Security Incidents mailing list archives

Re: Printer exploit?


From: HyunWoo Lee <lotus () cert certcc or kr>
Date: Fri, 29 Jun 2001 13:49:20 +0900

We've also noticed a sudden increase in tcp port 515 scans since 19 Jun.
You can see a graph at the link below:

    http://www.certcc.or.kr/statistics/rtsd/rtsd_scandetect.html

One of the contributors to this increase that we've recently found is the red worm.

It scans port 515 intensively, and also for bind and rpc.statd vulnerabilities.

The distribution site of this worm's code (red.tar) is "go.163.com"; it should be shut down immediately.

As time goes by, we are seeing some hosts compromised by this worm.

We will issue an incident note for this case, but sorry, it will be in Korean only. Anyway, check out our site a little later.

    http://www.certcc.or.kr/paper/paper-2.htm


Some short evidence to find this worm:

   Directory : /usr/lib/lib,
   Files : /usr/bin/kfm, /sbin/kfm, /usr/bin/td, /usr/bin/adore, etc.
   Related open ports : tcp 1522, tcp 39168

Hope it will help.


--
----------------------------------------------------
Hyunwoo Lee / CCNA      E-mail : lotus () certcc or kr
CERTCC-KR                   Web : http://www.certcc.or.kr

           Get Ready Against New Attack?
----------------------------------------------------
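A hypothetical host check, added here and not part of the post or of CERTCC-KR's own tooling, that looks for the indicator paths and listening ports listed above. The filesystem root prefix and the `netstat -an` listing are parameters (assumptions of this example) so it can be run against a mounted image or a saved capture rather than only the live host:

```shell
#!/bin/sh
# Indicators quoted from the message above; everything else is illustrative.
INDICATOR_PATHS="/usr/lib/lib /usr/bin/kfm /sbin/kfm /usr/bin/td /usr/bin/adore"
INDICATOR_PORTS="1522 39168"

# check_paths ROOT
#   Reports each indicator path present under ROOT on stderr and echoes
#   the number found on stdout. ROOT may be "" for the live system or the
#   mount point of a suspect disk image.
check_paths() {
    root=$1
    found=0
    for p in $INDICATOR_PATHS; do
        if [ -e "$root$p" ]; then
            echo "indicator path present: $root$p" >&2
            found=$((found + 1))
        fi
    done
    echo "$found"
}

# check_ports LISTING
#   LISTING is the text of "netstat -an". Echoes how many indicator ports
#   appear as TCP sockets in LISTEN state (established connections on those
#   ports are ignored, only a listener counts).
check_ports() {
    listing=$1
    hits=0
    for port in $INDICATOR_PORTS; do
        if printf '%s\n' "$listing" |
           grep -E "^tcp[^ ]* +[0-9]+ +[0-9]+ +[^ ]*:$port +[^ ]+ +LISTEN" >/dev/null; then
            echo "indicator listener on tcp $port" >&2
            hits=$((hits + 1))
        fi
    done
    echo "$hits"
}

# Constructed sample capture (not real data): lpd on 515 plus one indicator
# listener and one unrelated established connection on 1522.
SAMPLE_NETSTAT="tcp        0      0 0.0.0.0:515             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:39168           0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.1:1522           10.0.0.2:4000           ESTABLISHED"

# Stand-alone run: live filesystem plus the constructed capture.
paths_hit=$(check_paths "")
ports_hit=$(check_ports "$SAMPLE_NETSTAT")
echo "indicator paths: $paths_hit, indicator listeners: $ports_hit"
```

On a live host replace the constructed capture with `check_ports "$(netstat -an)"`; a non-zero result from either function is a reason to pull the box for forensics rather than a verdict on its own.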


Vangelis Haniotakis wrote:

On 28 Jun 2001, John Leach wrote:

We've noticed a sudden influx of tcp 515 printer port scans over the
last month on nearly all of our boxes (different sites, different ISPs).

We *do* have a *really* good HP colour laserjet, I guess the word got
out.

 Hmm, guess our printers must look tasty as well.

 We got hit by 3 different attackers today, all looking for port 515 on
random IP's. A total of about 60,000 probes launched towards all of our
class B network.

 Is this beginning to look a bit worrying?

--
Vangelis Haniotakis - Network & Communications Centre, University of Crete

----------------------------------------------------------------------------

This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see:

http://aris.securityfocus.com
