 163 555
root     31895 29.3  0.0  1112   188  ?  R  Feb  8 576:29 ./luckscan-a 63 555
root     32165  0.0  0.0  1676     0  ?  SWNFeb  8   0:00 (wh.sh)
root     32166 22.8  0.0  1108    36  ?  R NFeb  8 434:55 ./w -t 163.23.138.136 -s0

..[snip of libs/lsof output]...

I know Korean ISPs are not too good at responding to such things, so
what should be done about this?
This box is so full of holes and poses a danger to everyone.

