Security Incidents mailing list archives
Re: more info on ramen.tgz
From: Russell Fulton <r.fulton () AUCKLAND AC NZ>
Date: Thu, 18 Jan 2001 11:33:55 +1300
On Wed, 17 Jan 2001 11:35:13 -0800 "Jeffrey F. Lawhorn" <jeffl () wanet net> wrote:
> One more thing I've noticed about the synscan in the ramen.tgz, it sends a TCP packet to 212.184.80.190 port 80 from port 31337 after it finishes scanning each /16.
I did not observe this behaviour on the machine we had infected. Neither was any mail sent from the machine (unless it used a local relay). Apart from the scanning and the initial connection back to get its kit there were no other outbound connections. The scanning stopped abruptly after about 40 /16s, approx. coincident with activity on the console (the machine was attacked at 1 am, but as it happened the owner is an astronomer and started using it at about 2 am). It looks like there is more than one variant of this beast out there.

Russell

Russell Fulton, Computer and Network Security Officer
The University of Auckland, New Zealand
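The two behaviours reported in this thread (a sweep across /16 networks, with or without the packet from port 31337 to 212.184.80.190 port 80) can be told apart in flow records. The Python below is an added example, not part of the original messages; the flow-record layout, the sample hosts and ports, and the `MIN_SLASH16` threshold are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

BEACON_DST = ("212.184.80.190", 80)  # destination reported in the quoted message
BEACON_SPORT = 31337                 # source port reported in the quoted message
MIN_SLASH16 = 3                      # assumed threshold for "sweeping /16s"

# Constructed flow records: (src_ip, src_port, dst_ip, dst_port).
# Hosts, scanned addresses and the scanned port are made up for this example.
FLOWS = [
    ("10.0.0.5", 40001, "172.16.1.1", 21),
    ("10.0.0.5", 31337, "212.184.80.190", 80),
    ("10.0.0.5", 40002, "172.17.1.1", 21),
    ("10.0.0.5", 31337, "212.184.80.190", 80),
    ("10.0.0.5", 40003, "172.18.1.1", 21),
    ("10.0.0.9", 41001, "172.20.9.9", 21),
    ("10.0.0.9", 41002, "172.21.9.9", 21),
    ("10.0.0.9", 41003, "172.22.9.9", 21),
    ("10.0.0.7", 40000, "192.0.2.10", 80),  # ordinary traffic, not a sweep
]

def slash16(ip):
    """Return the /16 network that contains ip, e.g. 172.16.0.0/16."""
    return str(ipaddress.ip_network(f"{ip}/16", strict=False))

def classify(flows):
    """Label each source host by which of the two reported behaviours it shows."""
    nets = defaultdict(set)     # src -> distinct /16s contacted
    beacons = defaultdict(int)  # src -> packets matching the reported tuple
    for src, sport, dst, dport in flows:
        if (dst, dport) == BEACON_DST and sport == BEACON_SPORT:
            beacons[src] += 1
        else:
            nets[src].add(slash16(dst))
    result = {}
    for src in set(nets) | set(beacons):
        sweeping = len(nets[src]) >= MIN_SLASH16
        if sweeping and beacons[src]:
            result[src] = "sweep+beacon"
        elif sweeping:
            result[src] = "sweep-only"
        elif beacons[src]:
            result[src] = "beacon-only"
    return result

if __name__ == "__main__":
    for host, label in sorted(classify(FLOWS).items()):
        print(host, label)
```
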