Security Incidents mailing list archives
Re: Crazy port 111 scans
From: hostmaster <gwenf () P2 NET>
Date: Tue, 6 Feb 2001 12:51:22 -0600
What we've found so far: a "..." directory somewhere on the system containing sscan.tgz, a directory scan/luckscanx, luckstatx, x. Seems to grab scan.log, read a class-A address, delete scan.log and proceed to scan the entire class-A on port 111, while some incoming things happen on port 21 and one (non-existent) host will stay in wait state on local port 110. Sometimes the ... directory is hidden and sometimes not.

Seems like more than one point of origin, although, since Jan 25, I've had the following: ip (or 216.90.222.219) in the following state (continually reconnecting and going into wait):

tcp 0 0 my.network.com:110 216.90.222.220:3504 TIME_WAIT -

and I have a load of named failures from the same IP with bad referral (again either .219 or .220):

daemon:Jan 25 17:40:44 xxx named[8863]: bad referral (222.90.216.in-addr.arpa !< 219.222.90.216.IN-ADDR.ARPA)

Seems to kick off about the same time every night (around 8-8:30 CST), including re-installation of the rootkit. Don't know the name of the rootkit. This particular luckscanx attack is signed luciffer () luciffer org and rht.com (Romanian Hacking Team). It replaces ps, top, named, netstat, etc. ... all the goodies. Runs in background.

At the same time I get a lot of anon ftp requests (failed) from one cable modem or another (or dsl). I'm still looking for the entry point; any help anyone can offer will be gladly appreciated.

Jay

----- Original Message -----
From: "Lic. Rodolfo Gonzalez Gonzalez" <rgg () SOLARIUM CS BUAP MX>
To: <INCIDENTS () SECURITYFOCUS COM>
Sent: Tuesday, February 06, 2001 12:34 AM
Subject: Re: Crazy port 111 scans
On Mon, 5 Feb 2001, Reeves, Mike wrote:

> I have had more 111 scans this past 5 days than in the last 2 months. Is there some new RPC exploit or something? Anyone else seeing these hosts?

It could be Ramen, couldn't it? I've seen tons of scans to 111 and 515 and 21 :o

Regards.
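Jay's message above gives two host-side indicators that can be checked without trusting the (possibly trojaned) ps/netstat on the box: a directory literally named "..." somewhere on the filesystem, and system binaries whose contents no longer match a known-good baseline. The script below is an added example, not code from the original post or from the rootkit described; it constructs a throwaway directory tree that mimics the post's description (a bin/ with recorded hashes, then a swapped netstat and a /tmp/.../scan directory holding luckscanx, luckstatx and x), and runs both checks over it. The tree, the "genuine" and "trojaned" file contents, and the baseline are all constructed here; on a real host the baseline hashes would come from install media or a package manager, and the checks should be run with a statically linked toolset from read-only media, since the post says the rootkit replaces the very tools you would otherwise use.

```python
"""Added example (not from the original post): a small host-integrity sweep for
the two indicators Jay describes, a hidden "..." directory and replaced system
binaries.  Sample tree and baseline are constructed inline."""
import hashlib
import os
import tempfile

# Only "..." is attested in the post; it is easy to overlook in an `ls -a`
# listing next to "." and "..".
SUSPECT_DIR_NAMES = {"..."}

# Binaries the post says the rootkit replaces.
WATCHED_BINARIES = ("ps", "top", "netstat", "named")


def find_suspect_dirs(root):
    """Walk `root` and return sorted paths of directories with a suspect basename."""
    hits = []
    for dirpath, dirnames, _files in os.walk(root):
        for name in dirnames:
            if name in SUSPECT_DIR_NAMES:
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_binaries(baseline):
    """baseline: {path: expected sha256 hex}.
    Returns {path: 'ok' | 'modified' | 'missing'}."""
    results = {}
    for path, expected in baseline.items():
        if not os.path.isfile(path):
            results[path] = "missing"
        elif sha256_file(path) == expected:
            results[path] = "ok"
        else:
            results[path] = "modified"
    return results


def build_demo_tree():
    """Construct (not captured from any host) a tree mimicking the post:
    a clean bin/ whose hashes are recorded as the baseline, then an attacker
    swaps netstat and drops a '...' directory holding the scanner.
    Returns (root, baseline)."""
    root = tempfile.mkdtemp(prefix="luckscan_demo_")
    bindir = os.path.join(root, "bin")
    os.makedirs(bindir)
    baseline = {}
    for name in WATCHED_BINARIES:
        path = os.path.join(bindir, name)
        with open(path, "wb") as f:
            f.write(b"#!/bin/sh\necho genuine " + name.encode() + b"\n")
        baseline[path] = sha256_file(path)
    # Hypothetical trojaned netstat: filters the attacker's address out of the
    # listing.  Illustrative content only, not the real rootkit's binary.
    with open(os.path.join(bindir, "netstat"), "wb") as f:
        f.write(b"#!/bin/sh\n/bin/netstat.real \"$@\" | grep -v 216.90.222\n")
    # The "..." directory with the tool names given in the post.
    scandir = os.path.join(root, "tmp", "...", "scan")
    os.makedirs(scandir)
    for tool in ("luckscanx", "luckstatx", "x"):
        open(os.path.join(scandir, tool), "wb").close()
    return root, baseline


def run_demo():
    """Run both checks on the constructed tree.
    Returns (suspect_dir_paths, {binary basename: status})."""
    root, baseline = build_demo_tree()
    dirs = find_suspect_dirs(root)
    status = {os.path.basename(p): s for p, s in check_binaries(baseline).items()}
    return dirs, status


if __name__ == "__main__":
    dirs, status = run_demo()
    for d in dirs:
        print("suspect directory:", d)
    for name in sorted(status):
        print(f"{status[name]:8s} {name}")
```

The directory walk deliberately uses Python's own os.walk rather than shelling out to ls or find, since the post notes the rootkit replaces userland tools; the hash comparison likewise reads file contents directly instead of asking a possibly trojaned md5sum. Point find_suspect_dirs at "/" and feed check_binaries a baseline taken from a trusted source to run this against a real host.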
Current thread:
- Crazy port 111 scans Reeves, Mike (Feb 05)
- Re: Crazy port 111 scans Lic. Rodolfo Gonzalez Gonzalez (Feb 06)
- Re: Crazy port 111 scans hostmaster (Feb 06)
- DNS server crashed Jason Lewis (Feb 06)
- Re: DNS server crashed Michael Boman (Feb 06)
- Re: DNS server crashed Phil Brutsche (Feb 06)
- A question of intent / DHCP poison attack? Conor Crowley (Feb 06)
- Re: A question of intent / DHCP poison attack? Ryan Russell (Feb 07)
- Re: A question of intent / DHCP poison attack? Valdis Kletnieks (Feb 07)
- Re: DNS server crashed Greg A. Woods (Feb 07)
- Re: Crazy port 111 scans Lic. Rodolfo Gonzalez Gonzalez (Feb 06)
- Re: DNS server crashed Jeremy Hanmer (Feb 06)
- Re: DNS server crashed Steve Stearns (Feb 06)
- Re: DNS server crashed Graphic Rezidew (Feb 06)