Security Incidents mailing list archives

Re: A rise


From: Leon Rosenstein <l_rosenstein () MONTELSHOW COM>
Date: Mon, 19 Feb 2001 14:36:18 -0500

I have noticed a huge increase in scans at home (I have a DSL connection in
the 216 class A).  I always do what Ryan said (check both the Ramen port
and 5555) but lately I have begun checking 80 also.  In almost EVERY case I
find the original page on port 80 defaced (I don't know if the owner
{legitimate one I mean *smile*} has done it or if the person who owned the
box {illegitimate} did it).  It has never been the Ramen noodles hack though
(as far as Hackers love ramen noodles or whatever it says).

Just thought I would add my 2 cents.

Leon

I read on Friday that Ramen had been modified by adding the knark rootkit,
BIND exploit, and rpc exploit to the initial code. This might explain the
newfound interest in RPC scanning.

Jeff
Office of Naval Intelligence
Computer Network Ops

From: Ryan Russell <ryan () securityfocus com>
Reply-To: Ryan Russell <ryan () securityfocus com>
Date: Sat, 17 Feb 2001 19:31:49 -0700
To: INCIDENTS () securityfocus com
Subject: Re: A rise

Yes, a big jump.  Redhat 6.0, 6.2 or 7.0 in every case.  So far, I haven't
found one that is listening on the Ramen port or 5555 as recently reported.
Lots of different source IPs.

Ryan

On Sat, 17 Feb 2001, John wrote:

In the last week I have had a sudden but big rise in the number of RPC
scans.
Has anyone else had a growth in the number of RPC scans also in the last
week?



