Security Incidents mailing list archives

RE: DoS worm

From: "David Gillett" <gillettdavid () fhda edu>
Date: Thu, 21 Oct 2004 09:05:45 -0700

  I have the SMB probing; although I strongly suspect weak admin
passwords, I don't see anything that looks like brute-forcing through 
a list.  (Maybe it's trying to avoid triggering account lockout?)  I
could provide these in .pkt (EtherPeek) format if that would be useful.
  The only SSH connections I saw were unanswered SYNs, but I don't know
that there weren't others that did get answers.

David Gillett

-----Original Message-----
From: Thor Larholm [mailto:thor () pivx com]
Sent: Thursday, October 21, 2004 2:06 AM
To: gillettdavid () fhda edu; incidents () securityfocus com
Subject: RE: DoS worm

From your description your six machines are now compromised by a random
Trojan being controlled by shaman.exodus.ro - I take it you perhaps took
some capture logs of the SSH connections, the SYN flooding and the SMB
probing? That would be invaluable to knowing whether this is a new SMB
vulnerability or whether the worm simply connects using insecure
administrator passwords.

Thor

-----Original Message-----
From: David Gillett [mailto:gillettdavid () fhda edu] 
Sent: Wednesday, October 20, 2004 10:48 PM
To: incidents () securityfocus com
Subject: DoS worm

  Yesterday, someone (we believe it was one of our students)
unplugged a lab Mac from the campus network and plugged in a
PC (laptop, we assume).  Besides whatever the user wanted, it
apparently did three things:

1.  Attempt to open a lot of connections (port 22, SSH) to
shaman.exodus.ro (62.80.109.128), then

2.  Send a SYN flood, spoofing the source address as 0.0.0.0,
to ports 22 and 80 of weed.powered.at (195.149.115.18), and

3.  Probe random addresses in our Class B space (port 445, CIFS);
if it got a connection, it tried various SMB-type things amongst 
which I was able to pick out the string "IPC".  Five other machines
in our space eventually demonstrated similar symptoms.

  I don't know what this beast is.  I infer that #2 is a DoS attack
which is perhaps the purpose of the worm, and that #3 is its spread
vector via the IPC$ share.

  Anybody recognize this?

Dave Gillett
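As an added defender-side example, not part of this thread or of any capture Dave posted: a small Python checker that flags the two symptoms described above in a connection log, SYNs leaving the network with the source spoofed as 0.0.0.0 (the flood toward 195.149.115.18), and an internal host fanning out across the campus Class B on TCP 445 (the IPC$ spread vector). The range 10.20.0.0/16 stands in for the unnamed campus Class B; the log format, the fan-out threshold and every sample line are constructed assumptions.

```python
"""Flag the two worm symptoms from the thread in a constructed connection
log: outbound SYNs with the source spoofed as 0.0.0.0, and an internal host
probing many distinct campus addresses on TCP 445 (the IPC$ spread vector)."""
from collections import defaultdict
import ipaddress

CAMPUS_NET = ipaddress.ip_network("10.20.0.0/16")  # assumed stand-in for the Class B
FANOUT_THRESHOLD = 5  # distinct 445 targets before alerting (assumed)

# Constructed sample lines: "<src_ip> <src_port> <dst_ip> <dst_port> <tcp_flags>"
SAMPLE_LOG = """\
0.0.0.0 40001 195.149.115.18 22 S
0.0.0.0 40002 195.149.115.18 80 S
0.0.0.0 40003 195.149.115.18 80 S
10.20.5.17 51000 10.20.77.3 445 S
10.20.5.17 51001 10.20.12.200 445 S
10.20.5.17 51002 10.20.200.9 445 S
10.20.5.17 51003 10.20.3.44 445 S
10.20.5.17 51004 10.20.150.1 445 S
10.20.9.2 52000 10.20.9.5 445 S
10.20.9.2 52001 198.51.100.7 443 S
"""

def parse(log):
    """Yield (src, sport, dst, dport, flags) for each non-empty line."""
    for line in log.splitlines():
        if line.strip():
            src, sport, dst, dport, flags = line.split()
            yield src, int(sport), dst, int(dport), flags

def spoofed_syn_floods(log):
    """Count SYNs per destination whose source is the unroutable 0.0.0.0.
    The spoofed address hides the sender; naming the infected host needs
    switch-port or MAC correlation, which this log does not carry."""
    counts = defaultdict(int)
    for src, _, dst, _, flags in parse(log):
        if src == "0.0.0.0" and "S" in flags:
            counts[dst] += 1
    return dict(counts)

def smb_fanout(log, net=CAMPUS_NET, threshold=FANOUT_THRESHOLD):
    """Map each in-network source to the number of distinct in-network
    hosts it sent a SYN to on 445, keeping those at or above threshold."""
    targets = defaultdict(set)
    for src, _, dst, dport, flags in parse(log):
        if dport == 445 and "S" in flags and \
                ipaddress.ip_address(src) in net and ipaddress.ip_address(dst) in net:
            targets[src].add(dst)
    return {s: len(t) for s, t in targets.items() if len(t) >= threshold}
```

Run against a real export, the first function points at the flood's victim while the second names the internal hosts worth pulling off the network and checking for weak administrator passwords.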

