Security Incidents mailing list archives

Re: more info on ramen.tgz


From: Russell Fulton <r.fulton () AUCKLAND AC NZ>
Date: Thu, 18 Jan 2001 11:33:55 +1300

On Wed, 17 Jan 2001 11:35:13 -0800 "Jeffrey F. Lawhorn"
<jeffl () wanet net> wrote:

> One more thing I've noticed about the synscan in the ramen.tgz, it sends a TCP
> packet to 212.184.80.190 port 80 from port 31337 after it finishes scanning
> each /16.

I did not observe this behaviour on the machine we had infected.
Neither was any mail sent from the machine (unless it used a local
relay).

Apart from the scanning and the initial connection back to get its kit
there were no other outbound connections.  The scanning stopped
abruptly after about 40 /16s, approximately coincident with activity on the
console.  (The machine was attacked at 1 am, but as it happened the
owner is an astronomer and started using it at about 2 am.)

It looks like there is more than one variant of this beast out there.

Russell


Russell Fulton, Computer and Network Security Officer
The University of Auckland,  New Zealand
