Security Incidents mailing list archives
Re: Crazy port 111 scans
From: "Reeves, Mike" <MReeves () SYNCHRONY NET>
Date: Wed, 7 Feb 2001 13:07:55 -0500
The root kit that was in my machine was in Italian. It resided in a directory called /dev/.a. Looking at the source and the logs it looks like it sets the NIC in promiscuous mode and sniffs packets. It also had an SSH replacement that looks like it logged all logins to the system (passwords). This failed because it was a fresh install and ssh wasn't on the box yet. The rootkit also had caused a bunch of errors which stuck out like a sore thumb in the logs. It also contained a script to clean out the syslogs. I am not much of a coder and I can't see what all it uses, but it has the statdx.c exploit bundled along with a port scanner. If anyone is better at deciphering Italian I would be glad to let you look at it.

Mike

-----Original Message-----
From: hostmaster [mailto:gwenf () P2 NET]
Sent: Tuesday, February 06, 2001 1:51 PM
To: INCIDENTS () SECURITYFOCUS COM
Subject: Re: Crazy port 111 scans

What we've found so far: a "..." directory somewhere on the system containing sscan.tgz, a directory scan/luckscanx, luckstatx, x. Seems to grab scan.log, read a class-A address, delete scan.log and proceed to scan the entire class-A on port 111 - while some incoming things happen on port 21 and one (non-existent) host will stay in wait state on local port 110. Sometimes the ... directory is hidden and sometimes not.

Seems like more than one point of origin - although, since Jan 25, I've had the following ip (or 216.90.222.219) in the following state (continually reconnecting and going into wait):

tcp 0 0 my.network.com:110 216.90.222.220:3504 TIME_WAIT -

and I have a load of named failures from the same IP with bad referral (again either .219 or .220):

daemon:Jan 25 17:40:44 xxx named[8863]: bad referral (222.90.216.in-addr.arpa !< 219.222.90.216.IN-ADDR.ARPA)

Seems to kick off about the same time every night (around 8-8:30 CST) - including re-installation of the rootkit. Don't know the name of the rootkit.

This particular luckscanx attack is signed luciffer () luciffer org and rht.com (Romanian Hacking Team). It replaces ps, top, named, netstat, etc. ... all the goodies. Runs in background. At the same time I get a lot of anon ftp requests (failed) from one cable modem or another (or DSL). I'm still looking for the entry point - any help anyone can offer will be gladly appreciated.

Jay

----- Original Message -----
From: "Lic. Rodolfo Gonzalez Gonzalez" <rgg () SOLARIUM CS BUAP MX>
To: <INCIDENTS () SECURITYFOCUS COM>
Sent: Tuesday, February 06, 2001 12:34 AM
Subject: Re: Crazy port 111 scans

On Mon, 5 Feb 2001, Reeves, Mike wrote:
> I have had more 111 scans this past 5 days than in the last 2 months. Is there some new RPC exploit or something? Anyone else seeing these hosts?

It could be Ramen, couldn't it? I've seen tons of scans to 111 and 515 and 21 :o

Regards.
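The two reports above share a few host-level indicators a responder can check for directly: a hidden dot-directory under /dev (Mike's /dev/.a), a directory literally named "..." (Jay's find), and an interface left in promiscuous mode by the bundled sniffer. The following is an added example, not code from the thread or from any of the posters; it builds a constructed directory tree to demonstrate the directory checks and reads the Linux /sys/class/net/<iface>/flags word for the promiscuous check. The sample paths and flag values are constructed for the demonstration.

```python
"""Added example (not from the original thread): a small host-inspection helper
that looks for the indicators the posts describe. All sample paths and flag
values below are constructed for the demonstration."""
import os
import tempfile

IFF_PROMISC = 0x100  # Linux IFF_PROMISC bit, as exposed in /sys/class/net/<if>/flags


def find_suspicious_dirs(root):
    """Walk `root` and return directories matching two of the reported indicators:
    any dot-directory living under <root>/dev, and any directory named "...".
    Returns a sorted list of paths relative to `root`."""
    hits = []
    dev_root = os.path.join(root, "dev")
    for dirpath, dirnames, _ in os.walk(root):
        for name in dirnames:
            full = os.path.join(dirpath, name)
            under_dev = os.path.commonpath([full, dev_root]) == dev_root
            if name == "..." or (under_dev and name.startswith(".")):
                hits.append(os.path.relpath(full, root))
    return sorted(hits)


def is_promiscuous(flags_text):
    """Parse the hex flag word from /sys/class/net/<if>/flags (e.g. "0x1103")
    and report whether IFF_PROMISC is set."""
    return bool(int(flags_text.strip(), 16) & IFF_PROMISC)


def promiscuous_interfaces(sys_net="/sys/class/net"):
    """List interfaces on the running host whose flags word has IFF_PROMISC set.
    Returns an empty list where the sysfs tree is absent (non-Linux hosts)."""
    found = []
    if not os.path.isdir(sys_net):
        return found
    for iface in sorted(os.listdir(sys_net)):
        flags_path = os.path.join(sys_net, iface, "flags")
        try:
            with open(flags_path) as fh:
                if is_promiscuous(fh.read()):
                    found.append(iface)
        except OSError:
            continue  # virtual interfaces without a flags file, permission errors
    return found


def build_sample_tree():
    """Construct a throwaway directory tree mimicking the two reports:
    a hidden /dev/.a, a "..." directory under /tmp, plus benign dot-directories
    elsewhere that must NOT be flagged."""
    root = tempfile.mkdtemp(prefix="rk-demo-")
    os.makedirs(os.path.join(root, "dev", ".a"))
    os.makedirs(os.path.join(root, "dev", "pts"))
    os.makedirs(os.path.join(root, "tmp", "...", "scan"))
    os.makedirs(os.path.join(root, "home", "user", ".ssh"))
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    print("suspicious directories:", find_suspicious_dirs(demo_root))  # ['dev/.a', 'tmp/...']
    print("promiscuous interfaces on this host:", promiscuous_interfaces())
```

Because both posters report the kit replacing ps, top, netstat and friends, a check like this is only trustworthy when run with a known-good interpreter and filesystem view (for example from a boot medium, or against a mounted image), and its directory hits should be confirmed against package manager checksums rather than the host's own tools.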