Security Incidents mailing list archives

Re: FTP and RPC based worms [was anyone else ...]


From: Magnus Ullberg <UllbergM () ABCBANK COM>
Date: Tue, 16 Jan 2001 13:53:50 -0600

I checked our logs and it seems like we've had 10-20 different IP addresses
scan for tcp/111, tcp/21, or tcp/27374.
What's the standard approach? Just leave it alone since it doesn't affect
your network, or contact the people the scan came from?
One of the sites resolves to mailgate.lostinspace-hub.com.. that sounds like
a box they don't want rooted.. so I will probably email them.. but what
about the others? There are misc. @home/dialup addresses, etc.

Thanks,
Magnus Ullberg
Network Coordinator

Area Bancshares Corporation
Networking Department
230 Frederica St.
Owensboro, KY 42301

        -----Original Message-----
        From:   Steve Clement [SMTP:steve () ALDIGITAL CO UK]
        Sent:   Tuesday, January 16, 2001 7:39 AM
        To:     INCIDENTS () SECURITYFOCUS COM
        Subject:        Re: FTP and RPC based worms [was anyone else ...]

        Russell Fulton wrote:
        >
        > On Mon, 15 Jan 2001 14:40:16 +0200 Mihai Moldovanu <mihaim () PROFM RO>
        > wrote:
        >
        > All fairly standard stuff except that the whole process took under 2
        > minutes from initial probe to launching the scanner.
        >
        > I conclude that what we have here is a worm spreading via ftp.
        >
        > I have port scanned the compromised system and it is listening on port
        > 27374, the same as the one on 194.163.254.235 where it got its tools
        > from.  When I connected to this port via telnet I got a large amount
        > of binary data dumped to the terminal.  No other unusual ports open.
        >
        > I have not examined the compromised system myself yet, its in another
        > department across campus.
        >
        > I scanned our network traffic for the last couple of days looking for
        > traffic to tcp 27374 and found a very slow scan going from one address.
        >
        > 194.163.254.235 also probed tcp 111 on machines that responded to
        > the ftp scan but were not vulnerable to their ftp exploit.
        >
        >

        No wonder they've been hacked with an out-of-the-box Red Hat 7.0
        install... That site's hostname is, btw, sms.convidis.de, a very nice SMS
        portal; it delivered my SMS to the UK in under 5 seconds. Someone should
        contact them and make them aware of the fact that they've been
        hacked... http://www.convidis.de If there's trouble with German I could
        probably help out...

        cheers steve


        --
        Steve
        A.L. Digital Ltd.
        Voysey House
        Barley Mow Passage
        London W4 4GB                 mailto:steve () aldigital co uk
        UNITED KINGDOM                PGP key on keyservers
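The triage Magnus and Russell describe (pulling the hits on tcp/21, tcp/111 and tcp/27374 out of the logs, telling a slow scan from a single connection, and spotting the "ftp probe followed by a portmap probe on the same host" behaviour) can be done with a short script. The following is an added example written for this archive page, not code from either poster; the netfilter-style log lines it parses are constructed sample data and the thresholds are assumptions.

```python
"""Triage firewall log lines for the worm-scan pattern discussed in the thread:
probes of tcp/21 (ftp), tcp/111 (portmapper) and tcp/27374, grouped by source,
so that a network coordinator can tell a slow scan from a one-off connection
and decide whom to notify.

Log format is netfilter/iptables style; SAMPLE_LOG below is constructed sample
data (RFC 5737 test addresses), not lines from the original messages.
"""
import re
from collections import defaultdict

# Ports the thread is concerned with (assumed list, matching the discussion).
WORM_PORTS = {21: "ftp", 111: "sunrpc/portmap", 27374: "tcp/27374"}

# Constructed sample log: one slow scanner touching several hosts, one source
# that follows an ftp probe with a portmap probe, and one ordinary ftp client.
SAMPLE_LOG = """\
Jan 16 01:02:03 fw kernel: IN=eth0 OUT= SRC=10.9.8.7 DST=192.0.2.10 PROTO=TCP SPT=2041 DPT=21 SYN
Jan 16 01:14:22 fw kernel: IN=eth0 OUT= SRC=10.9.8.7 DST=192.0.2.11 PROTO=TCP SPT=2042 DPT=21 SYN
Jan 16 01:27:51 fw kernel: IN=eth0 OUT= SRC=10.9.8.7 DST=192.0.2.12 PROTO=TCP SPT=2043 DPT=21 SYN
Jan 16 01:40:05 fw kernel: IN=eth0 OUT= SRC=10.9.8.7 DST=192.0.2.13 PROTO=TCP SPT=2044 DPT=27374 SYN
Jan 16 02:00:00 fw kernel: IN=eth0 OUT= SRC=198.51.100.5 DST=192.0.2.20 PROTO=TCP SPT=3301 DPT=21 SYN
Jan 16 02:00:04 fw kernel: IN=eth0 OUT= SRC=198.51.100.5 DST=192.0.2.20 PROTO=TCP SPT=3302 DPT=111 SYN
Jan 16 03:15:00 fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=1100 DPT=21 SYN
Jan 16 03:16:00 fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=1101 DPT=80 SYN
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) .*?SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) "
    r"PROTO=TCP .*?DPT=(?P<dport>\d+)"
)


def parse_line(line):
    """Return (timestamp, src, dst, dport) for a TCP log line, or None if it does not parse."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m["ts"], m["src"], m["dst"], int(m["dport"])


def summarize(log_text):
    """Map src -> dport -> set of destination hosts, restricted to WORM_PORTS."""
    hits = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        _, src, dst, dport = rec
        if dport in WORM_PORTS:
            hits[src][dport].add(dst)
    return hits


def scanners(hits, min_hosts=3):
    """Sources that touched at least min_hosts distinct hosts on the worm ports.
    This is the 'very slow scan from one address' pattern; a legitimate ftp
    client normally talks to one host. min_hosts=3 is an assumed threshold."""
    out = {}
    for src, per_port in hits.items():
        hosts = set().union(*per_port.values())
        if len(hosts) >= min_hosts:
            out[src] = sorted(hosts)
    return out


def ftp_then_portmap(log_text):
    """Sources that probed tcp/111 on a host after probing tcp/21 on the same host,
    the follow-up behaviour Russell saw from the box that was not ftp-vulnerable."""
    seen_ftp = set()
    flagged = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        _, src, dst, dport = rec
        if dport == 21:
            seen_ftp.add((src, dst))
        elif dport == 111 and (src, dst) in seen_ftp:
            flagged.add(src)
    return flagged


if __name__ == "__main__":
    hits = summarize(SAMPLE_LOG)
    for src, hosts in scanners(hits).items():
        print(f"slow scan from {src}: {len(hosts)} hosts, ports {sorted(hits[src])}")
    for src in ftp_then_portmap(SAMPLE_LOG):
        print(f"{src}: ftp probe followed by portmap probe on the same host")
```

On the sample data 10.9.8.7 is reported as a scanner (four hosts across tcp/21 and tcp/27374) and 198.51.100.5 as a source that came back with a portmap probe after its ftp probe; 203.0.113.9 is left alone because it only touched one host and its second connection was to a port outside the list. The per-source host list is what you would paste into a notification to the owner of the scanning address, which is the decision Magnus is asking about.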

