Security Incidents mailing list archives

Re: Crazy port 111 scans


From: "Reeves, Mike" <MReeves () SYNCHRONY NET>
Date: Wed, 7 Feb 2001 13:07:55 -0500

The root kit that was in my machine was in Italian. It resided in a
directory called /dev/.a. Looking at the source and the logs it looks like
it sets the NIC in promiscuous mode and sniffs packets. It also had an SSH
replacement that looks like it logged all logins to the system (passwords).
This failed because it was a fresh install and ssh wasn't on the box yet. The
rootkit also had caused a bunch of errors which stuck out like a sore thumb
in the logs. It also contained a script to clean out the syslogs. I am not
much of a coder and I can't see what all it uses but it has the statdx.c
exploit bundled along with a port scanner. If anyone is better at
deciphering Italian I would be glad to let you look at it.

Mike
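A few triage checks for the artifacts described in this message and the one it replies to (the dot-directory under /dev, a directory named "...", and a NIC left in promiscuous mode), as an added example that is not part of the thread. It assumes a Linux host where /sys/class/net/<iface>/flags is readable; the IFF_PROMISC bit value 0x100 is taken from the Linux kernel ABI.

```sh
#!/bin/sh
# Added triage helpers (not from the thread). Assumes a Linux host where
# /sys/class/net/<iface>/flags is readable; 0x100 is the kernel's IFF_PROMISC bit.

# Print dot-directories directly under <root>/dev (e.g. /dev/.a) and any
# directory named "..." on the same filesystem as <root>. Both names are
# picked because a casual "ls" does not show them.
find_hidden_dirs() {
    root="${1:-/}"
    case "$root" in */) ;; *) root="$root/" ;; esac
    find "${root}dev" -maxdepth 1 -type d -name '.*' 2>/dev/null
    find "$root" -xdev -type d -name '...' 2>/dev/null
}

# Succeed (exit 0) if the hex flags word from /sys/class/net/*/flags has
# IFF_PROMISC (0x100) set, i.e. the interface is receiving all traffic.
flags_promisc() {
    flags=$(( $1 ))
    [ $(( flags & 0x100 )) -ne 0 ]
}

# Print the name of every interface that is currently promiscuous.
list_promisc_ifaces() {
    for f in /sys/class/net/*/flags; do
        [ -r "$f" ] || continue
        if flags_promisc "$(cat "$f")"; then
            basename "$(dirname "$f")"
        fi
    done
}

# Stand-alone use: ./triage.sh [root]  (a live host, or a mounted disk image)
if [ "${0##*/}" = "triage.sh" ]; then
    echo "== hidden directories ==";  find_hidden_dirs "$1"
    echo "== promiscuous interfaces ==";  list_promisc_ifaces
fi
```

A clean output from these checks does not prove the host is clean, since the thread itself reports replaced ps, netstat and named binaries; run them from a known-good toolset or against a mounted image.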

-----Original Message-----
From: hostmaster [mailto:gwenf () P2 NET]
Sent: Tuesday, February 06, 2001 1:51 PM
To: INCIDENTS () SECURITYFOCUS COM
Subject: Re: Crazy port 111 scans


What we've found so far:

a "..." directory somewhere on the system containing sscan.tgz a directory
scan/luckscanx, luckstatx, x
Seems to grab scan.log, read a class-A address, delete scan.log and proceed
to scan the entire class-A on port 111 - while some incoming things happen
on port 21 and one (non-existent) host will stay in wait state on local port
110.

Sometimes the ... directory is hidden and sometimes not. Seems like more
than one point of origin - although, since Jan 25, I've had the following
IP (or 216.90.222.219) in the following state (continually reconnecting and
going into wait):

tcp        0      0 my.network.com:110        216.90.222.220:3504     TIME_WAIT   -

and, I have a load of named failures from the same IP with bad referral
(again either .219 or .220).

daemon:Jan 25 17:40:44 xxx named[8863]: bad referral (222.90.216.in-addr.arpa !< 219.222.90.216.IN-ADDR.ARPA)

Seems to kick off about the same time every night (around 8-8:30 CST) -
including re-installation of the rootkit.  Don't know the name of the
rootkit.  This particular luckscanx attack is signed luciffer () luciffer org
and rht.com (Romanian Hacking Team).  It replaces ps, top, named, netstat,
etc....... all the goodies.  Runs in background.

At the same time I get a lot of anon ftp requests (failed) from one cable
modem or another (or DSL).

I'm still looking for the entry point - any help anyone can offer will be
gladly appreciated.

Jay

----- Original Message -----
From: "Lic. Rodolfo Gonzalez Gonzalez" <rgg () SOLARIUM CS BUAP MX>
To: <INCIDENTS () SECURITYFOCUS COM>
Sent: Tuesday, February 06, 2001 12:34 AM
Subject: Re: Crazy port 111 scans


On Mon, 5 Feb 2001, Reeves, Mike wrote:

I have had more 111 scans this past 5 days than in the last 2 months. Is
there some new RPC exploit or something?
Anyone else seeing these hosts?

It could be Ramen, couldn't it? I've seen tons of scans to 111 and 515
and 21 :o

Regards.
