Security Incidents mailing list archives

Re: more info on ramen.tgz


From: Russell Fulton <r.fulton () auckland ac nz>
Date: Thu, 18 Jan 2001 16:51:28 +1300

Here we go, replying to my own post :)

On Wed, 17 Jan 2001 11:35:13 -0800 "Jeffrey F. Lawhorn"
<jeffl () wanet net> wrote:

> > One more thing I've noticed about the synscan in the ramen.tgz, it sends a TCP
> > packet to 212.184.80.190 port 80 from port 31337 after it finishes scanning
> > each /16.

> I did not observe this behaviour on the machine we had infected.

I've looked a little more closely at the traffic logs and while the
above assertion is true it does not actually mean much.  What our worm
did was start scanning 156.82/16 but stopped after just a few minutes.
It had only scanned up to 156.82.24.xx when it suddenly quit. So it
never got to the point where it would have sent a packet to
212.184.80.190.  My apologies for the confusion.  My initial
impression was that it had scanned several consecutive /16s.

> Neither was any mail sent from the machine (unless it used a local
> relay).

This is true, but again, it may have done so if something had not
stopped it dead.

> It looks like there is more than one variant of this beast out there.

I withdraw that assertion.

Cheers, Russell.

Russell Fulton, Computer and Network Security Officer
The University of Auckland,  New Zealand
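The two traffic traits discussed in this thread (the scanner walking a /16 one /24 at a time, and the single TCP packet to 212.184.80.190:80 from source port 31337 once a /16 is finished) can be correlated from flow logs. The following is an added example written for this page; it is not code from the list post or from ramen.tgz itself. The flow-log line format, the host addresses 10.0.0.5 and 10.0.0.9, the probed destination port 21 and the timestamps are all constructed for the example; only the check-in destination, ports and the 156.82.0.0/16 range come from the thread.

```python
"""Correlate /16 sweep progress with the post-sweep check-in packet.

Added example, not code from the mailing-list post or from the worm.
Constructed (hypothetical) flow-log format, one record per line:
    <epoch> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto>
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# From the thread: after finishing a /16 the scanner sends one TCP packet
# to 212.184.80.190 port 80 with source port 31337.
CHECKIN_DST = ipaddress.ip_address("212.184.80.190")
CHECKIN_DPORT = 80
CHECKIN_SPORT = 31337


@dataclass(frozen=True)
class Flow:
    ts: int
    src: ipaddress.IPv4Address
    sport: int
    dst: ipaddress.IPv4Address
    dport: int
    proto: str


def parse_log(text: str) -> list:
    """Parse the constructed flow-log format, skipping blank lines."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, arrow, dst, proto = line.split()
        if arrow != "->":
            raise ValueError(f"bad flow line: {line!r}")
        sip, sport = src.rsplit(":", 1)
        dip, dport = dst.rsplit(":", 1)
        flows.append(Flow(int(ts), ipaddress.ip_address(sip), int(sport),
                          ipaddress.ip_address(dip), int(dport), proto.lower()))
    return flows


def is_checkin(f: Flow) -> bool:
    """The post-/16 check-in described in the thread."""
    return (f.proto == "tcp" and f.sport == CHECKIN_SPORT
            and f.dst == CHECKIN_DST and f.dport == CHECKIN_DPORT)


def report(flows) -> dict:
    """Per source host: which /16s it finished (all 256 /24s touched over
    TCP), how far it got in unfinished /16s, and how many check-ins it sent.
    A host with a partial /16 and no check-in matches the case in the thread
    (scan stopped early, so the check-in was never reached)."""
    touched = defaultdict(lambda: defaultdict(set))
    checkins = defaultdict(int)
    for f in flows:
        if f.proto != "tcp":
            continue
        if is_checkin(f):
            checkins[f.src] += 1
            continue
        net16 = ipaddress.ip_network((str(f.dst), 16), strict=False)
        net24 = ipaddress.ip_network((str(f.dst), 24), strict=False)
        touched[f.src][net16].add(net24)
    out = {}
    for src in set(touched) | set(checkins):
        nets = touched[src]
        done = sorted(str(n) for n, s in nets.items() if len(s) == 256)
        partial = {str(n): len(s) for n, s in nets.items() if len(s) < 256}
        out[str(src)] = {"completed_16s": done, "partial_16s": partial,
                         "checkins": checkins[src]}
    return out


def build_sample_log() -> str:
    """Constructed traffic, not captured data: 10.0.0.5 probes 156.82.0.x
    through 156.82.24.x and stops, as in the thread; 10.0.0.9 finishes all
    256 /24s of 10.1.0.0/16 and then emits the check-in packet.
    Destination port 21 is an arbitrary choice for the example."""
    lines, ts = [], 979800000
    for third in range(25):
        lines.append(f"{ts} 10.0.0.5:1025 -> 156.82.{third}.7:21 tcp")
        ts += 1
    for third in range(256):
        lines.append(f"{ts} 10.0.0.9:1026 -> 10.1.{third}.7:21 tcp")
        ts += 1
    lines.append(f"{ts} 10.0.0.9:{CHECKIN_SPORT} -> {CHECKIN_DST}:{CHECKIN_DPORT} tcp")
    return "\n".join(lines)


if __name__ == "__main__":
    for host, info in sorted(report(parse_log(build_sample_log())).items()):
        print(host, info)
```

On the constructed log the report shows 10.0.0.5 with 25 of 256 /24s of 156.82.0.0/16 touched and no check-in, and 10.0.0.9 with 10.1.0.0/16 completed and one check-in, which is the distinction Russell draws above: absence of the 31337 to 212.184.80.190:80 packet only tells you something if the host actually got through a whole /16.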

