Security Incidents mailing list archives

Re: Crazy port 111 scans


From: hostmaster <gwenf () P2 NET>
Date: Tue, 6 Feb 2001 12:51:22 -0600

What we've found so far:

a "..." directory somewhere on the system containing sscan.tgz and a directory
scan/ with luckscanx, luckstatx, x.
Seems to grab scan.log, read a class-A address, delete scan.log and proceed
to scan the entire class-A on port 111, while some incoming things happen
on port 21 and one (non-existent) host will stay in wait state on local port
110.

Sometimes the ... directory is hidden and sometimes not. Seems like more
than one point of origin, although since Jan 25 I've had the following IP
(or 216.90.222.219) in the following state (continually reconnecting and
going into wait):

tcp        0      0 my.network.com:110        216.90.222.220:3504     TIME_WAIT   -

and, I have a load of named failures from the same IP with bad referral
(again either .219 or .220).

daemon:Jan 25 17:40:44 xxx named[8863]: bad referral (222.90.216.in-addr.arpa !< 219.222.90.216.IN-ADDR.ARPA)

Seems to kick off about the same time every night (around 8-8:30 CST),
including re-installation of the rootkit. Don't know the name of the
rootkit. This particular luckscanx attack is signed luciffer () luciffer org
and rht.com (Romanian Hacking Team). It replaces ps, top, named, netstat,
etc. ... all the goodies. Runs in the background.

At the same time I get a lot of anon ftp requests (failed) from one cable
modem or another (or DSL).

I'm still looking for the entry point - any help anyone can offer will be
gladly appreciated.

Jay
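Editor's note, not part of Jay's message: when a rootkit has replaced netstat (and ps, top, named), the netstat output above cannot be trusted, because a trojaned netstat typically hides the attacker's own sockets. The kernel's /proc/net/tcp table is a separate source the rootkit's userland binaries do not filter, so the check a responder wants is to parse that file directly and look for the pattern Jay describes: one remote host repeatedly connecting to local port 110 and leaving sockets in TIME_WAIT. The script below is an added example written for this page, not code from the thread or from any tool named in it. It assumes a little-endian (x86) host, since the kernel writes IPv4 addresses in /proc/net/tcp in host byte order, and the embedded table is constructed sample data (local address 10.0.0.5 and the two 216.90.222.x peers from the report) so that it runs offline.

```python
"""Parse /proc/net/tcp directly, bypassing a possibly trojaned netstat."""
import os
import socket
import struct

# Kernel TCP state codes as they appear in the 'st' column of /proc/net/tcp.
TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
    "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
    "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING",
}

# Constructed sample table (not captured from the reporter's host): a listener
# on 110, three TIME_WAIT leftovers from 216.90.222.220, one from .219, and an
# unrelated established ssh session. Local host is assumed to be 10.0.0.5.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:006E 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1041 1 00000000
   1: 0500000A:006E DCDE5AD8:0DB0 06 00000000:00000000 03:00001234 00000000     0        0 0 3 00000000
   2: 0500000A:006E DCDE5AD8:0DB1 06 00000000:00000000 03:00001240 00000000     0        0 0 3 00000000
   3: 0500000A:006E DCDE5AD8:0DB2 06 00000000:00000000 03:00001250 00000000     0        0 0 3 00000000
   4: 0500000A:006E DBDE5AD8:0DB3 06 00000000:00000000 03:00001260 00000000     0        0 0 3 00000000
   5: 0500000A:0016 6400000A:C001 01 00000000:00000000 00:00000000 00000000     0        0 2200 1 00000000
"""


def decode_addr(hexaddr):
    """Decode 'DCDE5AD8:0DB0' -> ('216.90.222.220', 3504).

    The kernel prints the IPv4 address as a 32-bit value in host byte order;
    on a little-endian machine (assumed here) that means the octets are
    reversed in the hex string. The port is plain big-endian hex.
    """
    ip_hex, port_hex = hexaddr.split(":")
    ip = socket.inet_ntoa(struct.pack("<L", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Return a list of dicts with local/remote (ip, port) tuples and state name."""
    conns = []
    for line in text.splitlines()[1:]:  # skip the column header
        fields = line.split()
        if len(fields) < 4:
            continue
        local = decode_addr(fields[1])
        remote = decode_addr(fields[2])
        conns.append({"local": local, "remote": remote,
                      "state": TCP_STATES.get(fields[3], fields[3])})
    return conns


def suspicious_peers(conns, local_port=110, state="TIME_WAIT", threshold=3):
    """Remote IPs with at least `threshold` sockets to `local_port` in `state`.

    This is the 'continually reconnecting and going into wait' pattern from
    the report: one peer leaving a pile of TIME_WAIT entries on the POP3 port.
    """
    counts = {}
    for c in conns:
        if c["local"][1] == local_port and c["state"] == state:
            rip = c["remote"][0]
            counts[rip] = counts.get(rip, 0) + 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


def load_table(path="/proc/net/tcp"):
    """Read the live kernel table when available, else fall back to the sample."""
    if os.path.exists(path):
        with open(path) as f:
            return f.read()
    return SAMPLE_PROC_NET_TCP


if __name__ == "__main__":
    table = parse_proc_net_tcp(load_table())
    for c in table:
        print("%-21s %-21s %s" % ("%s:%d" % c["local"], "%s:%d" % c["remote"], c["state"]))
    print("repeat connectors to :110 in TIME_WAIT:", suspicious_peers(table))
```

Run it as root on the compromised box and compare the result with what the installed netstat prints; any socket present in /proc/net/tcp but missing from netstat output is direct evidence that netstat has been replaced. The same idea applies to ps: list /proc/[0-9]* yourself instead of trusting the binary.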

----- Original Message -----
From: "Lic. Rodolfo Gonzalez Gonzalez" <rgg () SOLARIUM CS BUAP MX>
To: <INCIDENTS () SECURITYFOCUS COM>
Sent: Tuesday, February 06, 2001 12:34 AM
Subject: Re: Crazy port 111 scans


On Mon, 5 Feb 2001, Reeves, Mike wrote:

I have had more 111 scans this past 5 days than in the last 2 months. Is
there some new RPC exploit or something?
Anyone else seeing these hosts?

It could be Ramen, couldn't it? I've seen tons of scans to 111 and 515
and 21 :o

Regards.

