Security Incidents mailing list archives

Re: A rise


From: Ryan Russell <ryan () SECURITYFOCUS COM>
Date: Mon, 19 Feb 2001 21:35:38 -0700

A couple more data points for people watching for worms:

I had my first non-Red Hat dns/rpc/ftp prober yesterday.  A Cobalt Linux
box.  Anyone correlated which BIND/lprng/wuftp/rpc.statd those boxes have
in common?

One of the boxes that probed me recently was running a SSHd on port 6667.
(it reported SSH-1.5-1.2.27).  It seemed to want a password, it wasn't
giving up a shell without one.  It was Red Hat 6.2.  Not running
portmapper or lpr.  uftpd 2.6.0(1) running, but anonymous didn't work.
Looks very much like Ramen moved in with a rootkit.  Different port number
on the sshd though, which I thought was strange.  A previous poster saw
similar with the sshd running on 5555.  Possibly the rootkit just picks a
port from a set, and you're supposed to portscan to figure out which one
when you want in later?

                                        Ryan
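The indicator described above (an SSH daemon answering on 6667 or 5555 instead of 22, with a protocol 1.x identification string) is easy to check for across one's own hosts once a port scan has collected banners. The following is an added example, not code from the original post: it parses SSH identification strings (`SSH-protoversion-softwareversion`) and flags any that appear on a port other than the expected one. The hosts, ports and banners in `SAMPLE_OBSERVATIONS` are constructed for the example; only the `SSH-1.5-1.2.27` string and the port numbers come from the thread.

```python
"""Flag SSH banners observed on unexpected ports (added example, not from the post)."""
import re
from typing import Optional

# SSH identification string: SSH-<protoversion>-<softwareversion>[ comments]
BANNER_RE = re.compile(r"^SSH-(?P<proto>\d+\.\d+)-(?P<software>\S+)")

# Ports where an sshd is expected on the monitored hosts (assumption: only 22).
EXPECTED_SSH_PORTS = {22}


def parse_ssh_banner(banner: str) -> Optional[dict]:
    """Return {'proto': ..., 'software': ...} for an SSH banner, else None."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return None
    return {"proto": m.group("proto"), "software": m.group("software")}


def find_rogue_sshd(observations, expected_ports=EXPECTED_SSH_PORTS):
    """Return one finding per SSH banner seen on a port not in expected_ports.

    observations: iterable of (host, port, banner) tuples as a banner-grabbing
    scan of one's own network would produce.
    """
    findings = []
    for host, port, banner in observations:
        parsed = parse_ssh_banner(banner)
        if parsed is None or port in expected_ports:
            continue
        note = "sshd on non-standard port"
        if parsed["proto"].startswith("1."):
            # Protocol 1.x identification, as in the banner quoted in the post.
            note += "; protocol 1.x"
        findings.append({"host": host, "port": port, **parsed, "note": note})
    return findings


# Constructed sample data (documentation addresses, not real hosts).
SAMPLE_OBSERVATIONS = [
    ("192.0.2.10", 22, "SSH-1.99-OpenSSH_2.3.0p1"),
    ("192.0.2.10", 21, "220 host FTP server (Version wu-2.6.0(1)) ready."),
    ("192.0.2.11", 6667, "SSH-1.5-1.2.27"),
    ("192.0.2.12", 5555, "SSH-1.5-1.2.27"),
    ("192.0.2.12", 6667, ":irc.example NOTICE AUTH :*** Looking up your hostname"),
]

if __name__ == "__main__":
    for f in find_rogue_sshd(SAMPLE_OBSERVATIONS):
        print(f"{f['host']}:{f['port']} SSH-{f['proto']} {f['software']} - {f['note']}")
```

Run against the sample data it reports the two hosts with an sshd on 6667 and 5555 and ignores the FTP and IRC banners, which shows why a banner check is needed rather than matching on port numbers alone: port 6667 legitimately carries IRC on one host and an SSH daemon on another.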
