Security Incidents mailing list archives
Re: more info on ramen.tgz
From: Russell Fulton <r.fulton () auckland ac nz>
Date: Thu, 18 Jan 2001 16:51:28 +1300
Here we go, replying to my own post :)
> On Wed, 17 Jan 2001 11:35:13 -0800 "Jeffrey F. Lawhorn" <jeffl () wanet net> wrote:
>
>> One more thing I've noticed about the synscan in the ramen.tgz, it sends a TCP packet to 212.184.80.190 port 80 from port 31337 after it finishes scanning each /16.
>
> I did not observe this behaviour on the machine we had infected.

I've looked a little more closely at the traffic logs and while the above assertion is true it does not actually mean much. What our worm did was start scanning 156.82/16 but stopped after just a few minutes. It had only scanned up to 156.82.24.xx when it suddenly quit. So it never got to the point where it would have sent a packet to 212.184.80.190. My apologies for the confusion. My initial impression was that it had scanned several consecutive /16s.

> Neither was any mail sent from the machine (unless it used a local relay).

This is true, but again, it may have done so if something had not stopped it dead.

> It looks like there is more than one variant of this beast out there.

I withdraw that assertion.

Cheers, Russell.

Russell Fulton, Computer and Network Security Officer
The University of Auckland, New Zealand
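An added example, not code from the thread or from the worm: a small Python summary of the two observable traits the posts describe (a host probing many addresses inside one /16, and the follow-up packet from source port 31337 to 212.184.80.190 port 80), run over constructed flow records. The probe port and every host address other than the callback address are assumptions.

```python
import ipaddress
from collections import defaultdict

# Values quoted in the thread
BEACON_DST = "212.184.80.190"
BEACON_SPORT = 31337
BEACON_DPORT = 80

def analyse_flows(flows, min_targets=8):
    """Summarise per source: the /16s it probed (distinct target count) and
    whether the port-31337 callback to BEACON_DST was seen.
    Each flow is (src, sport, dst, dport, tcp_flags)."""
    targets = defaultdict(lambda: defaultdict(set))
    beacons = set()
    for src, sport, dst, dport, flags in flows:
        if sport == BEACON_SPORT and dst == BEACON_DST and dport == BEACON_DPORT:
            beacons.add(src)
        elif "S" in flags:  # SYN probes from the scanner
            net = str(ipaddress.ip_network(f"{dst}/16", strict=False))
            targets[src][net].add(dst)
    report = {}
    for src, nets in targets.items():
        scanned = {net: len(hosts) for net, hosts in nets.items()
                   if len(hosts) >= min_targets}
        if scanned:
            report[src] = {"scanned": scanned, "callback_seen": src in beacons}
    return report

# Constructed sample flows (not real capture data). The first host mirrors the
# thread: it probes part of 156.82/16 and stops, so no callback follows.
# The second host finishes its sweep and then emits the callback packet.
SCAN_PORT = 21  # assumed probe port for the constructed records
SAMPLE_FLOWS = (
    [("10.1.2.3", 1024 + i, f"156.82.24.{i}", SCAN_PORT, "S") for i in range(1, 13)]
    + [("10.9.9.9", 2048 + i, f"192.0.2.{i}", SCAN_PORT, "S") for i in range(1, 41)]
    + [("10.9.9.9", BEACON_SPORT, BEACON_DST, BEACON_DPORT, "S")]
    + [("10.5.5.5", 40000, "198.51.100.7", 80, "S")]  # single web request, ignored
)

if __name__ == "__main__":
    for src, info in analyse_flows(SAMPLE_FLOWS).items():
        print(src, info)
```

A source that shows up with a large scanned count but no callback, as in the thread, is consistent with a sweep that was interrupted before the /16 completed.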