Security Incidents mailing list archives
Re: more info on ramen.tgz
From: Daniel Martin <dtmartin24 () HOME COM>
Date: Wed, 17 Jan 2001 16:04:46 -0500
"Jeffrey F. Lawhorn" <jeffl () wanet net> writes:
One more thing I've noticed about the synscan in the ramen.tgz, it sends a TCP packet to 212.184.80.190 port 80 from port 31337 after it finishes scanning each /16. Unfortunately I was unable to capture any of the actual packets. Did anyone else manage to capture one of these packets?
This is actually part of the regular synscan tool - it just uses this packet to mark the end of the line. There's nothing special about the data in the packet, and 212.184.80.190 is www.microsoft.de; that's so that this end packet doesn't look suspicious at all.

Synscan works by having many separate processes each do part of the TCP connection. The main process forks off a child process that sends out SYN packets to all the hosts in the /16; meanwhile the main process listens (via pcap) for responses. When it gets a response, the main process forks off another child to check the specific vulnerabilities on that host. When the main process sees the packet to www.microsoft.de, port 80 from port 31337 go by, it knows that the child process has sent scans off to every host it was supposed to, and can now quit.

Read more details in the actual synscan source code: http://www.psychoid.lam3rz.de/synscan.html

In other news, I've updated my analysis of the ramen worm (minor changes) and put it up at http://members.home.net/dtmartin24/ramen_worm.txt
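As an added example for this thread (not code from the post, from synscan or from ramen): a small Python pass over packet records that flags the end-of-scan marker described above, a TCP packet from source port 31337 to 212.184.80.190 port 80, and reports how many hosts, and which /16 networks, the same source SYN-scanned before sending it. The record layout and the sample packets are constructed for the example; the marker's TCP flags are assumed to be SYN, which the post does not state, so the marker match deliberately ignores flags.

```python
"""Flag synscan's end-of-scan marker and the SYN sweep that precedes it.

Added example for the ramen/synscan thread; the records below are
constructed, not captured traffic.  Record shape (an assumption for this
example): (src, sport, dst, dport, flags) with flags as a tcpdump-style
string such as "S" or "SA".
"""
from collections import defaultdict
from ipaddress import ip_network

# Marker packet as described in the post: TCP to www.microsoft.de:80,
# sent from source port 31337 once the child has finished the /16.
MARKER_DST = "212.184.80.190"
MARKER_DPORT = 80
MARKER_SPORT = 31337

# Constructed sample: one scanner (10.9.8.7) sweeps four hosts in
# 192.0.0.0/16, gets one SYN/ACK back, then sends the marker.  A benign
# web client (172.16.5.9) also talks to 212.184.80.190:80 from an
# ephemeral port, and 172.16.5.5 sends a lone marker with no sweep.
SAMPLE_PACKETS = [
    ("10.9.8.7", 40001, "192.0.2.1", 21, "S"),
    ("10.9.8.7", 40001, "192.0.2.2", 21, "S"),
    ("10.9.8.7", 40001, "192.0.2.3", 21, "S"),
    ("10.9.8.7", 40001, "192.0.3.4", 21, "S"),
    ("192.0.2.2", 21, "10.9.8.7", 40001, "SA"),      # response, not a probe
    ("10.9.8.7", 31337, "212.184.80.190", 80, "S"),  # marker (flags assumed)
    ("172.16.5.9", 51234, "212.184.80.190", 80, "S"),  # ordinary web hit
    ("172.16.5.5", 31337, "212.184.80.190", 80, "S"),  # marker, no sweep
]


def is_marker(pkt):
    """True for the synscan end-of-line packet; flags are not checked."""
    _src, sport, dst, dport, _flags = pkt
    return dst == MARKER_DST and dport == MARKER_DPORT and sport == MARKER_SPORT


def analyze(packets):
    """Return one finding per marker packet: the sending host, the number of
    distinct hosts it sent bare SYNs to before the marker, and the /16
    networks those hosts fall in (the unit synscan sweeps)."""
    syn_targets = defaultdict(set)  # scanner src -> hosts it SYN'd
    findings = []
    for pkt in packets:
        src, _sport, dst, _dport, flags = pkt
        if is_marker(pkt):
            hosts = syn_targets.get(src, set())
            nets = sorted({str(ip_network(h + "/16", strict=False)) for h in hosts})
            findings.append({"scanner": src, "hosts": len(hosts), "networks": nets})
        elif "S" in flags and "A" not in flags:
            # A SYN without ACK is a probe; SYN/ACK replies are not counted.
            syn_targets[src].add(dst)
    return findings


def sweep_markers(packets, min_hosts=4):
    """Markers whose sender swept at least `min_hosts` hosts first."""
    return [f for f in analyze(packets) if f["hosts"] >= min_hosts]


if __name__ == "__main__":
    for finding in analyze(SAMPLE_PACKETS):
        print(finding)
```

The address is whatever www.microsoft.de resolved to when the tool was written, so on its own it is a weak indicator; the useful signal is the combination of source port 31337, destination port 80 and a preceding SYN sweep from the same host, which is why `sweep_markers` thresholds on the sweep size rather than reporting every marker.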
Current thread:
- more info on ramen.tgz Jeffrey F. Lawhorn (Jan 17)
- Re: more info on ramen.tgz Joe Stewart (Jan 17)
- Re: more info on ramen.tgz outcast (Jan 17)
- Re: more info on ramen.tgz Nathan W. Lindstrom (Jan 17)
- Re: more info on ramen.tgz Daniel Martin (Jan 17)
- Re: more info on ramen.tgz dor (Jan 17)
- Re: more info on ramen.tgz Russell Fulton (Jan 17)
- <Possible follow-ups>
- Re: more info on ramen.tgz Russell Fulton (Jan 17)