Security Incidents mailing list archives

Re: FTP and RPC based worms [was anyone else ...]


From: Roberto <cinini () TERRA ES>
Date: Tue, 16 Jan 2001 02:54:14 -0000

hello,
having seen this too, the past few days it is originating mostly from pacbell.net hostnames, but it also consists of lpd in my case; a w0rm is my guess. I think t0rn or whoever is behind this too, since my machine was hacked, as I posted a few weeks ago, and I have managed to find the dir used for this ..
it was /lib/ldd.so, where there was tksb "sauber" and tks "sniffer", and it turns out it was t0rnkit behind it, the new one... is there more information on this kit? certain dirs / ports / analysis? anything?

bye




On Mon, 15 Jan 2001 14:40:16 +0200 Mihai Moldovanu <mihaim () PROFM RO> wrote:


Yes. The same problem here. But not only 111; 21 also.
We deployed a honeypot and waited to be compromised. It took 12 hours to be compromised. I took it out of the network and this is what I found on it:
It seems like a worm that installs StatDXscan (Class B rpc.statd scanner), wu-ftpd scanner, a modified t0rn rootkit along with Adore LKM rootkit, and flood tools: Sl2, smurf5, trojaned sshd running on port 48480.
t0rnscan has inside it the following string: irc.webbernet.net:6667


We had a machine compromised in the early hours of this morning via wu-ftpd.

Here are the network traffic logs as generated by argus, interleaved with my interpretation:

initial FIN/SYN scan packet
16 Jan 01 01:06:48    tcp 194.163.254.235.21    <o>     130.216.7.109.21    2        1         0            0           FSR_SA
Grab ftp banner:
16 Jan 01 01:06:49    tcp 194.163.254.235.1239   -     130.216.7.109.21    6        5         0            95          FSRA_FSPA
compromise via site exec (recorded independently by snort)
16 Jan 01 01:08:00    tcp 194.163.254.235.1255   o>     130.216.7.109.21    19       17        1678         2051        SRPA_SPA
get tools to install from 'home'
16 Jan 01 01:08:15    tcp   130.216.7.109.2846   ->   194.163.254.235.27374 39       69        545          95282       FSPA_FSPA
launch scanner on 156.82.0.0/8
16 Jan 01 01:08:22    tcp   130.216.7.109.21     o>        156.82.0.1.21    1        0         0            0           FS_
16 Jan 01 01:08:22    tcp   130.216.7.109.21     o>        156.82.0.2.21    1        0         0            0           FS_
16 Jan 01 01:08:22    tcp   130.216.7.109.21     o>        156.82.0.3.21    1        0         0            0           FS_
16 Jan 01 01:08:22    tcp   130.216.7.109.21     o>        156.82.0.4.21    1        0         0            0           FS_
16 Jan 01 01:08:22    tcp   130.216.7.109.21     o>        156.82.0.5.21    1        0         0            0           FS_
16 Jan 01 01:08:22    tcp   130.216.7.109.21     o>        156.82.0.6.21    1        0         0            0           FS_
16 Jan 01 01:08:22    tcp   130.216.7.109.21     o>        156.82.0.7.21    1        0         0            0           FS_
16 Jan 01 01:08:22    tcp   130.216.7.109.21     o>        156.82.0.8.21    1        0         0            0           FS_
16 Jan 01 01:08:22    tcp   130.216.7.109.21     o>        156.82.0.9.21    1        0         0            0           FS_
16 Jan 01 01:08:22    tcp   130.216.7.109.21     o>       156.82.0.10.21    1        0         0            0           FS_

All fairly standard stuff, except that the whole process took under 2 minutes from initial probe to launching the scanner.

I conclude that what we have here is a worm spreading via ftp.

I have port scanned the compromised system and it is listening on port 27374, the same as the one on 194.163.254.235 where it got its tools from. When I connected to this port via telnet I got a large amount of binary data dumped to the terminal. No other unusual ports open.

I have not examined the compromised system myself yet; it's in another department across campus.

I scanned our network traffic for the last couple of days looking for traffic to tcp 27374 and found very slow scans going from one address.

194.163.254.235 also probed tcp 111 on machines that responded to the ftp scan but were not vulnerable to their ftp exploit.

Cheers, Russell.

Russell Fulton, Computer and Network Security Officer
The University of Auckland, New Zealand.
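The sequence Russell reads out of the argus flows (inbound tcp/21 contact, an outbound fetch to tcp/27374, then a burst of outbound tcp/21 probes, all within a couple of minutes) can be turned into a detection check over flow records. This is an added example, not code from the thread or from argus; it assumes a simplified argus-like record layout and uses constructed addresses from the RFC 5737 documentation ranges.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in a simplified argus-like layout (an assumption, not
# argus' real column set). Addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2001-01-16 01:06:48 tcp 198.51.100.7:21 -> 192.0.2.10:21 FSR_SA
2001-01-16 01:06:49 tcp 198.51.100.7:1239 -> 192.0.2.10:21 FSRA_FSPA
2001-01-16 01:08:00 tcp 198.51.100.7:1255 -> 192.0.2.10:21 SRPA_SPA
2001-01-16 01:08:15 tcp 192.0.2.10:2846 -> 198.51.100.7:27374 FSPA_FSPA
2001-01-16 01:08:22 tcp 192.0.2.10:21 -> 203.0.113.1:21 FS_
2001-01-16 01:08:22 tcp 192.0.2.10:21 -> 203.0.113.2:21 FS_
2001-01-16 01:08:22 tcp 192.0.2.10:21 -> 203.0.113.3:21 FS_
2001-01-16 01:08:22 tcp 192.0.2.10:21 -> 203.0.113.4:21 FS_
2001-01-16 01:08:22 tcp 192.0.2.10:21 -> 203.0.113.5:21 FS_
2001-01-16 01:09:00 tcp 192.0.2.99:4000 -> 192.0.2.10:21 FSPA_FSPA
"""

LINE = re.compile(r"(\S+ \S+) (\w+) (\S+):(\d+) -> (\S+):(\d+) (\S+)")

def parse(text):
    """Yield (time, proto, src, sport, dst, dport, state) for each record."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            t, proto, src, sp, dst, dp, state = m.groups()
            yield (datetime.strptime(t, "%Y-%m-%d %H:%M:%S"), proto,
                   src, int(sp), dst, int(dp), state)

def find_worm_sequences(text, min_probes=5, window_s=300):
    """Return {victim: (tool_server, seconds_probe_to_scan, probe_count)} for
    hosts that were contacted on tcp/21, then fetched from tcp/27374, then
    probed at least min_probes distinct hosts on tcp/21 within window_s."""
    first_in, fetch, probes = {}, {}, defaultdict(dict)
    for t, proto, src, sp, dst, dp, state in parse(text):  # chronological
        if proto != "tcp":
            continue
        if dp == 21:
            first_in.setdefault(dst, t)            # first inbound FTP contact
            if src in fetch:                       # a fetched host now probing
                probes[src].setdefault(dst, t)
        elif dp == 27374 and src in first_in:
            fetch.setdefault(src, (t, dst))        # tool download from 'home'
    hits = {}
    for victim, (t_fetch, server) in fetch.items():
        t0 = first_in[victim]
        times = [t for t in probes[victim].values()
                 if t >= t_fetch and (t - t0).total_seconds() <= window_s]
        if len(times) >= min_probes:
            hits[victim] = (server, int((min(times) - t0).total_seconds()), len(times))
    return hits
```

On the constructed sample the victim is flagged 94 seconds after the first probe, mirroring the under-two-minute interval in the report; raising min_probes above the number of distinct targets suppresses the alert.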

