Security Incidents mailing list archives
Re: A rise
From: Ryan Russell <ryan () SECURITYFOCUS COM>
Date: Mon, 19 Feb 2001 21:35:38 -0700
A couple more data points for people watching for worms:

I had my first non-Red Hat dns/rpc/ftp prober yesterday. A Cobalt Linux box. Anyone correlated which BIND/lprng/wuftp/rpc.statd those boxes have in common?

One of the boxes that probed me recently was running an SSHd on port 6667. (It reported SSH-1.5-1.2.27.) It seemed to want a password, it wasn't giving up a shell without one. It was Red Hat 6.2. Not running portmapper or lpr. uftpd 2.6.0(1) running, but anonymous didn't work.

Looks very much like Ramen moved in with a rootkit. Different port number on the sshd though, which I thought was strange. A previous poster saw similar with the sshd running on 5555. Possibly the rootkit just picks a port from a set, and you're supposed to portscan to figure out which one when you want in later?

Ryan
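An added example, not part of the original post: the observation above (a service on port 6667 announcing `SSH-1.5-1.2.27`) translates into an inventory check that flags any listener on your own hosts whose banner identifies as SSH on a port where you do not run sshd. The function names, the expected-port set and the sample observations are assumptions constructed for illustration.

```python
import re

# SSH identification line: "SSH-<protoversion>-<softwareversion>[ comments]"
SSH_ID = re.compile(rb"^SSH-(\d+\.\d+)-([^\s]+)")

def parse_ssh_banner(banner: bytes):
    """Return (protoversion, softwareversion), or None if not an SSH banner."""
    m = SSH_ID.match(banner)
    if not m:
        return None
    return m.group(1).decode("ascii"), m.group(2).decode("ascii", "replace")

def audit_listeners(observations, expected_ssh_ports=frozenset({22})):
    """Flag SSH banners seen on unexpected ports or speaking SSH-1 only.

    observations: iterable of (host, port, banner_bytes) gathered from an
    inventory of hosts you administer.
    """
    findings = []
    for host, port, banner in observations:
        parsed = parse_ssh_banner(banner)
        if parsed is None:
            continue  # not SSH (e.g. a real IRC or FTP greeting)
        proto, software = parsed
        reasons = []
        if port not in expected_ssh_ports:
            reasons.append("ssh on unexpected port")
        # 1.99 means the server also speaks SSH-2; other 1.x is SSH-1 only
        if proto.startswith("1.") and proto != "1.99":
            reasons.append("ssh-1 only server")
        if reasons:
            findings.append({"host": host, "port": port, "proto": proto,
                             "software": software, "reasons": reasons})
    return findings

# Constructed sample observations (documentation addresses, not real hosts).
SAMPLE = [
    ("192.0.2.10", 22, b"SSH-2.0-OpenSSH_8.9\r\n"),
    ("192.0.2.10", 6667, b"SSH-1.5-1.2.27\n"),
    ("192.0.2.11", 5555, b"SSH-1.5-1.2.27\n"),
    ("192.0.2.12", 6667, b":irc.example.net NOTICE AUTH :*** Looking up\r\n"),
    ("192.0.2.13", 21, b"220 ftp.example.net FTP server ready.\r\n"),
]

if __name__ == "__main__":
    for f in audit_listeners(SAMPLE):
        print(f["host"], f["port"], f["proto"], f["software"], f["reasons"])
```
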
Current thread:
- A rise John (Feb 17)
- Re: A rise Jon Lewis (Feb 17)
- Re: A rise Ryan Russell (Feb 17)
- Re: A rise Jeff Stutzman (Feb 18)
- Re: A rise Ryan Russell (Feb 19)
- Re: A rise Ryan Russell (Feb 19)
- Re: A rise Glenn Forbes Fleming Larratt (Feb 19)
- Re: A rise Jeff Stutzman (Feb 18)
- <Possible follow-ups>
- Re: A rise Leon Rosenstein (Feb 19)