Security Incidents mailing list archives
Re: Port 10008
From: <jlewis () lewis org>
Date: Tue, 15 May 2001 11:48:11 -0400 (EDT)
On Tue, 15 May 2001, Joerg Weber wrote:
> my FW-Logs went insane last night with gazillions of connection attempts to port 10008. FW-1 does unfortunately not log dropped packets, so I've no idea about flags et al, but the scan looks like this:
>
> SourcePort = Increases with each scan
> DestPort = 10008
I got some scans on port 10008 as well. The really odd thing is this. If you port scan them back, you'll find that on some high TCP port, if you connect and send a few newlines, it'll reply with a uuencoded cheese.tgz file.

I took a very brief look at the contents of cheese.tgz. The comments say it's a cleaner, written to remove root shells from inetd.conf. There's a lot more than that in the code though. Looks like a trojan that's really a scanner.

--
----------------------------------------------------------------------
 Jon Lewis *jlewis () lewis org*|  I route
 System Administrator        |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
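Added example, not part of the original post and not code from cheese.tgz: a read-only audit that lists inetd.conf entries running a shell as root, the kind of entry the cheese.tgz comments refer to. The function name, the shell list and the sample file contents are constructed for illustration.

```python
# Read-only audit: report inetd.conf services that hand out a shell as root.
# inetd.conf fields: service socket_type protocol wait_flag user program [args...]

# Basenames treated as interactive shells (an assumption; extend as needed).
SHELLS = {"sh", "bash", "csh", "tcsh", "ksh", "zsh", "ash"}


def basename(path):
    return path.rsplit("/", 1)[-1]


def find_root_shells(conf_text):
    """Return [(line_no, service, program)] for entries that run a shell as root."""
    findings = []
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        fields = line.split()
        if len(fields) < 6:
            continue
        service, user, program, args = fields[0], fields[4], fields[5], fields[6:]
        owner = user.replace(":", ".").split(".")[0]  # accept user.group / user:group
        # Behind a tcpd wrapper the real program is the first argument.
        target = args[0] if basename(program) == "tcpd" and args else program
        if owner == "root" and basename(target) in SHELLS:
            findings.append((line_no, service, target))
    return findings


# Constructed sample, not taken from any real host.
SAMPLE = """\
# /etc/inetd.conf
ftp        stream tcp nowait root      /usr/sbin/tcpd in.ftpd -l -a
telnet     stream tcp nowait root      /usr/sbin/tcpd in.telnetd
9999       stream tcp nowait root      /bin/sh        sh
#9998      stream tcp nowait root      /bin/sh        sh
ingreslock stream tcp nowait root.root /usr/sbin/tcpd /bin/bash -i
finger     stream tcp nowait nobody    /usr/sbin/tcpd in.fingerd
"""

if __name__ == "__main__":
    for line_no, service, program in find_root_shells(SAMPLE):
        print(f"line {line_no}: service {service} runs {program} as root")
```

Because it only reads the file, the audit can be run against a copy of a suspect host's inetd.conf without executing anything received from the scanning machines.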
Current thread:
- Port 10008 Joerg Weber (May 15)
- Re: Port 10008 jlewis (May 15)
- Re: Port 10008 jlewis (May 22)
- Re: Port 10008 Tracey Losco (May 15)
- Re: Port 10008 Tim Brown (May 15)
- Re: Port 10008 Mike Scott (May 15)
- Re: Port 10008 Crist Clark (May 15)
- Re: Port 10008 Rob Lindenbusch (May 15)
- Re: Port 10008 Bryan Andersen (May 15)
- Cheese Worm - Port 10008 HyunWoo Lee (May 16)
- Re: Port 10008 jlewis (May 15)