Security Incidents mailing list archives

Re: anyone else seen an increase in sunrpc scans these days?

From: Mihai Moldovanu <mihaim () PROFM RO>
Date: Mon, 15 Jan 2001 14:40:16 +0200

Jason Lewis wrote:

I couldn't find any of those addresses, but I have similar scans in my logs.

63.91.6.36
64.32.209.213
64.21.114.2
66.22.62.2
216.98.160.251


Yes . The same problem here . But not only 111 . 21 also.
We deployed a honnypot and waited to be compromised. It took 12 hours to be
compromised. I took it out of the network
and this is what i found on it :
It seemns like a worm that installs StatDXscan  ( Class B rpc.statd scanner) ,
wu-ftpd scanner , a modified t0rn rootkit along with Adore LKM rootkit , and
flood
tools : Sl2 , smurf5 , tojaned sshd running on port 48480 )
t0rnscan  has inside it the following string:  irc.webbernet.net:6667


--
Lead programmer,
Mihai Moldovanu (mihaim () profm ro)
WEB:    http://tfm.profm.ro/
             http://www.developers.ro/

Current thread:

Re: anyone else seen an increase in sunrpc scans these days?, (continued)
- Re: anyone else seen an increase in sunrpc scans these days? Matthew Hallacy (Jan 15)
- Re: anyone else seen an increase in sunrpc scans these days? Devdas Bhagat (Jan 15)
- Re: anyone else seen an increase in sunrpc scans these days? Cristian Dumitrescu (Jan 15)
  - sunrpc / wu-ftpd worm ? Mihai Moldovanu (Jan 15)
  - Re: anyone else seen an increase in sunrpc scans these days? Digital Overdrive (Jan 16)
    - Re: anyone else seen an increase in sunrpc scans these days? Cristian Dumitrescu (Jan 16)
    - Re: anyone else seen an increase in sunrpc scans these days? Nathan W. Lindstrom (Jan 16)
    - Re: anyone else seen an increase in sunrpc scans these days? Ignacio Machin (Jan 18)
    - Re: anyone else seen an increase in sunrpc scans these days? razor (Jan 18)
    - Re: anyone else seen an increase in sunrpc scans these days? Ignacio Machin (Jan 22)
- Re: anyone else seen an increase in sunrpc scans these days? Mihai Moldovanu (Jan 15)
  - FTP and RPC based worms [was anyone else ...] Russell Fulton (Jan 15)
    - Re: FTP and RPC based worms [was anyone else ...] Royans K Tharakan (Jan 15)
    - Re: FTP and RPC based worms [was anyone else ...] slim bones (Jan 16)
    - Ramen worm . More details on it. ( found a password and e-mails crypted inside it) Mihai Moldovanu (Jan 16)
    - Re: Ramen worm . More details on it. ( found a password and e-mails crypted inside it) Jeffrey F. Lawhorn (Jan 16)
    - Re: Ramen worm . More details on it. ( found a password and e-mails crypted inside it) Daniel Martin (Jan 16)
    - Re: FTP and RPC based worms [was anyone else ...] Steve Clement (Jan 16)
- Re: anyone else seen an increase in sunrpc scans these days? thomas lakofski (Jan 15)
- Re: anyone else seen an increase in sunrpc scans these days? Niels Heinen (Jan 15)
- Re: anyone else seen an increase in sunrpc scans these days? Edward Mitchell (Jan 15)

(Thread continues...)