Security Incidents mailing list archives
Re: FTP and RPC based worms [was anyone else ...]
From: Steve Clement <steve () ALDIGITAL CO UK>
Date: Tue, 16 Jan 2001 13:38:37 +0000
Russell Fulton wrote:
> On Mon, 15 Jan 2001 14:40:16 +0200 Mihai Moldovanu <mihaim () PROFM RO> wrote:
>
> All fairly standard stuff except that the whole process took under 2 minutes from initial probe to launching the scanner. I conclude that what we have here is a worm spreading via ftp.
>
> I have port scanned the compromised system and it is listening on port 27374, the same as the one on 194.163.254.235 where it got its tools from. When I connected to this port via telnet I got a large amount of binary data dumped to the terminal. No other unusual ports open. I have not examined the compromised system myself yet, it's in another department across campus.
>
> I scanned our network traffic for the last couple of days looking for traffic to tcp 27374 and found very slow scans going from one address.
>
> 194.163.254.235 also probed tcp 111 on machines that responded to the ftp scan but were not vulnerable to their ftp exploit.

No wonder they've been hacked with an out-of-the-box Redhat 7.0 install... That site's hostname is, btw, sms.convidis.de, a very nice SMS portal; it delivered my SMS to the UK in under 5 secs. Someone should contact them and make them aware of the fact that they've been hacked...

http://www.convidis.de

If there's trouble with German I could probably help out...

cheers steve

--
Steve
A.L. Digital Ltd.
Voysey House
Barley Mow Passage
London W4 4GB
mailto:steve () aldigital co uk
UNITED KINGDOM
PGP key on keyservers
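
The two checks described in the quoted report (looking back over several days of traffic for slow scans to tcp 27374, and spotting sources that probe tcp 111 on hosts they already probed on ftp) can be sketched as follows. This is an added example, not part of the original messages; the flow-record format, function names and addresses (documentation ranges) are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed flow records: time, source, destination, TCP destination port.
# Addresses come from documentation ranges, not from the incident.
SAMPLE_FLOWS = """\
2001-01-14T02:10:05 198.51.100.7 192.0.2.10 21
2001-01-14T02:10:09 198.51.100.7 192.0.2.10 111
2001-01-14T02:11:40 198.51.100.7 192.0.2.11 21
2001-01-14T09:30:00 203.0.113.9 192.0.2.10 27374
2001-01-14T17:45:12 203.0.113.9 192.0.2.11 27374
2001-01-15T04:02:33 203.0.113.9 192.0.2.12 27374
2001-01-15T11:20:00 192.0.2.50 192.0.2.10 27374
2001-01-15T23:59:01 203.0.113.9 192.0.2.13 27374
"""

def parse_flows(text):
    """Parse the assumed whitespace-separated format into time-ordered tuples."""
    flows = []
    for line in text.splitlines():
        ts, src, dst, dport = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return sorted(flows)

def slow_scanners(flows, port=27374, min_targets=3):
    """Sources that reached >= min_targets distinct hosts on `port` over the
    whole capture. Counting targets, not rate, keeps slow scans visible."""
    targets, span = defaultdict(set), {}
    for ts, src, dst, dport in flows:
        if dport == port:
            targets[src].add(dst)
            first, _ = span.get(src, (ts, ts))
            span[src] = (first, ts)
    return {src: (len(hosts), span[src][1] - span[src][0])
            for src, hosts in targets.items() if len(hosts) >= min_targets}

def ftp_then_rpc(flows):
    """(source, target) pairs where a tcp/21 probe was followed by tcp/111."""
    seen_ftp, pairs = set(), []
    for ts, src, dst, dport in flows:
        if dport == 21:
            seen_ftp.add((src, dst))
        elif dport == 111 and (src, dst) in seen_ftp:
            pairs.append((src, dst))
    return pairs
```

On the sample data, `slow_scanners` reports one source that touched four hosts over more than a day, while the single internal connection to the same port stays below the threshold.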