Security Incidents mailing list archives
Re: A rise
From: Leon Rosenstein <l_rosenstein () MONTELSHOW COM>
Date: Mon, 19 Feb 2001 14:36:18 -0500
I have noticed a huge increase in scans at home (I have a dsl connection in the 216 class A). I always due what Ryan said (check both the Ramen port and 5555) but lately I have begun checking 80 also. In almost EVERY case I find the original page on port 80 defaced (I don't know if the owner {legitimate one I mean *smile*} has done with or if the person who owned the box {illegitimate} did it. It has never been the Ramen noodles hack though (as far as Hackers love ramen noodles or whatever it says). Just though I would add my 2 cents. Leon I read on Friday that Ramen had been modified by adding the knark rootkit, BIND exploit, and rpc exploit to the initial code. This might explain the newfound interest in RPC scanning. Jeff Office of Naval Intelligence Computer Network Ops
From: Ryan Russell <ryan () securityfocus com> Reply-To: Ryan Russell <ryan () securityfocus com> Date: Sat, 17 Feb 2001 19:31:49 -0700 To: INCIDENTS () securityfocus com Subject: Re: A rise Yes, a big jump. Redhat 6.0, 6.2 or 7.0 in every case. So far, I haven't found one that is listening on the Ramen port or 5555 as recetly reported. Lots of different source IPs. Ryan On Sat, 17 Feb 2001, John wrote:In the last week I have had a sudden but, big rise in the number of RPC scans. Has anyone else had a grow in the number of RPC scans also in the last
week?
Current thread:
- A rise John (Feb 17)
- Re: A rise Jon Lewis (Feb 17)
- Re: A rise Ryan Russell (Feb 17)
- Re: A rise Jeff Stutzman (Feb 18)
- Re: A rise Ryan Russell (Feb 19)
- Re: A rise Ryan Russell (Feb 19)
- Re: A rise Glenn Forbes Fleming Larratt (Feb 19)
- Re: A rise Jeff Stutzman (Feb 18)
- <Possible follow-ups>
- Re: A rise Leon Rosenstein (Feb 19)